LinuxQuestions.org
Linux - Security
Old 04-07-2013, 08:56 AM   #1
jbdkz
LQ Newbie
 
Registered: Jan 2013
Posts: 11

Rep: Reputation: Disabled
Proper iptables rule for vsftpd


I am trying to brush up on my RHEL skills. I have a virtual RHEL6.4 Beta server with vsftpd installed. I have created an iptables rule by issuing the following command:

iptables -A INPUT -m state --state NEW -m tcp -p tcp --dport 21 -j ACCEPT
service iptables save
service iptables restart

But am unable to get to the FTP site from a Windows 2003 server running wsftp.

If I disable ipchains I can get to the FTP site without a problem.

I would like to get to the ftp site using both active and passive ftp.

Thanks!

John
 
Old 04-07-2013, 10:30 AM   #2
rayfordj
Member
 
Registered: Feb 2008
Location: Texas
Distribution: Fedora, RHEL, CentOS
Posts: 475

Rep: Reputation: 73
It's been a while since I set one up, but here's the gist of it and you'll want to ensure the rules are present before the typically found -j REJECT at the end of the INPUT chain. For ftp as you describe, I believe you'll need 20 & 21, ESTABLISHED & RELATED, and the nf_conntrack_ftp module. You may have some combination of this already satisfied. The good news is we at least know it is firewall related since you can disable netfilter rules and it works.



Code:
iptables -A INPUT -m tcp -p tcp -m multiport --dports 20,21 -m state --state NEW -j ACCEPT -m comment --comment " FTP Server "
Code:
iptables -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
Code:
modprobe nf_conntrack_ftp
If that works, you can add the nf_conntrack_ftp to /etc/sysconfig/iptables-config in the IPTABLES_MODULES="" variable, so it is loaded when iptables/netfilter rules are applied.
 
Old 04-07-2013, 10:56 AM   #3
Lexus45
Member
 
Registered: Jan 2010
Location: Kurgan, Russia
Distribution: Slackware, Ubuntu
Posts: 339
Blog Entries: 3

Rep: Reputation: 47
Show us the output of 'iptables -L -v -n' command.
 
Old 04-07-2013, 10:16 PM   #4
jbdkz
LQ Newbie
 
Registered: Jan 2013
Posts: 11

Original Poster
Rep: Reputation: Disabled
FTP IPTABLES problem fixed

rayfordj,

Your iptables rules plus reordering the REJECTs so that they are below the ACCEPTs has resolved the problem!

Attached are the before and after pictures of my /etc/sysconfig/iptables file.

Thanks!

John
Attached images: Before.JPG and After.JPG (the /etc/sysconfig/iptables file before and after the change)
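The root cause in this thread is rule ordering: an ACCEPT appended after the stock catch-all REJECT in INPUT never matches, which is what rayfordj warns about in post #2 and what jbdkz fixed in post #4. The following shell functions are an added example, not code from the thread: they audit an iptables-save style dump (the format of /etc/sysconfig/iptables) for INPUT rules shadowed by an earlier REJECT/DROP, and emit a corrected ruleset with the ACCEPTs hoisted. The sample ruleset is constructed for this example.

```shell
#!/bin/sh
# Constructed /etc/sysconfig/iptables (iptables-save format) reproducing the
# thread's mistake: the FTP ACCEPT sits after the catch-all REJECT in INPUT.
BROKEN_RULES='*filter
:INPUT ACCEPT [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
-A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
-A INPUT -p icmp -j ACCEPT
-A INPUT -i lo -j ACCEPT
-A INPUT -m state --state NEW -m tcp -p tcp --dport 22 -j ACCEPT
-A INPUT -j REJECT --reject-with icmp-host-prohibited
-A FORWARD -j REJECT --reject-with icmp-host-prohibited
-A INPUT -m tcp -p tcp -m multiport --dports 20,21 -m state --state NEW -j ACCEPT
COMMIT'

# Report every INPUT rule placed after the first terminal REJECT/DROP in INPUT
# (rule numbers are 1-based within the chain). No output means nothing shadowed.
shadowed_input_rules() {
    printf '%s\n' "$1" | awk '
        /^-A INPUT / {
            n++
            if (!rej && /-j (REJECT|DROP)/) { rej = n; next }
            if (rej) printf "rule %d shadowed by rule %d: %s\n", n, rej, $0
        }'
}

# Emit a corrected ruleset: all INPUT ACCEPT rules are hoisted, keeping their
# relative order, ahead of the first terminal INPUT rule (or ahead of COMMIT if
# there is none). Assumes the only terminal rule in INPUT is the stock catch-all
# REJECT; a deliberate DROP-before-ACCEPT (e.g. a blocklist) must be kept by hand.
reorder_input_accepts() {
    printf '%s\n' "$1" | awk '
        /^-A INPUT / && /-j ACCEPT/ { acc[++a] = $0; next }
        { line[++n] = $0 }
        END {
            for (i = 1; i <= n; i++) {
                if (!done && (line[i] ~ /^-A INPUT .*-j (REJECT|DROP)/ || line[i] ~ /^COMMIT/)) {
                    for (j = 1; j <= a; j++) print acc[j]
                    done = 1
                }
                print line[i]
            }
        }'
}
```

Run `shadowed_input_rules "$(cat /etc/sysconfig/iptables)"` before `service iptables restart` to catch this class of mistake; the corrected file still needs nf_conntrack_ftp loaded (IPTABLES_MODULES in /etc/sysconfig/iptables-config) for passive FTP data connections to be matched as RELATED.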
 
Old 04-07-2013, 10:23 PM   #5
chrism01
Guru
 
Registered: Aug 2004
Location: Sydney
Distribution: Centos 6.6, Centos 5.10
Posts: 16,324

Rep: Reputation: 2041
Just out of curiosity, why RHEL6.4 Beta ? The PROD release has been out for a while, in fact so has the Centos one as well.
 
Old 04-09-2013, 01:35 PM   #6
jbdkz
LQ Newbie
 
Registered: Jan 2013
Posts: 11

Original Poster
Rep: Reputation: Disabled
chrism01, I chose RHEL 6.4 Beta because I don't have a RH subscription and this was the closest thing to RHEL that I would see in the workplace. I also didn't want the eval time to expire before I was done.

After doing some reading it looks like I could have used Centos as well.

John
 
Old 04-09-2013, 09:11 PM   #7
chrism01
Guru
 
Registered: Aug 2004
Location: Sydney
Distribution: Centos 6.6, Centos 5.10
Posts: 16,324

Rep: Reputation: 2041
Indeed, but my point is you don't need the Beta version; the full prod version (of both RHEL & Centos) has been out for a while.
The Beta is not fully baked, hence the name.
(Centos is pretty much identical to RHEL, minus a few RH proprietary bits like logos and the rhn connection sw.)
 
Old 04-09-2013, 11:14 PM   #8
jbdkz
LQ Newbie
 
Registered: Jan 2013
Posts: 11

Original Poster
Rep: Reputation: Disabled
Thanks for the feedback Chris, I shall use Centos (or a prod version of RHEL) in order to brush up on my skills.

John
 