centos - firewall up - ftp no permissions
Evening all, not sure but figured security was the right place to post this. Basically I have a CentOS 4 machine with up to date patches.
I am hosting several websites and had an issue with FTP so left the FW off, but now this box is live and if I enable the FW, allow each, ssh, mail, etc. all work fine yet FTP does not. If I connect with a GUI app from any OS such as Fetch, Dreamweaver, Quanta I get "connection refused" where /var/log/messages shows the following:

Aug 30 21:57:35 hobbs pure-ftpd: (?@x.x.x.x) [INFO] New connection from x.x.x.x
Aug 30 21:57:35 hobbs pure-ftpd: (?@x.x.x.x) [INFO] jinxster is now logged in
Aug 30 21:57:36 hobbs pure-ftpd: (jinxster@x.x.x.x) [INFO] Logout.

So it sees the connection and, according to the above logs, lets you in, yet the client gets a refused. Also, if you command line from the same client, you get the following:

[lance@localhost ~]$ ftp
ftp> open
(to) x.x.x.x
Connected to x.x.x.x
220---------- Welcome to Pure-FTPd [privsep] [TLS] ----------
220-You are user number 2 of 50 allowed.
220-Local time is now 22:11. Server port: 21.
220-This is a private system - No anonymous login
220-IPv6 connections are also welcome on this server.
220 You will be disconnected after 15 minutes of inactivity.
500 This security scheme is not implemented
500 This security scheme is not implemented
KERBEROS_V4 rejected as an authentication type
Name (x.x.x.x:lance): lance
331 User lance OK. Password required
Password:
230-User lance has group access to: lance
230 OK. Current restricted directory is /
Remote system type is UNIX.
Using binary mode to transfer files.
ftp> ls
227 Entering Passive Mode (x.x.x.x,224,97)
ftp: connect: No route to host

IPTables look like this:

Chain FORWARD (policy ACCEPT)
target prot opt source destination
RH-Firewall-1-INPUT all -- anywhere anywhere

Chain OUTPUT (policy ACCEPT)
target prot opt source destination

Chain RH-Firewall-1-INPUT (2 references)
target prot opt source destination
ACCEPT all -- anywhere anywhere
ACCEPT icmp -- anywhere anywhere icmp any
ACCEPT ipv6-crypt-- anywhere anywhere
ACCEPT ipv6-auth-- anywhere anywhere
ACCEPT udp -- anywhere 224.0.0.251 udp dpt:5353
ACCEPT udp -- anywhere anywhere udp dpt:ipp
ACCEPT all -- anywhere anywhere state RELATED,ESTABLISHED
ACCEPT tcp -- anywhere anywhere state NEW tcp dpt:https
ACCEPT tcp -- anywhere anywhere state NEW tcp dpt:imap
ACCEPT tcp -- anywhere anywhere state NEW tcp dpt:ftp
ACCEPT tcp -- anywhere anywhere state NEW tcp dpt:ssh
ACCEPT tcp -- anywhere anywhere state NEW tcp dpt:smtp
ACCEPT tcp -- anywhere anywhere state NEW tcp dpt:http
REJECT all -- anywhere anywhere reject-with icmp-host-prohibited

I tried using vsftp as well as pure-ftp so I know it's not that. Sorry for such a long post, but I am pulling what's left of my hair out, thank you for the time and any suggestions. --Lance--
Try loading the ip_conntrack_ftp module. Basically, iptables often has a hard time maintaining the connection when you initiate the data channel in passive FTP and doesn't recognize it as part of an established connection. Also, does FTP work with the firewall off?
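Added example in POSIX sh, not code from the thread or from pure-ftpd: it decodes a "227 Entering Passive Mode" reply like the one Lance quoted to show which data port the client will open next, and reports whether the FTP conntrack helper suggested above is loaded. The sample reply and its 192.0.2.10 address are constructed, and the fix lines in the comments assume a RHEL/CentOS-style iptables service.

```shell
#!/bin/sh
# Added example, not code from the thread. It shows why a stateful firewall
# that only opens tcp/21 breaks passive FTP: the server announces a second,
# high-numbered data port in its "227 Entering Passive Mode" reply, and the
# client's NEW connection to that port hits the chain's final REJECT unless
# the FTP conntrack helper has marked it RELATED.

# pasv_port "227 Entering Passive Mode (h1,h2,h3,h4,p1,p2)"
# Prints "h1.h2.h3.h4 PORT" where PORT = p1*256 + p2; returns 1 on bad input.
pasv_port() {
    fields=$(printf '%s\n' "$1" | sed -n 's/^227 .*(\([0-9,]*\)).*/\1/p')
    [ -n "$fields" ] || return 1
    # Split the six comma-separated numbers into $1..$6.
    set -- $(printf '%s\n' "$fields" | tr ',' ' ')
    [ $# -eq 6 ] || return 1
    printf '%s.%s.%s.%s %d\n' "$1" "$2" "$3" "$4" $(( $5 * 256 + $6 ))
}

# ftp_helper_loaded: returns 0 if the kernel FTP conntrack helper is loaded.
# CentOS 4's 2.6.9 kernel calls it ip_conntrack_ftp; kernels from 2.6.20 on
# call it nf_conntrack_ftp. Returns 2 when /proc/modules is not readable.
ftp_helper_loaded() {
    [ -r /proc/modules ] || return 2
    grep -Eq '^(ip_conntrack_ftp|nf_conntrack_ftp) ' /proc/modules
}

# Constructed sample reply in the shape of the one quoted in the thread,
# with a documentation address (192.0.2.10) in place of x.x.x.x.
SAMPLE_PASV='227 Entering Passive Mode (192,0,2,10,224,97)'

echo "Data connection will go to: $(pasv_port "$SAMPLE_PASV")"
if ftp_helper_loaded; then
    echo "FTP conntrack helper is loaded; the data port will be RELATED."
else
    echo "Helper not loaded: modprobe ip_conntrack_ftp (or nf_conntrack_ftp)"
    echo "and add it to IPTABLES_MODULES in /etc/sysconfig/iptables-config."
fi
```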
Reading into the ip_conntrack_ftp module now. As for the 2nd question, yes, if I turn off the FW, you can successfully ftp in and keep your connection. Thanks for the quick reply, will let you know progress.
Also, any idea what the "ACCEPT udp -- anywhere 224.0.0.251 udp dpt:5353" line does? I planned on looking into that but for now just want FTP working. lance
I read somewhere that you need ip_conntrack_ftp loaded.
This link may provide details: http://www.laser.dist.unige.it/Repos...p_conntrack%22 The first example iptables entry given by notwerk in http://www.linuxquestions.org/questi...cess+conntrack might be useful if you are using active ftp.
great, I'm on EST so the pdf is now open, will look 1st thing, thank you again for the prompt replies and will post in the am ...
Bingo.. The modprobe worked like a charm. Now, since I am not that savvy (getting there), how can I start this on reboot?
I know I can throw it into the rc.local file, which I bet is the wrong way of doing it. Looked in the modprobe.conf file but only a few lines and no options. I read some more and saw someone mentioning in /etc/rc.d/init.d/iptables to do the following:

Change:
IPTABLES_MODULES=""
To:
IPTABLES_MODULES="ip_conntrack_ftp"

Now that to me says when iptables starts to use that module, is that the case? Either way I now see it working, so thank you very much for the help and such prompt replies. This is my personal box which my buddy helped set up. I know a lot of the things I do all the time and don't really know what / why it works, so I am trying to get the answers by reading more and understanding vs. calling him all the time. Again, thank you very much