LinuxQuestions.org


sir-lancealot! 08-30-2006 09:22 PM

centos - firewall up - ftp no permissions
 
Evening all, not sure but figured security was the right place to post this. Basically I have a CentOS 4 machine with up to date patches.

I am hosting several websites and had an issue with FTP so left the FW off, but now this box is live and if I enable the FW, allow each, ssh, mail, etc. all work fine yet FTP does not. If I connect with a GUI app from any OS such as Fetch, Dreamweaver, Quanta I get "connection refused", where /var/log/messages shows the following:

Aug 30 21:57:35 hobbs pure-ftpd: (?@x.x.x.x) [INFO] New connection from x.x.x.x
Aug 30 21:57:35 hobbs pure-ftpd: (?@x.x.x.x) [INFO] jinxster is now logged in
Aug 30 21:57:36 hobbs pure-ftpd: (jinxster@x.x.x.x) [INFO] Logout.


So it sees the connect and, according to the above logs, lets you in, yet the client gets a refused.
Also, if you command line from the same client, you get the following:

[lance@localhost ~]$ ftp
ftp> open
(to) x.x.x.x
Connected to x.x.x.x
220---------- Welcome to Pure-FTPd [privsep] [TLS] ----------
220-You are user number 2 of 50 allowed.
220-Local time is now 22:11. Server port: 21.
220-This is a private system - No anonymous login
220-IPv6 connections are also welcome on this server.
220 You will be disconnected after 15 minutes of inactivity.
500 This security scheme is not implemented
500 This security scheme is not implemented
KERBEROS_V4 rejected as an authentication type
Name (x.x.x.x:lance): lance
331 User lance OK. Password required
Password:
230-User lance has group access to: lance
230 OK. Current restricted directory is /
Remote system type is UNIX.
Using binary mode to transfer files.
ftp> ls
227 Entering Passive Mode (x.x.x.x,224,97)
ftp: connect: No route to host


IPTables look like this:

Chain FORWARD (policy ACCEPT)
target prot opt source destination
RH-Firewall-1-INPUT all -- anywhere anywhere

Chain OUTPUT (policy ACCEPT)
target prot opt source destination

Chain RH-Firewall-1-INPUT (2 references)
target prot opt source destination
ACCEPT all -- anywhere anywhere
ACCEPT icmp -- anywhere anywhere icmp any
ACCEPT ipv6-crypt-- anywhere anywhere
ACCEPT ipv6-auth-- anywhere anywhere
ACCEPT udp -- anywhere 224.0.0.251 udp dpt:5353
ACCEPT udp -- anywhere anywhere udp dpt:ipp
ACCEPT all -- anywhere anywhere state RELATED,ESTABLISHED
ACCEPT tcp -- anywhere anywhere state NEW tcp dpt:https
ACCEPT tcp -- anywhere anywhere state NEW tcp dpt:imap
ACCEPT tcp -- anywhere anywhere state NEW tcp dpt:ftp
ACCEPT tcp -- anywhere anywhere state NEW tcp dpt:ssh
ACCEPT tcp -- anywhere anywhere state NEW tcp dpt:smtp
ACCEPT tcp -- anywhere anywhere state NEW tcp dpt:http
REJECT all -- anywhere anywhere reject-with icmp-host-prohibited


I tried using vsftp as well as pure-ftp so I know it's not that. Sorry for such a long post, but I am pulling what's left of my hair out, thank you for the time and any suggestions.

--Lance--

Capt_Caveman 08-30-2006 09:44 PM

Try loading the ip_conntrack_ftp module. Basically, iptables often has a hard time maintaining the connection when you initiate the data channel in passive FTP and doesn't recognize it as part of an established connection. Also, does FTP work with the firewall off?
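The mechanism in this reply can be checked rather than guessed. The script below is an added example written for this thread, not code from the thread or from pure-ftpd/iptables: it decodes the data port the server announced in the "227 Entering Passive Mode" reply (p1*256 + p2, a port no static "dpt:ftp" rule covers), and then reports whether the FTP conntrack helper is loaded and whether the ruleset accepts RELATED,ESTABLISHED traffic, which is what lets the helper-tagged data connection through instead of hitting the final REJECT (icmp-host-prohibited is what the client sees as "No route to host"). The module lists and ruleset fed to it are constructed samples modelled on the thread; the module name nf_conntrack_ftp is the later kernel spelling and is an assumption for systems newer than CentOS 4.

```shell
#!/bin/sh
# Added diagnostic helpers for passive FTP behind iptables (example code for this
# thread, not from the original posts). Sample inputs below are constructed.

# Decode the data port from a "227 Entering Passive Mode (h1,h2,h3,h4,p1,p2)" reply.
# Works on the thread's redacted form "(x.x.x.x,224,97)" too: only the last two
# comma-separated fields matter. Port = p1*256 + p2.
pasv_port() {
    printf '%s\n' "$1" | sed 's/.*(//; s/).*//' | awk -F, '{ print $(NF-1) * 256 + $NF }'
}

# Read /proc/modules-style text on stdin; succeed if the FTP helper is loaded.
# CentOS 4's 2.6 kernel calls it ip_conntrack_ftp; later kernels nf_conntrack_ftp
# (assumed name for newer systems).
ftp_helper_loaded() {
    grep -Eq '^(ip|nf)_conntrack_ftp[[:space:]]'
}

# Read "iptables -L" text on stdin; succeed if some rule accepts RELATED,ESTABLISHED.
# The helper only tags the data connection as RELATED; this rule is what accepts it.
accepts_related() {
    grep -q 'state RELATED,ESTABLISHED'
}

# One-word verdict. $1 = file holding /proc/modules text, $2 = file holding iptables -L text.
diagnose() {
    if ! ftp_helper_loaded < "$1"; then
        echo "helper-missing"        # fix: modprobe ip_conntrack_ftp, then persist it
    elif ! accepts_related < "$2"; then
        echo "related-rule-missing"  # fix: accept -m state --state RELATED,ESTABLISHED
    else
        echo "ok"
    fi
}

# Constructed samples: module list before and after the modprobe, plus the
# relevant lines of the thread's RH-Firewall-1-INPUT chain.
tmp=$(mktemp -d)
cat > "$tmp/modules.before" <<'EOF'
ipv6 240000 12 - Live 0xf8a00000
ip_tables 17000 4 iptable_filter - Live 0xf88d0000
EOF
cat > "$tmp/modules.after" <<'EOF'
ip_conntrack_ftp 72000 0 - Live 0xf8b10000
ip_conntrack 45000 1 ip_conntrack_ftp - Live 0xf8b00000
ip_tables 17000 4 iptable_filter - Live 0xf88d0000
EOF
cat > "$tmp/rules" <<'EOF'
Chain RH-Firewall-1-INPUT (2 references)
target prot opt source destination
ACCEPT all -- anywhere anywhere state RELATED,ESTABLISHED
ACCEPT tcp -- anywhere anywhere state NEW tcp dpt:ftp
REJECT all -- anywhere anywhere reject-with icmp-host-prohibited
EOF

echo "data port announced: $(pasv_port '227 Entering Passive Mode (x.x.x.x,224,97)')"
echo "before modprobe: $(diagnose "$tmp/modules.before" "$tmp/rules")"
echo "after modprobe:  $(diagnose "$tmp/modules.after" "$tmp/rules")"
```

On a live box, replace the constructed files with `cat /proc/modules` and `iptables -L -n` output (or `lsmod` piped through the same grep); the verdict tells you whether the missing piece is the helper module or the state rule, which is the difference between this thread's case (rule present, module missing) and a ruleset that never accepts RELATED traffic at all.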

sir-lancealot! 08-30-2006 09:48 PM

Reading into the ip_conntrack_ftp module now. As for the 2nd question, yes, if I turn off the FW, you can successfully ftp in and keep your connection. Thanks for the quick reply, will let you know progress.

Also, any idea what the "ACCEPT udp -- anywhere 224.0.0.251 udp dpt:5353" line does? I planned on looking into that but for now just want FTP working.

lance

jschiwal 08-30-2006 09:57 PM

I read somewhere that you need ip_conntrack_ftp loaded.
This link may provide details: http://www.laser.dist.unige.it/Repos...p_conntrack%22

The first example iptables entry given by notwerk in http://www.linuxquestions.org/questi...cess+conntrack
might be useful if you are using active ftp.

sir-lancealot! 08-30-2006 10:03 PM

great, I'm on EST so the pdf is now open, will look 1st thing, thank you again for the prompt replies and will post in the am ...

Capt_Caveman 08-31-2006 12:52 AM

Quote:

Originally Posted by sir-lancealot!
reading into the ip_conntrack_ftp module now.

Cool, as root you'll need to do: modprobe ip_conntrack_ftp

Quote:

Also, any idea what the "ACCEPT udp -- anywhere 224.0.0.251 udp dpt:5353" line does?
Accepts Multicast DNS traffic (mDNSResponder daemon). AFAIK, it allows compatibility with Zeroconf and some Apple protocols like Rendezvous and Bonjour.

sir-lancealot! 08-31-2006 10:25 AM

Bingo.. The modprobe worked like a charm. Now, since I am not that savvy (getting there), how can I start this on reboot?

I know I can throw it into the rc.local file which I bet is the wrong way of doing it. Looked in the modprobe.conf file but only a few lines and no options.

I read some more and saw someone mentioning in /etc/rc.d/init.d/iptables to do the following:
Change:
IPTABLES_MODULES=""
To:
IPTABLES_MODULES="ip_conntrack_ftp"

Now that to me says when iptables starts to use that module, is that the case?

Either way I now see it working, so thank you very much for the help and such prompt replies. This is my personal box which my buddy helped set up; I know a lot of the things I do all the time and don't really know what / why it works, so I am trying to get the answers by reading more and understanding vs. calling him all the time.

Again, thank you very much

Capt_Caveman 08-31-2006 04:40 PM

Quote:

I know I can throw it into the rc.local file which I bet is the wrong way of doing it. Looked in the modprobe.conf file but only a few lines and no options.
I read some more and saw someone mentioning in /etc/rc.d/init.d/iptables to do the following:
Change:
IPTABLES_MODULES=""
To:
IPTABLES_MODULES="ip_conntrack_ftp"
Either way will work. Putting it in the init.d script is probably the more "elegant" solution though.

Quote:

I know a lot of the things I do all the time and don't really know what / why it works, so I am trying to get the answers by reading more and understanding vs. calling him all the time.
Hang in there. It can be frustrating struggling with these little nuances, but keep reading docs and making it a point to try to figure things out yourself (it seems like you are) and pretty soon you'll be a guru. Besides, getting passive FTP to work with iptables is pretty tricky and most people struggle with it (I know I did).
