Linux - Security: This forum is for all security related questions. Questions, tips, system compromises, firewalls, etc. are all included here.
08-30-2006, 10:22 PM, #1, LQ Newbie (Registered: Aug 2006, Posts: 19)
centos - firewall up - ftp no permissions
Evening all, not sure but figured security was the right place to post this. Basically I have a CentOS 4 machine with up-to-date patches.
I am hosting several websites and had an issue with FTP so left the FW off, but now this box is live and if I enable the FW, allow each, ssh, mail, etc. all work fine yet FTP does not. If I connect with a GUI app from any OS such as Fetch, Dreamweaver or Quanta I get "connection refused", where /var/log/messages shows the following:
Aug 30 21:57:35 hobbs pure-ftpd: (?@x.x.x.x) [INFO] New connection from x.x.x.x
Aug 30 21:57:35 hobbs pure-ftpd: (?@x.x.x.x) [INFO] jinxster is now logged in
Aug 30 21:57:36 hobbs pure-ftpd: (jinxster@x.x.x.x) [INFO] Logout.
So it sees the connection and, according to the above logs, lets you in, yet the client gets a refused.
Also, if you use the command line from the same client, you get the following:
[lance@localhost ~]$ ftp
ftp> open
(to) x.x.x.x
Connected to x.x.x.x
220---------- Welcome to Pure-FTPd [privsep] [TLS] ----------
220-You are user number 2 of 50 allowed.
220-Local time is now 22:11. Server port: 21.
220-This is a private system - No anonymous login
220-IPv6 connections are also welcome on this server.
220 You will be disconnected after 15 minutes of inactivity.
500 This security scheme is not implemented
500 This security scheme is not implemented
KERBEROS_V4 rejected as an authentication type
Name (x.x.x.x:lance): lance
331 User lance OK. Password required
Password:
230-User lance has group access to: lance
230 OK. Current restricted directory is /
Remote system type is UNIX.
Using binary mode to transfer files.
ftp> ls
227 Entering Passive Mode (x.x.x.x,224,97)
ftp: connect: No route to host
iptables looks like this:
Chain FORWARD (policy ACCEPT)
target prot opt source destination
RH-Firewall-1-INPUT all -- anywhere anywhere
Chain OUTPUT (policy ACCEPT)
target prot opt source destination
Chain RH-Firewall-1-INPUT (2 references)
target prot opt source destination
ACCEPT all -- anywhere anywhere
ACCEPT icmp -- anywhere anywhere icmp any
ACCEPT ipv6-crypt-- anywhere anywhere
ACCEPT ipv6-auth-- anywhere anywhere
ACCEPT udp -- anywhere 224.0.0.251 udp dpt:5353
ACCEPT udp -- anywhere anywhere udp dpt:ipp
ACCEPT all -- anywhere anywhere state RELATED,ESTABLISHED
ACCEPT tcp -- anywhere anywhere state NEW tcp dpt:https
ACCEPT tcp -- anywhere anywhere state NEW tcp dpt:imap
ACCEPT tcp -- anywhere anywhere state NEW tcp dpt:ftp
ACCEPT tcp -- anywhere anywhere state NEW tcp dpt:ssh
ACCEPT tcp -- anywhere anywhere state NEW tcp dpt:smtp
ACCEPT tcp -- anywhere anywhere state NEW tcp dpt:http
REJECT all -- anywhere anywhere reject-with icmp-host-prohibited
I tried using vsftpd as well as pure-ftpd so I know it's not that. Sorry for such a long post, but I am pulling out what's left of my hair; thank you for the time and any suggestions.
--Lance--
08-30-2006, 10:44 PM, #2, Senior Member (Registered: Mar 2003, Distribution: Fedora, Posts: 3,658)
Try loading the ip_conntrack_ftp module. Basically, iptables often has a hard time maintaining the connection when you initiate the data channel in passive FTP and doesn't recognize it as part of an established connection. Also, does FTP work with the firewall off?
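To make the two posts above concrete, here is an added example (my own script, not commands from either poster) that models the failure in post #1 and the fix in post #2. Passive FTP works by the server sending "227 Entering Passive Mode (h1,h2,h3,h4,p1,p2)" and the client opening a second TCP connection to port p1*256+p2; the RH-Firewall-1-INPUT chain only accepts NEW connections to port 21, so that second connection falls through to the final REJECT with icmp-host-prohibited, which the ftp client prints as "No route to host". With ip_conntrack_ftp loaded, the kernel reads the 227 reply on the control channel and marks the data connection RELATED, so the existing "state RELATED,ESTABLISHED" rule admits it. The 227 reply, the numeric `iptables -L -n` listing and the `lsmod` lines are constructed sample data (192.0.2.10 is a documentation address); the function names are my own.

```shell
#!/bin/sh
# Added example, not code from the thread. It models the failure shown in post #1
# and the ip_conntrack_ftp fix from post #2 (see the lead-in above for the mechanism).

# Turn "227 Entering Passive Mode (h1,h2,h3,h4,p1,p2)" into the TCP port p1*256+p2.
pasv_port() {
    inner=$(printf '%s\n' "$1" | sed 's/.*(\([^)]*\)).*/\1/')
    p1=$(printf '%s\n' "$inner" | cut -d, -f5)
    p2=$(printf '%s\n' "$inner" | cut -d, -f6)
    echo $(( p1 * 256 + p2 ))
}

# Does an `iptables -L -n` listing (passed as a string) have an ACCEPT rule for
# NEW TCP connections to port $2? Matches "dpt:PORT" or a "dpts:LO:HI" range.
port_opened() {
    printf '%s\n' "$1" | awk -v p="$2" '
        BEGIN { want = "dpt:" p }
        /^ACCEPT/ && $2 == "tcp" {
            for (i = 5; i <= NF; i++) {
                if ($i == want) found = 1
                if (index($i, "dpts:") == 1) {
                    split(substr($i, 6), r, ":")
                    if (p + 0 >= r[1] + 0 && p + 0 <= r[2] + 0) found = 1
                }
            }
        }
        END { exit (found ? 0 : 1) }'
}

# Is the FTP connection-tracking helper loaded? Takes `lsmod` output as a string.
# The module is ip_conntrack_ftp on the CentOS 4 kernel; later kernels call it nf_conntrack_ftp.
helper_loaded() {
    printf '%s\n' "$1" | grep -Eq '^(ip|nf)_conntrack_ftp[[:space:]]'
}

# Verdict for one passive data connection: "tracked" (helper marks it RELATED),
# "opened" (an explicit rule admits the port), or "rejected" (what post #1 saw).
diagnose() {
    port=$(pasv_port "$1")
    if helper_loaded "$3"; then
        echo tracked
    elif port_opened "$2" "$port"; then
        echo opened
    else
        echo rejected
    fi
}

# Constructed sample data, modelled on post #1 (iptables -L -n prints numeric ports;
# 192.0.2.10 is a documentation address and the lsmod lines are illustrative).
REPLY='227 Entering Passive Mode (192,0,2,10,224,97)'
LISTING='Chain RH-Firewall-1-INPUT (2 references)
target     prot opt source               destination
ACCEPT     all  --  0.0.0.0/0            0.0.0.0/0           state RELATED,ESTABLISHED
ACCEPT     tcp  --  0.0.0.0/0            0.0.0.0/0           state NEW tcp dpt:21
ACCEPT     tcp  --  0.0.0.0/0            0.0.0.0/0           state NEW tcp dpt:22
REJECT     all  --  0.0.0.0/0            0.0.0.0/0           reject-with icmp-host-prohibited'
NO_HELPER='ip_tables               17536  4 iptable_filter
ip_conntrack            40876  1 ipt_state'
WITH_HELPER="ip_conntrack_ftp        12305  0
$NO_HELPER"

echo "data port announced: $(pasv_port "$REPLY")"
echo "without helper: $(diagnose "$REPLY" "$LISTING" "$NO_HELPER")"
echo "with helper:    $(diagnose "$REPLY" "$LISTING" "$WITH_HELPER")"
```

On the real box the equivalent checks are `lsmod | grep conntrack_ftp` and `iptables -L -n` after `modprobe ip_conntrack_ftp`. The other common fix, if you would rather not rely on a protocol helper, is to pin the server to a fixed passive port range (pure-ftpd's PassivePortRange setting) and add one ACCEPT rule with `--dport lo:hi` for that range, which is what the "opened" verdict above represents.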
08-30-2006, 10:48 PM, #3, LQ Newbie, Original Poster (Registered: Aug 2006, Posts: 19)
Reading into the ip_conntrack_ftp module now. As for the 2nd question, yes, if I turn off the FW you can successfully FTP in and keep your connection. Thanks for the quick reply, will let you know progress.
Also, any idea what the "ACCEPT udp -- anywhere 224.0.0.251 udp dpt:5353" line does? I planned on looking into that but for now just want FTP working.
lance
08-30-2006, 11:03 PM, #5, LQ Newbie, Original Poster (Registered: Aug 2006, Posts: 19)
Great, I'm on EST so the PDF is now open, will look first thing; thank you again for the prompt replies and will post in the AM ...
08-31-2006, 01:52 AM, #6, Senior Member (Registered: Mar 2003, Distribution: Fedora, Posts: 3,658)
Quote:
    Originally Posted by sir-lancealot!
    reading into the ip_conntrack_ftp module now.
Cool, as root you'll need to do: modprobe ip_conntrack_ftp
Quote:
    Also, any idea what ACCEPT udp -- anywhere 224.0.0.251 udp dpt:5353 line does?
Accepts Multicast DNS traffic (mDNSResponder daemon). AFAIK, it allows compatibility with Zeroconf and some Apple protocols like Rendezvous and Bonjour.
08-31-2006, 11:25 AM, #7, LQ Newbie, Original Poster (Registered: Aug 2006, Posts: 19)
Bingo.. The modprobe worked like a charm. Now since I am not that savvy (getting there), how can I start this on reboot?
I know I can throw it into the rc.local file, which I bet is the wrong way of doing it. Looked in the modprobe.conf file but only a few lines and no options.
I read some more and saw someone mentioning in /etc/rc.d/init.d/iptables
to do the following:
Change:
IPTABLES_MODULES=""
To:
IPTABLES_MODULES="ip_conntrack_ftp"
Now that to me says when iptables starts to use that module; is that the case?
Either way I now see it working, so thank you very much for the help and such prompt replies. This is my personal box which my buddy helped set up; I know a lot of the things I do all the time and don't really know what / why it works, so I am trying to get the answers by reading more and understanding vs. calling him all the time.
Again, thank you very much
08-31-2006, 05:40 PM, #8, Senior Member (Registered: Mar 2003, Distribution: Fedora, Posts: 3,658)
Quote:
    I know I can throw it into the rc.local file, which I bet is the wrong way of doing it. Looked in the modprobe.conf file but only a few lines and no options.
    I read some more and saw someone mentioning in /etc/rc.d/init.d/iptables
    to do the following:
    Change:
    IPTABLES_MODULES=""
    To:
    IPTABLES_MODULES="ip_conntrack_ftp"
Either way will work. Putting it in the init.d script is probably the more "elegant" solution though.
Quote:
    I know a lot of the things I do all the time and don't really know what / why it works, so I am trying to get the answers by reading more and understanding vs. calling him all the time.
Hang in there. It can be frustrating struggling with these little nuances, but keep reading docs and making it a point to try to figure things out yourself (it seems like you are) and pretty soon you'll be a guru. Besides, getting passive FTP to work with iptables is pretty tricky and most people struggle with it (I know I did).
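The persistence question in post #7 and the answer in post #8, as an added example (my own script, not commands from either poster). On CentOS 4 the iptables init script sources /etc/sysconfig/iptables-config, which is the file that actually carries the IPTABLES_MODULES="" line, and it runs modprobe for every module named there when the firewall starts; that is the persistent form of the `modprobe ip_conntrack_ftp` from post #6. The file path is a parameter so the functions can be tried on a scratch copy before editing the real one, and the sample file contents are constructed. ip_nat_ftp is the matching NAT helper, only needed when the server sits behind NAT.

```shell
#!/bin/sh
# Added example, not commands from the thread. Makes the FTP conntrack helper
# persistent by listing it in IPTABLES_MODULES of the Red Hat iptables config
# (/etc/sysconfig/iptables-config on CentOS 4). The path is a parameter so the
# functions can be exercised on a scratch copy first.

# Ensure MODULE is listed in the IPTABLES_MODULES="..." line of FILE. Idempotent:
# a module already present is not added twice, and a missing line is created.
enable_iptables_module() {
    file=$1; module=$2
    if ! grep -q '^IPTABLES_MODULES=' "$file"; then
        printf 'IPTABLES_MODULES="%s"\n' "$module" >> "$file"
        return 0
    fi
    current=$(sed -n 's/^IPTABLES_MODULES="\(.*\)"$/\1/p' "$file")
    for m in $current; do
        [ "$m" = "$module" ] && return 0
    done
    new=$(printf '%s %s' "$current" "$module" | sed 's/^ *//')
    sed "s/^IPTABLES_MODULES=.*/IPTABLES_MODULES=\"$new\"/" "$file" > "$file.tmp" &&
        mv "$file.tmp" "$file"
}

# Print the modules FILE asks the init script to load, one per line.
configured_modules() {
    sed -n 's/^IPTABLES_MODULES="\(.*\)"$/\1/p' "$1" | tr ' ' '\n' | sed '/^$/d'
}

# Demo on a constructed scratch copy of the stock file (two keys shown, not the whole file).
cfg=$(mktemp)
printf 'IPTABLES_MODULES=""\nIPTABLES_SAVE_ON_STOP="no"\n' > "$cfg"
enable_iptables_module "$cfg" ip_conntrack_ftp
enable_iptables_module "$cfg" ip_conntrack_ftp    # second call is a no-op
enable_iptables_module "$cfg" ip_nat_ftp          # NAT helper, only if the server is behind NAT
echo "modules to load at firewall start:"
configured_modules "$cfg"
rm -f "$cfg"
```

After editing the real file, `service iptables restart` followed by `lsmod | grep conntrack_ftp` confirms the helper comes back with the firewall rather than depending on rc.local.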