LinuxQuestions.org
Go Back   LinuxQuestions.org > Forums > Linux Forums > Linux - Security
Old 08-30-2006, 10:22 PM   #1
sir-lancealot!
LQ Newbie
 
Registered: Aug 2006
Posts: 19

Rep: Reputation: 0
centos - firewall up - ftp no permissions


Evening all, not sure but figured security was the right place to post this. Basically I have a CentOS 4 machine with up to date patches.

I am hosting several websites and had an issue with FTP, so I left the FW off, but now this box is live, and if I enable the FW and allow each service, SSH, mail, etc. all work fine, yet FTP does not. If I connect with a GUI app from any OS such as Fetch, Dreamweaver or Quanta I get "connection refused", while /var/log/messages shows the following:

Aug 30 21:57:35 hobbs pure-ftpd: (?@x.x.x.x) [INFO] New connection from x.x.x.x
Aug 30 21:57:35 hobbs pure-ftpd: (?@x.x.x.x) [INFO] jinxster is now logged in
Aug 30 21:57:36 hobbs pure-ftpd: (jinxster@x.x.x.x) [INFO] Logout.


So it sees the connection and, according to the above logs, lets you in, yet the client gets a refused.
Also, if you use the command line from the same client, you get the following:

[lance@localhost ~]$ ftp
ftp> open
(to) x.x.x.x
Connected to x.x.x.x
220---------- Welcome to Pure-FTPd [privsep] [TLS] ----------
220-You are user number 2 of 50 allowed.
220-Local time is now 22:11. Server port: 21.
220-This is a private system - No anonymous login
220-IPv6 connections are also welcome on this server.
220 You will be disconnected after 15 minutes of inactivity.
500 This security scheme is not implemented
500 This security scheme is not implemented
KERBEROS_V4 rejected as an authentication type
Name (x.x.x.x:lance): lance
331 User lance OK. Password required
Password:
230-User lance has group access to: lance
230 OK. Current restricted directory is /
Remote system type is UNIX.
Using binary mode to transfer files.
ftp> ls
227 Entering Passive Mode (x.x.x.x,224,97)
ftp: connect: No route to host


iptables looks like this:

Chain FORWARD (policy ACCEPT)
target prot opt source destination
RH-Firewall-1-INPUT all -- anywhere anywhere

Chain OUTPUT (policy ACCEPT)
target prot opt source destination

Chain RH-Firewall-1-INPUT (2 references)
target prot opt source destination
ACCEPT all -- anywhere anywhere
ACCEPT icmp -- anywhere anywhere icmp any
ACCEPT ipv6-crypt-- anywhere anywhere
ACCEPT ipv6-auth-- anywhere anywhere
ACCEPT udp -- anywhere 224.0.0.251 udp dpt:5353
ACCEPT udp -- anywhere anywhere udp dpt:ipp
ACCEPT all -- anywhere anywhere state RELATED,ESTABLISHED
ACCEPT tcp -- anywhere anywhere state NEW tcp dpt:https
ACCEPT tcp -- anywhere anywhere state NEW tcp dpt:imap
ACCEPT tcp -- anywhere anywhere state NEW tcp dpt:ftp
ACCEPT tcp -- anywhere anywhere state NEW tcp dpt:ssh
ACCEPT tcp -- anywhere anywhere state NEW tcp dpt:smtp
ACCEPT tcp -- anywhere anywhere state NEW tcp dpt:http
REJECT all -- anywhere anywhere reject-with icmp-host-prohibited


I tried using vsftpd as well as pure-ftpd, so I know it's not that. Sorry for such a long post, but I am pulling what's left of my hair out. Thank you for the time and any suggestions.

--Lance--
 
Old 08-30-2006, 10:44 PM   #2
Capt_Caveman
Senior Member
 
Registered: Mar 2003
Distribution: Fedora
Posts: 3,658

Rep: Reputation: 69
Try loading the ip_conntrack_ftp module. Basically, iptables often has a hard time maintaining the connection when you initiate the data channel in passive FTP and doesn't recognize it as part of an established connection. Also, does FTP work with the firewall off?
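As an added illustration (not code from the thread), this POSIX shell script decodes a 227 reply like the one above and models the RH-Firewall-1-INPUT chain shown in the first post, with and without the ip_conntrack_ftp helper. The address 10.0.0.5 and the PASV octets are constructed sample values; the open-port list is taken from the ACCEPT rules in the thread.

```shell
#!/bin/sh
# Added example: why a passive FTP data connection gets "No route to host"
# until ip_conntrack_ftp is loaded. Sample values are constructed.

# Parse "227 Entering Passive Mode (h1,h2,h3,h4,p1,p2)" into "h1.h2.h3.h4:port".
# The data port is p1*256 + p2 (RFC 959); e.g. 224,97 -> 57441.
pasv_port() {
    set -- $(printf '%s\n' "$1" | sed -n 's/.*(\([0-9,]*\)).*/\1/p' | tr ',' ' ')
    [ $# -eq 6 ] || { echo "malformed PASV reply" >&2; return 1; }
    echo "$1.$2.$3.$4:$(( $5 * 256 + $6 ))"
}

# Simplified model of the server's RH-Firewall-1-INPUT chain for an inbound
# TCP SYN from the client.
#   $1 = destination port of the SYN
#   $2 = "helper" if ip_conntrack_ftp is loaded, anything else if not
#   $3 = data port announced in the 227 reply on the control channel
# With the helper loaded, conntrack parses the 227 reply and creates an
# expectation, so the SYN to that port matches "state RELATED" and is accepted.
# Without it, only the explicit "state NEW tcp dpt:" rules can match, and
# everything else hits the final REJECT (icmp-host-prohibited), which the
# client reports as "No route to host".
input_verdict() {
    port=$1; helper=$2; expected=$3
    if [ "$helper" = helper ] && [ "$port" = "$expected" ]; then
        echo ACCEPT; return
    fi
    case "$port" in
        21|22|25|80|143|443) echo ACCEPT ;;   # ftp ssh smtp http imap https
        *) echo "REJECT icmp-host-prohibited" ;;
    esac
}

# Walk through the thread's scenario with constructed values.
reply='227 Entering Passive Mode (10,0,0,5,224,97)'
target=$(pasv_port "$reply")
dport=${target##*:}
echo "data connection goes to $target"
echo "without helper: $(input_verdict "$dport" nohelper "$dport")"
echo "with helper:    $(input_verdict "$dport" helper "$dport")"
```

Loading the module on the running system is what Capt_Caveman describes (modprobe ip_conntrack_ftp as root); the script only models the rule evaluation so it can be run anywhere.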
 
Old 08-30-2006, 10:48 PM   #3
sir-lancealot!
LQ Newbie
 
Registered: Aug 2006
Posts: 19

Original Poster
Rep: Reputation: 0
Reading into the ip_conntrack_ftp module now. As for the 2nd question, yes, if I turn off the FW you can successfully ftp in and keep your connection. Thanks for the quick reply, will let you know progress.

Also, any idea what the "ACCEPT udp -- anywhere 224.0.0.251 udp dpt:5353" line does? I planned on looking into that, but for now I just want FTP working.

lance
 
Old 08-30-2006, 10:57 PM   #4
jschiwal
LQ Guru
 
Registered: Aug 2001
Location: Fargo, ND
Distribution: SuSE AMD64
Posts: 15,733

Rep: Reputation: 682
I read somewhere that you need ip_conntrack_ftp loaded.
This link may provide details: http://www.laser.dist.unige.it/Repos...p_conntrack%22

The first example iptables entry given by notwerk in http://www.linuxquestions.org/questi...cess+conntrack
might be useful if you are using active ftp.
 
Old 08-30-2006, 11:03 PM   #5
sir-lancealot!
LQ Newbie
 
Registered: Aug 2006
Posts: 19

Original Poster
Rep: Reputation: 0
Great, I'm on EST so the PDF is now open, will look first thing. Thank you again for the prompt replies and I will post in the AM ...
 
Old 08-31-2006, 01:52 AM   #6
Capt_Caveman
Senior Member
 
Registered: Mar 2003
Distribution: Fedora
Posts: 3,658

Rep: Reputation: 69
Quote:
Originally Posted by sir-lancealot!
reading into the ip_conntrack_ftp module now.
Cool, as root you'll need to do: modprobe ip_conntrack_ftp

Quote:
Also, any idea what ACCEPT udp -- anywhere 224.0.0.251 udp dpt:5353 line does?
Accepts Multicast DNS traffic (mDNSResponder daemon). AFAIK, it allows compatibility with Zeroconf and some Apple protocols like Rendezvous and Bonjour.
 
Old 08-31-2006, 11:25 AM   #7
sir-lancealot!
LQ Newbie
 
Registered: Aug 2006
Posts: 19

Original Poster
Rep: Reputation: 0
Bingo. The modprobe worked like a charm. Now, since I am not that savvy (getting there), how can I start this on reboot?

I know I can throw it into the rc.local file which I bet is the wrong way of doing it. Looked in the modprobe.conf file but only a few lines and no options.

I read some more and saw someone mentioning in /etc/rc.d/init.d/iptables
to do the following;
Change;
IPTABLES_MODULES=""
To;
IPTABLES_MODULES="ip_conntrack_ftp"

Now that to me says when iptables starts to use that module; is that the case?

Either way, I now see it working, so thank you very much for the help and such prompt replies. This is my personal box which my buddy helped set up; I know a lot of the things I do all the time and don't really know what / why it works, so I am trying to get the answers by reading more and understanding vs. calling him all the time.

Again, thank you very much
 
Old 08-31-2006, 05:40 PM   #8
Capt_Caveman
Senior Member
 
Registered: Mar 2003
Distribution: Fedora
Posts: 3,658

Rep: Reputation: 69
Quote:
I know I can throw it into the rc.local file which I bet is the wrong way of doing it. Looked in the modprobe.conf file but only a few lines and no options.
I read some more and saw someone mentioning in /etc/rc.d/init.d/iptables
to do the following;
Change;
IPTABLES_MODULES=""
To;
IPTABLES_MODULES="ip_conntrack_ftp"
Either way will work. Putting it in the init.d script is probably the more "elegant" solution though.

Quote:
I know a lot of the things I do all the time and don't really know what / why it works, so I am trying to get the answers by reading more and understanding vs. calling him all the time.
Hang in there. It can be frustrating struggling with these little nuances, but keep reading docs and making it a point to try to figure things out yourself (it seems like you are) and pretty soon you'll be a guru. Besides, getting passive FTP to work with iptables is pretty tricky and most people struggle with it (I know I did).
 