LinuxQuestions.org > Forums > Linux Forums > Linux - Security
Linux - Security: This forum is for all security related questions. Questions, tips, system compromises, firewalls, etc. are all included here.
10-18-2007, 06:05 PM #1
r3sistance
Senior Member
Registered: Mar 2004
Location: UK
Distribution: CentOS 6/7
Posts: 1,375

Enabling FTP


I am currently setting up a Linux Server I have recently built and have used yum to install vsftpd on to it, however I am currently unable to open an external FTP connection to this machine.

I am thinking what I am putting into iptables is the problem, so I am wondering what I should be putting in to bring up ftp securely. Any help would be appreciated.
 
10-18-2007, 06:25 PM #2
win32sux
LQ Guru
Registered: Jul 2003
Location: Los Angeles
Distribution: Ubuntu
Posts: 9,870
Just open TCP port 21 and have a rule for RELATED and ESTABLISHED packets.

Example:
Code:
iptables -A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
iptables -A INPUT -p TCP --dport 21 -m state --state NEW -j ACCEPT
Also make sure you load the ip_conntrack_ftp helper module unless you compiled it in.
 
10-18-2007, 06:43 PM #3
r3sistance (Original Poster)
Thanks for the quick reply. That's modprobe ip_conntrack_ftp, right? I am not experienced with Linux unfortunately, mainly used GUIs in the past to my somewhat shame...

Darn thing still doesn't wanna establish connections with other machines for FTP =/... can FTP it from itself but I am guessing it's still firewalling it... SSHed into a machine on the same site so there shouldn't be anything between those two machines that would block FTP at all. Is there anything (stupidly) obvious I should check?

 
10-18-2007, 06:45 PM #4
win32sux
Yes, you'd use modprobe. Can you post your active iptables configuration?
Code:
iptables -nvL
Please use code tags when you do so.
 
10-18-2007, 06:52 PM #5
r3sistance (Original Poster)
OK

Code:
[root@synbios ~]# iptables -nvL
Chain INPUT (policy ACCEPT 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source               destination
  667 64730 RH-Firewall-1-INPUT  all  --  *      *       0.0.0.0/0            0.0.0.0/0

Chain FORWARD (policy ACCEPT 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source               destination
    0     0 RH-Firewall-1-INPUT  all  --  *      *       0.0.0.0/0            0.0.0.0/0

Chain OUTPUT (policy ACCEPT 501 packets, 89113 bytes)
 pkts bytes target     prot opt in     out     source               destination

Chain RH-Firewall-1-INPUT (2 references)
 pkts bytes target     prot opt in     out     source               destination
   88  5734 ACCEPT     all  --  lo     *       0.0.0.0/0            0.0.0.0/0
    0     0 ACCEPT     icmp --  *      *       0.0.0.0/0            0.0.0.0/0           icmp type 255
    0     0 ACCEPT     esp  --  *      *       0.0.0.0/0            0.0.0.0/0
    0     0 ACCEPT     ah   --  *      *       0.0.0.0/0            0.0.0.0/0
    0     0 ACCEPT     udp  --  *      *       0.0.0.0/0            224.0.0.251         udp dpt:5353
    0     0 ACCEPT     udp  --  *      *       0.0.0.0/0            0.0.0.0/0           udp dpt:631
  414 32899 ACCEPT     all  --  *      *       0.0.0.0/0            0.0.0.0/0           state RELATED,ESTABLISHED
    2   104 ACCEPT     tcp  --  *      *       0.0.0.0/0            0.0.0.0/0           state NEW tcp dpt:22
  163 25993 REJECT     all  --  *      *       0.0.0.0/0            0.0.0.0/0           reject-with icmp-host-prohibited
I tried those two lines you gave me, and various other things and I swear the information in iptables isn't changing... but meh, my Linux knowledge sucks unfortunately ^^;;.

 
10-18-2007, 07:06 PM #6
win32sux
Quote:
Originally Posted by r3sistance
I tried those two lines you gave me, and various other things and I swear the information in iptables isn't changing... but meh, my Linux knowledge sucks unfortunately ^^;;.
Yeah, they were meant as examples which would have to be tailored to your setup.

In any case, this should do the trick (from what I see in your post):
Code:
iptables -I RH-Firewall-1-INPUT -p TCP --dport 21 -m state --state NEW -j ACCEPT
You don't need the RELATED,ESTABLISHED rule I posted because you already have one set.

 
10-18-2007, 07:17 PM #7
r3sistance (Original Poster)
Quote:
Originally Posted by win32sux
Yeah, they were meant as examples which would have to be tailored to your setup.

In any case, this should do the trick (from what I see in your post):
Code:
iptables -I RH-Firewall-1-INPUT -p TCP --dport 21 -m state --state NEW -j ACCEPT
You don't need the RELATED,ESTABLISHED rule I posted because you already have one set.
errr... sorry about that then ^^;;... anyway thanks, that seems to have done the job nicely. I really need to learn Linux correctly one of these days.
 
10-18-2007, 08:12 PM #8
win32sux
Glad it worked.

BTW, remember that for this config to survive a reboot you need to do a:
Code:
service iptables save
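Putting posts #6 and #8 together, here is an added example (not code from the thread) of the same fix as a small script: it checks whether the helper module and the port-21 rule are already in place before touching anything, and the rule check takes a saved `iptables -nvL` listing as input, so you can confirm the rule landed in the chain that actually sees the traffic. Assumed: the chain name RH-Firewall-1-INPUT from the poster's listing, and the helper module name ip_conntrack_ftp (nf_conntrack_ftp on newer kernels).

```shell
#!/bin/bash
# Added example, not code from the thread: idempotently open TCP/21 in the
# RH-Firewall-1-INPUT chain and make sure the FTP conntrack helper is loaded.
# Assumptions: chain name as in the poster's listing, and the helper module is
# called ip_conntrack_ftp (2.6-era CentOS) or nf_conntrack_ftp (newer kernels).

# Return 0 if an `iptables -nvL` listing (passed as $1 so it can be checked
# offline) already contains an ACCEPT rule for NEW TCP connections to port 21.
ftp_rule_present() {
    printf '%s\n' "$1" | grep -Eq 'ACCEPT +tcp .*state NEW tcp dpt:21( |$)'
}

# Return 0 if the FTP connection-tracking helper shows up in `lsmod` output ($1).
ftp_helper_loaded() {
    printf '%s\n' "$1" | grep -Eq '^(ip|nf)_conntrack_ftp[[:space:]]'
}

# Apply the change on a live box (needs root). The helper is what lets the
# existing RELATED,ESTABLISHED rule admit the separate FTP data connections.
open_ftp() {
    local chain=${1:-RH-Firewall-1-INPUT}
    ftp_helper_loaded "$(lsmod)" || modprobe ip_conntrack_ftp
    if ftp_rule_present "$(iptables -nvL "$chain")"; then
        echo "port 21 rule already present in $chain"
    else
        # -I inserts at the top, ahead of the chain's final REJECT rule;
        # run `service iptables save` afterwards so it survives a reboot.
        iptables -I "$chain" -p tcp --dport 21 -m state --state NEW -j ACCEPT
    fi
}

# Constructed sample: the poster's chain after the fix, for an offline check.
SAMPLE_LISTING='Chain RH-Firewall-1-INPUT (2 references)
 pkts bytes target     prot opt in     out     source               destination
    0     0 ACCEPT     tcp  --  *      *       0.0.0.0/0            0.0.0.0/0           state NEW tcp dpt:21
    2   104 ACCEPT     tcp  --  *      *       0.0.0.0/0            0.0.0.0/0           state NEW tcp dpt:22
  163 25993 REJECT     all  --  *      *       0.0.0.0/0            0.0.0.0/0           reject-with icmp-host-prohibited'

ftp_rule_present "$SAMPLE_LISTING" && echo "sample listing: port 21 rule present"
```

Run `open_ftp` as root to apply it; the two check functions can be fed a listing or lsmod output captured from another host.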
 
10-19-2007, 12:36 PM #9
r3sistance (Original Poster)
Hmm ok. Thanks, this machine is mainly for development purposes so it's not a major thing needing FTP up all time anyway ^^;;.
All times are GMT -5.