Linux - Security This forum is for all security related questions.
Questions, tips, system compromises, firewalls, etc. are all included here. |
Notices |
Welcome to LinuxQuestions.org, a friendly and active Linux Community.
You are currently viewing LQ as a guest. By joining our community you will have the ability to post topics, receive our newsletter, use the advanced search, subscribe to threads and access many other special features. Registration is quick, simple and absolutely free. Join our community today!
Note that registered members see fewer ads, and ContentLink is completely disabled once you log in.
Are you new to LinuxQuestions.org? Visit the following links:
Site Howto |
Site FAQ |
Sitemap |
Register Now
If you have any problems with the registration process or your account login, please contact us. If you need to reset your password, click here.
Having a problem logging in? Please visit this page to clear all LQ-related cookies.
Get a virtual cloud desktop with the Linux distro that you want in less than five minutes with Shells! With over 10 pre-installed distros to choose from, the worry-free installation life is here! Whether you are a digital nomad or just looking for flexibility, Shells can put your Linux machine on the device that you want to use.
Exclusive for LQ members, get up to 45% off per month. Click here for more info.
|
|
10-18-2007, 06:05 PM
|
#1
|
Senior Member
Registered: Mar 2004
Location: UK
Distribution: CentOS 6/7
Posts: 1,375
|
Enabling FTP
I am currently setting up a Linux Server I have recently built and have used yum to install vsftpd on to it, however I am currently unable to open an external FTP connection to this machine.
I am thinking what I am putting into iptables is the problem, so I am wondering what I should be putting in to bring up ftp securely. Any help would be appreciated.
|
|
|
10-18-2007, 06:25 PM
|
#2
|
LQ Guru
Registered: Jul 2003
Location: Los Angeles
Distribution: Ubuntu
Posts: 9,870
|
Just open TCP port 21 and have a rule for RELATED and ESTABLISHED packets.
Example:
Code:
iptables -A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
iptables -A INPUT -p TCP --dport 21 -m state --state NEW -j ACCEPT
Also make sure you load the ip_conntrack_ftp helper module unless you compiled it in.
|
|
|
10-18-2007, 06:43 PM
|
#3
|
Senior Member
Registered: Mar 2004
Location: UK
Distribution: CentOS 6/7
Posts: 1,375
Original Poster
|
Thanks for the quick reply, That's modprobe ip_conntrack_ftp right? I am not experienced with Linux unforantly, mainly used GUIs in the past to my some what shame...
Darn thing still doesn't wanna establish connections with other machines for FTP =/... can FTP it from itself but I am guessing it's still firewalling it... SSHed into a machine on the same site so there shouldn't be anything between those two machines that would block FTP at all. Is their anything (stupidly) obvious I should check?
Last edited by r3sistance; 10-18-2007 at 06:44 PM.
|
|
|
10-18-2007, 06:45 PM
|
#4
|
LQ Guru
Registered: Jul 2003
Location: Los Angeles
Distribution: Ubuntu
Posts: 9,870
|
Yes, you'd use modprobe. Can you post your active iptables configuration? Please use code tags when you do so.
|
|
|
10-18-2007, 06:52 PM
|
#5
|
Senior Member
Registered: Mar 2004
Location: UK
Distribution: CentOS 6/7
Posts: 1,375
Original Poster
|
Ok
Code:
[root@synbios ~]# iptables -nvL
Chain INPUT (policy ACCEPT 0 packets, 0 bytes)
pkts bytes target prot opt in out source destination
667 64730 RH-Firewall-1-INPUT all -- * * 0.0.0.0/0 0. 0.0.0/0
Chain FORWARD (policy ACCEPT 0 packets, 0 bytes)
pkts bytes target prot opt in out source destination
0 0 RH-Firewall-1-INPUT all -- * * 0.0.0.0/0 0. 0.0.0/0
Chain OUTPUT (policy ACCEPT 501 packets, 89113 bytes)
pkts bytes target prot opt in out source destination
Chain RH-Firewall-1-INPUT (2 references)
pkts bytes target prot opt in out source destination
88 5734 ACCEPT all -- lo * 0.0.0.0/0 0.0.0.0/0
0 0 ACCEPT icmp -- * * 0.0.0.0/0 0.0.0.0/0 icmp type 255
0 0 ACCEPT esp -- * * 0.0.0.0/0 0.0.0.0/0
0 0 ACCEPT ah -- * * 0.0.0.0/0 0.0.0.0/0
0 0 ACCEPT udp -- * * 0.0.0.0/0 224.0.0.251 udp dpt:5353
0 0 ACCEPT udp -- * * 0.0.0.0/0 0.0.0.0/0 udp dpt:631
414 32899 ACCEPT all -- * * 0.0.0.0/0 0.0.0.0/0 state RELATED,ESTABLISHED
2 104 ACCEPT tcp -- * * 0.0.0.0/0 0.0.0.0/0 state NEW tcp dpt:22
163 25993 REJECT all -- * * 0.0.0.0/0 0.0.0.0/0 reject-with icmp-host-prohibited
I tried those two lines you gave me, and various other things and I swear the information in iptables isn't changing... but meh, my Linux knowledge sucks unforantly ^^;;.
Last edited by r3sistance; 10-18-2007 at 06:53 PM.
|
|
|
10-18-2007, 07:06 PM
|
#6
|
LQ Guru
Registered: Jul 2003
Location: Los Angeles
Distribution: Ubuntu
Posts: 9,870
|
Quote:
Originally Posted by r3sistance
I tried those two lines you gave me, and various other things and I swear the information in iptables isn't changing... but meh, my Linux knowledge sucks unforantly ^^;;.
|
Yeah, they were meant as examples which would have to be tailored to your setup.
In any case, this should do the trick (from what I see in your post):
Code:
iptables -I RH-Firewall-1-INPUT -p TCP --dport 21 -m state --state NEW -j ACCEPT
You don't need the RELATED,ESTABLISHED rule I posted because you already have one set.
Last edited by win32sux; 10-18-2007 at 07:08 PM.
|
|
|
10-18-2007, 07:17 PM
|
#7
|
Senior Member
Registered: Mar 2004
Location: UK
Distribution: CentOS 6/7
Posts: 1,375
Original Poster
|
Quote:
Originally Posted by win32sux
Yeah, they were meant as examples which would have to be tailored to your setup.
In any case, this should do the trick (from what I see in your post):
Code:
iptables -I RH-Firewall-1-INPUT -p TCP --dport 21 -m state --state NEW -j ACCEPT
You don't need the RELATED,ESTABLISHED rule I posted because you already have one set.
|
errr... sorry about that then ^^;;... anyway thanks, that seems to have done the job nicely. I really need to learn Linux correctly one of these days .
|
|
|
10-18-2007, 08:12 PM
|
#8
|
LQ Guru
Registered: Jul 2003
Location: Los Angeles
Distribution: Ubuntu
Posts: 9,870
|
Glad it worked.
BTW, remember that for this config to survive a reboot you need to do a:
Code:
service iptables save
|
|
|
10-19-2007, 12:36 PM
|
#9
|
Senior Member
Registered: Mar 2004
Location: UK
Distribution: CentOS 6/7
Posts: 1,375
Original Poster
|
Hmm ok. Thanks, this machine is mainly for development purposes so it's not a major thing needing FTP up all time anyway ^^;;.
|
|
|
All times are GMT -5. The time now is 06:58 PM.
|
LinuxQuestions.org is looking for people interested in writing
Editorials, Articles, Reviews, and more. If you'd like to contribute
content, let us know.
|
Latest Threads
LQ News
|
|