LinuxQuestions.org
Go Back   LinuxQuestions.org > Forums > Linux Forums > Linux - Security
Old 07-03-2015, 11:34 AM   #1
JockVSJock
Senior Member
 
Registered: Jan 2004
Posts: 1,420
Blog Entries: 4

Rep: Reputation: 164
IPTables blocking access to VSFTP Server


This is in my home RHEL v6.5 lab. I'm trying to set up a local RHEL RPM repo from which I can serve RPMs via vsftp.

If I leave IPTables up and running on the server, I cannot reach the server. If I flush IPTables on the server, I can reach it no problem and log in as well and do what I need to do.

I have the following two machines:

-server1.example.com 192.168.122.50/24
-ApacheFTP.example.com 192.168.122.254/24

These are the current IPTables settings on the ApacheFTP.example.com server:

Code:
cat iptables_20150703
*filter
:INPUT ACCEPT [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [30:2308]
-A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
-A INPUT -p icmp -j ACCEPT 
-A INPUT -i lo -j ACCEPT 
-A INPUT -j REJECT --reject-with icmp-host-prohibited 
-A INPUT -p udp -m state --state -NEW -m udp --dport 20 -j ACCEPT
-A INPUT -p tcp -m state --state -NEW -m tcp --dport 20 -j ACCEPT
-A INPUT -p tcp -m state --state -NEW -m tcp --dport 21 -j ACCEPT 
-A INPUT -p udp -m state --state -NEW -m udp --dport 21 -j ACCEPT 
-A FORWARD -j REJECT -reject-with icmp-host-prohibited 
-A OUTPUT -p tcp -m tcp --sport 20 -j ACCEPT 
-A OUTPUT -p udp -m udp --sport 20 -j ACCEPT 
-A OUTPUT -p tcp -m tcp --sport 21 -j ACCEPT 
-A OUTPUT -p udp -m udp --sport 21 -j ACCEPT
I can ping and traceroute between the two with no problems.

If I run nc from the server:

Code:
nc -z -v localhost 20 

nc:  connect to localhost port 20 (tcp) failed:  Connection refused 
nc:  connect to localhost port 20 (tcp) failed:  Connection refused 

nc -z -v localhost 21 

nc:  connect to localhost port 21 (tcp) failed:  Connection refused 
Connection to localhost 21 port [tcp/ftp] succeeded!

I have both ports open in IPTables, so I don't understand why I don't get "succeeded" for port 20, and why for port 21 it fails first and then succeeds.

I've also noticed that during the bootup, I'm getting this error message

Code:
Starting vsftpd for vsftpd-192.168.122.254:  500 OOPS:  vsftpd: not configured for standalone, must be started from inetd

So I'm not sure where to start troubleshooting this.
 
Old 07-03-2015, 12:35 PM   #2
paul2015
Member
 
Registered: Apr 2015
Distribution: CentOS Fedora
Posts: 149

Rep: Reputation: 4
I had a problem like that. Is your FTP configured with TLS? In your place I would try to connect with iptables stopped. If it is the iptables issue, here is how I configured ftp and iptables:

listen_address=192.168.1.33
listen_port=22
listen=YES
listen_ipv6=NO
tcp_wrappers=YES
idle_session_timeout=600
data_connection_timeout=120
pasv_enable=YES
pasv_address=192.168.1.33
pasv_promiscuous=NO
pasv_min_port=12000
pasv_max_port=13000

iptables -A INPUT -p tcp -m tcp --dport 22 -j ACCEPT
iptables -A INPUT -p tcp -m tcp --dport 12000:13000 -j ACCEPT
iptables -A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
iptables -A OUTPUT -p tcp -m tcp --dport 12000:13000 -j ACCEPT
iptables -A OUTPUT -m state --state RELATED,ESTABLISHED -j ACCEPT


For troubleshooting I would remove these rules for a while:

-A FORWARD -j REJECT -reject-with icmp-host-prohibited
-A INPUT -j REJECT --reject-with icmp-host-prohibited

Is SELinux enabled?

semanage port -a -t ftp_port_t -p tcp 22
setsebool -P ftp_home_dir on
setsebool -P ftpd_anon_write on

Last edited by paul2015; 07-03-2015 at 12:38 PM.
 
Old 07-03-2015, 02:00 PM   #3
JockVSJock
Senior Member
 
Registered: Jan 2004
Posts: 1,420

Original Poster
Blog Entries: 4

Rep: Reputation: 164
Quote:
Originally Posted by paul2015
I had a problem like that. Is your FTP configured with TLS? In your place I would try to connect with iptables stopped. If it is the iptables issue, here is how I configured ftp and iptables:
Just for the record, this is VSFTP, not plain old FTP. I would think that there is a big difference in the config files.

I don't recognize any of the settings that you have listed that are under /etc/vsftpd.
 
Old 07-03-2015, 02:03 PM   #4
paul2015
Member
 
Registered: Apr 2015
Distribution: CentOS Fedora
Posts: 149

Rep: Reputation: 4
OK, but it works. I'm just trying to help.
 
Old 07-04-2015, 09:28 AM   #5
vincix
Senior Member
 
Registered: Feb 2011
Distribution: Ubuntu, Centos
Posts: 1,240

Rep: Reputation: 103
Have you loaded the conntrack ftp module in /etc/sysconfig/iptables-config?

IPTABLES_MODULES="ip_conntrack_ftp"

Normally, without this module, with stateful rules, iptables won't be able to switch the port accordingly from the data port to the command port (21 to 20). Now I'm guessing you already know this, but just making sure.

Last edited by vincix; 07-04-2015 at 09:33 AM.
 
Old 07-05-2015, 08:49 PM   #6
JockVSJock
Senior Member
 
Registered: Jan 2004
Posts: 1,420

Original Poster
Blog Entries: 4

Rep: Reputation: 164
Quote:
Originally Posted by vincix
Have you loaded the conntrack ftp module in /etc/sysconfig/iptables-config?

IPTABLES_MODULES="ip_conntrack_ftp"

Normally, without this module, with stateful rules, iptables won't be able to switch the port accordingly from the data port to the command port (21 to 20). Now I'm guessing you already know this, but just making sure.
Yes sir, under /etc/sysconfig/iptables-config I've added the following at the end of the file:

Code:
IPTABLES_MODULES="ip_conntrack_ftp"
Now just to confirm, the config file under /etc/vsftpd/vsftpd.conf is set up with the following:

Code:
connect_from_port_20=YES
Now on IPTables I have rules open for 20 and 21, however netcat continues to fail for port 20 while it works for port 21. I don't understand it, especially if it is set in the config file. I've never worked with FTP before in a production environment. This is in a lab.
 
Old 07-05-2015, 08:56 PM   #7
JockVSJock
Senior Member
 
Registered: Jan 2004
Posts: 1,420

Original Poster
Blog Entries: 4

Rep: Reputation: 164
Quote:
Originally Posted by paul2015
OK, but it works. I'm just trying to help.
I appreciate the input, however my config file looks very different than what you are posting. My config for VSFTPD is under /etc/vsftpd/vsftpd.conf.
 
Old 07-05-2015, 09:39 PM   #8
JockVSJock
Senior Member
 
Registered: Jan 2004
Posts: 1,420

Original Poster
Blog Entries: 4

Rep: Reputation: 164
Quote:
Originally Posted by paul2015
OK, but it works. I'm just trying to help.
Cool, I got it to work with the IPTables recommendations that you made.

Now I need to understand the why behind it.

I don't understand why I deleted the following: reject-with icmp-host-prohibited

And why I added the port number range 12000:13000.

BTW, SELinux is set to enabled, however the current mode is set to permissive.
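An added example, not from the thread: a tiny first-match simulator in Python for the INPUT chain posted in #1, which shows why the ACCEPT rules for ports 20/21 never fire. iptables stops at the first matching rule, and the catch-all REJECT sits above them, so a new TCP connection from another host is rejected before the port 21 ACCEPT is ever consulted; moving the REJECT to the bottom (what deleting it achieved) fixes this. The rule text is copied from post #1 with the stray dash in "--state -NEW" dropped so that only rule order is under test.

```python
import re
# INPUT chain as posted in the thread (constructed from the post; the stray
# dash in "--state -NEW" is dropped so that only rule ORDER is under test).
RULES_AS_POSTED = """
-A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
-A INPUT -p icmp -j ACCEPT
-A INPUT -i lo -j ACCEPT
-A INPUT -j REJECT --reject-with icmp-host-prohibited
-A INPUT -p tcp -m state --state NEW -m tcp --dport 21 -j ACCEPT
"""
# The same rules with the catch-all REJECT moved to the bottom of the chain.
RULES_FIXED = "\n".join(
    l for l in RULES_AS_POSTED.splitlines() if "REJECT" not in l
) + "\n-A INPUT -j REJECT --reject-with icmp-host-prohibited\n"

def parse_rule(line):
    """Pull out the few match options this simulator understands."""
    def opt(flag):
        m = re.search(rf"(?:^|\s){flag}\s+(\S+)", line)
        return m.group(1) if m else None
    return {"proto": opt("-p"), "iface": opt("-i"), "dport": opt("--dport"),
            "state": opt("--state"), "target": opt("-j")}

def rules(chain_text):
    return [parse_rule(l) for l in chain_text.splitlines() if l.startswith("-A INPUT")]

def matches(rule, pkt):
    """True if every match option present on the rule fits the packet."""
    return ((not rule["proto"] or rule["proto"] == pkt["proto"])
            and (not rule["iface"] or rule["iface"] == pkt["iface"])
            and (not rule["dport"] or rule["dport"] == str(pkt["dport"]))
            and (not rule["state"] or pkt["state"] in rule["state"].split(",")))

def first_match(chain_text, pkt):
    """iptables semantics: walk top-down, the first matching rule decides.
    Returns (rule_index, target), or (None, "ACCEPT") for the :INPUT ACCEPT policy."""
    for i, r in enumerate(rules(chain_text)):
        if matches(r, pkt):
            return i, r["target"]
    return None, "ACCEPT"

def unreachable_rules(chain_text):
    """Indices of rules shadowed by an earlier catch-all terminating rule."""
    rs = rules(chain_text)
    for i, r in enumerate(rs):
        if r["target"] in ("ACCEPT", "REJECT", "DROP") and not any(
                r[k] for k in ("proto", "iface", "dport", "state")):
            return list(range(i + 1, len(rs)))
    return []
```

Note that nc to localhost passes the firewall through the "-i lo" rule; its "Connection refused" is the kernel's reply when nothing listens on port 20 (vsftpd only uses 20 as the source port of active-mode data connections), whereas a hit on the REJECT rule would show up as "No route to host".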
 
Old 07-06-2015, 02:33 AM   #9
vincix
Senior Member
 
Registered: Feb 2011
Distribution: Ubuntu, Centos
Posts: 1,240

Rep: Reputation: 103
As you might be aware, ftp works in two modes, passive and active. I've read somewhere that passive mode occurs most frequently. And this is the case here. Passive mode means that, after the client makes a request to port 21, the server answers to the client's port, which is a random high port (this is obvious). But now, the client itself again initiates the data connection (the server is 'passive') to the port previously specified by the server, which is a port higher than 1023.

So in passive mode, the file transfer in ftp works between two high ports, and thus 20 is actually not used, and port 21 is only used temporarily to establish the parameters.

Now, in active mode, port 20 is indeed used, and after the client's initial request, the server switches to port 20 and initiates the data transfer.

To be honest, I still haven't understood fully why passive mode is more often used. The explanation seems to be the firewall itself, although in your case you're obviously allowing port 20. You might be able to force vsftpd to use active mode, but I am not sure there are any advantages to it. And another thing that I don't really get is why that exact range of ports (12000-13000) is allowed for the ftp connection. Might it be that the vsftpd server was clever enough to try various ports until it found a free port to listen on?

I'm really interested in the problem myself too.

Last edited by vincix; 07-06-2015 at 02:38 AM.
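An added example, not from the thread, covering the ports vincix discusses above and the conntrack FTP helper from post #5: how a client (and, in the kernel, the FTP conntrack helper) decodes the data port a server advertises in its RFC 959 "227 Entering Passive Mode" reply, plus a check that the port falls inside the range opened on the firewall in post #2 (12000:13000) and that the advertised host is the server we are actually talking to. The replies and the client address are constructed; the server address and the port range are the thread's.

```python
import re

# Constructed sample replies, modelled on the thread's server 192.168.122.254.
# vsftpd confined to pasv_min_port=12000 / pasv_max_port=13000 (port 12535):
PASV_IN_RANGE = "227 Entering Passive Mode (192,168,122,254,48,247)."
# vsftpd with no pasv_min/max set picks any ephemeral port, here 50000:
PASV_OUT_OF_RANGE = "227 Entering Passive Mode (192,168,122,254,195,80)."
# a reply advertising a different host than the one the control connection is to:
PASV_FOREIGN_HOST = "227 Entering Passive Mode (10,0,0,9,48,247)."

PASV_RE = re.compile(r"^227 .*?\((\d+),(\d+),(\d+),(\d+),(\d+),(\d+)\)")

def parse_pasv(reply):
    """Decode a 227 reply into (ip, port); the port is p1*256 + p2."""
    m = PASV_RE.search(reply)
    if not m:
        raise ValueError(f"not a PASV reply: {reply!r}")
    h1, h2, h3, h4, p1, p2 = map(int, m.groups())
    if not all(0 <= x <= 255 for x in (h1, h2, h3, h4, p1, p2)):
        raise ValueError("octet out of range")
    return f"{h1}.{h2}.{h3}.{h4}", p1 * 256 + p2

def data_port_allowed(reply, server_ip, pasv_min, pasv_max):
    """True if the advertised data endpoint is (a) the server we are talking
    to and (b) inside the range the INPUT chain opens (--dport min:max).
    A reply failing (a) should be refused by the client; one failing (b)
    is what the firewall would REJECT, which is how a transfer hangs."""
    ip, port = parse_pasv(reply)
    return ip == server_ip and pasv_min <= port <= pasv_max

def port_command(client_ip, port):
    """Active-mode counterpart: the PORT command a client sends so that the
    server can connect back *from* port 20 to client_ip:port."""
    octets = client_ip.split(".")
    return "PORT " + ",".join(octets + [str(port // 256), str(port % 256)])
```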
 
Old 07-06-2015, 07:48 AM   #10
JockVSJock
Senior Member
 
Registered: Jan 2004
Posts: 1,420

Original Poster
Blog Entries: 4

Rep: Reputation: 164
Quote:
Originally Posted by vincix

To be honest, I still haven't understood fully why passive mode is more often used. The explanation seems to be the firewall itself, although in your case you're obviously allowing port 20. You might be able to force vsftpd to use active mode, but I am not sure there are any advantages to it. And another thing that I don't really get is why that exact range of ports (12000-13000) is allowed for the ftp connection. Might it be that the vsftpd server was clever enough to try various ports until it found a free port to listen on?

I'm really interested in the problem myself too.
I'm currently at work, so when I get home I can check the config file and see how it is setup.

I also found a website where someone really detailed the inner workings of VSFTPD, and I will check that webpage again. If I find something, I can repost it here.
 
Old 07-08-2015, 02:04 PM   #11
vincix
Senior Member
 
Registered: Feb 2011
Distribution: Ubuntu, Centos
Posts: 1,240

Rep: Reputation: 103
Quote:
Originally Posted by JockVSJock
I'm currently at work, so when I get home I can check the config file and see how it is setup.

I also found a website where someone really detailed the inner workings of VSFTPD, and I will check that webpage again. If I find something, I can repost it here.
If you connect with ftp (the Linux ftp client, I mean), one of the first messages you receive is the mode in which the ftp works. Usually you don't need to set the server in any particular way; it will do it automatically.
 
Old 07-11-2015, 03:32 PM   #12
JockVSJock
Senior Member
 
Registered: Jan 2004
Posts: 1,420

Original Poster
Blog Entries: 4

Rep: Reputation: 164
Quote:
Originally Posted by vincix
If you connect with ftp (the Linux ftp client, I mean), one of the first messages you receive is the mode in which the ftp works. Usually you don't need to set the server in any particular way; it will do it automatically.
In my lab, I'm using the following client:

Code:
rpm -qa | grep ftp 
ftp-0.17-52.el6.x86_64

When I log in via ftp to the VSFTPD server, I'm not seeing anything about active/passive.

Code:
ftp 192.168.122.254
Connected to 192.168.122.254 (192.168.122.254). 
220- 
220-"NOTICE TO USERS - use of this system constitutes consent to security monitoring and testing.  
220-All activity is logged with your host name and IP address. 
220- 
220-YOU HAVE BEEN WARNED."
220
NAME (192.168.122.154:JockVSJock): ftp_tester
331 Please specify the password. 
Password: 
230 Login successful. 
Remote system type is UNIX. 
Using binary mode to transfer files. 
ftp>
As far as active/passive connection, I've searched up and down in the config file under /etc/vsftpd/vsftpd.conf and I don't see any indication of this.
Tags
ftp, iptables, rhel 6, vsftp
All times are GMT -5. The time now is 07:01 PM.