Cleaned up the firewall-config extra port options, and tried it on another
machine as well. Did note that after a reboot, it shows nf_conntrack_ftp as
being loaded, but not being used by anything. If I stop firewalld and start
iptables it then shows that it is being used??

firewall-config

services checked?
  dhcpv6-client
  ftp
  mdns
  ssh
  vnc-server
ports
  5979 tcp (used for vnc)
  9000 tcp (used by udpcast)
  9000 udp
  9001 tcp
  9001 udp

lsmod | grep nf
nf_nat_masquerade_ipv4 16384 1 ipt_MASQUERADE
nf_conntrack_ftp 16384 0
nf_reject_ipv6 16384 1 ip6t_REJECT
nf_conntrack_ipv6 20480 15
nf_defrag_ipv6 36864 1 nf_conntrack_ipv6
nf_nat_ipv6 16384 1 ip6table_nat
nf_conntrack_ipv4 16384 15
nf_defrag_ipv4 16384 1 nf_conntrack_ipv4
nf_nat_ipv4 16384 1 iptable_nat
nf_nat 28672 3 nf_nat_ipv4,nf_nat_ipv6,nf_nat_masquerade_ipv4
nf_conntrack 102400 8 nf_nat,nf_nat_ipv4,nf_nat_ipv6,xt_conntrack,nf_nat_masquerade_ipv4,nf_conntrack_ftp,nf_conntrack_ipv4,nf_conntrack_ipv6
nfnetlink 16384 1 ip_set
binfmt_misc 20480 1

· firewalld.service - firewalld - dynamic firewall daemon
Loaded: loaded (/usr/lib/systemd/system/firewalld.service; enabled; vendor
preset: enabled)
Active: active (running) since Mon 2016-10-03 16:46:13 ChST; 3min 45s
ago
Docs: man:firewalld(1)
Main PID: 5198 (firewalld)
Tasks: 3 (limit: 512)
CGroup: /system.slice/firewalld.service
└─5198 /usr/bin/python3 -Es /usr/sbin/firewalld --nofork --nopid
Oct 03 16:46:14 d7aa.guamcc.net /firewalld[5198]: WARNING:
COMMAND_FAILED: '/usr/sbin/iptables -w --table filter --delete FORWARD
--destination 192.168.122.0/24 --out-interface virbr0 --match conntrack
--ctstate ESTABLISHED,RELATED --jump ACCEPT' failed:
Oct 03 16:46:14 d7aa.guamcc.net /firewalld[5198]: WARNING:
COMMAND_FAILED: '/usr/sbin/iptables -w --table filter --delete FORWARD
--source 192.168.122.0/24 --in-interface virbr0 --jump ACCEPT' failed:
Oct 03 16:46:14 d7aa.guamcc.net /firewalld[5198]: WARNING:
COMMAND_FAILED: '/usr/sbin/iptables -w --table filter --delete FORWARD
--in-interface virbr0 --out-interface virbr0 --jump ACCEPT' failed:
Oct 03 16:46:14 d7aa.guamcc.net /firewalld[5198]: WARNING:
COMMAND_FAILED: '/usr/sbin/iptables -w --table filter --delete FORWARD
--out-interface virbr0 --jump REJECT' failed:
Oct 03 16:46:14 d7aa.guamcc.net /firewalld[5198]: WARNING:
COMMAND_FAILED: '/usr/sbin/iptables -w --table filter --delete FORWARD
--in-interface virbr0 --jump REJECT' failed:
Oct 03 16:46:14 d7aa.guamcc.net /firewalld[5198]: WARNING:
COMMAND_FAILED: '/usr/sbin/iptables -w --table filter --delete INPUT
--in-interface virbr0 --protocol udp --destination-port 53 --jump ACCEPT'
failed:
Oct 03 16:46:14 d7aa.guamcc.net /firewalld[5198]: WARNING:
COMMAND_FAILED: '/usr/sbin/iptables -w --table filter --delete INPUT
--in-interface virbr0 --protocol tcp --destination-port 53 --jump ACCEPT'
failed:
Oct 03 16:46:14 d7aa.guamcc.net /firewalld[5198]: WARNING:
COMMAND_FAILED: '/usr/sbin/iptables -w --table filter --delete OUTPUT
--out-interface virbr0 --protocol udp --destination-port 68 --jump ACCEPT'
failed:
Oct 03 16:46:14 d7aa.guamcc.net /firewalld[5198]: WARNING:
COMMAND_FAILED: '/usr/sbin/iptables -w --table filter --delete INPUT
--in-interface virbr0 --protocol udp --destination-port 67 --jump ACCEPT'
failed:
Oct 03 16:46:14 d7aa.guamcc.net /firewalld[5198]: WARNING:
COMMAND_FAILED: '/usr/sbin/iptables -w --table filter --delete INPUT
--in-interface virbr0 --protocol tcp --destination-port 67 --jump ACCEPT'
failed:

· iptables.service - IPv4 firewall with iptables
Loaded: loaded (/usr/lib/systemd/system/iptables.service; disabled; vendor
preset: disabled)
Active: inactive (dead) since Mon 2016-10-03 16:40:51 ChST; 9min ago
Process: 4717 ExecStop=/usr/libexec/iptables/iptables.init stop
(code=exited, status=0/SUCCESS)
Process: 3640 ExecStart=/usr/libexec/iptables/iptables.init start
(code=exited, status=0/SUCCESS)
Main PID: 3640 (code=exited, status=0/SUCCESS)
Oct 02 21:33:20 d7aa.guamcc.net systemd[1]: Starting IPv4 firewall with
iptables...
Oct 02 21:33:20 d7aa.guamcc.net iptables.init[3640]: iptables: Applying
firewall rules: [ OK ]
Oct 02 21:33:20 d7aa.guamcc.net iptables.init[3640]: iptables: Loading
additional modules: ip_nat_ftp [ OK ]
Oct 02 21:33:20 d7aa.guamcc.net systemd[1]: Started IPv4 firewall with
iptables.
Oct 03 16:40:50 d7aa.guamcc.net systemd[1]: Stopping IPv4 firewall with
iptables...
Oct 03 16:40:51 d7aa.guamcc.net iptables.init[4717]: iptables: Setting chains
to policy ACCEPT: security mangle raw nat filter [FAILED]
Oct 03 16:40:51 d7aa.guamcc.net iptables.init[4717]: iptables: Flushing
firewall rules: [ OK ]
Oct 03 16:40:51 d7aa.guamcc.net iptables.init[4717]: iptables: Unloading
modules: [ OK ]
Oct 03 16:40:51 d7aa.guamcc.net systemd[1]: Stopped IPv4 firewall with
iptables.