On 2018/05/23 8:24 AM, Nicolas Kovacs wrote:
> I'm currently setting up a local FTP server, to receive disk images
> sent with G4L (Ghost4Linux).
>
> This server has been running Slackware Linux before, and the
> Vsftpd setup was relatively simple.
>
> With CentOS things seem to be slightly different, so I'm currently
> trying to work things out. For the moment, two things seem to be
> creating problems, the simple iptables firewall and SELinux.
>
> When I disable the firewall and SELinux, Vsftp works as expected.
> So far so good.
>
> Now let's tackle this one dragon at a time. First the firewall.
> I'm starting with a very simple firewall script that looks somewhat
> like this. I'm linking to the template, I won't copy/paste the
> whole thing here.
>
> https://github.com/kikinovak/centos-7-server-lan/blob/master/config/firewall/firewall-standalone.sh
>
> Under Slackware, the iptables rule for a local FTP server looked
> like this:
>
> modprobe ip_conntrack
> iptables -A INPUT -p tcp -i $IFACE_LAN --dport 21 -j ACCEPT
>
> I tried this, but to no avail. Can't connect to my server. I
> googled a bit, and I found out that there seem to be quite many
> different answers about the subject of "how do I configure my
> firewall for Vsftpd".

The ip_conntrack module is necessary, but not sufficient for dynamic
FTP connection tracking. If you instead load ip_conntrack_ftp, it
will auto-load ip_conntrack. (On a C7 server the modules are actually
nf_conntrack_ftp and nf_conntrack, but the ip_* names are aliases for
them so either will work.)

Oh, and to make the module configuration permanent, you can use either
the CentOS config file at /etc/sysconfig/iptables-config (look for the
IPTABLES_MODULES line with associated comments) or on a systemd box you
have the option of /etc/modules-load.d/ (man modules-load.d for details).

----
Nels Lindquist <nlindq@xxxxxxx>
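
A check for the persistence step described in the reply, added here as an example and not part of the original message: it reports whether the FTP conntrack helper is listed in an active IPTABLES_MODULES line or in a modules-load.d file. The module names and the two locations come from the reply; the function names, the `--check` argument and the space-separated reading of IPTABLES_MODULES are assumptions of this example.

```shell
#!/bin/sh
# Added example: is the FTP conntrack helper configured to load at boot?
# Paths are parameters so the check can also run against copies of the files.

HELPER_RE='(nf|ip)_conntrack_ftp'   # either alias named in the reply

# Value of the last active (uncommented) IPTABLES_MODULES line, quotes removed.
# Commented lines that merely mention a helper are ignored.
iptables_modules() {
    sed -n 's/^[[:space:]]*IPTABLES_MODULES=//p' "$1" 2>/dev/null |
        tail -n 1 | tr -d "\"'"
}

# Module names from the *.conf files of a modules-load.d directory;
# blank lines and lines starting with # or ; are skipped.
modules_load_d() {
    for f in "$1"/*.conf; do
        [ -f "$f" ] || continue
        grep -Ev '^[[:space:]]*([#;]|$)' "$f"
    done
}

# Prints each place the helper is configured; returns 1 if there is none.
ftp_helper_persistent() {
    cfg=$1 dir=$2 found=1
    # Assumption: IPTABLES_MODULES is read as a space-separated list.
    if iptables_modules "$cfg" | tr ' ' '\n' | grep -Eqx "$HELPER_RE"; then
        echo "iptables-config"; found=0
    fi
    if modules_load_d "$dir" | tr -d ' \t' | grep -Eqx "$HELPER_RE"; then
        echo "modules-load.d"; found=0
    fi
    return $found
}

# Run against the live paths named in the reply when invoked with --check.
if [ "${1:-}" = "--check" ]; then
    ftp_helper_persistent /etc/sysconfig/iptables-config /etc/modules-load.d ||
        echo "FTP conntrack helper is not configured to load at boot"
fi
```
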