Re: Question on Internet access of vsftp server

On December 18, 2003 08:07 pm, Bob Smith wrote:
> Pete,
>
> I've replaced the rpm, and restarted the server, and I'm still locked
> out.  So I want to try the addition of the line in iptables.  However,
> I'm not sure of what $EXT_IF means.  I'm assuming that $FTP_PORTS are
> ports 21 and 20, and that they go in the user rules I have defined.  Is
> EXT_IF the external interface, and is that value something like eth0 or lo?
>
> Also, would a reboot help on this?
>
> Thanks,
>
> -Bob
>
> Pete Nesbitt wrote:
> >On December 18, 2003 06:56 am, Bob Smith wrote:
> >
> >
> >That sounds like you've found the cause and solution. If not, (or anyway)
> > you should check your logs, and also add a LOG entry to the firewall DENY
> > or REJECT line to see what's happening at the firewall.
> >
> >Depending on your exact rules, add something like this, just below your FTP
> >ACCEPT rules, and ABOVE the RETURN line in a user chain, as in:
> >ftp accept rules...
> >$IPTABLES -A FTP_CHAIN -p tcp -m state --state NEW -i $EXT_IF \
> >  --dport $FTP_PORTS -j LOG --log-prefix "NetF FTP Failure: "
> >... RETURN if in user chain
> >...then the drop line later in rules

Bob,
You should probably have a quick look at tcpwrappers (/etc/hosts.allow & 
hosts.deny) and /etc/init.d/vsftp to make sure it looks sane.

I like to use variables in scripts, even for things that should be static, so 
at the top of my iptables I define things like EXT_IF which is the external 
interface on the firewall, in this case, yes it is likely your eth0. I don't 
actually have ftp (use sftp or scp via ssh) but I just stuck that in to 
represent a variable that you may have predefined.

So if you are not getting to a login, then you are failing on port 21. If you 
are running iptables on the same machine, you are not using a custom chain 
and the internet is accessed via eth0, then the log line would look like:

$IPTABLES -A INPUT -p tcp -m state --state NEW -i $EXT_IF \
  --dport 21 -j LOG --log-prefix "NetF FTP Failure: "

(if you fail after successful login, change the "21" to a "20:21" for a port 
range)

If you put it following your rules that allow ftp, anything that targets that 
port but fails will be logged with the quoted string as something to grep.
You may even want to put it above the allow ftp rules in case it is PAM or 
TCPwrappers causing a problem further along the line. tcpdump may provide 
some info; if you know the ip or host of a test system you are using you can 
look at traffic with:
tcpdump host <ip or host name>

For testing, maybe wrap the rules with logs:
$IPTABLES -A INPUT -p tcp -m state --state NEW -i $EXT_IF \
  --dport 21 -j LOG --log-prefix "NetF FTP Attempt: "
...your ftp access allow rules...
$IPTABLES -A INPUT -p tcp -m state --state NEW -i $EXT_IF \
  --dport 21 -j LOG --log-prefix "NetF FTP Failure: "

oh, if you are using the gui tool to manage your firewall, these instructions 
are probably wrong as the format, which I am not too familiar with, is 
different.
-- 
Pete Nesbitt, rhce
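As an added example that is not part of the thread: a small Python script that reads kernel log lines in the shape the iptables LOG target writes, using the two prefixes Pete suggests ("NetF FTP Attempt: " logged above the allow rules, "NetF FTP Failure: " logged below them), and reports per source whether new FTP connections were stopped by iptables or got past it. The log lines and addresses are constructed samples.

```python
import re
from collections import defaultdict

# Constructed sample lines in the shape the iptables LOG target writes to the
# kernel log (fields abbreviated); not captured from a real system.
SAMPLE_LOG = """\
Dec 18 21:05:01 fw kernel: NetF FTP Attempt: IN=eth0 OUT= SRC=198.51.100.7 DST=192.0.2.10 PROTO=TCP SPT=51234 DPT=21 SYN
Dec 18 21:05:01 fw kernel: NetF FTP Failure: IN=eth0 OUT= SRC=198.51.100.7 DST=192.0.2.10 PROTO=TCP SPT=51234 DPT=21 SYN
Dec 18 21:05:09 fw kernel: NetF FTP Attempt: IN=eth0 OUT= SRC=203.0.113.5 DST=192.0.2.10 PROTO=TCP SPT=40000 DPT=21 SYN
Dec 18 21:06:30 fw kernel: NetF FTP Attempt: IN=eth0 OUT= SRC=198.51.100.7 DST=192.0.2.10 PROTO=TCP SPT=51240 DPT=21 SYN
Dec 18 21:06:30 fw kernel: NetF FTP Failure: IN=eth0 OUT= SRC=198.51.100.7 DST=192.0.2.10 PROTO=TCP SPT=51240 DPT=21 SYN
Dec 18 21:07:00 fw kernel: unrelated message that must be ignored
"""

LINE_RE = re.compile(r"NetF FTP (?P<stage>Attempt|Failure): (?P<fields>.*)$")

def parse_line(line):
    """Return (stage, {field: value}) for a NetF line, else None."""
    m = LINE_RE.search(line)
    if not m:
        return None
    # Tokens such as IN=eth0 or SRC=... become key/value pairs; flags like SYN are skipped.
    fields = dict(tok.split("=", 1) for tok in m.group("fields").split() if "=" in tok)
    return m.group("stage"), fields

def summarize(log_text):
    """Count Attempt/Failure lines per SRC and decide where each source was stopped."""
    stats = defaultdict(lambda: {"attempts": 0, "failures": 0, "ifaces": set()})
    for line in log_text.splitlines():
        parsed = parse_line(line)
        if parsed is None:
            continue
        stage, f = parsed
        entry = stats[f.get("SRC", "?")]
        entry["attempts" if stage == "Attempt" else "failures"] += 1
        entry["ifaces"].add(f.get("IN", ""))
    for entry in stats.values():
        # An Attempt with no matching Failure means an ACCEPT rule in between
        # took the packet; equal counts mean every new connection fell through.
        if entry["attempts"] == entry["failures"]:
            entry["verdict"] = "blocked by iptables"
        else:
            entry["verdict"] = "passed iptables; check tcpwrappers/PAM/vsftpd"
    return dict(stats)

if __name__ == "__main__":
    for src, s in summarize(SAMPLE_LOG).items():
        print(f"{src}: {s['attempts']} attempts, {s['failures']} failures -> {s['verdict']}")
```

Feed it the output of `grep 'NetF FTP' /var/log/messages` on the firewall; a source that shows as passed but still cannot log in points past the firewall, which is exactly the split Pete describes.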

