Re: Question on Internet access of vsftp server
From: Pete Nesbitt (pete_at_linux1.ca)
Date: 12/19/03
- Previous message: Julian Opificius: "switching WMs, and request for recommendations"
- In reply to: Bob Smith: "Re: Question on Internet access of vsftp server"
- Next in thread: Pete Nesbitt: "Re: Question on Internet access of vsftp server"
- Reply: Pete Nesbitt: "Re: Question on Internet access of vsftp server"
- Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]
To: redhat-list@redhat.com
Date: Thu, 18 Dec 2003 20:45:52 -0800
On December 18, 2003 08:07 pm, Bob Smith wrote:
> Pete,
>
> I've replaced the rpm, and restarted the server, and I'm still locked
> out. So I want to try the addition of the line in iptables. However,
> I'm not sure of what $EXT_IF means. I'm assuming that $FTP_PORTS are
> ports 21 and 20, and that they go in the user rules I have defined. Is
> EXT_IF the external interface, and is that value something like eth0 or lo?
>
> Also, would a reboot help on this?
>
> Thanks,
>
> -Bob
>
> Pete Nesbitt wrote:
> >On December 18, 2003 06:56 am, Bob Smith wrote:
> >
> >
> >That sounds like you've found the cause and solution. If not, (or anyway)
> > you should check your logs, and also add a LOG entry to the firewall DENY
> > or REJECT line to see what's happening at the firewall.
> >
> >Depending on your exact rules, add something like this, just below your FTP
> >ACCEPT Rules, and ABOVE the RETURN line in a user chain, as in:
> >ftp accept rules...
> >$IPTABLES -A FTP_CHAIN -p tcp -m state --state NEW -i $EXT_IF \
> > --dport $FTP_PORTS -j LOG --log-prefix "NetF FTP Failure: "
> >... RETURN if in user chain
> >...then the drop line later in rules
Bob,
You should probably have a quick look at tcpwrappers (/etc/hosts.allow &
hosts.deny) and /etc/init.d/vsftp to make sure it looks sane.
I like to use variables in scripts, even for things that should be static, so
at the top of my iptables I define things like EXT_IF which is the external
interface on the firewall, in this case, yes it is likely your eth0. I don't
actually have ftp (use sftp or scp via ssh) but I just stuck that in to
represent a variable that you may have predefined.
So if you are not getting to a login, then you are failing on port 21. If you
are running iptables on the same machine, you are not using a custom chain
and the internet is accessed via eth0, then the log line would look like:
$IPTABLES -A INPUT -p tcp -m state --state NEW -i $EXT_IF \
--dport 21 -j LOG --log-prefix "NetF FTP Failure: "
(if you fail after successful login, change the "21" to "20:21" for a port
range)
If you put it following your rules that allow ftp, anything that targets that
port but fails will be logged with the quoted string as something to grep.
You may even want to put it above the allow ftp rules in case it is PAM or
TCPwrappers causing a problem further along the line. tcpdump may provide
some info. If you know the ip or host of a test system you are using, you can
look at traffic with:
tcpdump host <ip or host name>
For testing, maybe wrap the rules with logs:
$IPTABLES -A INPUT -p tcp -m state --state NEW -i $EXT_IF \
--dport 21 -j LOG --log-prefix "NetF FTP Attempt: "
...your ftp access allow rules...
$IPTABLES -A INPUT -p tcp -m state --state NEW -i $EXT_IF \
--dport 21 -j LOG --log-prefix "NetF FTP Failure: "
Oh, if you are using the gui tool to manage your firewall, these instructions
are probably wrong as the format, which I am not too familiar with, is
different.
-- Pete Nesbitt, rhce
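A worked version of the LOG / ACCEPT / LOG "sandwich" described in the message above, added here as an example; it is not part of Pete's post. It assumes the rules live directly in the INPUT chain (no custom chain, as in the second snippet), that the clients permitted to use FTP are expressed as a single network in an assumed variable FTP_ALLOW_NET (replace with your own allow rules), and that the kernel log lines use the standard netfilter LOG target field format (IN=, SRC=, DPT= and so on). The rules are printed rather than applied so they can be reviewed first, and the log lines fed to the summary functions are constructed.

```shell
#!/bin/sh
# Added example (not from the original post): emit the LOG / ACCEPT / LOG
# "sandwich" for FTP in the INPUT chain, then summarise what the kernel logged.
IPTABLES=${IPTABLES:-/sbin/iptables}          # path is an assumption; adjust
EXT_IF=${EXT_IF:-eth0}                        # external interface (assumption)
FTP_PORTS=${FTP_PORTS:-20:21}                 # control port 21 plus data port 20
FTP_ALLOW_NET=${FTP_ALLOW_NET:-192.0.2.0/24}  # constructed: clients allowed in

# Print the rules instead of running them so they can be reviewed first;
# "ftp_debug_rules | sh" would apply them.  Attempt LOG, then ACCEPT, then
# Failure LOG: anything logged twice was not matched by the ACCEPT rule.
ftp_debug_rules() {
    cat <<EOF
$IPTABLES -A INPUT -p tcp -m state --state NEW -i $EXT_IF --dport $FTP_PORTS -j LOG --log-prefix "NetF FTP Attempt: "
$IPTABLES -A INPUT -p tcp -m state --state NEW -i $EXT_IF -s $FTP_ALLOW_NET --dport $FTP_PORTS -j ACCEPT
$IPTABLES -A INPUT -p tcp -m state --state NEW -i $EXT_IF --dport $FTP_PORTS -j LOG --log-prefix "NetF FTP Failure: "
EOF
}

# Constructed kernel log lines in the netfilter LOG target's field format.
# 192.0.2.10 is inside FTP_ALLOW_NET and is accepted after the first LOG;
# 198.51.100.7 is outside it, so it falls through to the "Failure" LOG rule.
sample_log() {
    cat <<'EOF'
Dec 18 20:45:52 fw kernel: NetF FTP Attempt: IN=eth0 OUT= SRC=192.0.2.10 DST=203.0.113.5 LEN=60 PROTO=TCP SPT=40001 DPT=21 SYN
Dec 18 20:46:03 fw kernel: NetF FTP Attempt: IN=eth0 OUT= SRC=198.51.100.7 DST=203.0.113.5 LEN=60 PROTO=TCP SPT=51234 DPT=21 SYN
Dec 18 20:46:03 fw kernel: NetF FTP Failure: IN=eth0 OUT= SRC=198.51.100.7 DST=203.0.113.5 LEN=60 PROTO=TCP SPT=51234 DPT=21 SYN
Dec 18 20:46:09 fw kernel: NetF FTP Attempt: IN=eth0 OUT= SRC=198.51.100.7 DST=203.0.113.5 LEN=60 PROTO=TCP SPT=51235 DPT=21 SYN
Dec 18 20:46:09 fw kernel: NetF FTP Failure: IN=eth0 OUT= SRC=198.51.100.7 DST=203.0.113.5 LEN=60 PROTO=TCP SPT=51235 DPT=21 SYN
EOF
}

# Count log lines carrying one of the prefixes ("Attempt" or "Failure").
# Reads the log on stdin, e.g.  grep NetF /var/log/messages | ftp_log_count Failure
ftp_log_count() {
    grep "NetF FTP $1: " | wc -l | tr -d ' '
}

# Distinct source addresses that reached the Failure rule, i.e. were not
# accepted by anything between the two LOG lines.  Reads the log on stdin.
ftp_failed_sources() {
    grep "NetF FTP Failure: " | sed -n 's/.*SRC=\([0-9.]*\).*/\1/p' | sort -u
}

# One line per client: attempts and failures.  A client whose failures equal
# its attempts never matched the ACCEPT rule; that is where to look next
# (the allow rule itself, or PAM / TCP wrappers if the packet did get in).
ftp_client_summary() {
    awk '/NetF FTP (Attempt|Failure): / {
            for (i = 1; i <= NF; i++) if ($i ~ /^SRC=/) src = substr($i, 5)
            if ($0 ~ /Attempt/) att[src]++; else fail[src]++
         }
         END { for (s in att) printf "%s attempts=%d failures=%d\n", s, att[s], fail[s] + 0 }' | sort
}

# Stand-alone demo: show the rules, then the summary of the constructed log.
ftp_debug_rules
sample_log | ftp_client_summary
```

Once the real rules are loaded, the same summary functions work over the live log: `grep 'NetF FTP' /var/log/messages | ftp_client_summary`. The two-prefix scheme is what makes the log useful: a client that shows up only under "Attempt" was let in by the firewall, so a login failure for it lies beyond iptables.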