January 7, 2014

Configure iptables for FTP Server, vsftp

Server Installation

$ yum install vsftpd

$ service vsftpd start

Now the ftp server is ready to be used. Let's create a simple text file in the root of the ftp server.

$ echo "Test" > /var/ftp/pub/test.txt

Configure iptables

Existing iptables rules.

$ iptables -vnL --line-numbers
Chain INPUT (policy ACCEPT 0 packets, 0 bytes)
num   pkts bytes target     prot opt in     out     source               destination         
1        0     0 ACCEPT     all  --  lo     *       0.0.0.0/0            0.0.0.0/0           
2    12592   18M ACCEPT     all  --  *      *       0.0.0.0/0            0.0.0.0/0           state RELATED,ESTABLISHED 
3        0     0 ACCEPT     icmp --  *      *       0.0.0.0/0            0.0.0.0/0           
4        0     0 ACCEPT     tcp  --  *      *       192.168.122.0/24     0.0.0.0/0           state NEW tcp dpt:22 
5        0     0 REJECT     all  --  *      *       0.0.0.0/0            0.0.0.0/0           reject-with icmp-port-unreachable 

Chain FORWARD (policy ACCEPT 0 packets, 0 bytes)
num   pkts bytes target     prot opt in     out     source               destination         
1        0     0 REJECT     all  --  *      *       0.0.0.0/0            0.0.0.0/0           reject-with icmp-port-unreachable 

First we will add a LOG rule just before the last rule in the INPUT chain, the one that rejects incoming traffic.

$ iptables -I INPUT 5 -j LOG

Then we try to list the root of the ftp server. This will fail, because we have not opened the ftp port in the firewall, and the rejected connection attempt shows up in the log file.

$ tail -f /var/log/messages
...
Jan  7 21:13:59 virtual1 kernel: IN=eth0 OUT= MAC=52:54:00:51:e4:07:52:54:00:00:99:4a:08:00 SRC=192.168.122.1 DST=192.168.122.196 LEN=60 TOS=0x00 PREC=0x00 TTL=64 ID=53779 DF PROTO=TCP SPT=38835 DPT=21 WINDOW=14600 RES=0x00 SYN URGP=0

Now let's open the ftp port in the firewall. We will insert the rule just before the log rule.

$ iptables -I INPUT 5 -m state --state NEW -p tcp --dport 21 -j ACCEPT

Now let's try to list the root again, which will still fail. Now look at the log.

$ tail -f /var/log/messages
...
Jan  7 21:21:49 virtual1 kernel: IN=eth0 OUT= MAC=52:54:00:51:e4:07:52:54:00:00:99:4a:08:00 SRC=192.168.122.1 DST=192.168.122.196 LEN=60 TOS=0x00 PREC=0x00 TTL=64 ID=18564 DF PROTO=TCP SPT=39862 DPT=29736 WINDOW=14600 RES=0x00 SYN URGP=0

You might now wonder why ftp is trying to open port 29736. The reason is that vsftp is using passive ports to communicate: the data connection arrives on a separate, high-numbered port, which none of our rules accept. To fix this we need to add the ftp modules to iptables. The relevant modules are found in the kernel's netfilter module directory.

$ ls /lib/modules/`uname -r`/kernel/net/ipv4/netfilter/*ftp*
/lib/modules/2.6.32-431.el6.x86_64/kernel/net/ipv4/netfilter/nf_nat_ftp.ko
/lib/modules/2.6.32-431.el6.x86_64/kernel/net/ipv4/netfilter/nf_nat_tftp.ko

Now add those two modules to the iptables module configuration.

$ vi /etc/sysconfig/iptables-config

Now save your new iptables rules and restart iptables.

$ service iptables save && service iptables restart

Finally, try to list the content of the root on the server again; this should now work.
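As an added check (example shell, not code from the original post), the functions below read the two kernel LOG lines shown above, pull out the SRC, DST and DPT fields, and tell the control connection (port 21) apart from a passive data connection by comparing DPT against pasv_min_port/pasv_max_port from a constructed vsftpd.conf fragment (the 29000-30000 range is an assumption). This makes the second rejected SYN visible as a passive data port rather than a random one.

```sh
#!/bin/sh
# Constructed sample input: the two kernel LOG lines shown in this post.
NF_LOG_SAMPLE='Jan  7 21:13:59 virtual1 kernel: IN=eth0 OUT= MAC=52:54:00:51:e4:07:52:54:00:00:99:4a:08:00 SRC=192.168.122.1 DST=192.168.122.196 LEN=60 TOS=0x00 PREC=0x00 TTL=64 ID=53779 DF PROTO=TCP SPT=38835 DPT=21 WINDOW=14600 RES=0x00 SYN URGP=0
Jan  7 21:21:49 virtual1 kernel: IN=eth0 OUT= MAC=52:54:00:51:e4:07:52:54:00:00:99:4a:08:00 SRC=192.168.122.1 DST=192.168.122.196 LEN=60 TOS=0x00 PREC=0x00 TTL=64 ID=18564 DF PROTO=TCP SPT=39862 DPT=29736 WINDOW=14600 RES=0x00 SYN URGP=0'

# Constructed sample vsftpd.conf fragment; the passive range here is an
# assumption, a real server pins it with the same two keys.
VSFTPD_CONF_SAMPLE='listen=YES
pasv_enable=YES
pasv_min_port=29000
pasv_max_port=30000'

# nf_field LINE KEY: value of KEY= in a netfilter LOG line (empty if absent)
nf_field() {
    printf '%s\n' "$1" | tr ' ' '\n' | sed -n "s/^$2=//p"
}

# conf_value KEY: value of KEY= in the vsftpd.conf sample
conf_value() {
    printf '%s\n' "$VSFTPD_CONF_SAMPLE" | sed -n "s/^$1=//p"
}

# classify_dpt PORT MIN MAX: control (21), passive-data (inside MIN..MAX) or other
classify_dpt() {
    if [ "$1" -eq 21 ]; then echo control
    elif [ "$1" -ge "$2" ] && [ "$1" -le "$3" ]; then echo passive-data
    else echo other
    fi
}

# report: one line per logged TCP SYN, "SRC -> DST:DPT class"
report() {
    min=$(conf_value pasv_min_port); max=$(conf_value pasv_max_port)
    printf '%s\n' "$NF_LOG_SAMPLE" | while IFS= read -r line; do
        [ "$(nf_field "$line" PROTO)" = TCP ] || continue
        dpt=$(nf_field "$line" DPT)
        [ -n "$dpt" ] || continue
        printf '%s -> %s:%s %s\n' "$(nf_field "$line" SRC)" \
            "$(nf_field "$line" DST)" "$dpt" "$(classify_dpt "$dpt" "$min" "$max")"
    done
}

report
```

To run it against a live box, replace NF_LOG_SAMPLE with `grep 'kernel:.*DPT=' /var/log/messages` output and VSFTPD_CONF_SAMPLE with the contents of /etc/vsftpd/vsftpd.conf.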
