Troubleshoot issues with Iptables and VSFTPD settings

Source: Internet
Author: User
Tags: ftp connection

Blog Category:
    • Linux/centos/ubuntu

Firewall: the configuration below solves the iptables and vsftpd setup issues.

Modify /etc/sysconfig/iptables-config so that the FTP connection-tracking helper is loaded together with the firewall rules:

vi /etc/sysconfig/iptables-config
IPTABLES_MODULES="ip_conntrack_ftp"

(ip_conntrack_ftp is the module name on 2.6.18-era kernels such as CentOS 5; on CentOS 6 and later the helper is called nf_conntrack_ftp.) With the helper loaded, the data connection that follows a PASV exchange is tracked as RELATED to the control connection on port 21, so the ESTABLISHED,RELATED rule below admits it without opening the whole passive port range. Then set the rules:

iptables -P INPUT DROP
iptables -A INPUT -p tcp --dport 20 -j ACCEPT
iptables -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
iptables -A INPUT -i lo -j ACCEPT
iptables -A INPUT -p tcp --dport 21 -j ACCEPT
service iptables save
service iptables restart

This rule set contains no rule for SSH (port 22): run it from the console, or add an ACCEPT rule for port 22 before setting the DROP policy, otherwise the policy locks out the remote session. The rule for port 20 is harmless but unnecessary: in active mode the server itself opens the data connection from port 20, so nothing arrives inbound at port 20 except replies that are already ESTABLISHED.



Attachment

How FTP works: the two modes

Port (active) mode

The FTP client first picks a dynamic port (typically above 1024) and connects to TCP port 21 on the server; commands travel over this control channel. Before a transfer the client sends a PORT command naming the client port on which it will receive the data. The server then opens a new connection from its own TCP port 20 to that client port and sends the data over it, so in active mode the server must initiate a fresh connection to the client for each transfer.

Passive mode

The control channel is established the same way, but the client sends PASV instead of PORT. The server then opens a random high port (above 1024) and tells the client, in its 227 reply, which address and port to connect to; the client connects to that port on the server and the data is transferred over that connection. The server never has to open a connection back to the client.

Many firewalls are configured to refuse externally initiated connections. An FTP server behind such a firewall or on an intranet therefore often cannot serve PASV mode, because clients cannot reach the server's high port through the firewall, while clients on an internal network often cannot use port mode either, because the server's connection from TCP port 20 back to the internal client is refused as well. On the server's own firewall the FTP connection-tracking helper resolves the passive case: it reads the PASV exchange on the control channel and marks the incoming data connection as RELATED, so it passes an ESTABLISHED,RELATED rule.
1. Install the vsftpd package:

yum install vsftpd -y

2. Turn on anonymous access and the passive-mode port range:

vim /etc/vsftpd/vsftpd.conf
# allow anonymous users to log in
anonymous_enable=YES
# anonymous users may upload files
anon_upload_enable=YES
# anonymous users may create directories
anon_mkdir_write_enable=YES
# anonymous users may rename and delete files
anon_other_write_enable=YES
# turn on passive mode
pasv_enable=YES
# lowest passive-mode port
pasv_min_port=30000
# highest passive-mode port
pasv_max_port=31000

The three anon_*_write_enable options give anyone who can reach the server write, rename and delete rights on the anonymous directory; leave them at NO unless the server is meant to be a public drop box.

3. Load the FTP modules:

vim /etc/modprobe.d/vsftpd.conf
alias ip_conntrack ip_conntrack_ftp ip_nat_ftp

(modprobe's alias keyword takes a single module name, so this line does not load the helpers by itself; the rc.local lines below are what loads them at boot.)

vim /etc/rc.local
/sbin/modprobe ip_conntrack
/sbin/modprobe ip_conntrack_ftp
/sbin/modprobe ip_nat_ftp

4. Port filtering:

vim /etc/sysconfig/iptables
-A INPUT -p tcp -m multiport --dports 20,21 -m state --state NEW -j ACCEPT
-A INPUT -p tcp -m state --state NEW -m tcp --dport 21 -j ACCEPT
-A INPUT -p tcp --dport 30000:31000 -j ACCEPT

The first rule opens ports 20 and 21, the second opens the control port 21 again (it is redundant with the first), and the third opens the passive port range.

5. Log in to test.

FTP has two connection modes: PORT (active) and PASV (passive). The difference between them is explained in the attachment above and in many online sources.

We use PASV (passive) mode on the client.

First configure the Linux iptables firewall. If the firewall is not set up correctly the client gets as far as the server's reply 227 Entering Passive Mode (182,92,150,235,145,19). and then hangs, because its connection to the advertised data port is dropped.
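As an added example that is not part of the original post, the following shell script decodes the 227 reply quoted above (the format is described under passive mode in the attachment) and checks the advertised endpoint against a passive port range and against the address the client connected to. The range 30000-31000 is the one used on this page; the assumption that the control connection went to 182.92.150.235 is made for illustration.

```shell
#!/bin/sh
# Decode the "227 Entering Passive Mode (h1,h2,h3,h4,p1,p2)" reply a server
# sends to a PASV command, and check the advertised endpoint against the
# pasv_min_port/pasv_max_port range the firewall is supposed to open.
# SAMPLE_227 is the reply quoted on this page; the host and range passed to
# diagnose_227 at the bottom are assumptions for the demonstration.

SAMPLE_227='227 Entering Passive Mode (182,92,150,235,145,19).'

# Print "host:port" for a 227 reply, or return 1 if it cannot be parsed.
pasv_endpoint() {
    fields=${1#*\(}          # drop everything up to the opening parenthesis
    fields=${fields%%\)*}    # drop the closing parenthesis and anything after it
    # Split the six comma-separated numbers into $1..$6.
    set -- $(printf '%s' "$fields" | tr ',' ' ')
    [ "$#" -eq 6 ] || return 1
    # The data port is sent as two bytes: port = p1 * 256 + p2.
    printf '%s.%s.%s.%s:%d\n' "$1" "$2" "$3" "$4" $(( $5 * 256 + $6 ))
}

# Return 0 if the data port in a 227 reply lies inside [min,max], else 1.
pasv_port_in_range() {
    ep=$(pasv_endpoint "$1") || return 1
    port=${ep##*:}
    [ "$port" -ge "$2" ] && [ "$port" -le "$3" ]
}

# Return 0 if the host advertised in the 227 reply is the host the client
# connected to. A mismatch usually means the server is behind NAT and is
# advertising its private address; vsftpd's pasv_address= fixes that.
pasv_host_matches() {
    ep=$(pasv_endpoint "$1") || return 1
    [ "${ep%%:*}" = "$2" ]
}

# diagnose_227 "<227 line>" <control host> <pasv_min> <pasv_max>
# Prints one OK/FAIL line per check; always returns 0.
diagnose_227() {
    ep=$(pasv_endpoint "$1") || { echo 'FAIL unparsable 227 reply'; return 0; }
    echo "data endpoint: $ep"
    if pasv_host_matches "$1" "$2"; then
        echo 'OK   advertised host matches the control-connection host'
    else
        echo "FAIL advertised host differs from $2 (server behind NAT? set pasv_address)"
    fi
    if pasv_port_in_range "$1" "$3" "$4"; then
        echo "OK   data port is inside the pasv range $3-$4"
    else
        echo "FAIL data port is outside the pasv range $3-$4: a rule for that range will not match it"
    fi
    return 0
}

diagnose_227 "$SAMPLE_227" 182.92.150.235 30000 31000
```

The quoted reply decodes to 182.92.150.235:37139, which lies outside 30000-31000: a server that answers like this is not using the range configured on this page, so a rule that only opens 30000:31000 would not help it, and the connection only works if the conntrack helper marks the data connection as RELATED.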

1. Edit /etc/sysconfig/iptables-config and set IPTABLES_MODULES as follows:

IPTABLES_MODULES="ip_conntrack_ftp ip_nat_ftp"

The file is sourced by the iptables init script, which runs modprobe on each name in the variable, in order, before loading the rules; this is equivalent to running modprobe ip_conntrack_ftp and modprobe ip_nat_ftp by hand. Put both names in one assignment: two IPTABLES_MODULES= lines do not add up, the second simply overwrites the first. Keep ip_conntrack_ftp first, since ip_nat_ftp depends on it. ip_nat_ftp is only required when the FTP server sits behind NAT (an intranet server reached through port mapping); otherwise the conntrack helper alone is enough.

2. Add the following line to the iptables file:

vi /etc/sysconfig/iptables
-A INPUT -p tcp -m state --state NEW -m tcp --dport 21 -j ACCEPT

The original rule set also accepted NEW connections with --sport 21 and any connection to --dport 20. Leave both out: the source port of an incoming connection is chosen by the remote side, so an --sport 21 ACCEPT lets anyone bypass the DROP policy simply by connecting from port 21; and nothing legitimate arrives at port 20, because in active mode the server itself opens the data connection from port 20 and the replies are already ESTABLISHED.

3. Check that the iptables file contains the following line (it is there by default); add it if it is missing:

-A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT

This is the rule that admits the passive-mode data connections, which the ip_conntrack_ftp helper marks as RELATED to the control connection; it must come before any REJECT or DROP rule in the INPUT chain.
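As an added example (not part of the original post), the following shell script audits an iptables-save dump and an lsmod listing for the conditions from steps 1 to 3 and from the port-filtering rules in the attachment. The dump and the module listing embedded in it are constructed samples: the dump contains the port-21 and ESTABLISHED,RELATED rules above together with the --sport 21 and --dport 20 rules discussed in step 2, so the audit has something to flag.

```shell
#!/bin/sh
# Audit the FTP-related INPUT rules in an iptables-save dump, plus an lsmod
# listing, for the conditions discussed on this page. The two inputs below are
# constructed samples; on a real host call:
#   audit_ftp_rules "$(iptables-save)" "$(lsmod)" 30000 31000

SAMPLE_RULES='*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [0:0]
-A INPUT -i lo -j ACCEPT
-A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
-A INPUT -p tcp -m state --state NEW -m tcp --dport 21 -j ACCEPT
-A INPUT -p tcp -m state --state NEW -m tcp --sport 21 -j ACCEPT
-A INPUT -p tcp -m tcp --dport 20 -j ACCEPT
COMMIT'

SAMPLE_LSMOD='Module                  Size  Used by
nf_nat_ftp              1795  0
nf_conntrack_ftp       12213  1 nf_nat_ftp
nf_conntrack           79206  3 nf_nat_ftp,nf_conntrack_ftp,xt_state'

# has_rule "<dump>" "<extended regex>": returns 0 if some line matches.
has_rule() { printf '%s\n' "$1" | grep -Eq -- "$2"; }

# helper_loaded "<lsmod output>": returns 0 if the FTP conntrack helper is
# loaded (nf_conntrack_ftp on current kernels, ip_conntrack_ftp on 2.6.18).
helper_loaded() { printf '%s\n' "$1" | grep -Eq '^(nf|ip)_conntrack_ftp '; }

# audit_ftp_rules "<dump>" "<lsmod>" [pasv_min pasv_max]
# Prints one OK/WARN/FAIL line per check; always returns 0.
audit_ftp_rules() {
    rules=$1; mods=$2; pmin=${3:-}; pmax=${4:-}

    if has_rule "$rules" '^-A INPUT .*--dport 21 .*-j ACCEPT$'; then
        echo 'OK   control connections to port 21 are accepted'
    else
        echo 'FAIL no ACCEPT rule for --dport 21: nobody can log in'
    fi

    # iptables-save writes "-m state --state" or "-m conntrack --ctstate".
    if has_rule "$rules" '^-A INPUT .*--(state|ctstate) [A-Z,]*RELATED[A-Z,]* -j ACCEPT$'; then
        echo 'OK   RELATED connections are accepted (helper-tracked data connections)'
    else
        echo 'FAIL no ESTABLISHED,RELATED rule: data connections will be dropped'
    fi

    if helper_loaded "$mods"; then
        echo 'OK   FTP conntrack helper is loaded'
    elif [ -n "$pmin" ] && has_rule "$rules" "^-A INPUT .*--dport $pmin:$pmax .*-j ACCEPT$"; then
        echo 'WARN helper not loaded; passive mode works only through the explicit port range rule'
    else
        echo 'FAIL helper not loaded and no passive range rule: the 227 reply is sent but data connections hang'
    fi

    # The source port of a NEW inbound connection is chosen by the remote side,
    # so accepting "--sport 21" lets any client bypass the DROP policy.
    if has_rule "$rules" '^-A INPUT .*--sport 21 .*-j ACCEPT$'; then
        echo 'FAIL rule accepts any new connection with source port 21: remove it'
    fi

    # Active-mode data connections leave the server from port 20 (OUTPUT chain);
    # nothing legitimate arrives at dport 20.
    if has_rule "$rules" '^-A INPUT .*--dport 20 .*-j ACCEPT$'; then
        echo 'WARN inbound --dport 20 rule is unused by FTP; it only widens the attack surface'
    fi

    if [ -n "$pmin" ] && [ -n "$pmax" ] && ! has_rule "$rules" "^-A INPUT .*--dport $pmin:$pmax .*-j ACCEPT$"; then
        echo "WARN no explicit rule for pasv range $pmin:$pmax; passive mode relies on the helper alone"
    fi
    return 0
}

audit_ftp_rules "$SAMPLE_RULES" "$SAMPLE_LSMOD" 30000 31000
```

On the sample the audit reports three OK lines, one FAIL for the --sport 21 rule and two WARN lines (the unused --dport 20 rule and the absent range rule); with the helper missing from lsmod the passive-mode check turns into a second FAIL.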

Now let's start configuring vsftpd

Installing vsftpd

1. Run the following command as root:

yum install vsftpd

2. Start vsftpd at boot:

chkconfig vsftpd on

3. Start the vsftpd service:

service vsftpd start

Other commands for managing vsftpd:

Stop vsftpd: service vsftpd stop

Restart vsftpd: service vsftpd restart

Configuring the vsftpd server

The default configuration file is /etc/vsftpd/vsftpd.conf; open it with a text editor:

vi /etc/vsftpd/vsftpd.conf

Add FTP User

The following adds a user ftpuser whose home (FTP root) directory is /home/wwwroot/ftpuser, who cannot log in over SSH, and who is confined to that directory.

1. Modify /etc/vsftpd/vsftpd.conf

Change the commented-out lines

#chroot_list_enable=YES
# (default follows)
#chroot_list_file=/etc/vsftpd.chroot_list

to

chroot_list_enable=YES
# (default follows)
chroot_list_file=/etc/vsftpd/chroot_list

2. Modify the following parameters. vsftpd has no inline comment syntax (everything after the = is the value, and an unrecognised value stops the daemon from starting), so comments go on their own lines:

# disable anonymous login
anonymous_enable=NO
# allow local users to log in
local_enable=YES
userlist_enable=NO
userlist_deny=YES

userlist_file=/etc/vsftpd.user_list names the user list file; with userlist_deny=YES the users listed in it are refused. Because userlist_enable=NO here, the list is not consulted at all.

3. Add the user ftpuser with home directory /home/wwwroot/ftpuser and no SSH login shell:

useradd -d /home/wwwroot/ftpuser -g ftp -s /sbin/nologin ftpuser

Check that /sbin/nologin is listed in /etc/shells: vsftpd's PAM configuration on CentOS uses pam_shells, and a user whose shell is not in that file cannot log in to FTP either. CentOS lists it by default.

4. Set the user's password:

passwd ftpuser

5. Edit the file chroot_list (to confine the listed users to their home directory and deny access to its parent directories). With chroot_local_user left at NO, only the users named here are chrooted; one user name per line, so add the user created above:

vi /etc/vsftpd/chroot_list
Peter
John
ftpuser

6. Restart vsftpd:

service vsftpd restart
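As an added example that is not part of the original page, this shell script checks a vsftpd.conf for the pitfalls discussed above: inline comments after a value, the anonymous write options from the attachment, an inverted passive range, and a chroot whose root directory is writable, which vsftpd 3.x refuses at login. The two configurations embedded in it are constructed samples: the first mirrors the anonymous configuration from the attachment, the second the local-user configuration from this section written with inline comments.

```shell
#!/bin/sh
# Lint a vsftpd.conf for the mistakes this page invites:
#  - inline comments: vsftpd has no inline comment syntax, so
#    "anonymous_enable=NO //x" is the value "NO //x" and vsftpd refuses to start;
#  - anonymous users that may write;
#  - an inverted or privileged passive port range;
#  - chroot with a writable root, which vsftpd 3.x rejects at login with
#    "500 OOPS: vsftpd: refusing to run with writable root inside chroot()".
# Both configurations below are constructed samples.

SAMPLE_CONF_ANON='anonymous_enable=YES
anon_upload_enable=YES
anon_mkdir_write_enable=YES
anon_other_write_enable=YES
pasv_enable=YES
pasv_min_port=30000
pasv_max_port=31000'

SAMPLE_CONF_LOCAL='anonymous_enable=NO //disable anonymous login
local_enable=YES //enable local user login
write_enable=YES
userlist_enable=NO
userlist_deny=YES
chroot_list_enable=YES
chroot_list_file=/etc/vsftpd/chroot_list'

# conf_value "<conf text>" key: print the value of the last key=value line
# (empty if the key is not set). The value is everything after the "=".
conf_value() {
    printf '%s\n' "$1" | sed -n "s/^$2=//p" | tail -n 1
}

# lint_vsftpd_conf "<conf text>": one finding per line, prefixed FAIL or WARN.
# Always returns 0; the caller counts the findings.
lint_vsftpd_conf() {
    conf=$1

    # 1. Inline comments become part of the value.
    printf '%s\n' "$conf" | grep -E '^[a-z_]+=.*(//|[[:space:]]#)' \
        | sed 's/^/FAIL inline comment is part of the value: /'

    # 2. Anonymous write access (only matters when anonymous login is on).
    if [ "$(conf_value "$conf" anonymous_enable)" = YES ]; then
        for k in anon_upload_enable anon_mkdir_write_enable anon_other_write_enable; do
            if [ "$(conf_value "$conf" "$k")" = YES ]; then
                printf 'FAIL anonymous users can write: %s=YES\n' "$k"
            fi
        done
    fi

    # 3. Passive port range sanity.
    pmin=$(conf_value "$conf" pasv_min_port); pmax=$(conf_value "$conf" pasv_max_port)
    if [ -n "$pmin" ] && [ -n "$pmax" ]; then
        if [ "$pmin" -gt "$pmax" ]; then
            printf 'FAIL pasv_min_port %s exceeds pasv_max_port %s\n' "$pmin" "$pmax"
        fi
        if [ "$pmin" -le 1024 ]; then
            printf 'WARN pasv_min_port %s is in the privileged range\n' "$pmin"
        fi
    fi

    # 4. Chroot in use together with write access and no allow_writeable_chroot.
    if [ "$(conf_value "$conf" chroot_local_user)" = YES ] || [ "$(conf_value "$conf" chroot_list_enable)" = YES ]; then
        if [ "$(conf_value "$conf" write_enable)" = YES ] && [ "$(conf_value "$conf" allow_writeable_chroot)" != YES ]; then
            printf 'WARN chroot with write_enable=YES: make the chroot root non-writable (e.g. root-owned) or set allow_writeable_chroot=YES on vsftpd 3.x\n'
        fi
    fi
    return 0
}

lint_vsftpd_conf "$SAMPLE_CONF_ANON"
lint_vsftpd_conf "$SAMPLE_CONF_LOCAL"
```

On the anonymous sample the linter reports three FAIL lines (the three anon write options); on the local-user sample it reports two FAIL lines for the inline comments and one WARN for the writable chroot. To lint a real file, call lint_vsftpd_conf "$(cat /etc/vsftpd/vsftpd.conf)".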

For detailed parameter settings please see http://vsftpd.beasts.org/vsftpd_conf.html

