On 2 Oct 2016 at 16:14, Ed Greshko wrote:

From: Ed Greshko <ed.greshko@greshko.com>
Subject: Re: Problem with firewalld/iptables and ftp access list?
To: Fedora <users@lists.fedoraproject.org>
Date sent: Sun, 2 Oct 2016 16:14:48 +0800
Send reply to: Community support for Fedora users <users@lists.fedoraproject.org>

>
>
> On 10/02/16 15:17, Ed Greshko wrote:
> >
> > On 10/02/16 14:51, Gordon Messmer wrote:
> >> On 10/01/2016 04:37 PM, Michael D. Setzer II wrote:
> >>> I can connect to ftp server but the listing fails if firewalld and iptables services
> >>> are running.
> >>
> >> Does the problem go away if you "modprobe nf_conntrack_ftp" as root, and leave firewalld
> >> up?
> > FWIW, /usr/lib/firewalld/services/ftp.xml suggests that enabling ftp via firewalld will
> > also load nf_conntrack_ftp.
> >
> I have found that indeed nf_conntrack_ftp is "enabled" by selecting ftp in firewalld.
> However, that isn't dynamic like opening the ports.  It is loaded on the next reboot.
>

The modprobe nf_conntrack_ftp doesn't output any message or error? Not sure what it is supposed to output.

I did a test from a machine to the server running the vsftp server using ncftp or ncftpls, but in the past have also used ftp with the same results.

With the line disabled everything seems to work, but without it it seems to fail; but in one session, after changing passive mode back, it seemed to continue??

These machines are in the same 192.168.7.x network connected to the same switch? All are running Fedora 24, upgraded via dnf from 23 over the summer. With the 23, never had any issues.

test-iptables results
[msetzerii@d7t ~]$ ncftpls ftp://192.168.7.101/verne.png
verne.png
Test from other machine with line disabled.

[root@d7t sysconfig]# ncftp 192.168.7.101
NcFTP 3.2.5 (Feb 02, 2011) by Mike Gleason (http://www.NcFTP.com/contact/).
Connecting to 192.168.7.101...                                                 
(vsFTPd 3.0.3)
Logging in...                                                                  
Login successful.
Logged in to 192.168.7.101.                                                    
ncftp / > ls verne.png
verne.png
ncftp / > passive
passive                        on
ncftp / > ls verne.png
verne.png
ncftp / > passive
passive                        off
ncftp / > ls verne.png
verne.png
ncftp / >

Reenabled the line in iptables and rebooted server machine
[root@d7t sysconfig]# ncftp 192.168.7.101
NcFTP 3.2.5 (Feb 02, 2011) by Mike Gleason (http://www.NcFTP.com/contact/).
Connecting to 192.168.7.101...                                                 
(vsFTPd 3.0.3)
Logging in...                                                                  
Login successful.
Logged in to 192.168.7.101.                                                    
ncftp / > ls verne.png
connect failed: No route to host.
connect failed: No route to host.
connect failed: No route to host.
List failed.
ncftp / > get verne.png
connect failed: No route to host.
connect failed: No route to host.
connect failed: No route to host.
get verne.png: could not connect data socket.
ncftp / > passive
passive                        off
ncftp / > ls verne.png
verne.png
ncftp / > get verne.png
verne.png:                                               2.81 MB   50.15 MB/s 
ncftp / >
ncftp / > passive
passive                        on
ncftp / > ls verne.png
verne.png
ncftp / > get verne.png
get verne.png: local file appears to be the same as the remote file, download is not necessary.
ncftp / >

As a test, after a reboot with the line enabled, I had 19 machines
attempt to ls the verne.png and all failed with connection error.
I then commented out the line, and stopped, and then started iptables
and all machines had no issues with listing?


The iptables-save listing (line 138 with the ### is bolded)
# Generated by iptables-save v1.4.21 on Sat Oct  1 16:13:53 2016
*security
:INPUT ACCEPT [41:2655]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [47:3628]
:FORWARD_direct - [0:0]
:INPUT_direct - [0:0]
:OUTPUT_direct - [0:0]
-A INPUT -j INPUT_direct
-A FORWARD -j FORWARD_direct
-A OUTPUT -j OUTPUT_direct
COMMIT
# Completed on Sat Oct  1 16:13:53 2016
# Generated by iptables-save v1.4.21 on Sat Oct  1 16:13:53 2016
*nat
:PREROUTING ACCEPT [5:268]
:INPUT ACCEPT [1:60]
:OUTPUT ACCEPT [9:617]
:POSTROUTING ACCEPT [9:617]
:OUTPUT_direct - [0:0]
:POSTROUTING_ZONES - [0:0]
:POSTROUTING_ZONES_SOURCE - [0:0]
:POSTROUTING_direct - [0:0]
:POST_public - [0:0]
:POST_public_allow - [0:0]
:POST_public_deny - [0:0]
:POST_public_log - [0:0]
:PREROUTING_ZONES - [0:0]
:PREROUTING_ZONES_SOURCE - [0:0]
:PREROUTING_direct - [0:0]
:PRE_public - [0:0]
:PRE_public_allow - [0:0]
:PRE_public_deny - [0:0]
:PRE_public_log - [0:0]
-A PREROUTING -j PREROUTING_direct
-A PREROUTING -j PREROUTING_ZONES_SOURCE
-A PREROUTING -j PREROUTING_ZONES
-A OUTPUT -j OUTPUT_direct
-A POSTROUTING -s 192.168.122.0/24 -d 224.0.0.0/24 -j RETURN
-A POSTROUTING -s 192.168.122.0/24 -d 255.255.255.255/32 -j RETURN
-A POSTROUTING -s 192.168.122.0/24 ! -d 192.168.122.0/24 -p tcp -j MASQUERADE --to-ports 1024-65535
-A POSTROUTING -s 192.168.122.0/24 ! -d 192.168.122.0/24 -p udp -j MASQUERADE --to-ports 1024-65535
-A POSTROUTING -s 192.168.122.0/24 ! -d 192.168.122.0/24 -j MASQUERADE
-A POSTROUTING -j POSTROUTING_direct
-A POSTROUTING -j POSTROUTING_ZONES_SOURCE
-A POSTROUTING -j POSTROUTING_ZONES
-A POSTROUTING_ZONES -o enp2s0 -g POST_public
-A POSTROUTING_ZONES -g POST_public
-A POST_public -j POST_public_log
-A POST_public -j POST_public_deny
-A POST_public -j POST_public_allow
-A PREROUTING_ZONES -i enp2s0 -g PRE_public
-A PREROUTING_ZONES -g PRE_public
-A PRE_public -j PRE_public_log
-A PRE_public -j PRE_public_deny
-A PRE_public -j PRE_public_allow
COMMIT
# Completed on Sat Oct  1 16:13:53 2016
# Generated by iptables-save v1.4.21 on Sat Oct  1 16:13:53 2016
*mangle
:PREROUTING ACCEPT [46:2903]
:INPUT ACCEPT [46:2903]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [47:3628]
:POSTROUTING ACCEPT [47:3628]
:FORWARD_direct - [0:0]
:INPUT_direct - [0:0]
:OUTPUT_direct - [0:0]
:POSTROUTING_direct - [0:0]
:PREROUTING_ZONES - [0:0]
:PREROUTING_ZONES_SOURCE - [0:0]
:PREROUTING_direct - [0:0]
:PRE_public - [0:0]
:PRE_public_allow - [0:0]
:PRE_public_deny - [0:0]
:PRE_public_log - [0:0]
-A PREROUTING -j PREROUTING_direct
-A PREROUTING -j PREROUTING_ZONES_SOURCE
-A PREROUTING -j PREROUTING_ZONES
-A INPUT -j INPUT_direct
-A FORWARD -j FORWARD_direct
-A OUTPUT -j OUTPUT_direct
-A POSTROUTING -o virbr0 -p udp -m udp --dport 68 -j CHECKSUM --checksum-fill
-A POSTROUTING -j POSTROUTING_direct
-A PREROUTING_ZONES -i enp2s0 -g PRE_public
-A PREROUTING_ZONES -g PRE_public
-A PRE_public -j PRE_public_log
-A PRE_public -j PRE_public_deny
-A PRE_public -j PRE_public_allow
COMMIT
# Completed on Sat Oct  1 16:13:53 2016
# Generated by iptables-save v1.4.21 on Sat Oct  1 16:13:53 2016
*raw
:PREROUTING ACCEPT [46:2903]
:OUTPUT ACCEPT [47:3628]
:OUTPUT_direct - [0:0]
:PREROUTING_direct - [0:0]
-A PREROUTING -j PREROUTING_direct
-A OUTPUT -j OUTPUT_direct
COMMIT
# Completed on Sat Oct  1 16:13:53 2016
# Generated by iptables-save v1.4.21 on Sat Oct  1 16:13:53 2016
*filter
:INPUT ACCEPT [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [47:3628]
:FORWARD_IN_ZONES - [0:0]
:FORWARD_IN_ZONES_SOURCE - [0:0]
:FORWARD_OUT_ZONES - [0:0]
:FORWARD_OUT_ZONES_SOURCE - [0:0]
:FORWARD_direct - [0:0]
:FWDI_public - [0:0]
:FWDI_public_allow - [0:0]
:FWDI_public_deny - [0:0]
:FWDI_public_log - [0:0]
:FWDO_public - [0:0]
:FWDO_public_allow - [0:0]
:FWDO_public_deny - [0:0]
:FWDO_public_log - [0:0]
:INPUT_ZONES - [0:0]
:INPUT_ZONES_SOURCE - [0:0]
:INPUT_direct - [0:0]
:IN_public - [0:0]
:IN_public_allow - [0:0]
:IN_public_deny - [0:0]
:IN_public_log - [0:0]
:OUTPUT_direct - [0:0]
-A INPUT -i virbr0 -p udp -m udp --dport 53 -j ACCEPT
-A INPUT -i virbr0 -p tcp -m tcp --dport 53 -j ACCEPT
-A INPUT -i virbr0 -p udp -m udp --dport 67 -j ACCEPT
-A INPUT -i virbr0 -p tcp -m tcp --dport 67 -j ACCEPT
-A INPUT -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
-A INPUT -i lo -j ACCEPT
-A INPUT -j INPUT_direct
-A INPUT -j INPUT_ZONES_SOURCE
-A INPUT -j INPUT_ZONES
-A INPUT -m conntrack --ctstate INVALID -j DROP
### -A INPUT -j REJECT --reject-with icmp-host-prohibited
-A FORWARD -d 192.168.122.0/24 -o virbr0 -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
-A FORWARD -s 192.168.122.0/24 -i virbr0 -j ACCEPT
-A FORWARD -i virbr0 -o virbr0 -j ACCEPT
-A FORWARD -o virbr0 -j REJECT --reject-with icmp-port-unreachable
-A FORWARD -i virbr0 -j REJECT --reject-with icmp-port-unreachable
-A FORWARD -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
-A FORWARD -i lo -j ACCEPT
-A FORWARD -j FORWARD_direct
-A FORWARD -j FORWARD_IN_ZONES_SOURCE
-A FORWARD -j FORWARD_IN_ZONES
-A FORWARD -j FORWARD_OUT_ZONES_SOURCE
-A FORWARD -j FORWARD_OUT_ZONES
-A FORWARD -m conntrack --ctstate INVALID -j DROP
-A FORWARD -j REJECT --reject-with icmp-host-prohibited
-A OUTPUT -o virbr0 -p udp -m udp --dport 68 -j ACCEPT
-A OUTPUT -j OUTPUT_direct
-A FORWARD_IN_ZONES -i enp2s0 -g FWDI_public
-A FORWARD_IN_ZONES -g FWDI_public
-A FORWARD_OUT_ZONES -o enp2s0 -g FWDO_public
-A FORWARD_OUT_ZONES -g FWDO_public
-A FWDI_public -j FWDI_public_log
-A FWDI_public -j FWDI_public_deny
-A FWDI_public -j FWDI_public_allow
-A FWDI_public -p icmp -j ACCEPT
-A FWDO_public -j FWDO_public_log
-A FWDO_public -j FWDO_public_deny
-A FWDO_public -j FWDO_public_allow
-A INPUT_ZONES -i enp2s0 -g IN_public
-A INPUT_ZONES -g IN_public
-A IN_public -j IN_public_log
-A IN_public -j IN_public_deny
-A IN_public -j IN_public_allow
-A IN_public -p icmp -j ACCEPT
-A IN_public_allow -p tcp -m tcp --dport 9001 -m conntrack --ctstate NEW -j ACCEPT
-A IN_public_allow -p udp -m udp --dport 20 -m conntrack --ctstate NEW -j ACCEPT
-A IN_public_allow -p udp -m udp --dport 9000 -m conntrack --ctstate NEW -j ACCEPT
-A IN_public_allow -p tcp -m tcp --dport 21 -m conntrack --ctstate NEW -j ACCEPT
-A IN_public_allow -p tcp -m tcp --dport 20 -m conntrack --ctstate NEW -j ACCEPT
-A IN_public_allow -p tcp -m tcp --dport 9000 -m conntrack --ctstate NEW -j ACCEPT
-A IN_public_allow -p udp -m udp --dport 21 -m conntrack --ctstate NEW -j ACCEPT
-A IN_public_allow -p tcp -m tcp --dport 22 -m conntrack --ctstate NEW -j ACCEPT
-A IN_public_allow -p tcp -m tcp --dport 5979 -m conntrack --ctstate NEW -j ACCEPT
-A IN_public_allow -p udp -m udp --dport 9001 -m conntrack --ctstate NEW -j ACCEPT
-A IN_public_allow -p tcp -m tcp --dport 21 -m conntrack --ctstate NEW -j ACCEPT
-A IN_public_allow -p tcp -m tcp --dport 5900:5979 -m conntrack --ctstate NEW -j ACCEPT
-A IN_public_allow -p tcp -m tcp --dport 22 -m conntrack --ctstate NEW -j ACCEPT
-A IN_public_allow -d 224.0.0.251/32 -p udp -m udp --dport 5353 -m conntrack --ctstate NEW -j ACCEPT
COMMIT
# Completed on Sat Oct  1 16:13:53 2016


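As an added illustration (not code from the thread or from the firewalld project), here is a small Python evaluator that walks the INPUT path of the filter table quoted above with simplified iptables semantics. It shows why a passive-mode data connection to a high port (40123 is a constructed value) reaches the final REJECT, whose icmp-host-prohibited is what ncftp reports as "No route to host", unless conntrack has marked the connection RELATED, and why commenting out that REJECT line "works": the chain policy is ACCEPT, so every unmatched port becomes reachable.

```python
# Added example, not from the thread: toy evaluator for the INPUT path of the filter table above
# (models only -i, -p, --dport, --ctstate and -j/-g; not real iptables semantics).
def m(iface=None, proto=None, dport=None, ctstate=None):
    """Match spec; dport is an int or an inclusive (low, high) range."""
    return {"iface": iface, "proto": proto, "dport": dport, "ctstate": ctstate}

def allow(proto, dport):  # one "-A IN_public_allow ... --ctstate NEW -j ACCEPT" line
    return (m(proto=proto, dport=dport, ctstate={"NEW"}), "j", "ACCEPT")

CHAINS = {  # rules as (match, "j" jump / "g" goto, target), in listing order
    "INPUT": [(m(iface="virbr0", proto="udp", dport=53), "j", "ACCEPT"),
              (m(iface="virbr0", proto="udp", dport=67), "j", "ACCEPT"),
              (m(ctstate={"RELATED", "ESTABLISHED"}), "j", "ACCEPT"),
              (m(iface="lo"), "j", "ACCEPT"),
              (m(), "j", "INPUT_direct"), (m(), "j", "INPUT_ZONES_SOURCE"),
              (m(), "j", "INPUT_ZONES"), (m(ctstate={"INVALID"}), "j", "DROP"),
              (m(), "j", "REJECT")],  # the ### line: --reject-with icmp-host-prohibited
    "INPUT_direct": [], "INPUT_ZONES_SOURCE": [], "IN_public_log": [], "IN_public_deny": [],
    "INPUT_ZONES": [(m(iface="enp2s0"), "g", "IN_public"), (m(), "g", "IN_public")],
    "IN_public": [(m(), "j", "IN_public_log"), (m(), "j", "IN_public_deny"),
                  (m(), "j", "IN_public_allow"), (m(proto="icmp"), "j", "ACCEPT")],
    "IN_public_allow": [allow("tcp", 21), allow("tcp", 20), allow("tcp", 22), allow("tcp", 9000),
                        allow("tcp", 9001), allow("tcp", (5900, 5979)), allow("udp", 20),
                        allow("udp", 21), allow("udp", 9000), allow("udp", 9001)],
}
POLICY = "ACCEPT"  # ":INPUT ACCEPT [0:0]": the fate of a packet nothing matched

def matches(rule, pkt):
    if rule["iface"] and rule["iface"] != pkt["iface"]: return False
    if rule["proto"] and rule["proto"] != pkt["proto"]: return False
    if rule["dport"] is not None:
        lo, hi = rule["dport"] if isinstance(rule["dport"], tuple) else (rule["dport"],) * 2
        if not lo <= pkt["dport"] <= hi: return False
    return not rule["ctstate"] or pkt["ctstate"] in rule["ctstate"]

def walk(chain, pkt, reject_line=True):
    """Verdict for pkt in chain, or None when the chain falls through (RETURN)."""
    for match, kind, target in CHAINS[chain]:
        if chain == "INPUT" and target == "REJECT" and not reject_line:
            continue  # the line commented out with ### in the listing
        if not matches(match, pkt): continue
        if target in ("ACCEPT", "DROP", "REJECT"): return target
        v = walk(target, pkt, reject_line)
        if v is not None or kind == "g":  # -g: the target's fall-through returns to our caller
            return v
    return None

def verdict(dport, ctstate, proto="tcp", reject_line=True):
    """Fate of a packet arriving on enp2s0; REJECT is the 'No route to host' ncftp prints."""
    pkt = {"iface": "enp2s0", "proto": proto, "dport": dport, "ctstate": ctstate}
    return walk("INPUT", pkt, reject_line) or POLICY
```

Running `verdict(40123, "NEW")` versus `verdict(40123, "RELATED")` reproduces the passive-on failure and the fix the FTP conntrack helper provides, while `verdict(4444, "NEW", reject_line=False)` shows that removing the REJECT line opens every unlisted port, not just the FTP data ports.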