iptables-connection-tracking-vsftpd
COMMON ERRORS IN VSFTPD

FIRST - FIREWALLS AREN'T ALLOWING PORTS 20 AND 21 (FTP) THROUGH
SECOND - PASSIVE PORTS AREN'T ALLOWED...
BETTER YET, the netbios conntrack helper was on by default, so we add the FTP connection-tracking modules (these are what handle passive-mode data connections)... if we use the system-config-securitylevel-tui built into CentOS it produces the following:

DEFAULT /etc/sysconfig/iptables-config:
IPTABLES_MODULES="ip_conntrack_netbios_ns"

NEW /etc/sysconfig/iptables-config (the second form also loads the NAT helper, needed if the server is behind NAT):
IPTABLES_MODULES="ip_conntrack_netbios_ns ip_conntrack_ftp"
IPTABLES_MODULES="ip_nat_ftp ip_conntrack_ftp ip_conntrack_netbios_ns"
Loading necessary modules (MAY NOT BE NECESSARY if they are already listed in IPTABLES_MODULES):
/sbin/modprobe ip_conntrack_ftp
/sbin/modprobe ip_nat_ftp

Opening ports 50021 50022 50080:
${IPTABLES} -A INPUT -i eth0 -p tcp --dport 50021 -m state --state NEW,ESTABLISHED -j ACCEPT
${IPTABLES} -A INPUT -i eth0 -p tcp --dport 50022 -m state --state NEW,ESTABLISHED -j ACCEPT
${IPTABLES} -A INPUT -i eth0 -p tcp --dport 50080 -m state --state NEW,ESTABLISHED -j ACCEPT

Setting rules for connection tracking:
${IPTABLES} -A OUTPUT -p tcp -m state --state NEW,ESTABLISHED -j ACCEPT
${IPTABLES} -A INPUT -p tcp -m state --state ESTABLISHED,RELATED -j ACCEPT
You are using a different control port, and ip_conntrack_ftp does not know that. It still monitors port 21 only, blissfully unaware of anything else around it, so the data connections it should mark RELATED are never recognised.
Use the following to tell the helper module on which port(s) your FTP control connection will take place (the module still needs the original FTP port, so list both):
modprobe ip_conntrack_ftp ports=21,50021
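To see why the helper has to be told about the nonstandard control port, here is an added Python model of what ip_conntrack_ftp does; it is illustrative code written for these notes, not the kernel module's source. The real helper reads the FTP control channel, parses PASV replies and PORT commands, and registers an "expectation" so the matching data connection is classified RELATED; it only inspects control sessions whose server port is in its ports= list (21 by default). The control-channel lines below are constructed samples, and 50021 is assumed to be the vsftpd control port from the rules above.

```python
# Added illustration: a simplified model of the ip_conntrack_ftp helper.
# It is NOT the kernel module's code.  The real helper watches the FTP control
# channel, parses PASV replies / PORT commands, and registers an "expectation"
# so the matching data connection is classified RELATED.  It only inspects
# control sessions whose server port is in its "ports=" list (default 21).
import re

# Constructed sample control-channel lines (not captured from a real server).
PASV_REPLY = "227 Entering Passive Mode (192,168,1,10,195,117)"
PORT_CMD = "PORT 192,168,1,50,4,210"

# Assumed local setup: the firewall opens 50021 for vsftpd (taken from the
# notes above) but the helper is loaded with its default port list.
FIREWALL_OPEN_FTP_PORTS = [21, 50021]
HELPER_DEFAULT_PORTS = [21]

_PASV_RE = re.compile(r"^227 .*?\((\d+),(\d+),(\d+),(\d+),(\d+),(\d+)\)")
_PORT_RE = re.compile(r"^PORT (\d+),(\d+),(\d+),(\d+),(\d+),(\d+)\s*$")


def _decode(match):
    """Turn the six comma-separated FTP numbers into (ip, port)."""
    a, b, c, d, p1, p2 = (int(x) for x in match.groups())
    return f"{a}.{b}.{c}.{d}", p1 * 256 + p2


def parse_pasv(line):
    """Passive mode: the server tells the client where to connect for data."""
    m = _PASV_RE.match(line)
    return _decode(m) if m else None


def parse_port(line):
    """Active mode: the client tells the server where to connect (from port 20)."""
    m = _PORT_RE.match(line)
    return _decode(m) if m else None


def helper_expectation(helper_ports, control_dport, line):
    """Return the (ip, port) endpoint the helper would register as an expected
    data connection, or None if the control session is not one it inspects."""
    if control_dport not in helper_ports:
        return None  # helper never sees this session: no expectation, no RELATED
    return parse_pasv(line) or parse_port(line)


def data_connection_is_related(helper_ports, control_dport, line, data_ip, data_port):
    """Would the ESTABLISHED,RELATED rule accept this data connection?"""
    return helper_expectation(helper_ports, control_dport, line) == (data_ip, data_port)


def unwatched_control_ports(open_ports, helper_ports):
    """Control ports the firewall opens for FTP that the helper never inspects:
    the exact misconfiguration behind 'passive ports aren't allowed'."""
    return sorted(set(open_ports) - set(helper_ports))


if __name__ == "__main__":
    srv_ip, srv_port = parse_pasv(PASV_REPLY)
    for ports in (HELPER_DEFAULT_PORTS, HELPER_DEFAULT_PORTS + [50021]):
        ok = data_connection_is_related(ports, 50021, PASV_REPLY, srv_ip, srv_port)
        print(f"helper ports={ports}: passive data to {srv_ip}:{srv_port} "
              f"{'RELATED (accepted)' if ok else 'NEW (dropped)'}")
    print("unwatched:", unwatched_control_ports(FIREWALL_OPEN_FTP_PORTS, HELPER_DEFAULT_PORTS))
```

With the default port list the passive data connection to 192.168.1.10:50037 never gets an expectation, so the ESTABLISHED,RELATED rule does not match it and it is treated as NEW and dropped; with ports=21,50021 it is accepted. The model ignores direction and source checks the real helper performs. Note that a module parameter is only read at load time, so after changing the ports= value the module has to be unloaded and loaded again (or the box rebooted) before the new list takes effect.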
THIRD - secure_chroot_dir: /var/run/vsftpd doesn't exist

FOURTH - 500 OOPS: cannot change directory: /home/andmin
SELINUX must be set to PERMISSIVE (/etc/sysconfig/selinux: SELINUX=permissive)

FIFTH - IPTABLES and
service iptables start
connrate (patch?)
This adds a "--connrate min:max" match that matches when a connection (managed by the conntrack module) is transferring within that byte-rate range. An optional "!" before the range inverts the sense of the match. You could, for example, start dropping packets if a particular connection is above a certain rate.
time (patch)
Match based on a time of day and/or day of week. At one point Evelyn wanted me to set up a block against news and blog sites for her during business hours, to prevent the temptation. "iptables -I OUTPUT -m time --timestart 09:00 --timestop 17:00 --days Mon,Tue,Wed,Thu,Fri -d news.google.com -j REJECT".
Could also be used to shut down a customer on a particular date: "iptables -I FORWARD -s 10.1.2.3 -m time --datestart 2005:08:29:00:00:00 -j REJECT", shuts down a customer at midnight on August 29, 2005.