On 2 Oct 2016 at 16:14, Ed Greshko wrote:

From:           Ed Greshko <ed.gres...@greshko.com>
Subject:        Re: Problem with firewalld/iptables and ftp access list?
To:             Fedora <users@lists.fedoraproject.org>
Date sent:      Sun, 2 Oct 2016 16:14:48 +0800
Send reply to:  Community support for Fedora users <users@lists.fedoraproject.org>
> On 10/02/16 15:17, Ed Greshko wrote:
> > On 10/02/16 14:51, Gordon Messmer wrote:
> >> On 10/01/2016 04:37 PM, Michael D. Setzer II wrote:
> >>> I can connect to ftp server but the listing fails if firewalld and
> >>> iptables services are running.
> >>
> >> Does the problem go away if you "modprobe nf_conntrack_ftp" as root, and
> >> leave firewalld up?
> >
> > FWIW, /usr/lib/firewalld/services/ftp.xml suggests that enabling ftp via
> > firewalld will also load nf_conntrack_ftp.
>
> I have found that indeed nf_conntrack_ftp is "enabled" by selecting ftp in
> firewalld. However, that isn't dynamic like opening the ports. It is loaded
> on the next reboot.

The modprobe nf_conntrack_ftp doesn't output any message or error? Not sure
what it is supposed to output.

I did a test from a machine to the server running the vsftp server and using
ncftp or ncftpls, but in the past have also used ftp with the same results.
With the line disabled everything seems to work, but without it seems to fail,
but in one session, after changing passive mode back, it seemed to continue??
These machines are in the same 192.168.7.x network connected to the same
switch? All are running Fedora 24, upgraded via dnf from 23 over the summer.
With the 23, never had any issues.

test-iptables results

[msetzerii@d7t ~]$ ncftpls ftp://192.168.7.101/verne.png
verne.png

Test from other machine with line disabled.

[root@d7t sysconfig]# ncftp 192.168.7.101
NcFTP 3.2.5 (Feb 02, 2011) by Mike Gleason (http://www.NcFTP.com/contact/).
Connecting to 192.168.7.101...
(vsFTPd 3.0.3)
Logging in...
Login successful.
Logged in to 192.168.7.101.
ncftp / > ls verne.png
verne.png
ncftp / > passive
passive on
ncftp / > ls verne.png
verne.png
ncftp / > passive
passive off
ncftp / > ls verne.png
verne.png
ncftp / >

Reenabled the line in iptables and rebooted server machine

[root@d7t sysconfig]# ncftp 192.168.7.101
NcFTP 3.2.5 (Feb 02, 2011) by Mike Gleason (http://www.NcFTP.com/contact/).
Connecting to 192.168.7.101...
(vsFTPd 3.0.3)
Logging in...
Login successful.
Logged in to 192.168.7.101.
ncftp / > ls verne.png
connect failed: No route to host.
connect failed: No route to host.
connect failed: No route to host.
List failed.
ncftp / > get verne.png
connect failed: No route to host.
connect failed: No route to host.
connect failed: No route to host.
get verne.png: could not connect data socket.
ncftp / > passive
passive off
ncftp / > ls verne.png
verne.png
ncftp / > get verne.png
verne.png: 2.81 MB 50.15 MB/s
ncftp / >
ncftp / > passive
passive on
ncftp / > ls verne.png
verne.png
ncftp / > get verne.png
get verne.png: local file appears to be the same as the remote file, download is not necessary.
ncftp / >

As a test, after a reboot with the line enabled, I had 19 machines attempt to
ls the verne.png and all failed with connection error. I then commented out
the line, and stopped, and then started iptables and all machines had no
issues with listing?

The iptables-save listing (line 138 with the ### is bolded)

# Generated by iptables-save v1.4.21 on Sat Oct 1 16:13:53 2016
*security
:INPUT ACCEPT [41:2655]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [47:3628]
:FORWARD_direct - [0:0]
:INPUT_direct - [0:0]
:OUTPUT_direct - [0:0]
-A INPUT -j INPUT_direct
-A FORWARD -j FORWARD_direct
-A OUTPUT -j OUTPUT_direct
COMMIT
# Completed on Sat Oct 1 16:13:53 2016
# Generated by iptables-save v1.4.21 on Sat Oct 1 16:13:53 2016
*nat
:PREROUTING ACCEPT [5:268]
:INPUT ACCEPT [1:60]
:OUTPUT ACCEPT [9:617]
:POSTROUTING ACCEPT [9:617]
:OUTPUT_direct - [0:0]
:POSTROUTING_ZONES - [0:0]
:POSTROUTING_ZONES_SOURCE - [0:0]
:POSTROUTING_direct - [0:0]
:POST_public - [0:0]
:POST_public_allow - [0:0]
:POST_public_deny - [0:0]
:POST_public_log - [0:0]
:PREROUTING_ZONES - [0:0]
:PREROUTING_ZONES_SOURCE - [0:0]
:PREROUTING_direct - [0:0]
:PRE_public - [0:0]
:PRE_public_allow - [0:0]
:PRE_public_deny - [0:0]
:PRE_public_log - [0:0]
-A PREROUTING -j PREROUTING_direct
-A PREROUTING -j PREROUTING_ZONES_SOURCE
-A PREROUTING -j PREROUTING_ZONES
-A OUTPUT -j OUTPUT_direct
-A POSTROUTING -s 192.168.122.0/24 -d 224.0.0.0/24 -j RETURN
-A POSTROUTING -s 192.168.122.0/24 -d 255.255.255.255/32 -j RETURN
-A POSTROUTING -s 192.168.122.0/24 ! -d 192.168.122.0/24 -p tcp -j MASQUERADE --to-ports 1024-65535
-A POSTROUTING -s 192.168.122.0/24 ! -d 192.168.122.0/24 -p udp -j MASQUERADE --to-ports 1024-65535
-A POSTROUTING -s 192.168.122.0/24 ! -d 192.168.122.0/24 -j MASQUERADE
-A POSTROUTING -j POSTROUTING_direct
-A POSTROUTING -j POSTROUTING_ZONES_SOURCE
-A POSTROUTING -j POSTROUTING_ZONES
-A POSTROUTING_ZONES -o enp2s0 -g POST_public
-A POSTROUTING_ZONES -g POST_public
-A POST_public -j POST_public_log
-A POST_public -j POST_public_deny
-A POST_public -j POST_public_allow
-A PREROUTING_ZONES -i enp2s0 -g PRE_public
-A PREROUTING_ZONES -g PRE_public
-A PRE_public -j PRE_public_log
-A PRE_public -j PRE_public_deny
-A PRE_public -j PRE_public_allow
COMMIT
# Completed on Sat Oct 1 16:13:53 2016
# Generated by iptables-save v1.4.21 on Sat Oct 1 16:13:53 2016
*mangle
:PREROUTING ACCEPT [46:2903]
:INPUT ACCEPT [46:2903]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [47:3628]
:POSTROUTING ACCEPT [47:3628]
:FORWARD_direct - [0:0]
:INPUT_direct - [0:0]
:OUTPUT_direct - [0:0]
:POSTROUTING_direct - [0:0]
:PREROUTING_ZONES - [0:0]
:PREROUTING_ZONES_SOURCE - [0:0]
:PREROUTING_direct - [0:0]
:PRE_public - [0:0]
:PRE_public_allow - [0:0]
:PRE_public_deny - [0:0]
:PRE_public_log - [0:0]
-A PREROUTING -j PREROUTING_direct
-A PREROUTING -j PREROUTING_ZONES_SOURCE
-A PREROUTING -j PREROUTING_ZONES
-A INPUT -j INPUT_direct
-A FORWARD -j FORWARD_direct
-A OUTPUT -j OUTPUT_direct
-A POSTROUTING -o virbr0 -p udp -m udp --dport 68 -j CHECKSUM --checksum-fill
-A POSTROUTING -j POSTROUTING_direct
-A PREROUTING_ZONES -i enp2s0 -g PRE_public
-A PREROUTING_ZONES -g PRE_public
-A PRE_public -j PRE_public_log
-A PRE_public -j PRE_public_deny
-A PRE_public -j PRE_public_allow
COMMIT
# Completed on Sat Oct 1 16:13:53 2016
# Generated by iptables-save v1.4.21 on Sat Oct 1 16:13:53 2016
*raw
:PREROUTING ACCEPT [46:2903]
:OUTPUT ACCEPT [47:3628]
:OUTPUT_direct - [0:0]
:PREROUTING_direct - [0:0]
-A PREROUTING -j PREROUTING_direct
-A OUTPUT -j OUTPUT_direct
COMMIT
# Completed on Sat Oct 1 16:13:53 2016
# Generated by iptables-save v1.4.21 on Sat Oct 1 16:13:53 2016
*filter
:INPUT ACCEPT [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [47:3628]
:FORWARD_IN_ZONES - [0:0]
:FORWARD_IN_ZONES_SOURCE - [0:0]
:FORWARD_OUT_ZONES - [0:0]
:FORWARD_OUT_ZONES_SOURCE - [0:0]
:FORWARD_direct - [0:0]
:FWDI_public - [0:0]
:FWDI_public_allow - [0:0]
:FWDI_public_deny - [0:0]
:FWDI_public_log - [0:0]
:FWDO_public - [0:0]
:FWDO_public_allow - [0:0]
:FWDO_public_deny - [0:0]
:FWDO_public_log - [0:0]
:INPUT_ZONES - [0:0]
:INPUT_ZONES_SOURCE - [0:0]
:INPUT_direct - [0:0]
:IN_public - [0:0]
:IN_public_allow - [0:0]
:IN_public_deny - [0:0]
:IN_public_log - [0:0]
:OUTPUT_direct - [0:0]
-A INPUT -i virbr0 -p udp -m udp --dport 53 -j ACCEPT
-A INPUT -i virbr0 -p tcp -m tcp --dport 53 -j ACCEPT
-A INPUT -i virbr0 -p udp -m udp --dport 67 -j ACCEPT
-A INPUT -i virbr0 -p tcp -m tcp --dport 67 -j ACCEPT
-A INPUT -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
-A INPUT -i lo -j ACCEPT
-A INPUT -j INPUT_direct
-A INPUT -j INPUT_ZONES_SOURCE
-A INPUT -j INPUT_ZONES
-A INPUT -m conntrack --ctstate INVALID -j DROP
### -A INPUT -j REJECT --reject-with icmp-host-prohibited
-A FORWARD -d 192.168.122.0/24 -o virbr0 -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
-A FORWARD -s 192.168.122.0/24 -i virbr0 -j ACCEPT
-A FORWARD -i virbr0 -o virbr0 -j ACCEPT
-A FORWARD -o virbr0 -j REJECT --reject-with icmp-port-unreachable
-A FORWARD -i virbr0 -j REJECT --reject-with icmp-port-unreachable
-A FORWARD -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
-A FORWARD -i lo -j ACCEPT
-A FORWARD -j FORWARD_direct
-A FORWARD -j FORWARD_IN_ZONES_SOURCE
-A FORWARD -j FORWARD_IN_ZONES
-A FORWARD -j FORWARD_OUT_ZONES_SOURCE
-A FORWARD -j FORWARD_OUT_ZONES
-A FORWARD -m conntrack --ctstate INVALID -j DROP
-A FORWARD -j REJECT --reject-with icmp-host-prohibited
-A OUTPUT -o virbr0 -p udp -m udp --dport 68 -j ACCEPT
-A OUTPUT -j OUTPUT_direct
-A FORWARD_IN_ZONES -i enp2s0 -g FWDI_public
-A FORWARD_IN_ZONES -g FWDI_public
-A FORWARD_OUT_ZONES -o enp2s0 -g FWDO_public
-A FORWARD_OUT_ZONES -g FWDO_public
-A FWDI_public -j FWDI_public_log
-A FWDI_public -j FWDI_public_deny
-A FWDI_public -j FWDI_public_allow
-A FWDI_public -p icmp -j ACCEPT
-A FWDO_public -j FWDO_public_log
-A FWDO_public -j FWDO_public_deny
-A FWDO_public -j FWDO_public_allow
-A INPUT_ZONES -i enp2s0 -g IN_public
-A INPUT_ZONES -g IN_public
-A IN_public -j IN_public_log
-A IN_public -j IN_public_deny
-A IN_public -j IN_public_allow
-A IN_public -p icmp -j ACCEPT
-A IN_public_allow -p tcp -m tcp --dport 9001 -m conntrack --ctstate NEW -j ACCEPT
-A IN_public_allow -p udp -m udp --dport 20 -m conntrack --ctstate NEW -j ACCEPT
-A IN_public_allow -p udp -m udp --dport 9000 -m conntrack --ctstate NEW -j ACCEPT
-A IN_public_allow -p tcp -m tcp --dport 21 -m conntrack --ctstate NEW -j ACCEPT
-A IN_public_allow -p tcp -m tcp --dport 20 -m conntrack --ctstate NEW -j ACCEPT
-A IN_public_allow -p tcp -m tcp --dport 9000 -m conntrack --ctstate NEW -j ACCEPT
-A IN_public_allow -p udp -m udp --dport 21 -m conntrack --ctstate NEW -j ACCEPT
-A IN_public_allow -p tcp -m tcp --dport 22 -m conntrack --ctstate NEW -j ACCEPT
-A IN_public_allow -p tcp -m tcp --dport 5979 -m conntrack --ctstate NEW -j ACCEPT
-A IN_public_allow -p udp -m udp --dport 9001 -m conntrack --ctstate NEW -j ACCEPT
-A IN_public_allow -p tcp -m tcp --dport 21 -m conntrack --ctstate NEW -j ACCEPT
-A IN_public_allow -p tcp -m tcp --dport 5900:5979 -m conntrack --ctstate NEW -j ACCEPT
-A IN_public_allow -p tcp -m tcp --dport 22 -m conntrack --ctstate NEW -j ACCEPT
-A IN_public_allow -d 224.0.0.251/32 -p udp -m udp --dport 5353 -m conntrack --ctstate NEW -j ACCEPT
COMMIT
# Completed on Sat Oct 1 16:13:53 2016

> --
> You're Welcome Zachary Quinto
_______________________________________________
users mailing list -- users@lists.fedoraproject.org
To unsubscribe send an email to users-le...@lists.fedoraproject.org
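The behaviour in the thread follows directly from how the INPUT chain above is walked. In passive mode the client opens a second TCP connection to a high port the server announces; with nf_conntrack_ftp attached that connection is classified RELATED and hits the early `--ctstate RELATED,ESTABLISHED -j ACCEPT` rule, without the helper it is NEW, matches nothing in IN_public_allow and falls to the final `-j REJECT`. Commenting that line out "fixes" the listing only because the chain then falls through to the INPUT policy ACCEPT, which is to say every unmatched port on the box is now open. The following script is an added example written for this page, not code from the thread, firewalld or iptables: a deliberately small evaluator for iptables-save output that models only `-i`, `-p`, `--dport` and `--ctstate` (plus `-j`/`-g` chain traversal) and runs it over a constructed excerpt of the poster's filter table. The data port 40123 is a constructed value standing in for whatever vsftpd announces.

```python
import shlex

# Constructed excerpt of the filter table from the thread's iptables-save
# listing, limited to the INPUT path. The "### " prefix is the poster's marker
# for the rule that was commented out, not iptables syntax.
SAMPLE_FILTER = """\
*filter
:INPUT ACCEPT [0:0]
-A INPUT -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
-A INPUT -i lo -j ACCEPT
-A INPUT -j INPUT_direct
-A INPUT -j INPUT_ZONES_SOURCE
-A INPUT -j INPUT_ZONES
-A INPUT -m conntrack --ctstate INVALID -j DROP
### -A INPUT -j REJECT --reject-with icmp-host-prohibited
-A INPUT_ZONES -i enp2s0 -g IN_public
-A INPUT_ZONES -g IN_public
-A IN_public -j IN_public_log
-A IN_public -j IN_public_deny
-A IN_public -j IN_public_allow
-A IN_public -p icmp -j ACCEPT
-A IN_public_allow -p tcp -m tcp --dport 21 -m conntrack --ctstate NEW -j ACCEPT
-A IN_public_allow -p tcp -m tcp --dport 20 -m conntrack --ctstate NEW -j ACCEPT
-A IN_public_allow -p tcp -m tcp --dport 22 -m conntrack --ctstate NEW -j ACCEPT
-A IN_public_allow -p tcp -m tcp --dport 5900:5979 -m conntrack --ctstate NEW -j ACCEPT
COMMIT
"""

TERMINAL = {"ACCEPT", "DROP", "REJECT"}


def parse_iptables_save(text, reject_line_enabled=True):
    """Return (policies, chains) from iptables-save text.

    reject_line_enabled=True treats the '### ' marked rule as active (the state
    after reboot); False skips it, reproducing the poster's commented-out state.
    Only the handful of options used on the INPUT path are understood; anything
    else raises so the model never silently ignores a match.
    """
    policies, chains = {}, {}
    for line in text.splitlines():
        line = line.strip()
        if line.startswith("### "):
            if not reject_line_enabled:
                continue
            line = line[4:]
        if not line or line[0] in "#*" or line == "COMMIT":
            continue
        if line.startswith(":"):                     # ":CHAIN POLICY [pkts:bytes]"
            name, policy = line[1:].split()[:2]
            chains.setdefault(name, [])
            if policy != "-":
                policies[name] = policy
            continue
        toks = shlex.split(line)
        if toks[0] != "-A":
            continue
        rule, i = {"target": None, "goto": False}, 2
        while i < len(toks):
            t = toks[i]
            if t == "-i":
                rule["iface"] = toks[i + 1]
            elif t == "-p":
                rule["proto"] = toks[i + 1]
            elif t == "--dport":                     # "21" or "5900:5979"
                lo, _, hi = toks[i + 1].partition(":")
                rule["dport"] = (int(lo), int(hi or lo))
            elif t == "--ctstate":
                rule["ctstate"] = set(toks[i + 1].split(","))
            elif t in ("-j", "-g"):
                rule["target"], rule["goto"] = toks[i + 1], (t == "-g")
            elif t not in ("-m", "-s", "-d", "-o", "--reject-with"):
                raise ValueError(f"unsupported option {t!r} in: {line}")
            i += 2                                   # every option above takes one argument
        chains.setdefault(toks[1], []).append(rule)
    return policies, chains


def _matches(rule, pkt):
    if "iface" in rule and rule["iface"] != pkt["iface"]:
        return False
    if "proto" in rule and rule["proto"] != pkt["proto"]:
        return False
    if "dport" in rule and not rule["dport"][0] <= pkt["dport"] <= rule["dport"][1]:
        return False
    if "ctstate" in rule and pkt["ctstate"] not in rule["ctstate"]:
        return False
    return True


def _run_chain(chains, name, pkt):
    """Walk one chain; a terminal verdict, or None when the chain falls through."""
    for rule in chains.get(name, []):
        if not _matches(rule, pkt):
            continue
        target = rule["target"]
        if target in TERMINAL:
            return target
        if target == "RETURN":
            return None
        verdict = _run_chain(chains, target, pkt)
        if verdict is not None:
            return verdict
        if rule["goto"]:   # -g: fall-through of the target returns to OUR caller
            return None
    return None


def verdict(policies, chains, pkt, chain="INPUT"):
    return _run_chain(chains, chain, pkt) or policies[chain]


def passive_data_verdict(helper_loaded, reject_line_enabled=True, data_port=40123):
    """Fate of the client's connection to the announced passive data port.

    With nf_conntrack_ftp attached conntrack marks it RELATED; without it the
    kernel sees an unrelated NEW connection to a high port.
    """
    policies, chains = parse_iptables_save(SAMPLE_FILTER, reject_line_enabled)
    pkt = {"iface": "enp2s0", "proto": "tcp", "dport": data_port,
           "ctstate": "RELATED" if helper_loaded else "NEW"}
    return verdict(policies, chains, pkt)


if __name__ == "__main__":
    for helper, line in [(True, True), (False, True), (False, False)]:
        print(f"helper={helper!s:5} reject_line={line!s:5} ->",
              passive_data_verdict(helper, line))
```

The three cases the script prints are the three states in the thread: helper attached and REJECT rule present (listing works, firewall intact), helper missing and REJECT present (data connection refused, which ncftp reports as "No route to host" because of the icmp-host-prohibited reject), and REJECT commented out (listing works, but only because nothing is rejected any more). The durable fix is to get the helper attached rather than to remove the rule. One caveat worth knowing when reproducing this on a newer kernel: from Linux 4.7 on, loading nf_conntrack_ftp is not by itself sufficient, since automatic helper assignment is disabled by default (`net.netfilter.nf_conntrack_helper = 0`) and the helper has to be bound to the control connection with a CT target rule in the raw table; later firewalld releases take care of that for the ftp service.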