[FC4/IpTables] vsFTPd configuration

Hello,

I installed and configured the vsFTPd FTP server on my Fedora Core 4 server.

If I disable the firewall, I can connect to it without any problem, but as soon as I enable it I can no longer connect: the server returns a "530 permission denied" error when I connect like this: ftp://ip_serveur/

and a "425 failed to establish connection" error here: ftp://user@ip_serveur.

Let me repeat: with the firewall disabled I have no problem at all!

For reference, here are my iptables rules:

# Generated by iptables-save v1.3.0 on Fri Jul 7 12:49:18 2006
*nat
:OUTPUT ACCEPT [0:0]
:POSTROUTING ACCEPT [0:0]
:PREROUTING ACCEPT [4:720]
COMMIT
# Completed on Fri Jul 7 12:49:18 2006
# Generated by iptables-save v1.3.0 on Fri Jul 7 12:49:18 2006
*mangle
:FORWARD ACCEPT [0:0]
:INPUT ACCEPT [40:5925]
:OUTPUT ACCEPT [44:37728]
:POSTROUTING ACCEPT [44:37728]
:PREROUTING ACCEPT [40:5925]
COMMIT
# Completed on Fri Jul 7 12:49:18 2006
# Generated by iptables-save v1.3.0 on Fri Jul 7 12:49:18 2006
*filter
:FORWARD ACCEPT [0:0]
:INPUT ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
-A FORWARD -o eth0 -j LOG --log-level 7 --log-prefix BANDWIDTH_OUT:
-A FORWARD -i eth0 -j LOG --log-level 7 --log-prefix BANDWIDTH_IN:
-A OUTPUT -o eth0 -j LOG --log-level 7 --log-prefix BANDWIDTH_OUT:
-A INPUT -i lo -j ACCEPT
-A INPUT -p tcp -m tcp --dport 20 -j ACCEPT
-A INPUT -p tcp -m tcp --dport 21 -j ACCEPT
-A INPUT -p tcp -m tcp --dport 22 -j ACCEPT
-A INPUT -p tcp -m tcp --dport 9321 -j ACCEPT
-A INPUT -p tcp -m tcp --dport 9331 -j ACCEPT
-A INPUT -p tcp -m tcp --dport 9441 -j ACCEPT
-A INPUT -p tcp -m tcp --dport 9442 -j ACCEPT
-A INPUT -p tcp -m tcp --dport 443 -j ACCEPT
-A INPUT -p tcp -m tcp --dport 9600 -j ACCEPT
-A INPUT -j DROP
COMMIT
# Completed on Fri Jul 7 12:49:18 2006

and my vsftpd.conf file (even though I don't think the problem comes from there...):

# Allow anonymous FTP? (Beware - allowed by default if you comment this out).
anonymous_enable=NO

listen_port=21

#
# Uncomment this to allow local users to log in.
local_enable=YES
#
# Uncomment this to enable any form of FTP write command.
write_enable=NO
#
# Default umask for local users is 077. You may wish to change this to 022,
# if your users expect that (022 is used by most other ftpd's)
local_umask=022

# Activate logging of uploads/downloads.
xferlog_enable=YES
#
# Make sure PORT transfer connections originate from port 20 (ftp-data).
connect_from_port_20=YES

# You may override where the log file goes if you like. The default is shown
# below.
xferlog_file=/var/log/vsftpd.log
#
# If you want, you can have your log file in standard ftpd xferlog format
xferlog_std_format=YES
#
# You may change the default value for timing out an idle session.
idle_session_timeout=600
#
# You may change the default value for timing out a data connection.
#data_connection_timeout=120
#
# It is recommended that you define on your system a unique user which the
# ftp server can use as a totally isolated and unprivileged user.
#nopriv_user=ftpsecure
#

# By default the server will pretend to allow ASCII mode but in fact ignore
# the request. Turn on the below options to have the server actually do ASCII
# mangling on files when in ASCII mode.
# Beware that turning on ascii_download_enable enables malicious remote parties
# to consume your I/O resources, by issuing the command "SIZE /big/file" in
# ASCII mode.
# These ASCII options are split into upload and download because you may wish
# to enable ASCII uploads (to prevent uploaded scripts etc. from breaking),
# without the DoS risk of SIZE and ASCII downloads. ASCII mangling should be
# on the client anyway..
#ascii_upload_enable=YES
#ascii_download_enable=YES
#
# You may fully customise the login banner string:
ftpd_banner=Welcome to blah FTP service.
#

# You may specify an explicit list of local users to chroot() to their home
# directory. If chroot_local_user is YES, then this list becomes a list of
# users to NOT chroot().
#chroot_list_enable=YES
# (default follows)
#chroot_list_file=/etc/vsftpd/chroot_list
#
# You may activate the "-R" option to the builtin ls. This is disabled by
# default to avoid remote users being able to cause excessive I/O on large
# sites. However, some broken FTP clients such as "ncftp" and "mirror" assume
# the presence of the "-R" option, so there is a strong case for enabling it.
ls_recurse_enable=YES

pam_service_name=vsftpd
userlist_enable=YES
#enable for standalone mode
listen=YES
tcp_wrappers=YES

That's it; if you see anything that shocks you, or a lead to follow, please get me out of this dead end.

Nicolas

Thanks for your reply tuXXX, but I get the same problem with this:

# Generated by iptables-save v1.3.0 on Fri Jul  7 12:49:18 2006
*filter
:FORWARD ACCEPT [0:0]
:INPUT ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
-A FORWARD -o eth0 -j LOG  --log-level 7 --log-prefix BANDWIDTH_OUT:
-A FORWARD -i eth0 -j LOG  --log-level 7 --log-prefix BANDWIDTH_IN:
-A OUTPUT -o eth0 -j LOG  --log-level 7 --log-prefix BANDWIDTH_OUT:
-A INPUT -i lo -j ACCEPT
-A OUTPUT -p tcp -m tcp -m state --sport 21 --state NEW,ESTABLISHED -j ACCEPT
-A INPUT -p tcp -m tcp -m state --dport 21 --state NEW,ESTABLISHED -j ACCEPT
-A INPUT -p tcp -m tcp -m state --dport 20 --state RELATED -j ACCEPT
-A OUTPUT -p tcp -m tcp -m state --sport 20 --state RELATED -j ACCEPT
-A INPUT -p tcp -m tcp --dport 22 -j ACCEPT
-A INPUT -p tcp -m tcp --dport 9321 -j ACCEPT
-A INPUT -p tcp -m tcp --dport 9331 -j ACCEPT
-A INPUT -p tcp -m tcp --dport 9441 -j ACCEPT
-A INPUT -p tcp -m tcp --dport 9442 -j ACCEPT
-A INPUT -p tcp -m tcp --dport 443 -j ACCEPT
-A INPUT -p tcp -m tcp --dport 9600 -j ACCEPT
-A INPUT -j DROP
COMMIT

Do you have another idea, or did I get the syntax wrong?

nico

Hi,

My server isn't behind a router (not that I know of, but it's a dedibox, so I'm not really sure...),

and my client machine is on a VPN behind a Freebox.

Oddly enough, with the configuration I quoted above, if I try to connect to the FTP from my PC, whose address is 192.168.0.3 (on my VPN), I get the problem I described above.

But if I connect from my PDA, which is connected to my network over Wi-Fi (192.168.0.4), everything works fine.

My goal was to get to this: access to my FTP from the PDA.

But I admit I don't understand why I can't connect from a regular machine when it's on the same network as my PDA... strange.

Does anyone have an idea of the why and how?

Nico

Well, in the end I changed my iptables file as follows, and I can now access my FTP from my PDA and from my desktop...

# Generated by iptables-save v1.3.0 on Fri Jul  7 12:49:18 2006
*nat
:OUTPUT ACCEPT [0:0]
:POSTROUTING ACCEPT [0:0]
:PREROUTING ACCEPT [4:720]
COMMIT
# Completed on Fri Jul  7 12:49:18 2006
# Generated by iptables-save v1.3.0 on Fri Jul  7 12:49:18 2006
*mangle
:FORWARD ACCEPT [0:0]
:INPUT ACCEPT [40:5925]
:OUTPUT ACCEPT [44:37728]
:POSTROUTING ACCEPT [44:37728]
:PREROUTING ACCEPT [40:5925]
COMMIT
# Completed on Fri Jul  7 12:49:18 2006
# Generated by iptables-save v1.3.0 on Fri Jul  7 12:49:18 2006
*filter
:FORWARD ACCEPT [0:0]
:INPUT ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
-A FORWARD -o eth0 -j LOG  --log-level 7 --log-prefix BANDWIDTH_OUT:
-A FORWARD -i eth0 -j LOG  --log-level 7 --log-prefix BANDWIDTH_IN:
-A OUTPUT -o eth0 -j LOG  --log-level 7 --log-prefix BANDWIDTH_OUT:
-A INPUT -i lo -j ACCEPT
-A INPUT -i eth0 -m state --state RELATED,ESTABLISHED -j ACCEPT
-A OUTPUT -o eth0 -m state --state RELATED,ESTABLISHED -j ACCEPT
-A FORWARD -i eth0 -m state --state RELATED,ESTABLISHED -j ACCEPT
-A FORWARD -o eth0 -m state --state RELATED,ESTABLISHED -j ACCEPT
-A INPUT -p tcp -m tcp --dport 21 -j ACCEPT
-A INPUT -p tcp -m tcp --dport 22 -j ACCEPT
-A INPUT -p tcp -m tcp --dport 9321 -j ACCEPT
-A INPUT -p tcp -m tcp --dport 9331 -j ACCEPT
-A INPUT -p tcp -m tcp --dport 9441 -j ACCEPT
-A INPUT -p tcp -m tcp --dport 9442 -j ACCEPT
-A INPUT -p tcp -m tcp --dport 443 -j ACCEPT
-A INPUT -p tcp -m tcp --dport 9600 -j ACCEPT
-A INPUT -j DROP
COMMIT
# Completed on Fri Jul  7 12:49:18 2006

Now I'm going to optimise it... Do you see anything that jumps out at you?

Thanks

Nico
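The three rulesets in this thread show the mechanism behind the 425 error. FTP carries its data on a second TCP connection: in passive mode the server listens on an ephemeral port that the client connects to, and in active mode the server connects out from port 20 to a port on the client. With a terminal `-A INPUT -j DROP` and no port-agnostic `-m state --state RELATED,ESTABLISHED -j ACCEPT` ahead of it, the passive data connection is dropped outright, and the inbound half of an active-mode transfer is dropped too, because those packets carry port 20 as their *source* port, so `--dport 20` never matches them. The second attempt fails for the same reason: its `--state` matches are scoped to `--dport 21` and `--dport 20`, so they still do not cover the data connection. The final ruleset works because the generic `RELATED,ESTABLISHED` accept covers it, with one caveat: netfilter only marks FTP data connections as RELATED when the FTP conntrack helper is loaded (`ip_conntrack_ftp` on the 2.6 kernels of the Fedora Core 4 era, `nf_conntrack_ftp` on later kernels). Below is an added example, not code from the thread, that parses the `*filter` table of an `iptables-save` dump and reports these conditions; the sample rulesets are constructed, abridged copies of the ones posted above, and the finding codes are my own names.

```python
"""Added example (not from the thread): lint the *filter table of an iptables-save
dump for the FTP pitfalls discussed above. Finding codes and samples are mine."""
import re
from typing import Dict, List

# Constructed sample: abridged first ruleset (no stateful accept, port 20 opened).
FIRST = """\
*filter
:INPUT ACCEPT [0:0]
-A INPUT -i lo -j ACCEPT
-A INPUT -p tcp -m tcp --dport 20 -j ACCEPT
-A INPUT -p tcp -m tcp --dport 21 -j ACCEPT
-A INPUT -j DROP
COMMIT
"""

# Constructed sample: abridged second attempt (state matches, but port-scoped).
SECOND = """\
*filter
:INPUT ACCEPT [0:0]
-A INPUT -i lo -j ACCEPT
-A INPUT -p tcp -m tcp -m state --dport 21 --state NEW,ESTABLISHED -j ACCEPT
-A INPUT -p tcp -m tcp -m state --dport 20 --state RELATED -j ACCEPT
-A INPUT -j DROP
COMMIT
"""

# Constructed sample: abridged final, working ruleset.
FINAL = """\
*filter
:INPUT ACCEPT [0:0]
-A INPUT -i lo -j ACCEPT
-A INPUT -i eth0 -m state --state RELATED,ESTABLISHED -j ACCEPT
-A INPUT -p tcp -m tcp --dport 21 -j ACCEPT
-A INPUT -j DROP
COMMIT
"""

def parse_filter_table(dump: str) -> Dict[str, List[str]]:
    """Map each chain in the *filter table to its ordered rule bodies."""
    chains: Dict[str, List[str]] = {}
    in_filter = False
    for raw in dump.splitlines():
        line = raw.strip()
        if line.startswith("*"):                 # table header: *nat, *mangle, *filter
            in_filter = line == "*filter"
        elif not in_filter or not line or line[0] == "#" or line == "COMMIT":
            continue
        elif line.startswith(":"):               # chain declaration ":INPUT ACCEPT [0:0]"
            chains.setdefault(line[1:].split()[0], [])
        else:
            m = re.match(r"-A (\S+)\s+(.*)", line)
            if m:
                chains.setdefault(m.group(1), []).append(m.group(2))
    return chains

def states_of(rule: str) -> set:
    """Conntrack states named by a '-m state --state A,B' match, or empty set."""
    m = re.search(r"--state\s+(\S+)", rule)
    return set(m.group(1).split(",")) if m else set()

def unrestricted_tcp_ports(rules: List[str]) -> List[int]:
    """TCP destination ports accepted without any source (-s) restriction."""
    ports = []
    for r in rules:
        m = re.search(r"--dport\s+(\d+)", r)
        if m and "-p tcp" in r and " -s " not in r and r.endswith("-j ACCEPT"):
            ports.append(int(m.group(1)))
    return ports

def audit_input_chain(chains: Dict[str, List[str]]) -> dict:
    """Check the rules that run before INPUT's terminal '-j DROP'."""
    rules = chains.get("INPUT", [])
    drop_at = next((i for i, r in enumerate(rules) if r == "-j DROP"), len(rules))
    live = rules[:drop_at]
    # FTP data connections land on ephemeral ports (PASV) or return from source
    # port 20 (PORT); only a port-agnostic ESTABLISHED/RELATED accept covers them.
    stateful = any(
        "ESTABLISHED" in states_of(r) and "--dport" not in r
        and "--sport" not in r and r.endswith("-j ACCEPT")
        for r in live
    )
    ports = unrestricted_tcp_ports(live)
    findings = []
    if not stateful:
        findings.append("NO_STATEFUL_ACCEPT")
    if 20 in ports:      # active-mode inbound packets have sport 20, not dport 20
        findings.append("FTP_DATA_PORT_RULE")
    if stateful and 21 in ports:   # RELATED needs the ip_conntrack_ftp/nf_conntrack_ftp helper
        findings.append("FTP_HELPER_REQUIRED")
    return {"stateful": stateful, "open_tcp_ports": ports, "findings": findings}

if __name__ == "__main__":
    for name, dump in (("first", FIRST), ("second", SECOND), ("final", FINAL)):
        print(name, audit_input_chain(parse_filter_table(dump)))
```

On the first two rulesets the linter reports `NO_STATEFUL_ACCEPT` (and `FTP_DATA_PORT_RULE`, since the port-20 accept adds an exposed port without helping active mode); on the final one it reports only `FTP_HELPER_REQUIRED`, the check worth doing on the server itself: `lsmod | grep conntrack_ftp` should list the helper, which Fedora loads from the `IPTABLES_MODULES` line of `/etc/sysconfig/iptables-config`. Note that the final ruleset still accepts TCP 21 and 22 from any source address; restricting those with `-s` to the VPN or home network, where the topology allows it, would be the next optimisation.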
