
vsftpd 500 OOPS: cannot change directory:/home/ftp/%user%

Posted: 2012/03/01 17:07:39
by Mitchel
Hello CentOS people! =)

I have 2 problems.

If I try to connect to my FTP server, it can't find the vsftpd server.
If I turn iptables off, it can connect.

This is on my conf:
[code]

# Firewall configuration written by system-config-firewall
# Manual customization of this file is not recommended.
*filter
:INPUT ACCEPT [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
:RH-Firewall-1-INPUT - [0:0]

-A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
-A INPUT -p icmp -j ACCEPT
-A INPUT -i lo -j ACCEPT
-A INPUT -m state --state NEW -m tcp -p tcp --dport 22 -j ACCEPT
-A INPUT -j REJECT --reject-with icmp-host-prohibited
-A FORWARD -j REJECT --reject-with icmp-host-prohibited

#ssh
-A RH-Firewall-1-INPUT -m state --state NEW -m tcp -p tcp --dport 22 -j ACCEPT
#vsftpd
-A RH-Firewall-1-INPUT -m state --state NEW -m tcp -p tcp --dport 21 -j ACCEPT


COMMIT
[/code]
What is wrong with it? (ssh does work)

Now, my second problem:
[code]
Antwoord: 220 (vsFTPd 2.2.2)
Commando: USER wesley
Antwoord: 331 Please specify the password.
Commando: PASS *********
Antwoord: 500 OOPS: cannot change directory:/home/ftp/wesley
Fout: Fatale fout
Fout: Kan niet verbinden met server
[/code]

Just to try the rights:
[code]drwxrwxrwx. 2 wesley ftp-users 4096 Mar 1 15:25 wesley[/code]

I don't know what the rights should be?

[code][root@centos ~]# getsebool -a | grep ftp
allow_ftpd_anon_write --> off
allow_ftpd_full_access --> off
allow_ftpd_use_cifs --> off
allow_ftpd_use_nfs --> off
ftp_home_dir --> on
ftpd_connect_db --> off
httpd_enable_ftp_server --> off
tftp_anon_write --> off
[/code]

If you need more info, please ask =)
I hope you can help me.


Regards Mitchel

Re: vsftpd 500 OOPS: cannot change directory:/home/ftp/%user%

Posted: 2012/03/01 18:13:36
by TrevorH
You have removed the rule from your iptables that did "-j RH-Firewall-1-INPUT" which jumped to that chain of rules. This means that the rules in the RH-Firewall-1-INPUT chain are no longer being used so you either need to reinstate the default jump rule or insert your rules in the INPUT chain instead. The rules you have at present in the RH-Firewall-1-INPUT are now orphaned and you should either remove them or reinstate the jump from the INPUT chain.

For the vsftpd error, you need to look in the logs /var/log/vsftpd.log, /var/log/messages and/or /var/log/secure for clues.
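
The orphaned-chain condition described in the reply above can be checked mechanically. This is an added example, not part of the original post: it parses the filter table from the first post and reports user-defined chains that no `-j`/`-g` from a built-in chain ever reaches, plus the ports accepted only inside them. The function names `parse` and `audit` are hypothetical, and the sketch assumes a single-table ruleset using the short `-j`/`-g` option forms.

```python
import re

# The filter table from the first post in this thread (comment lines dropped).
RULESET = """*filter
:INPUT ACCEPT [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
:RH-Firewall-1-INPUT - [0:0]
-A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
-A INPUT -p icmp -j ACCEPT
-A INPUT -i lo -j ACCEPT
-A INPUT -m state --state NEW -m tcp -p tcp --dport 22 -j ACCEPT
-A INPUT -j REJECT --reject-with icmp-host-prohibited
-A FORWARD -j REJECT --reject-with icmp-host-prohibited
-A RH-Firewall-1-INPUT -m state --state NEW -m tcp -p tcp --dport 22 -j ACCEPT
-A RH-Firewall-1-INPUT -m state --state NEW -m tcp -p tcp --dport 21 -j ACCEPT
COMMIT
"""

def parse(text):
    """Return (builtin chain names, {chain: [(target, dport), ...]})."""
    builtin, rules = set(), {}
    for line in map(str.strip, text.splitlines()):
        if line.startswith(":"):
            name, policy = line[1:].split()[:2]
            rules.setdefault(name, [])
            if policy != "-":  # user-defined chains are declared with policy "-"
                builtin.add(name)
        elif line.startswith("-A "):
            target = re.search(r"\s-[jg]\s+(\S+)", line)
            dport = re.search(r"--dport\s+(\S+)", line)
            rules.setdefault(line.split()[1], []).append(
                (target and target.group(1), dport and dport.group(1)))
    return builtin, rules

def audit(text):
    """Return (orphaned chains, ports accepted only inside orphaned chains)."""
    builtin, rules = parse(text)
    live, stack = set(), list(builtin)
    while stack:  # follow -j/-g targets outward from the built-in chains
        chain = stack.pop()
        if chain not in live:
            live.add(chain)
            stack.extend(t for t, _ in rules[chain] if t in rules)
    def ports(chains):
        return {p for c in chains for t, p in rules[c] if t == "ACCEPT" and p}
    orphaned = sorted(set(rules) - live)
    return orphaned, sorted(ports(orphaned) - ports(live))

print(audit(RULESET))
```

The check covers reachability only: a jump placed after the unconditional REJECT in INPUT would make the chain reachable here while still never matching traffic, so rule order needs a separate look.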

Re: vsftpd 500 OOPS: cannot change directory:/home/ftp/%user%

Posted: 2012/03/03 23:24:39
by Mitchel
[quote]
TrevorH wrote:
You have removed the rule from your iptables that did "-j RH-Firewall-1-INPUT" which jumped to that chain of rules. This means that the rules in the RH-Firewall-1-INPUT chain are no longer being used so you either need to reinstate the default jump rule or insert your rules in the INPUT chain instead. The rules you have at present in the RH-Firewall-1-INPUT are now orphaned and you should either remove them or reinstate the jump from the INPUT chain.

For the vsftpd error, you need to look in the logs /var/log/vsftpd.log, /var/log/messages and/or /var/log/secure for clues.
[/quote]


/var/log/vsftpd.log
[code]empty[/code]


/var/log/messages
[code]
nothing happens if I try to log in
[/code]


/var/log/secure
[code]no problems[/code]



What to do now? o.O

Re: vsftpd 500 OOPS: cannot change directory:/home/ftp/%user%

Posted: 2012/03/04 05:20:56
by pschaff
Have you fixed the firewall rule set?

Re: vsftpd 500 OOPS: cannot change directory:/home/ftp/%user%

Posted: 2012/03/04 12:25:58
by Mitchel
[quote]
pschaff wrote:
Have you fixed the firewall rule set?[/quote]


Yes, I did.

This is the result:
[code]
# Firewall configuration written by system-config-firewall
# Manual customization of this file is not recommended.
*filter
:INPUT ACCEPT [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
:RH-Firewall-1-INPUT - [0:0]

-A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
-A INPUT -p icmp -j ACCEPT
-A INPUT -i lo -j ACCEPT
-A INPUT -m state --state NEW -m tcp -p tcp --dport 22 -j ACCEPT
-A INPUT -m state --state NEW -m tcp -p tcp --dport 21 -j ACCEPT
-A INPUT -j REJECT --reject-with icmp-host-prohibited
-A FORWARD -j REJECT --reject-with icmp-host-prohibited

COMMIT
[/code]

Re: vsftpd 500 OOPS: cannot change directory:/home/ftp/%user%

Posted: 2012/03/04 13:25:27
by TrevorH
Great, so you now have port 21 open. Did you also load the ip_conntrack_ftp module with modprobe? Since you don't also have port 20 open (which is also needed for ftp) you will need to do this - especially if you need to use passive ftp.

Re: vsftpd 500 OOPS: cannot change directory:/home/ftp/%user%

Posted: 2012/03/04 13:34:10
by Mitchel
[quote]
TrevorH wrote:
Great, so you now have port 21 open. Did you also load the ip_conntrack_ftp module with modprobe? Since you don't also have port 20 open (which is also needed for ftp) you will need to do this - especially if you need to use passive ftp.[/quote]

No, I didn't load the ip_conntrack_ftp module with modprobe.
After I fixed iptables, vsftpd works very well, so is it really necessary?

Now I still get the next error:
[code]Antwoord: 220 (vsFTPd 2.2.2)
Commando: USER wesley
Antwoord: 331 Please specify the password.
Commando: PASS *********
Antwoord: 500 OOPS: cannot change directory:/home/ftp/wesley
Fout: Fatale fout
Fout: Kan niet verbinden met server[/code]

Re: vsftpd 500 OOPS: cannot change directory:/home/ftp/%user%

Posted: 2012/03/04 13:51:49
by TrevorH
In my experience with ftp, yes, ip_conntrack_ftp is essential! That doesn't mean that you might not be able to make it work without but those are the two things that I've used to make it work and missing one of them breaks it - 1) open port 21 and 2) modprobe ip_conntrack_ftp.

However, I do not guarantee that this will fix your current problem as that looks more like a permissions problem. To fix that you'll need to find errors in your log files so I suggest that you go back to those now and see if there's anything logged.

Re: vsftpd 500 OOPS: cannot change directory:/home/ftp/%user%

Posted: 2012/03/04 14:38:42
by Mitchel
[quote]
TrevorH wrote:
In my experience with ftp, yes, ip_conntrack_ftp is essential! That doesn't mean that you might not be able to make it work without but those are the two things that I've used to make it work and missing one of them breaks it - 1) open port 21 and 2) modprobe ip_conntrack_ftp.

However, I do not guarantee that this will fix your current problem as that looks more like a permissions problem. To fix that you'll need to find errors in your log files so I suggest that you go back to those now and see if there's anything logged.[/quote]

The logs do not say anything helpful :(

Re: vsftpd 500 OOPS: cannot change directory:/home/ftp/%user%

Posted: 2012/03/04 17:05:18
by TrevorH
Look harder or possibly try to find a way to increase the log level. Whatever is going wrong will be logging somewhere.