Posts Tagged ‘CentOS’

Passive Mode FTP with iptables

There’s a lot of advice on the net about how to set up a server with iptables to allow passive mode FTP. Below is the approach we’ve found most effective.

Start by configuring your FTP daemon to use a fixed range of passive ports. We use 49152 to 65534, which sits inside the IANA dynamic/private range (49152 to 65535), so it can never collide with a registered service. A narrower range (a few hundred ports, sized to the number of concurrent transfers you expect) works just as well and limits what is exposed if you ever have to open the range explicitly. The exact config depends on which FTP software you’re using:

vsftpd

Edit /etc/vsftpd/vsftpd.conf and add the following lines:

pasv_min_port=49152
pasv_max_port=65534

proftpd

Edit /etc/proftpd.conf and add to the Global section:

<Global>
    ...
    PassivePorts 49152 65534
    ...
</Global>

Now restart your FTP service so the changes take effect.

Next you’ll need the FTP connection-tracking helper loaded. On Red Hat/CentOS just edit /etc/sysconfig/iptables-config and add “ip_conntrack_ftp” to IPTABLES_MODULES like this:

IPTABLES_MODULES="ip_conntrack_ftp"

On current kernels the module is actually called nf_conntrack_ftp; ip_conntrack_ftp is kept as an alias, which is why either name loads the module that appears in the lsmod output further down. The helper watches the cleartext control channel on port 21, reads the port announced in each PASV reply and marks the data connection that follows as RELATED, so the firewall never has to open the passive range itself.

Next edit /etc/sysconfig/iptables and add a rule accepting new connections to TCP port 21, the FTP control channel. The new line is the --dport 21 rule below. No rule opens the passive range: the ESTABLISHED,RELATED rule already at the top of the chain admits the data connections once the helper has marked them RELATED.

*filter
:INPUT ACCEPT [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
-A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
-A INPUT -p icmp -j ACCEPT
-A INPUT -i lo -j ACCEPT
# new: FTP control channel; passive data connections are admitted as RELATED above
-A INPUT -m state --state NEW -m tcp -p tcp --dport 21 -j ACCEPT
-A INPUT -m state --state NEW -m tcp -p tcp --dport 22 -j ACCEPT
-A INPUT -m state --state NEW -m tcp -p tcp --dport 80 -j ACCEPT
-A INPUT -j REJECT --reject-with icmp-host-prohibited
-A FORWARD -j REJECT --reject-with icmp-host-prohibited
COMMIT

Now restart the iptables service:

/sbin/service iptables restart

You can verify that the helper module is loaded (lsmod shows modules, not port ranges; the range lives in the FTP daemon’s config) like this:

lsmod | grep conntrack_ftp

and you’ll get something like this:

nf_conntrack_ftp       12913  0
nf_conntrack           79645  4 nf_conntrack_ftp,nf_conntrack_ipv4,nf_conntrack_ipv6,xt_state

And that’s all it takes to get passive mode FTP working behind iptables. Two caveats: the helper only works when it can read the control channel, so with FTPS (FTP over TLS) the PASV exchange is encrypted and you have to open the passive range explicitly instead; and on kernels 4.7 and later automatic helper assignment is disabled by default, so loading the module is not enough and you must bind the helper to port 21 with a raw-table rule (iptables -t raw -A PREROUTING -p tcp --dport 21 -j CT --helper ftp). Plain FTP also sends credentials and data in the clear; where you can, prefer SFTP over the SSH port you already allow.

P.S.: If the server sits behind a separate NAT device that also runs iptables, that device needs the NAT helper as well (nf_nat_ftp, alias ip_nat_ftp) so that the address in the PASV reply is rewritten to the public one; without it, clients are told to connect to the server’s private address.


FTP automation on Linux

Ever wanted FTP backups, with automation to copy important files off-site during off-peak hours? I always love automation, so machines can do things automatically and help humans 🙂


Mount point busy or already mounted error – CentOS

Recently my server’s HDD died. The data center installed a new HDD and kept the original as a secondary disk so that I could copy the data back to the new one.

I tried to mount the old disk the normal way, but got this error:

[root@server78 ~]# fdisk -l /dev/hda

Disk /dev/hda: 160.0 GB, 160041885696 bytes
255 heads, 63 sectors/track, 19457 cylinders
Units = cylinders of 16065 * 512 = 8225280 bytes

   Device Boot      Start         End      Blocks   Id  System
/dev/hda1   *           1          13      104391   83  Linux
/dev/hda2              14       19457   156183930   8e  Linux LVM

[root@server78 ~]# mount /dev/hda2 /tmp/mnt
mount: /dev/hda2 already mounted or /tmp/mnt busy

The old drive uses LVM: the partition type 8e in the fdisk output says /dev/hda2 is a physical volume, not an ext3 filesystem, so mounting it directly fails with that misleading “already mounted or busy” message. Below is what I did.

First confirm that the old disk really is an LVM physical volume and find out which volume group it belongs to:

[root@server78 ~]# pvs
PV         VG         Fmt  Attr PSize   PFree
/dev/hda2  VolGroup01 lvm2 a-   148.94G 32.00M
/dev/hdb2  VolGroup00 lvm2 a-   114.94G 96.00M

So the old disk’s volume group is VolGroup01 (the running system lives in VolGroup00 on /dev/hdb2). If the group is not active yet, activate it with vgchange -ay VolGroup01, list its logical volumes with lvs, then mount the root volume:

[root@server78 ~]# mount /dev/VolGroup01/LogVol00 /mnt

Had both disks come from the same default install, both groups would have been called VolGroup00 and the old one would need to be renamed by its UUID (vgrename) before it could be activated alongside the running one.

That’s it. The old files are under /mnt; edit or copy them as you like.
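As an added example (not part of the original post), the function below automates the reasoning above: given captured output of pvs and lvs, it maps a partition to its volume group and prints the vgchange and mount commands for every logical volume in that group, and it refuses to proceed when the old disk’s group shares a name with another disk’s group, the case where a disk from the same default install also calls itself VolGroup00 and must be renamed by UUID first. It reads the captured output from files so it can be tried without touching a real LVM setup; the file names, the /mnt/VG-LV mount-point layout and the sample rows are assumptions.

```shell
#!/bin/sh
# Added example, not from the original post. Works from captured command output:
#   pvs --noheadings -o pv_name,vg_name  > pvs.txt
#   lvs --noheadings -o vg_name,lv_name  > lvs.txt
# File names and the /mnt/<VG>-<LV> mount-point layout are assumptions.

# lvm_mount_plan PVDEV PVS_FILE LVS_FILE
# Print the commands that make the logical volumes on PVDEV mountable.
# Returns 1 if PVDEV is not an LVM physical volume, 2 if its volume group
# name collides with another disk's group (that group must be renamed first).
lvm_mount_plan() {
    pvdev=$1; pvs_file=$2; lvs_file=$3
    vg=$(awk -v pv="$pvdev" '$1 == pv { print $2 }' "$pvs_file")
    if [ -z "$vg" ]; then
        echo "$pvdev is not an LVM physical volume; mount it as a filesystem instead" >&2
        return 1
    fi
    # Two disks from the same default install both carry e.g. VolGroup00.
    # LVM cannot activate both under one name, so rename the old one by UUID.
    dup=$(awk -v pv="$pvdev" -v vg="$vg" '$1 != pv && $2 == vg { print $1 }' "$pvs_file")
    if [ -n "$dup" ]; then
        echo "# VG $vg on $pvdev clashes with the group on $dup; rename the old group first:"
        echo "# vgs -o vg_name,vg_uuid    # pick the UUID that belongs to $pvdev"
        echo "# vgrename <UUID> ${vg}_old"
        return 2
    fi
    echo "vgchange -ay $vg"
    awk -v vg="$vg" '$1 == vg {
        mp = "/mnt/" vg "-" $2
        printf "mkdir -p %s && mount /dev/%s/%s %s\n", mp, vg, $2, mp
    }' "$lvs_file"
}

# Demo on constructed rows matching the pvs output above:  sh lvm-plan.sh --demo
if [ "${1:-}" = "--demo" ]; then
    p=$(mktemp); l=$(mktemp)
    printf '  /dev/hda2 VolGroup01\n  /dev/hdb2 VolGroup00\n' > "$p"
    printf '  VolGroup01 LogVol00\n  VolGroup01 LogVol01\n  VolGroup00 LogVol00\n' > "$l"
    lvm_mount_plan /dev/hda2 "$p" "$l"
    rm -f "$p" "$l"
fi
```

The printed plan is meant to be reviewed and pasted, not piped into sh: a swap volume (LogVol01 on a default CentOS install) will refuse to mount and can simply be skipped.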


no “setup” command – CentOS

I usually use “setup” to configure the firewall, switch SELinux between permissive and enforcing, and so on.

But a minimal install doesn’t include the setup command, which is my favourite:

[root@tel ~]# setup
-bash: setup: command not found

So how do you install it on a minimal install?

yum -y install setuptool
yum -y install system-config-network*
yum -y install system-config-firewall*
yum -y install system-config-securitylevel-tui
yum -y install system-config-keyboard

(thanks JoVeN for spotting the spelling mistake)

For the system services utility, install ntsysv (as Perico suggested in the comments):

yum -y install ntsysv

That’s it! Enjoy.


How To Download a RPM Package Using yum Command Without Installing On Linux

If you ever wanted to download an RPM package with yum instead of installing it, you can do that with ease. It is useful when you want to keep a backup of some RPMs or look at what is inside a package before installing it.


Install XWindows (Graphical mode) in Linux

If you recently installed Linux (CentOS/Fedora/Red Hat) in text mode and now want the graphical desktop you left unchecked during installation, you can install it from the Internet very easily.