Firewall and SELinux Configuration
Before you can begin using the FTP service, you need to make some firewall adjustments and SELinux changes. Let’s start with the firewall rules. FTP uses both TCP ports 20 and 21, which you can open on the firewall.
Step 1. Use the iptables command to create your firewall rules:
# iptables -I INPUT 5 -p tcp -m tcp --dport 20 -j ACCEPT
# iptables -I INPUT 5 -p tcp -m tcp --dport 21 -j ACCEPT
Step 2. Save the rules you just created:
# service iptables save
Saving firewall rules to /etc/sysconfig/iptables: [ OK ]
Step 3. Restart the firewall service for the changes to take effect:
# service iptables restart
iptables: Flushing firewall rules: [ OK ]
iptables: Setting chains to policy ACCEPT: filter [ OK ]
iptables: Unloading modules: [ OK ]
iptables: Applying firewall rules: [ OK ]
Now that the firewall rules are taken care of, let’s move on to SELinux.
Depending on what features you are trying to configure, you need to adjust SELinux accordingly. Table 17-1 presents the available options.
| Boolean | Description |
|---|---|
| ftp_home_dir | Allows FTP to read and write files in the users’ home directories. |
| allow_ftpd_full_access | Allows FTP servers to log in to local users and read/write all files on the system, governed by DAC. |
| allow_ftpd_use_nfs | Allows FTP servers to use NFS for public file transfer services. |
| allow_ftpd_anon_write | Allows FTP servers to upload files used for public file transfer services. Directories must be labeled public_content_rw_t. |
| ftpd_connect_db | Allows FTP servers to connect to the MySQL database. |
| allow_ftpd_use_cifs | Allows FTP servers to use CIFS for public file transfer services. |
| httpd_enable_ftp_server | Allows httpd to act as an FTP server by listening on the FTP port. |
For now, let’s allow local system users who log in over FTP to have read/write access to files across the system.
Step 1. Query for the Boolean value you need to change:
# getsebool -a | grep ftpd_full
allow_ftpd_full_access --> off
Step 2. Turn the Boolean on, which disables that SELinux protection (the -P option makes the change persist across reboots):
# setsebool -P allow_ftpd_full_access=1
Step 3. Verify that the Boolean has changed:
# getsebool -a | grep ftpd_full
allow_ftpd_full_access --> on
If you need to enable additional features for your FTP server, turn on only the Boolean from Table 17-1 that corresponds to that feature, and leave the ones you do not need at their default of off.
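As an added example (not from the book), the following POSIX shell script audits the FTP-related Booleans from Table 17-1 against a declared baseline and prints the persistent setsebool commands that would correct any drift, without running them. The baseline and the sample getsebool output are constructed assumptions; on a host that has getsebool, the live output is used instead.

```shell
#!/bin/sh
# Added example, not from the book: audit the FTP-related SELinux Booleans
# from Table 17-1 against a declared baseline and print the setsebool
# command that would correct any drift. Parsing is kept separate from the
# live getsebool call so the logic can be exercised on constructed output.

# Baseline (an assumption for this example): only the features this server
# needs are on; everything else stays at the SELinux default of off.
BASELINE="ftp_home_dir=on
allow_ftpd_full_access=off
allow_ftpd_anon_write=off
allow_ftpd_use_nfs=off"

# Constructed sample of 'getsebool -a' output, used when not run on an
# SELinux host. allow_ftpd_anon_write is on here, which counts as drift.
SAMPLE="allow_ftpd_anon_write --> on
allow_ftpd_full_access --> off
ftp_home_dir --> off
allow_ftpd_use_nfs --> off"

# bool_state NAME: read getsebool output on stdin and print NAME's state.
# Exits 1 if the Boolean does not appear in the output.
bool_state() {
  awk -v n="$1" '$1 == n && $2 == "-->" { print $3; found = 1 }
                 END { exit found ? 0 : 1 }'
}

# audit: read getsebool output on stdin; print "name have want" for every
# Boolean whose state differs from BASELINE. Empty output means no drift.
audit() {
  snapshot=$(cat)
  printf '%s\n' "$BASELINE" | while IFS='=' read -r name want; do
    have=$(printf '%s\n' "$snapshot" | bool_state "$name") || have=absent
    [ "$have" = "$want" ] || printf '%s %s %s\n' "$name" "$have" "$want"
  done
}

# remediation: turn audit output into the persistent setsebool commands
# (-P, as in Step 2 above). Booleans absent from the host are skipped.
remediation() {
  awk '$2 != "absent" { print "setsebool -P " $1 "=" $3 }'
}

# Entry point: live output on an SELinux host, the sample elsewhere.
if command -v getsebool >/dev/null 2>&1; then
  getsebool -a | audit | remediation
else
  printf '%s\n' "$SAMPLE" | audit | remediation
fi
```

Review the printed commands before running them, since each one turns a protection on or off system-wide.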