FTP
FTP Server
You need the ip_conntrack_ftp iptables module loaded so the firewall can track FTP data connections. On Red Hat/CentOS, edit /etc/sysconfig/iptables-config and add "ip_conntrack_ftp" to IPTABLES_MODULES like this:
IPTABLES_MODULES="ip_conntrack_ftp"
Open port 21 in the firewall by editing /etc/sysconfig/iptables. Make sure the new rule appears before any REJECT rule.
*filter
:INPUT ACCEPT [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [343:31474]
-A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
-A INPUT -p icmp -j ACCEPT
-A INPUT -i lo -j ACCEPT
-A INPUT -p tcp -m state --state NEW -m tcp --dport 22 -j ACCEPT
-A INPUT -p tcp -m state --state NEW -m tcp --dport 21 -j ACCEPT
-A INPUT -j REJECT --reject-with icmp-host-prohibited
-A FORWARD -j REJECT --reject-with icmp-host-prohibited
COMMIT
Restart iptables:
[bash]# service iptables restart
The vsftpd package provides the FTP server. Check whether it is installed and, if it is missing, install it first:
[bash]# yum install vsftpd
Configure the vsftpd service to start at boot and restart it:
[bash]# chkconfig --level 2345 vsftpd on
[bash]# service vsftpd restart
Normal User Login
Default configuration of vsftpd.conf already supports access from local users. However if you are running SELinux, you might run into the following error on login:
"500 OOPS: cannot change directory ...".
Either disable SELinux or run the following command:
[bash]# /usr/sbin/setsebool -P ftp_home_dir 1
To confine local users to their home directories, edit /etc/vsftpd/vsftpd.conf and set:
chroot_local_user=YES
Or, if you want to disable normal user login altogether, edit /etc/vsftpd/vsftpd.conf and comment out the line:
# local_enable=YES
Anonymous Login
The default vsftpd.conf already allows anonymous download-only access, but it also allows access from local users. When a user connects to the FTP server with the username anonymous, that session actually runs as the local user named ftp. RHEL6 creates this account automatically with the following settings:
ftp:x:14:50:FTP User:/var/ftp:/sbin/nologin
With these settings users cannot log in as the user named ftp, so they use anonymous as the username. Whenever an anonymous user logs in, they are placed in the ftp user's home directory, /var/ftp. So if you want to change the default directory for anonymous logins, change the home directory of the local user ftp. Create a test file in the anonymous download directory /var/ftp/pub; anonymous users will be able to download it:
[bash]# dd if=/dev/zero of=/var/ftp/pub/file bs=1024 count=1000
If you are running Linux without SELinux, that is all the configuration needed for this exercise. SELinux is listed in the RHCE6 exam objectives, so if SELinux is enabled, also set the SELinux file context on the shared directory:
[bash]# chcon -R -t public_content_t /var/ftp/pub/
If you want to disable anonymous login, edit /etc/vsftpd/vsftpd.conf and set:
anonymous_enable=NO
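As an added check, not part of the original guide, the following script audits a vsftpd.conf for the directives discussed above (anonymous_enable, local_enable, chroot_local_user), ignoring commented-out lines and falling back to vsftpd's compiled-in defaults when a directive is absent. The sample configs and the vsftpd_get/audit_vsftpd names are constructed for this example.

```shell
#!/bin/sh
# Added example, not part of the original guide: audit a vsftpd.conf for the
# three access directives covered above. A commented-out line (# local_enable=YES)
# must not count, and an absent directive falls back to vsftpd's compiled-in
# default, which differs from what the RHEL-shipped vsftpd.conf sets.

# Print the effective value of directive $2 in config $1, or $3 when unset.
# Only uncommented "name=value" lines count; the last one wins.
vsftpd_get() {
    v=$(sed -n "s/^[[:space:]]*$2=\([^[:space:]]*\).*/\1/p" "$1" | tail -n 1)
    if [ -n "$v" ]; then
        printf '%s\n' "$v" | tr 'a-z' 'A-Z'
    else
        printf '%s\n' "$3"
    fi
}

# Report the posture of config $1. Returns 0 when anonymous login is off and
# any local-user login is confined by chroot_local_user, 1 otherwise.
audit_vsftpd() {
    cfg=$1
    bad=0
    anon=$(vsftpd_get "$cfg" anonymous_enable YES)  # compiled default: YES
    loc=$(vsftpd_get "$cfg" local_enable NO)        # compiled default: NO
    chr=$(vsftpd_get "$cfg" chroot_local_user NO)   # compiled default: NO
    if [ "$anon" = YES ]; then
        echo "$cfg: anonymous_enable=YES, anonymous users can read /var/ftp"
        bad=1
    fi
    if [ "$loc" = YES ] && [ "$chr" != YES ]; then
        echo "$cfg: local users log in without chroot_local_user=YES"
        bad=1
    fi
    [ "$bad" -eq 0 ] && echo "$cfg: OK"
    return "$bad"
}

# Constructed sample configs (not from the page): a shipped-style default and a
# copy edited as the guide describes. Left in a temp dir for inspection.
SAMPLE_DIR=$(mktemp -d)
WEAK_CONF=$SAMPLE_DIR/weak.conf
HARD_CONF=$SAMPLE_DIR/hard.conf
printf '%s\n' 'anonymous_enable=YES' 'local_enable=YES' 'write_enable=YES' > "$WEAK_CONF"
printf '%s\n' 'anonymous_enable=NO' '# local_enable=YES' 'chroot_local_user=YES' > "$HARD_CONF"

audit_vsftpd "$WEAK_CONF" || true   # reports two findings
audit_vsftpd "$HARD_CONF"           # reports OK
```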
FTP Client
To install the FTP client:
[bash]# yum install ftp