4

I am using vsftpd with active ftp. I have module "ip_conntrack_ftp" (in /etc/sysconfig/iptables-config) on and port 21 is open. Connecting with FTP works, but FTPS doesn't. I can login but get no listing:

227 Entering Passive Mode
LIST -a

When stopping the firewall it works (I mean iptables on the ftp server itself). I read in http://www.experts-exchange.com/Software/Server_Software/File_Servers/FTP/Q_22418222.html that it's not possible to use FTPS with active FTP. Is this true?

My iptables configuration:

*filter
:INPUT DROP [15:2752]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [132:159725]
-A INPUT -i lo -j ACCEPT
-A INPUT -d 127.0.0.0/255.0.0.0 -i ! lo -j REJECT --reject-with icmp-port-unreachable
-A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
-A INPUT -p icmp -m icmp --icmp-type 8 -j ACCEPT
-A INPUT -p tcp -m tcp --dport 22 -j ACCEPT
-A INPUT -p tcp -m tcp --dport 80 -j ACCEPT
-A INPUT -p tcp -m tcp --dport 443 -j ACCEPT
-A INPUT -p tcp -m tcp --dport 21 -j ACCEPT
-A INPUT -p tcp -m tcp --dport 21 -m state --state NEW -j ACCEPT
-A INPUT -p tcp -m tcp --dport 990 -j ACCEPT
-A INPUT -p tcp -m tcp --dport 989 -j ACCEPT
COMMIT
Castaglia
user74952

3 Answers

5

I have run into this issue. It looks like you need to open up the ftp data transfer range of ports when using FTP with explicit TLS/SSL. Try the following:

iptables -A INPUT -p tcp --sport 1024: --dport 64000:65535 -m state --state ESTABLISHED -j ACCEPT

iptables -A OUTPUT -p tcp --sport 64000:65535 --dport 1024: -m state --state ESTABLISHED,RELATED -j ACCEPT
  • This doesn't work for me. This looks incorrect as you cannot guarantee the client will use a port above 64000. Thanks. – user74952 Feb 21 '12 at 14:48
  • Can you elaborate on what is not working? I have just run the above commands and they work correctly. You generally have to open these range ports [via this article.](http://wiki.centos.org/HowTos/Chroot_Vsftpd_with_non-system_users) –  Feb 21 '12 at 14:59
  • Good reference! A have now: – user74952 Feb 21 '12 at 15:24
  • Can you post any error messages you are receiving when connecting to the server. –  Feb 21 '12 at 15:36
  • 4
    I have now "227 Entering Passive Mode" followed by "LIST -a". Same thing. In the document you reference, in file vsftpd_virtual_config_withTLS.sh I see they use "pasv_max_port" and "pasv_min_port". I thought these options were only usable for passive ftp connections. I should have sent the vsftpd.conf configuration file. It works now. Thanks! – user74952 Feb 21 '12 at 15:38
5

You need to explicitly allow access to ftp-data incoming port range. Nic's answer recommends statically opening the full range, but that might be too open. Besides, RELATED is useless in this case because conntrack_ftp module can't snoop an encrypted control connection.

My recommendation is to use the recent match. Try the following:

iptables -A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
iptables -A INPUT -m state --state NEW -j in_new
iptables -A in_new -p tcp --sport 1024: --syn --dport 64000:65535 -m recent --name ftpdata --update --seconds 1800 --reap -j ACCEPT
iptables -A in_new -p tcp               --syn --dport ftp         -m recent --name ftpdata --set -j ACCEPT

The --set rule will be matched by the control connection and will add the source ip to the ftpdata recent list. The --update rule will do most of the interesting work:

  • Will match if the source address of the packet is in the ftpdata list (--update) and the source address was seen within the last 1800 seconds (--seconds 1800).
  • If matched, the "last seen" timestamp of the source address will be updated (--update).
  • Entries in the ftpdata list not seen in the last 1800 seconds will be removed (--reap).

So, after the control connection was ACCEPTed, you have 1800 seconds to initiate data connections. After that time you will need to reopen the control connection to get the source address re-added to the ftpdata list.

An inconvenience of this solution is that ftp clients would not be able to initiate data connections after 1800 seconds of their last control connection establishment time. You could use 24h if you like; it will be less open anyway than having the full port range permanently open. You can also have a sequence like:

iptables -A INPUT -m state --state ESTABLISHED -p tcp --dport ftp -m recent --set
iptables -A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT

to refresh the source address whenever an established control connection packet comes in but I prefer to have the --state RELATED,ESTABLISHED rule near the top.

Check also accept_timeout, data_connection_timeout and idle_session_timeout params of vsftpd.conf.

mmoya
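The point both answers converge on (and the asker's last comment confirms) is that, with explicit FTPS, ip_conntrack_ftp cannot read the encrypted control channel, so the firewall has to admit the passive data range by itself, and that range must be the same one vsftpd advertises through pasv_min_port/pasv_max_port. The script below is an added example, not code from the question or from either answer: it generates a vsftpd.conf snippet and an iptables-restore ruleset from one shared port range and verifies that the two agree, so a mismatch is caught before anything is loaded. It reuses the in_new chain name, the ftpdata recent list and the 1800-second window from the answer above; the default range 64000:65535 is taken from the answers, and the generated rules are only printed, loading them with iptables-restore as root is left to the operator.

```shell
#!/bin/sh
# Added example: derive the vsftpd passive range and the matching firewall
# rules from one source of truth, and check that they agree.
# Assumptions (from the answer above, not verified against any live system):
# chain "in_new", recent list "ftpdata", 1800 s window, control port 21.

PASV_MIN="${PASV_MIN:-64000}"
PASV_MAX="${PASV_MAX:-65535}"
WINDOW="${WINDOW:-1800}"

# validate_range MIN MAX -> 0 for a usable unprivileged range, 1 otherwise.
# Rejects non-numeric input, ports below 1024, ports above 65535 and min>max.
validate_range() {
    min="$1"; max="$2"
    [ -n "$min" ] && [ -n "$max" ] || return 1
    case "$min$max" in *[!0-9]*) return 1 ;; esac
    [ "$min" -ge 1024 ] && [ "$max" -le 65535 ] && [ "$min" -le "$max" ]
}

# vsftpd_snippet MIN MAX -> the vsftpd.conf lines that pin the passive range.
vsftpd_snippet() {
    validate_range "$1" "$2" || return 1
    printf 'pasv_enable=YES\npasv_min_port=%s\npasv_max_port=%s\n' "$1" "$2"
}

# iptables_rules MIN MAX SECONDS -> ruleset in iptables-restore format.
# The control connection (--set) registers the client; data connections
# (--update) are only accepted from clients seen within SECONDS.
iptables_rules() {
    validate_range "$1" "$2" || return 1
    cat <<EOF
*filter
:in_new - [0:0]
-A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
-A INPUT -m state --state NEW -j in_new
-A in_new -p tcp --syn --dport $1:$2 -m recent --name ftpdata --update --seconds $3 --reap -j ACCEPT
-A in_new -p tcp --syn --dport 21 -m recent --name ftpdata --set -j ACCEPT
COMMIT
EOF
}

# check_consistency VSFTPD_TEXT RULES_TEXT -> 0 when the pasv range in the
# vsftpd snippet is exactly the --dport range admitted by the rules.
check_consistency() {
    vmin=$(printf '%s\n' "$1" | sed -n 's/^pasv_min_port=//p')
    vmax=$(printf '%s\n' "$1" | sed -n 's/^pasv_max_port=//p')
    [ -n "$vmin" ] && [ -n "$vmax" ] || return 1
    printf '%s\n' "$2" | grep -q -- "--dport $vmin:$vmax "
}

# Stand-alone run: print both fragments and report whether they agree.
conf=$(vsftpd_snippet "$PASV_MIN" "$PASV_MAX") || { echo "bad port range" >&2; exit 1; }
rules=$(iptables_rules "$PASV_MIN" "$PASV_MAX" "$WINDOW")
printf '# vsftpd.conf fragment\n%s\n\n# iptables-restore fragment\n%s\n' "$conf" "$rules"
if check_consistency "$conf" "$rules"; then
    echo "# OK: firewall range matches vsftpd passive range"
else
    echo "# MISMATCH: firewall range differs from vsftpd passive range" >&2
fi
```

Override PASV_MIN, PASV_MAX or WINDOW in the environment to try other ranges; the script refuses privileged or inverted ranges, and check_consistency is the test to rerun whenever either side of the configuration is edited independently.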
0

Add the line below to /etc/sysconfig/iptables

-A RH-Firewall-1-INPUT -m state --state NEW -m tcp -p tcp --dport 64000:65535 -j ACCEPT

Restart iptables

gideon