
Resolved: FTP does not work with Plesk Firewall

DarkKikies

Basic Pleskian
As in the title, FTP does not connect when Plesk Firewall is active.


The firewall rules are these:

Code:
#!/bin/bash
#ATTENTION!
#
#DO NOT MODIFY THIS FILE BECAUSE IT WAS GENERATED AUTOMATICALLY,
#SO ALL YOUR CHANGES WILL BE LOST THE NEXT TIME THE FILE IS GENERATED.

set -e

echo 0 > /proc/sys/net/ipv4/ip_forward
([ -f /var/lock/subsys/ipchains ] && /etc/init.d/ipchains stop) >/dev/null 2>&1 || true
(rmmod ipchains) >/dev/null 2>&1 || true

apply_rule()
{
    iptables_bin="$1"
    shift

    iptables_version=`/sbin/iptables --version | awk -F '.' '{print $2$3}'`

    # Use the native --wait option since v1.4.20
    if [ $iptables_version -gt 420 ]; then
        $iptables_bin -w $@ 2>/dev/null
        return $?
    fi

    # Emulate --wait for elderly versions
    for i in `seq 10`; do
        $iptables_bin $@ 2>&1 | grep -q xtable || return 0
        sleep 1
    done

    return 1
}

/sbin/iptables-save  -t filter | grep -- "-A INPUT" |  grep -v "fail2ban-\|f2b-" | sed -e "s#^-A#apply_rule /sbin/iptables -D#g" | xargs -0 echo -e "`declare -f apply_rule`\n" | /bin/bash

apply_rule /sbin/iptables -F FORWARD
apply_rule /sbin/iptables -F OUTPUT
apply_rule /sbin/iptables -Z FORWARD
apply_rule /sbin/iptables -Z OUTPUT

apply_rule /sbin/iptables -P INPUT DROP
apply_rule /sbin/iptables -P OUTPUT DROP
apply_rule /sbin/iptables -P FORWARD DROP

apply_rule /sbin/iptables -A INPUT -i lo  -j ACCEPT
apply_rule /sbin/iptables -A OUTPUT -o lo -j ACCEPT
apply_rule /sbin/iptables -A FORWARD -i lo -o lo -j ACCEPT


apply_rule /sbin/iptables -A INPUT -p tcp --dport 12443 -j ACCEPT

apply_rule /sbin/iptables -A INPUT -p tcp --dport 11443 -j ACCEPT
apply_rule /sbin/iptables -A INPUT -p tcp --dport 11444 -j ACCEPT

apply_rule /sbin/iptables -A INPUT -p tcp --dport 8447 -j ACCEPT

apply_rule /sbin/iptables -A INPUT -p tcp --dport 8443 -j ACCEPT
apply_rule /sbin/iptables -A INPUT -p tcp --dport 8880 -j ACCEPT

apply_rule /sbin/iptables -A INPUT -p tcp --dport 80 -s 103.21.244.0/22 -j ACCEPT
apply_rule /sbin/iptables -A INPUT -p tcp --dport 80 -s 103.22.200.0/22 -j ACCEPT
apply_rule /sbin/iptables -A INPUT -p tcp --dport 80 -s 103.31.4.0/22 -j ACCEPT
apply_rule /sbin/iptables -A INPUT -p tcp --dport 80 -s 104.16.0.0/12 -j ACCEPT
apply_rule /sbin/iptables -A INPUT -p tcp --dport 80 -s 108.162.192.0/18 -j ACCEPT
apply_rule /sbin/iptables -A INPUT -p tcp --dport 80 -s 131.0.72.0/22 -j ACCEPT
apply_rule /sbin/iptables -A INPUT -p tcp --dport 80 -s 141.101.64.0/18 -j ACCEPT
apply_rule /sbin/iptables -A INPUT -p tcp --dport 80 -s 162.158.0.0/15 -j ACCEPT
apply_rule /sbin/iptables -A INPUT -p tcp --dport 80 -s 172.64.0.0/13 -j ACCEPT
apply_rule /sbin/iptables -A INPUT -p tcp --dport 80 -s 173.245.48.0/20 -j ACCEPT
apply_rule /sbin/iptables -A INPUT -p tcp --dport 80 -s 188.114.96.0/20 -j ACCEPT
apply_rule /sbin/iptables -A INPUT -p tcp --dport 80 -s 190.93.240.0/20 -j ACCEPT
apply_rule /sbin/iptables -A INPUT -p tcp --dport 80 -s 197.234.240.0/22 -j ACCEPT
apply_rule /sbin/iptables -A INPUT -p tcp --dport 80 -s 198.41.128.0/17 -j ACCEPT
apply_rule /sbin/iptables -A INPUT -p tcp --dport 80 -s 199.27.128.0/21 -j ACCEPT
apply_rule /sbin/iptables -A INPUT -p tcp --dport 80 -j DROP
apply_rule /sbin/iptables -A INPUT -p tcp --dport 443 -s 103.21.244.0/22 -j ACCEPT
apply_rule /sbin/iptables -A INPUT -p tcp --dport 443 -s 103.22.200.0/22 -j ACCEPT
apply_rule /sbin/iptables -A INPUT -p tcp --dport 443 -s 103.31.4.0/22 -j ACCEPT
apply_rule /sbin/iptables -A INPUT -p tcp --dport 443 -s 104.16.0.0/12 -j ACCEPT
apply_rule /sbin/iptables -A INPUT -p tcp --dport 443 -s 108.162.192.0/18 -j ACCEPT
apply_rule /sbin/iptables -A INPUT -p tcp --dport 443 -s 131.0.72.0/22 -j ACCEPT
apply_rule /sbin/iptables -A INPUT -p tcp --dport 443 -s 141.101.64.0/18 -j ACCEPT
apply_rule /sbin/iptables -A INPUT -p tcp --dport 443 -s 162.158.0.0/15 -j ACCEPT
apply_rule /sbin/iptables -A INPUT -p tcp --dport 443 -s 172.64.0.0/13 -j ACCEPT
apply_rule /sbin/iptables -A INPUT -p tcp --dport 443 -s 173.245.48.0/20 -j ACCEPT
apply_rule /sbin/iptables -A INPUT -p tcp --dport 443 -s 188.114.96.0/20 -j ACCEPT
apply_rule /sbin/iptables -A INPUT -p tcp --dport 443 -s 190.93.240.0/20 -j ACCEPT
apply_rule /sbin/iptables -A INPUT -p tcp --dport 443 -s 197.234.240.0/22 -j ACCEPT
apply_rule /sbin/iptables -A INPUT -p tcp --dport 443 -s 198.41.128.0/17 -j ACCEPT
apply_rule /sbin/iptables -A INPUT -p tcp --dport 443 -s 199.27.128.0/21 -j ACCEPT
apply_rule /sbin/iptables -A INPUT -p tcp --dport 443 -j DROP

apply_rule /sbin/iptables -A INPUT -p tcp --dport 21 -j ACCEPT

apply_rule /sbin/iptables -A INPUT -p tcp --dport 22 -j ACCEPT

apply_rule /sbin/iptables -A INPUT -p tcp --dport 587 -j ACCEPT

apply_rule /sbin/iptables -A INPUT -p tcp --dport 25 -j DROP
apply_rule /sbin/iptables -A INPUT -p tcp --dport 465 -j DROP

apply_rule /sbin/iptables -A INPUT -p tcp --dport 110 -j DROP
apply_rule /sbin/iptables -A INPUT -p tcp --dport 995 -j DROP

apply_rule /sbin/iptables -A INPUT -p tcp --dport 143 -j DROP
apply_rule /sbin/iptables -A INPUT -p tcp --dport 993 -j DROP

apply_rule /sbin/iptables -A INPUT -p tcp --dport 106 -j DROP

apply_rule /sbin/iptables -A INPUT -p tcp --dport 3306 -s 127.0.0.1 -j ACCEPT
apply_rule /sbin/iptables -A INPUT -p tcp --dport 3306 -j DROP

apply_rule /sbin/iptables -A INPUT -p tcp --dport 5432 -s 127.0.0.1 -j ACCEPT
apply_rule /sbin/iptables -A INPUT -p tcp --dport 5432 -j DROP

apply_rule /sbin/iptables -A INPUT -p tcp --dport 9008 -j DROP
apply_rule /sbin/iptables -A INPUT -p tcp --dport 9080 -j DROP

apply_rule /sbin/iptables -A INPUT -p udp --dport 137 -j DROP
apply_rule /sbin/iptables -A INPUT -p udp --dport 138 -j DROP
apply_rule /sbin/iptables -A INPUT -p tcp --dport 139 -j DROP
apply_rule /sbin/iptables -A INPUT -p tcp --dport 445 -j DROP

apply_rule /sbin/iptables -A INPUT -p udp --dport 1194 -j ACCEPT

apply_rule /sbin/iptables -A INPUT -p udp --dport 53 -j ACCEPT
apply_rule /sbin/iptables -A INPUT -p tcp --dport 53 -j ACCEPT

apply_rule /sbin/iptables -A INPUT -p icmp --icmp-type 8/0 -j ACCEPT

apply_rule /sbin/iptables -A INPUT -j DROP

apply_rule /sbin/iptables -A OUTPUT -j ACCEPT

apply_rule /sbin/iptables -A FORWARD -j DROP

echo 1 > /proc/sys/net/ipv4/ip_forward
#
# End of script
#

What do I need to add to fix this problem?



Error: Connection timeout after 20 seconds of inactivity
Error: Can not connect to server



This is the Plesk version information:
Plesk Onyx
Version 17.0.17 Update #22

The OS:
Ubuntu 14.04.5 LTS

The log file is empty

The client software is FileZilla.
 
Hi DarkKikies,

Please consider providing MORE information if you experience issues/errors/problems. People willing to help you can't guess your operating system or the currently used Plesk version (incl. #MU), and we are not able to guess what FTP software you might use to connect to your server.

In addition, you should consider investigating issues/errors/problems with the help of LOG FILES and configuration files, because this will mostly point you directly to a possible root cause.



In your described case, the root cause might be that you didn't use passive ports, and/or didn't configure the passive ports for ProFTPd. Please consider reading the suggestion from @Peter Debik at: => #2
 
Yes, the passive port range should be enabled in the firewall in order to make it work.
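Why the control connection on port 21 is accepted while passive-mode data connections time out, as an added example that is not part of the original thread: a simplified first-match evaluator (it ignores `-s` and connection tracking) run over a constructed excerpt of the posted INPUT rules. The range 49152:65535 and the function names are assumptions; the range has to match the `PassivePorts` directive in the ProFTPD configuration.

```shell
#!/bin/sh
# Constructed excerpt of the INPUT chain posted above, in evaluation order.
RULES='-A INPUT -p tcp --dport 21 -j ACCEPT
-A INPUT -p tcp --dport 22 -j ACCEPT
-A INPUT -p udp --dport 53 -j ACCEPT
-A INPUT -j DROP'

# Assumed passive range (not from the thread); it has to match
# "PassivePorts 49152 65535" in the ProFTPD configuration.
PASV_RULE='-A INPUT -p tcp --dport 49152:65535 -j ACCEPT'

# first_match RULES PROTO PORT
# Prints the target of the first rule matching a new inbound packet,
# or the chain policy (DROP, as set by "-P INPUT DROP") if none matches.
first_match() (
    rules=$1 proto=$2 port=$3
    while IFS= read -r line; do
        r_proto= r_lo= r_hi= target=
        set -- $line
        while [ $# -gt 0 ]; do
            case $1 in
                -p)      r_proto=$2; shift ;;
                --dport) r_lo=${2%%:*}; r_hi=${2##*:}; shift ;;
                -j)      target=$2; shift ;;
            esac
            shift
        done
        if [ -z "$target" ]; then continue; fi   # blank or target-less line
        if [ -n "$r_proto" ] && [ "$r_proto" != "$proto" ]; then continue; fi
        if [ -n "$r_lo" ]; then
            if [ "$port" -lt "$r_lo" ] || [ "$port" -gt "$r_hi" ]; then continue; fi
        fi
        echo "$target"
        exit 0
    done <<EOF
$rules
EOF
    echo DROP
)

# fixed_rules: same chain with the passive range inserted ahead of the final DROP.
fixed_rules() {
    printf '%s\n' "$RULES" | sed '$d'
    printf '%s\n%s\n' "$PASV_RULE" '-A INPUT -j DROP'
}

echo "control 21/tcp, posted rules:   $(first_match "$RULES" tcp 21)"
echo "data 50000/tcp, posted rules:   $(first_match "$RULES" tcp 50000)"
echo "data 50000/tcp, with PASV rule: $(first_match "$(fixed_rules)" tcp 50000)"
```

In Plesk the equivalent change is a custom firewall rule allowing incoming TCP on the configured passive range, since the generated script is overwritten on regeneration.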
 