
FTP passive mode not working

raulcarvalho (Guest)
Hello,

I am having trouble setting up my firewall to automatically open the necessary ports in iptables.

While using FC4 as my host OS, I edited the /etc/sysconfig/iptables-configure file and added the required ip_conntrack_ftp module to this configuration, by means of adding the line:

Code:
IPTABLES_MODULES="ip_conntrack_ftp"

The module gets loaded ok, but passive FTP still doesn't get through, meaning that something is preventing this module from working properly, but I don't know what :-(

Since I am using Plesk's firewall module, I can't do much with the firewall configuration, but I was hoping that at least passive FTP should work after the module gets loaded!

From what I could read, the connection state matters a lot in this case, and I can see the following lines in the firewall script:

Code:
/sbin/iptables -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
/sbin/iptables -A OUTPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
/sbin/iptables -A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT

So, I assume I have all that is needed... but it doesn't work.

This is the status of my Firewall rules as seen in Plesk (no custom rules):

http://public.raulcarvalho.mailcan.com/firewall.png

Please help.

Thank you,
Raul
 
Is TLS the source of the problem?

I just found out that when using TLS, ip_conntrack_ftp will not be able to look for the PORT command, since the connection is encrypted!

Is this true?
Is there any way I can use TLS and Passive FTP?

Regards,
Raul
 
Solution, hope it might help someone else...

Hello again.

After some more internet research, I found out that what I was trying to do is not possible, at least not the way I wanted at first.

I need a secure (control and data) FTP server with TLS and the ability to accept connections from behind firewalled clients, using passive mode and the ip_conntrack_ftp kernel module.

This is not possible because the ip_conntrack_ftp module cannot peek at the PORT command, since the control channel is encrypted. (There is a way to unencrypt the channel after login, using the FTP CCC command from the client, but I need both channels encrypted all the time, so this was not an option.)

The only solution is to have a passive port range permanently open in the firewall.

As I want to keep the firewall module installed, I use a small trick to enable the port range in plesk firewall module.

First, I created a firewall rule to open incoming tcp 49152.

Second, I created a script that searches the iptables rules and replaces this one rule with the port range 49152:65534.

This is the code I'm using (any improvements are very welcome!):

Code:
# Find the INPUT rule opening tcp/49152 (-n: numeric output, no name lookups) and replace it with the whole passive range
N=`/sbin/iptables -L INPUT -n --line-numbers | grep 49152 | sed -e 's/\s.*//'`
/sbin/iptables -R INPUT $N -p tcp --dport 49152:65534 -j ACCEPT

Obviously, this only works if 49152 only appears once in the INPUT chain (grep matches only one line), but that's my case anyway.

Finally, I put this script into cron.quarter-hourly just to ensure that the rule gets replaced in the event I need to mess with the firewall from the plesk interface.

I also call this script from rc.local to replace the rule immediately on server restart.

Best regards,
Raul
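As an added example (not the poster's script, and not part of the Plesk firewall module), here is a POSIX shell version of the same rule replacement that handles the caveat above: it matches only a tcp rule whose destination port is exactly 49152 (or the already-widened 49152:65534 range), and it refuses to run `iptables -R` when the port matches zero or several rules instead of feeding a multi-line rule number to iptables. The port range, the function names, the DRY_RUN switch and the sample `iptables -L INPUT -n --line-numbers` listing are assumptions constructed for illustration.

```shell
#!/bin/sh
# Added example, not the poster's script. Locate the INPUT rule that opens
# tcp/49152 in an `iptables -L INPUT -n --line-numbers` listing and widen it
# to the full passive range. Port numbers and the sample listing are constructed.

PASV_LOW=49152
PASV_HIGH=65534

# find_pasv_rule: read an iptables listing on stdin and print the number of
# the single tcp rule whose destination port is exactly $PASV_LOW, or the
# already rewritten range $PASV_LOW:$PASV_HIGH. Rules for other protocols
# (e.g. "udp dpt:49152") and rules that merely contain the digits are ignored.
# Returns 1 if no rule matches and 2 if more than one does.
find_pasv_rule() {
    nums=$(awk -v low="$PASV_LOW" -v high="$PASV_HIGH" '
        $1 ~ /^[0-9]+$/ && $2 == "ACCEPT" && $3 == "tcp" {
            for (i = 4; i <= NF; i++)
                if ($i == ("dpt:" low) || $i == ("dpts:" low ":" high))
                    print $1
        }')
    # Unquoted on purpose: split the matches into positional parameters.
    set -- $nums
    case $# in
        1) printf '%s\n' "$1"; return 0 ;;
        0) echo "no tcp rule for port $PASV_LOW in INPUT" >&2; return 1 ;;
        *) echo "port $PASV_LOW matches $# INPUT rules; refusing to guess" >&2; return 2 ;;
    esac
}

# widen_pasv_rule N: replace INPUT rule N with an ACCEPT for the whole passive
# range. With DRY_RUN=1 the iptables command is printed instead of executed,
# so the logic can be exercised on a machine without iptables.
widen_pasv_rule() {
    n=$1
    cmd="/sbin/iptables -R INPUT $n -p tcp --dport $PASV_LOW:$PASV_HIGH -j ACCEPT"
    if [ "${DRY_RUN:-0}" = 1 ]; then
        printf '%s\n' "$cmd"
    else
        $cmd
    fi
}

# run_live: what cron.quarter-hourly or rc.local would call on the real box.
run_live() {
    n=$(/sbin/iptables -L INPUT -n --line-numbers | find_pasv_rule) && widen_pasv_rule "$n"
}

# Constructed sample of `iptables -L INPUT -n --line-numbers` output. Rule 4
# also contains "49152" but is udp, so a plain `grep 49152` would match twice.
SAMPLE_LISTING='Chain INPUT (policy DROP)
num  target     prot opt source               destination
1    ACCEPT     all  --  0.0.0.0/0            0.0.0.0/0            state RELATED,ESTABLISHED
2    ACCEPT     tcp  --  0.0.0.0/0            0.0.0.0/0            tcp dpt:21
3    ACCEPT     tcp  --  0.0.0.0/0            0.0.0.0/0            tcp dpt:49152
4    ACCEPT     udp  --  0.0.0.0/0            0.0.0.0/0            udp dpt:49152
5    ACCEPT     tcp  --  0.0.0.0/0            0.0.0.0/0            tcp dpt:22'
```

On the sample listing `find_pasv_rule` prints `3`, and `DRY_RUN=1 widen_pasv_rule 3` prints the exact `iptables -R INPUT 3 ...` command; after the first real run the rule shows up as `tcp dpts:49152:65534` and is still found, so the script stays idempotent when rerun from cron. Source the file and call `run_live` from cron or rc.local; the hard refusal on ambiguous matches is deliberate, since replacing the wrong rule number silently opens or closes something else.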
 
****ing tired of this **** !!!!

I already told SW-SOFT to fix this! It's amazing!

Add this line to /etc/proftpd.conf:

Code:
PassivePorts 49152 65534

Afterwards, change your iptables accordingly!

Regards
Joao Correia
 