1. Please take a little time for this simple survey! Thank you for participating!
    Dismiss Notice
  2. Dear Pleskians, please read this carefully! New attachments and other rules Thank you!
    Dismiss Notice
  3. Dear Pleskians, I really hope that you will share your opinion in this Special topic for chatter about Plesk in the Clouds. Thank you!
    Dismiss Notice

FTP passive mode not working

Discussion in 'Plesk for Linux - 8.x and Older' started by raulcarvalho, Jun 13, 2006.

  1. raulcarvalho

    raulcarvalho Guest


    I am having troubles setting up my firewall to automatically open necessary ports in iptables.

    While using FC4 as my host OS, I edited the /etc/sysconfig/iptables-configure file and added the required ip_conntrack_ftp module to this configuration, by means of adding the line:

    The module gets loaded ok, but passive FTP still doesn't get through, meaning that something is preventig this module from working properly, but I don't know what :-(

    Since I am using Plesk's firewall module, I can't do much with the firewall configuration, but I was hoping that at least passive FTP should work after the module gets loaded!

    From what I could read, the connection state matters a lot in this case, and I can see the following lines in the firewall script:

    /sbin/iptables -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
    /sbin/iptables -A OUTPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
    /sbin/iptables -A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT
    So, I assume I have all that is needed... but it doesn't work.

    This is the status of my Firewall rules as seen in Plesk (no custom rules):


    Please help.

    Thank you,
  2. raulcarvalho

    raulcarvalho Guest

    Is TLS the source of the problem?

    I just found out that using TLS ip_conntrack_ftp will not be able to look for the PORT command, since the connection is encrypted!

    Is this true?
    Is there any way I can use TLS and Passive FTP?

  3. raulcarvalho

    raulcarvalho Guest

    Solution, hope it might help someone else...

    Hello again.

    After some more internet research, I found out that what I was trying to do is not possible, at least not the way I wanted at first.

    I need a secure (control and data) FTP server with TLS and the ability to accept connections from behind firewalled clients, using passive mode and the ip_conntrack_ftp kernel module.

    This is not possible because ip_conntrack_ftp module cannot peek the PORT command, since the control channel is encrypted. (There is a way to unencrypt the channel after login, using the FTP CCC command from the client, but I need both channels encrypted all the time, so this was not an option)

    The only solution is to have a passive port range permanently open in the firewall.

    As I want to keep the firewall module installed, I use a small trick to enable the port range in plesk firewall module.

    First, I created a firewall rule to open incoming tcp 49152.

    Second, I created a script that searches the iptables rules and replaces this one rule with the port range 49152:65534.

    This is the code I'm using (any improvements are very welcome!):

    N=`/sbin/iptables -L INPUT --line-numbers | grep 49152 | sed -e 's/\s.*//'`
    /sbin/iptables -R INPUT $N -p tcp --dport 49152:65534 -j ACCEPT
    Obviously, this only works if 49152 only appears once in the INPUT chain (grep matches only one line), but that's my case anyway.

    Finally, I put this script into cron.quarter-hourly just to ensure that the rule gets replaced in the event I need to mess with the firewall from the plesk interface.

    I also call this script from rc.local to replace the rule immediately on server restart.

    Best regards,
  4. JoaoCorreia

    JoaoCorreia Guest

    ****ing tired of this **** !!!!

    I allready told SW-SOFT to fix this ! Its amazing !

    Add this line in /etc/proftpd.conf
    PassivePorts 49152 65534

    After change you iptables acordingly !

    Joao Correia