IPTables / Passive FTP problem

Discussion in 'Plesk for Linux - 8.x and Older' started by thedust2010, May 16, 2006.

  1. thedust2010

    thedust2010 Guest

    0
     
    I know there's been a few posts about this in the past, but they've been of no help to me. I'm trying to get proftpd and iptables to use passive FTP properly (right now the FTP is not functioning so quickly). Here is my IPTables file (/etc/sysconfig/iptables):

    Code:
    # Generated by iptables-save v1.2.11 on Fri May  5 15:14:36 2006
    *filter
    :INPUT ACCEPT [0:0]
    :FORWARD ACCEPT [0:0]
    :OUTPUT ACCEPT [897:80050]
    :RH-Firewall-1-INPUT - [0:0]
    -A INPUT -j RH-Firewall-1-INPUT
    -A FORWARD -j RH-Firewall-1-INPUT
    -A RH-Firewall-1-INPUT -i lo -j ACCEPT
    -A RH-Firewall-1-INPUT -p icmp -m icmp --icmp-type any -j ACCEPT
    -A RH-Firewall-1-INPUT -p ipv6-crypt -j ACCEPT
    -A RH-Firewall-1-INPUT -p ipv6-auth -j ACCEPT
    -A RH-Firewall-1-INPUT -d 224.0.0.251 -p udp -m udp --dport 5353 -j ACCEPT
    -A RH-Firewall-1-INPUT -p udp -m udp --dport 631 -j ACCEPT
    -A RH-Firewall-1-INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
    -A RH-Firewall-1-INPUT -p tcp -m state --state NEW -m tcp --dport 8443 -j ACCEPT
    -A RH-Firewall-1-INPUT -p tcp -m state --state NEW -m tcp --dport 443 -j ACCEPT
    -A RH-Firewall-1-INPUT -p tcp -m state --state NEW -m tcp --dport 27406 -j ACCEPT
    -A RH-Firewall-1-INPUT -p tcp -m state --state NEW -m tcp --dport 3306 -j ACCEPT
    -A RH-Firewall-1-INPUT -p tcp -m state --state NEW -m tcp --dport 23 -j ACCEPT
    -A RH-Firewall-1-INPUT -p tcp -m state --state NEW -m tcp --dport 25 -j ACCEPT
    -A RH-Firewall-1-INPUT -p tcp -m state --state NEW -m tcp --dport 80 -j ACCEPT
    -A RH-Firewall-1-INPUT -p tcp -m state --state NEW -m tcp --dport 21 -j ACCEPT
    -A RH-Firewall-1-INPUT -p tcp -m state --state NEW -m tcp --dport 53 -j ACCEPT
    -A RH-Firewall-1-INPUT -p udp -m udp --dport 53 -j ACCEPT
    -A RH-Firewall-1-INPUT -j REJECT --reject-with icmp-host-prohibited
    # NOTE: this rule is appended after the unconditional REJECT above, so the chain never reaches it
    -A RH-Firewall-1-INPUT -p tcp --dport 27000:27999 -j ACCEPT
    COMMIT
    # Completed on Fri May  5 15:14:36 2006
    
    The line at the end is the command I'm trying to use for opening up the ports for PASV use:

    Code:
    -A RH-Firewall-1-INPUT -p tcp --dport 27000:27999 -j ACCEPT
    
    Inside /etc/proftpd.conf I've placed:

    Code:
    PassivePorts                    27000 27999
    
    Obviously my IPTables configuration is messed up... does anyone have any advice or an IPTables script that works?
     
  2. chillax

    chillax Guest

    0
     
    Don't want to use the Plesk Firewall module?
     
  3. thedust2010

    thedust2010 Guest

    0
     
    I have heard much about this Plesk Firewall module but I don't know where it is... is it an additional add-on or something provided by a third-party?
     
  4. crossconnect

    crossconnect Guest

    0
     
    You need to load the ip_conntrack_ftp module. Make sure the IPTABLES_MODULES setting in /etc/sysconfig/iptables-config reads:

    IPTABLES_MODULES="ip_conntrack_ftp"

    This iptables module will scan the FTP control channel for the PORT command and automatically open the appropriate port on the firewall to allow the connection from the client (if you accept RELATED,ESTABLISHED packets). No need to add your own rule for passive FTP ports.

    I can't remember if the Plesk module automatically does this. I abandoned it because of its lack of flexibility.
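    Two checks that follow from this thread, as an added example (not code from the thread or from Plesk): the first walks an iptables-save dump and reports rules that sit after an unconditional REJECT/DROP in their chain, which is exactly where the 27000:27999 rule above ended up; the second confirms that IPTABLES_MODULES in iptables-config names the FTP conntrack helper. The sample files are constructed inline from the thread's configuration; the paths and the nf_conntrack_ftp name for newer kernels are assumptions.

```shell
#!/bin/sh
# Added example, not from the thread: two checks a defender can run against a
# Plesk/RHEL-style iptables setup. Sample files are constructed inline and
# mirror the configuration posted above; adjust the paths for a real host.

# Print every rule that follows an unconditional -j REJECT or -j DROP in the
# same chain of an iptables-save dump. iptables walks a chain top to bottom and
# stops at the first terminating target, so such rules can never match.
unreachable_rules() {
    awk '
        /^-A / {
            chain = $2
            if (chain in dead) print chain ": " $0
            # a terminator with no -p/-m/-s/-d/-i/-o match is unconditional
            if ($0 ~ /-j (REJECT|DROP)/ && $0 !~ / -(p|m|s|d|i|o) /) dead[chain] = 1
        }' "$1"
}

# Succeed only if IPTABLES_MODULES in an iptables-config file names the FTP
# conntrack helper (ip_conntrack_ftp on 2.6 kernels, nf_conntrack_ftp today).
ftp_helper_configured() {
    grep -Eq '^IPTABLES_MODULES="?[^"]*(ip_conntrack_ftp|nf_conntrack_ftp)' "$1"
}

# --- constructed sample input (abridged copy of the dump in the thread) ---
tmp=$(mktemp -d)
cat >"$tmp/iptables" <<'EOF'
*filter
:INPUT ACCEPT [0:0]
:RH-Firewall-1-INPUT - [0:0]
-A INPUT -j RH-Firewall-1-INPUT
-A RH-Firewall-1-INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
-A RH-Firewall-1-INPUT -p tcp -m state --state NEW -m tcp --dport 21 -j ACCEPT
-A RH-Firewall-1-INPUT -j REJECT --reject-with icmp-host-prohibited
-A RH-Firewall-1-INPUT -p tcp --dport 27000:27999 -j ACCEPT
COMMIT
EOF
printf 'IPTABLES_MODULES=""\n' >"$tmp/iptables-config.before"
printf 'IPTABLES_MODULES="ip_conntrack_ftp"\n' >"$tmp/iptables-config.after"

echo "Rules that can never match:"
unreachable_rules "$tmp/iptables"          # flags the 27000:27999 rule
for f in before after; do
    if ftp_helper_configured "$tmp/iptables-config.$f"; then
        echo "$f: FTP conntrack helper configured"
    else
        echo "$f: FTP conntrack helper missing; passive data connections will be rejected"
    fi
done
```

With the helper loaded and RELATED,ESTABLISHED accepted, the data connections are admitted by conntrack, so the unreachable port-range rule can simply be dropped rather than moved.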
     
  5. thedust2010

    thedust2010 Guest

    0
     
    Wow it worked PERFECTLY. Thanks so much.

    I'm still curious about this Plesk Firewall module... I didn't know it existed. Is it accessible through the control panel?
     
  6. crossconnect

    crossconnect Guest

    0
     
    Click on System > Modules (left-hand sidebar) and the Firewall module should be listed there. All it does is generate an iptables firewall script. It allows you to configure simple allow/deny rules for each protocol, and that's about it.
     