
IPTables / Passive FTP problem

thedust2010

I know there have been a few posts about this in the past, but they've been of no help to me. I'm trying to get proftpd and iptables to use passive FTP properly (right now the FTP is not functioning so quickly). Here is my IPTables file (/etc/sysconfig/iptables):

Code:
# Generated by iptables-save v1.2.11 on Fri May  5 15:14:36 2006
*filter
:INPUT ACCEPT [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [897:80050]
:RH-Firewall-1-INPUT - [0:0]
-A INPUT -j RH-Firewall-1-INPUT
-A FORWARD -j RH-Firewall-1-INPUT
-A RH-Firewall-1-INPUT -i lo -j ACCEPT
-A RH-Firewall-1-INPUT -p icmp -m icmp --icmp-type any -j ACCEPT
-A RH-Firewall-1-INPUT -p ipv6-crypt -j ACCEPT
-A RH-Firewall-1-INPUT -p ipv6-auth -j ACCEPT
-A RH-Firewall-1-INPUT -d 224.0.0.251 -p udp -m udp --dport 5353 -j ACCEPT
-A RH-Firewall-1-INPUT -p udp -m udp --dport 631 -j ACCEPT
-A RH-Firewall-1-INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
-A RH-Firewall-1-INPUT -p tcp -m state --state NEW -m tcp --dport 8443 -j ACCEPT
-A RH-Firewall-1-INPUT -p tcp -m state --state NEW -m tcp --dport 443 -j ACCEPT
-A RH-Firewall-1-INPUT -p tcp -m state --state NEW -m tcp --dport 27406 -j ACCEPT
-A RH-Firewall-1-INPUT -p tcp -m state --state NEW -m tcp --dport 3306 -j ACCEPT
-A RH-Firewall-1-INPUT -p tcp -m state --state NEW -m tcp --dport 23 -j ACCEPT
-A RH-Firewall-1-INPUT -p tcp -m state --state NEW -m tcp --dport 25 -j ACCEPT
-A RH-Firewall-1-INPUT -p tcp -m state --state NEW -m tcp --dport 80 -j ACCEPT
-A RH-Firewall-1-INPUT -p tcp -m state --state NEW -m tcp --dport 21 -j ACCEPT
-A RH-Firewall-1-INPUT -p tcp -m state --state NEW -m tcp --dport 53 -j ACCEPT
-A RH-Firewall-1-INPUT -p udp -m udp --dport 53 -j ACCEPT
-A RH-Firewall-1-INPUT -j REJECT --reject-with icmp-host-prohibited
-A RH-Firewall-1-INPUT -p tcp --dport 27000:27999 -j ACCEPT
COMMIT
# Completed on Fri May  5 15:14:36 2006

The line at the end is the command I'm trying to use for opening up the ports for PASV use:

Code:
-A RH-Firewall-1-INPUT -p tcp --dport 27000:27999 -j ACCEPT

Inside /etc/proftpd.conf I've placed:

Code:
PassivePorts                    27000 27999

Obviously my IPTables configuration is messed up... does anyone have any advice or an IPTables script that works?
 
I have heard much about this Plesk Firewall module but I don't know where it is... is it an additional add-on or something provided by a third-party?
 
You need to load the ip_conntrack_ftp module. Make sure the IPTABLES_MODULES setting in /etc/sysconfig/iptables-config reads:

IPTABLES_MODULES="ip_conntrack_ftp"

This iptables module will scan the FTP control channel for the PORT command and automatically open the appropriate port on the firewall to allow the connection from the client (if you accept RELATED,ESTABLISHED packets). No need to add your own rule for passive FTP ports.

I can't remember if the Plesk module automatically does this. I abandoned it because of its lack of flexibility.
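As an added illustration (not code from the thread), the script below checks the two things this answer turns on: whether an iptables-save dump contains rules that sit after a catch-all REJECT/DROP in the same chain and can therefore never match (the passive-port rule in the first post is placed after the REJECT), and whether the FTP conntrack helper is loaded. The sample dump and module listing are constructed; the nf_conntrack_ftp name is assumed as the helper's name on current kernels, alongside the ip_conntrack_ftp name used here.

```shell
#!/bin/sh
# Added example, not from the original thread: audit an iptables-save dump for
# rules shadowed by an earlier catch-all REJECT/DROP in the same chain, and check
# whether the FTP connection-tracking helper is loaded.

# Constructed sample dump reproducing the ordering problem from the first post:
# the passive-port rule comes after the chain's unconditional REJECT.
SAMPLE_RULES='*filter
:INPUT ACCEPT [0:0]
:RH-Firewall-1-INPUT - [0:0]
-A INPUT -j RH-Firewall-1-INPUT
-A RH-Firewall-1-INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
-A RH-Firewall-1-INPUT -p tcp -m state --state NEW -m tcp --dport 21 -j ACCEPT
-A RH-Firewall-1-INPUT -j REJECT --reject-with icmp-host-prohibited
-A RH-Firewall-1-INPUT -p tcp --dport 27000:27999 -j ACCEPT
COMMIT'

# Constructed /proc/modules-style listing (name size refcount deps state addr).
SAMPLE_MODULES='ip_tables 36864 1 iptable_filter, Live 0xffffffffc0a00000
nf_conntrack_ftp 24576 0 - Live 0xffffffffc09f0000'

# shadowed_rules: read an iptables-save dump on stdin and print every rule that
# follows an unconditional "-j REJECT" or "-j DROP" in the same chain. Such a
# rule is dead: the catch-all before it terminates every packet in that chain.
shadowed_rules() {
    awk '
        /^-A / {
            chain = $2
            if (chain in closed) { print; next }
            # "-A CHAIN -j REJECT ..." with no match options before -j is a catch-all.
            if ($3 == "-j" && ($4 == "REJECT" || $4 == "DROP")) closed[chain] = 1
        }
    '
}

# ftp_helper_loaded: read a /proc/modules listing on stdin and succeed if the
# FTP conntrack helper is present. ip_conntrack_ftp is the name used in the
# thread; nf_conntrack_ftp is assumed to be the name on current kernels.
ftp_helper_loaded() {
    grep -Eq '^(ip|nf)_conntrack_ftp[[:space:]]'
}

# Demo on the constructed data; on a live box use:
#   iptables-save | shadowed_rules   and   ftp_helper_loaded < /proc/modules
printf '%s\n' "$SAMPLE_RULES" | shadowed_rules
printf '%s\n' "$SAMPLE_MODULES" | ftp_helper_loaded && echo "FTP conntrack helper loaded"
```

The helper can only mark the data connection as RELATED when it can read the control channel, so with FTP over TLS it cannot see the PASV reply and an explicit rule for the passive range, placed before the REJECT, is then still required.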
 
Wow it worked PERFECTLY. Thanks so much.

I'm still curious about this Plesk Firewall module... I didn't know it existed. Is it accessible through the control panel?
 
Click on System > Modules (left-hand sidebar) and the Firewall module should be listed there. All it does is generate an iptables firewall script. It allows you to configure simple allow/deny rules for each protocol, and that's about it.
 