LinuxQuestions.org
Old 11-09-2011, 01:00 AM   #1
dragonetti
LQ Newbie
 
Registered: Sep 2011
Posts: 18

Rep: Reputation: Disabled
ubuntu: iptables => "ip_conntrack_ftp" and changing default port (21) in proftpd


This is driving me crazy. I really, really hope someone can help me out.
I had proftpd running and working (with the default port 21).

But now I want to use IPTABLES in combination with a different FTP port.

I have the following
  • ip_conntrack_ftp, modprobe ip_conntrack and ip_nat_ftp
    I added these modules in my "/etc/modules" file (one module per line) and rebooted my Ubuntu VPS
  • My iptables looks like this: http://vpsbible.com/security/harden-...eate-firewall/
    Code:
    *filter
    #  Allows all loopback (lo0) traffic and drop all traffic to 127/8 that doesn't use lo0
    -A INPUT -i lo -j ACCEPT
    -A INPUT ! -i lo -d 127.0.0.0/8 -j REJECT
    #  Accepts all established inbound connections
    -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
    #  Allows all outbound traffic
    #  You can modify this to only allow certain traffic
    -A OUTPUT -j ACCEPT
    # Allows HTTP and HTTPS connections from anywhere (the normal ports for websites)
    -A INPUT -p tcp --dport 80 -j ACCEPT
    -A INPUT -p tcp --dport 443 -j ACCEPT
    #  Allows SSH connections
    # THE -dport NUMBER IS THE SAME ONE YOU SET UP IN THE SSHD_CONFIG FILE
    -A INPUT -p tcp -m state --state NEW --dport 30000 -j ACCEPT
    # Allow ping
    -A INPUT -p icmp -m icmp --icmp-type 8 -j ACCEPT
    # log iptables denied calls
    -A INPUT -m limit --limit 5/min -j LOG --log-prefix "iptables denied: " --log-level 7
    # Reject all other inbound - default deny unless explicitly allowed policy
    -A INPUT -j REJECT
    -A FORWARD -j REJECT
    COMMIT
    I added one extra rule (don't mind the port number below; I used another valid one):

    Code:
    -A INPUT -p tcp --dport 12345 -j ACCEPT
    In my proftpd configuration file I have correctly changed the default port from 21 to 12345.
  • My "/etc/network/interfaces" has the correct iptables file: "pre-up iptables-restore < /etc/iptables.up.rules"

I seem to connect to my server to a certain degree, but when the server connection procedure hits the following steps
"Entering passive mode", "Get directory"

I get the below error

edit:
"get directory"
"500 Illegal port command"
"PORT command failed"

(I tried both passive and active mode in Total Commander; I also tried WinSCP, but I get errors there too.)

If I change back to the default port 21 (in the proftpd configuration file) I cannot connect, which makes sense, because I haven't made an exception in my firewall.
So if I add port 21 to my iptables (see below) I can connect AND upload/download files.

Code:
-A INPUT -p tcp --dport 21 -j ACCEPT
What am I missing? What am I doing wrong?

Thank you!!!!!

Last edited by dragonetti; 11-09-2011 at 01:49 AM.
 
Old 11-10-2011, 10:12 AM   #2
mikey99
Member
 
Registered: Nov 2008
Location: UK
Distribution: RHEL, Fedora
Posts: 68

Rep: Reputation: 12
Quote:
Originally Posted by dragonetti View Post
This is driving me crazy. I really, really hope someone can help me out.
I had proftpd running and working (with the default port 21).

But now I want to use IPTABLES in combination with a different FTP port.
You need to pass an option to the kernel module doing the connection tracking for ftp.

Edit /etc/modprobe.conf

Add the following...
Code:
options ip_conntrack_ftp ports=21,12345
Let me know if it works
Mike.
 
1 members found this post helpful.
Old 11-10-2011, 11:13 AM   #3
dragonetti
LQ Newbie
 
Registered: Sep 2011
Posts: 18

Original Poster
Rep: Reputation: Disabled
@mikey99

!!!!!THANK YOU!!!!!

I read somewhere about a .conf file that must have the "options ..." line in /etc/modprobe.conf.
I tried to find the "modprobe.conf" file but I couldn't find it on my Ubuntu VPS, which led me to believe Ubuntu uses a completely different method...

After your post I tried again, I googled and found this page:
http://manpages.ubuntu.com/manpages/...modules.8.html

So I created an empty file "conntrack.conf" in the directory "/etc/modprobe.d"
and added your info:
Quote:
options ip_conntrack_ftp ports=21,12345

rebooted my VPS ... and it worked!!! ... it just worked!!!!!!!!!!

Thanks again man!!!!
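An added example, not code from either poster: a small POSIX shell helper that (a) builds the modprobe.d options line mikey99 gives above for any list of FTP control ports, using the current module name nf_conntrack_ftp (ip_conntrack_ftp, the name used in this thread, is its legacy alias), (b) checks whether a ports= value actually lists a given port, and (c) prints an iptables rule set that attaches the ftp helper explicitly with the CT target in the raw table instead of relying on automatic helper assignment, which newer kernels disable by default. With explicit assignment no ports= option is needed, and the helper is always named "ftp" for -m helper; with the ports= approach the helper instance for a non-default port is named "ftp-12345" instead. The port 12345 and the file name conntrack.conf come from the thread; the function names and the rule layout are this example's own, and the control port passed in at the bottom is a constructed value. No NAT rules are shown (the VPS in the thread has a public address); a NATed host would additionally need nf_nat_ftp.

```shell
#!/bin/sh
# Added example for the LinuxQuestions thread above; not the posters' code.
# Module name nf_conntrack_ftp and helper name "ftp" are the upstream names;
# port numbers used in the demo at the bottom are constructed.

# ftp_helper_option PORT... : print the /etc/modprobe.d/conntrack.conf line
# that makes the loaded helper watch every listed control port.
ftp_helper_option() {
    list=""
    for p in "$@"; do
        case "$p" in
            ''|*[!0-9]*) printf 'ftp_helper_option: bad port "%s"\n' "$p" >&2; return 1 ;;
        esac
        list="${list:+$list,}$p"
    done
    printf 'options nf_conntrack_ftp ports=%s\n' "$list"
}

# ftp_helper_covers PORTS_VALUE PORT : succeed if the comma-separated ports=
# value (e.g. "21,12345") lists PORT; used to check a config before rebooting.
ftp_helper_covers() {
    case ",$1," in
        *",$2,"*) return 0 ;;
    esac
    return 1
}

# ftp_helper_rules CTRL_PORT : print iptables commands that bind the ftp helper
# to the control port explicitly and accept only the data connections that the
# helper itself expected. Nothing is applied; the output is meant to be reviewed
# and then merged into the firewall script.
ftp_helper_rules() {
    port=$1
    cat <<EOF
# Attach the ftp helper to the control connection in the raw table (before
# conntrack sees the packet); no ports= module option is required for this.
iptables -t raw -A PREROUTING -p tcp --dport $port -j CT --helper ftp
# Accept the control connection itself.
iptables -A INPUT -p tcp --dport $port -m conntrack --ctstate NEW -j ACCEPT
# Accept only RELATED connections the ftp helper expected (passive-mode data
# channel). A plain RELATED rule would also honour expectations created by any
# other loaded helper.
iptables -A INPUT -p tcp -m conntrack --ctstate RELATED -m helper --helper ftp -j ACCEPT
EOF
}

# ftp_helper_live_ports : report which control ports the loaded helper tracks on
# this host, if the module is loaded (the sysfs file is root-readable only).
ftp_helper_live_ports() {
    f=/sys/module/nf_conntrack_ftp/parameters/ports
    if [ -r "$f" ]; then
        printf 'nf_conntrack_ftp tracks ports: %s\n' "$(cat "$f")"
    else
        printf 'nf_conntrack_ftp is not loaded (or %s is not readable) on this host\n' "$f"
    fi
}

# Demo with a constructed control port standing in for the thread's 12345.
ftp_helper_option 21 12345
ftp_helper_rules 12345
ftp_helper_live_ports
```

Running the script only prints; pipe the ftp_helper_option output into /etc/modprobe.d/conntrack.conf for the module-option approach, or paste the ftp_helper_rules output into the firewall script for the explicit-assignment approach, then confirm with ftp_helper_live_ports (as root) that the helper is loaded and watching the port you expect.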
 