LinuxQuestions.org

Linux - Networking: iptables rule for ftp (https://www.linuxquestions.org/questions/linux-networking-3/iptables-rule-for-ftp-492459/)

dcdbutler 10-14-2006 07:54 PM

iptables rule for ftp
 
Hi,
I was wondering if someone could suggest a rule, or combination of rules, to allow vsftpd to work behind iptables? It works when the firewall is down.
This is the rule I have at the moment, which is not working:

Code:

$IPTABLES -A INPUT -p tcp --dport 21 -j ACCEPT
I'm using vsftpd to allow local users access to a shared folder.

My vsftpd.conf file:

Code:

anonymous_enable=NO
local_enable=YES
write_enable=NO
local_umask=022
#anon_upload_enable=YES
#anon_mkdir_write_enable=YES
dirmessage_enable=YES
xferlog_enable=YES
connect_from_port_20=YES
#chown_uploads=YES
#chown_username=whoever
xferlog_file=/var/log/vsftpd.log
xferlog_std_format=YES
#idle_session_timeout=600
#data_connection_timeout=120
#nopriv_user=ftpsecure
#async_abor_enable=YES
#ascii_upload_enable=YES
#ascii_download_enable=YES
ftpd_banner=Welcome to the back-side of eternity: Unauthorised use PROHIBITED
#chroot_list_enable=YES
#chroot_list_file=/etc/vsftpd.chroot_list
ls_recurse_enable=YES
listen=YES
anon_max_rate=40000
local_max_rate=40000
#listen_port=2121
pam_service_name=vsftpd
#userlist_enable=YES
check_shell=NO

Thanks

musicman_ace 10-14-2006 08:21 PM

You'll need both the control and data ports (20, 21). But this brings in the active or passive FTP server argument. I'd have to google it, but one of them opens a dynamic random port while the other only uses the (20, 21) ports.

dcdbutler 10-14-2006 08:48 PM

OK, I think I might be getting somewhere.

Code:

modprobe ip_conntrack_ftp
seems to solve the connection problem with passive ftp.

Any suggestions for improved iptables rules are still welcome.

Cheers

billymayday 10-14-2006 08:49 PM

And you generally need an ESTABLISHED,RELATED rule to deal with the dynamic higher ports.

jcliburn 10-14-2006 09:29 PM

In vsftpd.conf, use pasv_min_port and pasv_max_port to establish a range of passive ports you'd like to use. Then add a rule in iptables that unblocks those ports.

Example:
vsftpd.conf

Code:

pasv_enable=YES
pasv_min_port=11001
pasv_max_port=11010
iptables

Code:

-A INPUT -m state --state NEW -m tcp -p tcp --dport 21 -j ACCEPT
-A INPUT -p tcp --dport 11001:11010 -j ACCEPT
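The thread's pieces (the ftp conntrack helper, an ESTABLISHED,RELATED rule, and a fixed pasv port range opened in iptables) fit together as one ordered rule set. The script below is an added example, not code from the thread or from vsftpd: it reads pasv_min_port/pasv_max_port from a vsftpd.conf-style text, refuses a missing or inverted range, and prints the iptables commands rather than applying them, so they can be reviewed before being piped to sh on the real host. The sample configuration is constructed. It assumes the current iptables CLI (-m conntrack) and the nf_conntrack_ftp module; on the 2.6 kernels of 2006 the module was ip_conntrack_ftp and the match was -m state --state, as in the posts above.

```shell
#!/bin/sh
# Added example, not code from the thread. Derives the passive port range
# from a vsftpd.conf-style text and prints (does not apply) the iptables
# commands for a vsftpd server behind a host firewall. Assumes the modern
# iptables CLI (-m conntrack) and the nf_conntrack_ftp module; on the 2.6
# kernels of the thread's era the module was ip_conntrack_ftp and the
# match was -m state --state.

# Constructed sample configuration mirroring the thread's settings.
SAMPLE_VSFTPD_CONF='anonymous_enable=NO
local_enable=YES
listen=YES
pasv_enable=YES
pasv_min_port=11001
pasv_max_port=11010'

# pasv_range CONFIG_TEXT: print "MIN:MAX" for pasv_min_port/pasv_max_port,
# or fail when they are missing or unusable. Without a fixed range vsftpd
# picks random high ports, which a firewall with a DROP policy will eat.
pasv_range() {
    # Last occurrence wins if a key is repeated.
    min=$(printf '%s\n' "$1" | sed -n 's/^[[:space:]]*pasv_min_port=\([0-9][0-9]*\).*/\1/p' | tail -n 1)
    max=$(printf '%s\n' "$1" | sed -n 's/^[[:space:]]*pasv_max_port=\([0-9][0-9]*\).*/\1/p' | tail -n 1)
    if [ -z "$min" ] || [ -z "$max" ]; then
        echo "pasv_min_port/pasv_max_port not set: passive FTP would use random ports" >&2
        return 1
    fi
    # Refuse privileged ports and inverted ranges (this script's policy, not vsftpd's).
    if [ "$min" -le 1023 ] || [ "$max" -gt 65535 ] || [ "$min" -gt "$max" ]; then
        echo "unusable passive range $min:$max" >&2
        return 1
    fi
    printf '%s:%s\n' "$min" "$max"
}

# ftp_rules CONFIG_TEXT [IPTABLES_BINARY]: print the commands in the order
# they must be appended. The INPUT chain is assumed to end in DROP (policy
# or a final rule); otherwise these ACCEPTs change nothing.
ftp_rules() {
    range=$(pasv_range "$1") || return 1
    ipt=${2:-iptables}
    cat <<EOF
# Load the FTP helper and attach it to the control connection explicitly;
# kernels from 4.7 on no longer attach helpers automatically.
modprobe nf_conntrack_ftp
$ipt -t raw -A PREROUTING -p tcp --dport 21 -j CT --helper ftp
# Replies, plus data connections the helper recognised (active and passive).
$ipt -A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
# Control channel.
$ipt -A INPUT -p tcp --dport 21 -m conntrack --ctstate NEW -j ACCEPT
# Passive data ports from vsftpd.conf; this is what keeps working when the
# helper cannot read the control channel, e.g. FTP over TLS.
$ipt -A INPUT -p tcp --dport $range -m conntrack --ctstate NEW -j ACCEPT
EOF
}

# Stand-alone run: show the rule set for the sample configuration.
ftp_rules "$SAMPLE_VSFTPD_CONF"
```

With the helper attached, the ESTABLISHED,RELATED rule alone already admits the passive data connections for plain FTP, because the helper reads the PASV reply and marks the data connection RELATED. The explicit pasv range rule is still worth keeping: it is the only thing that works once the control channel is encrypted (FTPS), and it documents which ports the server is allowed to hand out. If the server sits behind NAT, vsftpd additionally needs pasv_address set to the externally visible address, and the NAT device must run the same helper or forward the same range.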

dcdbutler 10-15-2006 12:12 PM

Quote:

Originally Posted by jcliburn
.......
pasv_enable=YES
pasv_min_port=11001
pasv_max_port=11010

-A INPUT -p tcp --dport 11001:11010 -j ACCEPT

I think this helped deal with another problem I was having for local user access. Users were getting prompted for passwords at unusual times, for example when trying to descend into a sub-directory within the root directory. I think this must have been because passive connections were being lost.

Thanks


All times are GMT -5.