LinuxQuestions.org
Old 02-17-2003, 07:28 AM   #1
Slasher
Member
 
Registered: Oct 2002
Location: Norway
Distribution: Gentoo
Posts: 36

ProFTPd, Redhat 8.0 and passive mode


Hi,

Trying to configure proftpd on my redhat 8.0 box, and I can't get passive mode to work.

If I try "ftp localhost 13795" (why port 21) on the server, I can log in, list directories, upload, download, the works.

If I try "ftp IP 13795" from another machine, I can log on, but directory listing fails because of passive mode. Here's the output:

ftp> dir
227 Entering Passive Mode (129,241,209,135,199,177).
ftp: connect: Connection refused

As you can see, the server has public ip. I have forwarded the connection port (13795) and a port range 51000-51999 in the redhat security level program, and set the "PassivePorts 51000 51999" in proftpd.conf. I'm running proftpd from xinetd by the way.

The syntax I used for redhat's security level program was "51000-51999:tcp".

I've read numerous readme files, searched the net and LQ, and still I'm stumped. If anyone has some idea to what I'm doing wrong, I'd be grateful.

Thanks for reading.
 
Old 02-18-2003, 09:06 AM   #2
Slasher
Member
 
Registered: Oct 2002
Location: Norway
Distribution: Gentoo
Posts: 36

Original Poster
Quick update: I'm pretty confident that the problem is the redhat-config-securitylevel program. It appears that it accepts the syntax "51000-51999:tcp", but only opens 51000:tcp. I've had no success in finding the synopsis for this, either with google or redhat's search.
 
Old 02-25-2003, 09:00 PM   #3
unique3
LQ Newbie
 
Registered: Feb 2003
Posts: 6

Same problem

I am having somewhat of the same problem except I know far less about it than you. I have proftpd installed on my server and recently I have been having problems connecting to it from ncftp on other linux boxes and from windows programs. When I try to use ncftp to connect it gives me an error saying it could not enter passive mode. Any ideas?

Thanks in advance
 
Old 02-26-2003, 07:04 AM   #4
Slasher
Member
 
Registered: Oct 2002
Location: Norway
Distribution: Gentoo
Posts: 36

Original Poster
Hi unique3,

This is probably the same problem I experienced. Luckily I found a solution.

Here goes:

It was the redhat-config-securitylevel "firewall" program that was causing frustration. Like most (all?) firewall programs on linux, it's based upon iptables, which is a powerful and highly configurable program, if one learns to use it. More info on iptables: http://www.iptables.org Basically iptables determines the fate of packets sent and received on your computer.

The solution was to add a rule to the INPUT chain in iptables. A chain works as a set of rules, the first rule is checked first, if it doesn't apply, the second is checked and so on.

A simple example (INPUT chain, could be any chain):

ACCEPT tcp -- anywhere anywhere tcp dpts:80
ACCEPT tcp -- anywhere anywhere tcp dpts:22
DENY tcp -- anywhere anywhere tcp dpts:80

Let's say this is the INPUT chain (handles everything coming to your computer). The first rule accepts all packets on port 80 tcp (http). The second accepts all SSH connections, tcp. The third rule tries to deny all incoming http packets. This won't work, since the first rule has already accepted all http packets.

A good way to set up a chain is then to have a set of rules to allow incoming packets on selected ports, and the last rule on the chain to deny all:

ACCEPT tcp -- anywhere anywhere tcp dpts:80
ACCEPT tcp -- anywhere anywhere tcp dpts:22
DENY tcp -- anywhere anywhere tcp dpts:80
REJECT tcp -- anywhere anywhere tcp flags:SYN,RST,ACK/SYN reject-with icmp-port-unreachable
REJECT udp -- anywhere anywhere udp reject-with icmp-port-unreachable

Almost at the end now

What I did (simple enough), was to add a rule to the INPUT chain:

ACCEPT tcp -- anywhere anywhere tcp dpts:51000:51999

The command to do so is:

# iptables -I INPUT 6 -p TCP --dport 51000:51999 -j ACCEPT

This adds a rule to the INPUT chain, position 6 from the top, which allows all packets from all IPs on ports 51000-51999 (my passive port range in proftpd). The position is important, since the last two rules of my chain deny everything on all ports from all IPs, tcp and udp respectively.

Hope this was helpful, and perhaps even understandable. Sorry for any bad English.

Last edited by Slasher; 02-26-2003 at 10:30 AM.
 
Old 02-26-2003, 07:44 AM   #5
Hangdog42
LQ Veteran
 
Registered: Feb 2003
Location: Maryland
Distribution: Slackware
Posts: 7,803
Blog Entries: 1

Slasher, that is quite possibly the clearest explanation of iptables I've read. I've been struggling with it for quite some time and only "got it" after reading your post.

Thanks!
 
Old 02-26-2003, 10:31 AM   #6
Slasher
Member
 
Registered: Oct 2002
Location: Norway
Distribution: Gentoo
Posts: 36

Original Poster
Glad to be of help
 
Old 02-26-2003, 12:15 PM   #7
unique3
LQ Newbie
 
Registered: Feb 2003
Posts: 6

One more thing

Thanks for the explanation but I have just one more question: you used ports 51000:51999 because they are your passive ports.
Where and how would I check what my passive ports are, or are they standard?

Again thanks for the explanation, I actually understand what you are talking about and that's pretty amazing.
 
Old 02-26-2003, 12:27 PM   #8
Slasher
Member
 
Registered: Oct 2002
Location: Norway
Distribution: Gentoo
Posts: 36

Original Poster
Hi again unique3,

I chose ports 51000-51999 because they are not used for any other service. Actually anything over 50000 is ok. Choose as many ports as you need.

In your proftpd.conf file, you should put in the following code:

Code:
PassivePorts 51000 51999
This could be inside <Global> (like I have) or you could specify individual passive ports for each virtual server if you run multiple servers.

This is part of my proftpd.conf file:

Code:
<Global>
        PassivePorts 51000 51999
</Global>
Hope it works out for you
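As an added example (not code from anyone in this thread), a small Python check that ties together the 227 reply quoted in post #1, the PassivePorts range from post #8 and the iptables rule from post #4: it decodes the data port the server announces and says whether proftpd.conf or the firewall is the place to look. The range 51000-51999 and rule position 6 come from the thread; the function names and the diagnostic wording are my own.

```python
import re

# Constructed sample input: the 227 reply quoted in the first post of the thread.
PASV_REPLY = "227 Entering Passive Mode (129,241,209,135,199,177)."

# RFC 959 PASV reply: four IPv4 octets, then the high and low byte of the data port.
PASV_RE = re.compile(
    r"^227 .*?\((\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3})\)"
)


def parse_pasv(reply):
    """Return (host, port) announced by a 227 PASV reply; port = p1 * 256 + p2."""
    m = PASV_RE.match(reply.strip())
    if not m:
        raise ValueError("not a 227 PASV reply: %r" % reply)
    fields = [int(x) for x in m.groups()]
    if any(f > 255 for f in fields):
        raise ValueError("byte out of range in PASV reply: %r" % reply)
    host = ".".join(str(o) for o in fields[:4])
    port = fields[4] * 256 + fields[5]
    return host, port


def in_passive_range(port, low=51000, high=51999):
    """True if the announced data port lies inside the configured PassivePorts range."""
    return low <= port <= high


def iptables_rule(low=51000, high=51999, position=6):
    """The INPUT rule from post #4, opening the whole range rather than only its first port."""
    return "iptables -I INPUT %d -p tcp --dport %d:%d -j ACCEPT" % (position, low, high)


def diagnose(reply, low=51000, high=51999):
    """Point at the server config or the firewall depending on where the announced port falls."""
    host, port = parse_pasv(reply)
    if not in_passive_range(port, low, high):
        return ("server announced %s:%d, outside PassivePorts %d %d: fix proftpd.conf"
                % (host, port, low, high))
    return ("server announced %s:%d, inside PassivePorts %d %d: make sure the firewall "
            "opens the whole range, e.g. %s" % (host, port, low, high, iptables_rule(low, high)))


if __name__ == "__main__":
    print(parse_pasv(PASV_REPLY))  # ('129.241.209.135', 51121)
    print(diagnose(PASV_REPLY))
```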
 
Old 05-09-2008, 08:06 AM   #9
jordib
Member
 
Registered: Apr 2008
Distribution: Debian
Posts: 37

And if I need to access the server both from an internal private IP address, when used from the local network, and from a public IP address, when used from the Internet?

Should I duplicate the server setup within a different VirtualServer for the public IP and the private IP?

Is there any way to access the server always from the public IP? (This does not work with the gateway I use.)

The proFTPD server is in a DMZ.

MasqueradeAddress is specified as the public IP address of the gateway to Inet.

More information:

http://www.linuxquestions.org/questi...blems-639854/?

Last edited by jordib; 05-09-2008 at 08:15 AM.
 
Old 05-09-2008, 11:11 AM   #10
Hangdog42
LQ Veteran
 
Registered: Feb 2003
Location: Maryland
Distribution: Slackware
Posts: 7,803
Blog Entries: 1

Why don't you start a new thread on your question. In general, digging up a five year old thread probably won't get you the answers you're looking for.
 
Old 05-09-2008, 04:08 PM   #11
jordib
Member
 
Registered: Apr 2008
Distribution: Debian
Posts: 37

As you can see, I've opened a new thread. Within the last answer I cite the link.
 