LinuxQuestions.org > Linux - Newbie
passive ftp behind firewall (https://www.linuxquestions.org/questions/linux-newbie-8/passive-ftp-behind-firewall-864468/)

mad_penguin 02-23-2011 02:57 AM

passive ftp behind firewall
 
Hi

I have an FTP box behind a firewall (iptables). I'm using vsftpd and it works fine on the local network, but when accessing from outside (internet) it isn't working. vsftpd listens on port 543 and I've also opened ports 12000:12003 for passive mode.
pasv_min_port=12000
pasv_max_port=12003

On router I've made following rule:
iptables -A INPUT -i 192.168.7.128 -m state --state NEW,ESTABLISHED,RELATED -p TCP -s 81.196.50.75 -d 192.168.7.128 --dport 12000:12003 -j ACCEPT
but sadly it doesn't work.
On ftp machine I've stopped firewall.

Any advice will be welcome.

Thanks.

corp769 02-23-2011 03:19 AM

Can you post the output of iptables -L from your router, and your vsftpd.conf file?

mad_penguin 02-23-2011 03:51 AM

iptables -L :

Chain INPUT (policy ACCEPT)
target prot opt source destination
ACCEPT tcp -- anywhere anywhere tcp dpt:http
ACCEPT all -- anywhere anywhere state RELATED,ESTABLISHED
ACCEPT icmp -- anywhere anywhere
ACCEPT all -- anywhere anywhere
ACCEPT all -- anywhere anywhere
ACCEPT tcp -- anywhere anywhere state NEW tcp dpt:imap
ACCEPT tcp -- anywhere anywhere state NEW tcp dpt:imaps
ACCEPT tcp -- anywhere anywhere state NEW tcp dpt:pop3
ACCEPT tcp -- anywhere anywhere state NEW tcp dpt:pop3s
ACCEPT tcp -- anywhere anywhere state NEW tcp dpt:smtp
ACCEPT tcp -- anywhere anywhere state NEW tcp dpt:http
ACCEPT udp -- anywhere anywhere state NEW udp dpt:domain
ACCEPT tcp -- anywhere anywhere state NEW tcp dpt:2212
ACCEPT tcp -- 82.77.20.205 anywhere tcp dpt:ssh
ACCEPT tcp -- conextess2.iasi.rdsnet.ro anywhere tcp dpt:ssh
ACCEPT tcp -- anywhere anywhere tcp dpt:http

Chain FORWARD (policy ACCEPT)
target prot opt source destination

Chain OUTPUT (policy ACCEPT)
target prot opt source destination

vsftpd.conf:


local_enable=YES
write_enable=YES
local_umask=022
dirmessage_enable=YES
listen=YES
pam_service_name=vsftpd
userlist_enable=YES
tcp_wrappers=YES
#userlist_deny=NO
ssl_enable=YES
allow_anon_ssl=NO
force_local_data_ssl=NO
force_local_logins_ssl=YES
ssl_tlsv1=YES
ssl_sslv2=NO
ssl_sslv3=NO
rsa_cert_file=/etc/vsftpd/vsftpd.pem
listen_port=543
#userlist_enable=YES
userlist_file=/etc/vsftpd/user_list
local_enable=YES
write_enable=YES
chroot_list_enable=YES
chroot_list_file=/etc/vsftpd/chroot_list
chroot_local_user=YES
check_shell=NO
pasv_min_port=12000
pasv_max_port=12003

trist007 02-23-2011 07:41 AM

OK, you just need an iptables rule for FTP with connection tracking.

This one already shows that you have connection tracking set up.
Code:

ACCEPT all -- anywhere anywhere state RELATED,ESTABLISHED
Add something like this
Code:

iptables -I INPUT 6 -p tcp --dport 21 -m state --state NEW -j ACCEPT
This should take care of your issue. When iptables sees that somebody is establishing an FTP connection on port 21, it will tag the request as NEW. Once the TCP handshake occurs, it tags that connection as ESTABLISHED. If using passive, those extra ports 12000-12003 will be opened with the RELATED tag. iptables will automatically add these ports in the background because they are RELATED to the original FTP rule that I have listed above.
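Worked example, added here and not part of the thread or of anyone's post: a small POSIX sh script that generates the netfilter rules for the passive-FTP mechanism described above, using the values posted in this thread (listen_port=543, pasv range 12000:12003, ssl_enable=YES). It covers the two checks a practitioner would make before applying the "just add one rule" advice. First, the FTP conntrack helper (nf_conntrack_ftp) only watches port 21 by default, so a server on port 543 needs the module loaded with ports=543, otherwise no RELATED expectation is ever created. Second, with ssl_enable=YES the PASV reply travels inside TLS, the helper cannot read it, and the passive range has to be accepted explicitly as NEW connections. The function names, the assumption that the firewall host is also the FTP server (so INPUT is the right chain; a NAT router in front of the server would instead need FORWARD rules, a DNAT for the range, and pasv_address in vsftpd.conf), and the sample config lines are ours. The script prints the rules; it only runs them when APPLY=1 is set and a config path is given.

```shell
#!/bin/sh
# Added example: generate iptables rules for passive FTP behind netfilter.
# Values below are the ones from the thread; override via environment.
CTRL_PORT=${CTRL_PORT:-543}
PASV_MIN=${PASV_MIN:-12000}
PASV_MAX=${PASV_MAX:-12003}

# The FTP conntrack helper tracks port 21 unless told otherwise; the
# "ports=" module parameter takes up to 8 control ports.
helper_modprobe() {
    printf 'modprobe nf_conntrack_ftp ports=%s\n' "$1"
}

# Plain FTP: accept NEW on the control port and let RELATED,ESTABLISHED
# through. The helper parses the cleartext PASV reply and creates a RELATED
# expectation for each data connection, so no per-port rule is needed.
plain_ftp_rules() {
    helper_modprobe "$1"
    printf 'iptables -A INPUT -p tcp --dport %s -m conntrack --ctstate NEW -j ACCEPT\n' "$1"
    printf 'iptables -A INPUT -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT\n'
}

# FTP over TLS (vsftpd ssl_enable=YES): the PASV reply is encrypted, the
# helper sees nothing, so the passive range itself must be accepted as NEW.
ftps_rules() {
    printf 'iptables -A INPUT -p tcp --dport %s -m conntrack --ctstate NEW -j ACCEPT\n' "$1"
    printf 'iptables -A INPUT -p tcp --dport %s:%s -m conntrack --ctstate NEW -j ACCEPT\n' "$2" "$3"
    printf 'iptables -A INPUT -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT\n'
}

# Read a vsftpd.conf on stdin and pick the rule set that matches it.
rules_for_config() {
    if grep -q '^ssl_enable=YES' ; then
        ftps_rules "$CTRL_PORT" "$PASV_MIN" "$PASV_MAX"
    else
        plain_ftp_rules "$CTRL_PORT"
    fi
}

# Usage:  sh ftp-rules.sh /etc/vsftpd/vsftpd.conf          (print rules)
#         APPLY=1 sh ftp-rules.sh /etc/vsftpd/vsftpd.conf  (run them, as root)
if [ $# -ge 1 ]; then
    if [ "${APPLY:-0}" = 1 ]; then
        rules_for_config < "$1" | sh
    else
        rules_for_config < "$1"
    fi
fi
```

Applied to the config posted in this thread, the script emits the FTPS rule set: NEW on 543, NEW on 12000:12003, and the RELATED,ESTABLISHED catch-all. With ssl_enable=NO it instead emits the modprobe line with ports=543 and relies on the helper for the data ports. Either way the rules accept traffic only on the firewall host itself; if the FTP box is a separate machine behind a NAT router, the same ports need DNAT and FORWARD rules there.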

