Proftpd vs iptables
WInternt Member
edited June 2013 in Help

Hi

For some reason I can't understand, I'm having problems connecting to the FTP server!

My FileZilla client can connect to the server, but then it gives an error:

Response:    227 Entering Passive Mode (192,168,234,128,211,102)
Command:    MLSD
Error:    Connection timed out
Error:    Failed to retrieve directory listing

IPTABLES rules (iptables-restore format):

*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [0:0]

-A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT

# FTP
-A INPUT -p tcp --dport 21 -m state --state NEW,ESTABLISHED -j ACCEPT
-A INPUT -p tcp --sport 20 -m state --state ESTABLISHED,RELATED -j ACCEPT

# SSH
-A INPUT -p tcp --dport 22 -j ACCEPT

# TS3 server
-A INPUT -p udp --dport 9987 -j ACCEPT
-A INPUT -p tcp --dport 10011 -j ACCEPT
-A INPUT -p tcp --dport 30033 -j ACCEPT
-A INPUT -p udp --dport 30033 -j ACCEPT

# MTA server
-A INPUT -p tcp --dport 22005 -j ACCEPT
-A INPUT -p udp --dport 22003 -j ACCEPT
-A INPUT -p udp --dport 22126 -j ACCEPT

# Minecraft server
-A INPUT -p udp --dport 25565 -j ACCEPT
COMMIT

Can someone teach me what is wrong here?

Thanks!

Comments

  • Can't open that site ... seems down here

  • prae5 Member

    Site works fine here.

    In summary, passive FTP uses a range of dynamic ports (above port 1024). You need to open up more than 20 and 21. Typically you can set the range in the FTP daemon.

  • I tried that before... and it didn't work.

  • Have you tried loading the ip_conntrack_ftp module?

  • erhwegesrgsr Member
    edited June 2013

    you need to open passive (udp) ftp ports (specified in your proftpd config)

  • This is not a port issue, I've seen this lots before. Let me see if I can check old notes for ya.


    Try first allowing local logins in proftpd conf. I'll update if I can find it.

  • Try uncommenting the below line in proftpd config file

    PassivePorts 49152 65534

    and add this rule to iptables

    -A INPUT -m state --state NEW -m tcp -p tcp --dport 49152:65534 -j ACCEPT

  • Hmm, can't edit my posts right now.. Anyway, I think @praveen got it. I have seen directory listings fail on disallowed local logins, but the passive port range is probably right.


    IMHO do iptables -A INPUT -p tcp -m tcp --dport 49152:65535 -j ACCEPT more closely follows your ruleset.

  • vsftpd can have the same issue if you don't specify pasv_min_port and pasv_max_port ranges too, FYI.

  • The problem here is passive mode. It gives the client an internal IP address, which the client won't be able to connect to. You'll need to forward the ports for passive mode (as @praveen said) and configure MasqueradeAddress in proftpd.conf.
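Worked example, added by the editor and not part of the thread: the two fixes proposed above (PassivePorts plus a matching firewall rule, and MasqueradeAddress) can both be checked from the 227 reply FileZilla printed in the original post. The reply encodes the data address as six decimal octets; the data port is p1*256+p2, and the data connection is a plain TCP connection to that port (there is no UDP in passive FTP). The script below decodes the reply, reads PassivePorts from a constructed proftpd.conf (assumed content, not the poster's file), checks that the advertised port falls inside that range, and flags an RFC 1918 address, which a client outside that LAN cannot reach. The sample values are taken from the post; everything else is assumed.

```shell
#!/bin/sh
# Editor's example, not from the thread or the ProFTPD project.

# Constructed sample: the 227 reply quoted in the original post.
PASV_REPLY='227 Entering Passive Mode (192,168,234,128,211,102)'

# Constructed sample proftpd.conf (assumed; the commented line shows the
# Debian/Ubuntu default you are told to uncomment).
PROFTPD_CONF='ServerName "Example FTP"
# PassivePorts 49152 65534
PassivePorts 49152 65534
'

# pasv_host REPLY -> dotted-quad address from the 227 reply
pasv_host() {
    printf '%s\n' "$1" | sed -n 's/.*(\([0-9]*\),\([0-9]*\),\([0-9]*\),\([0-9]*\),[0-9]*,[0-9]*).*/\1.\2.\3.\4/p'
}

# pasv_port REPLY -> data port, p1*256 + p2
pasv_port() {
    set -- $(printf '%s\n' "$1" | sed -n 's/.*(\([0-9]*\),\([0-9]*\),\([0-9]*\),\([0-9]*\),\([0-9]*\),\([0-9]*\)).*/\5 \6/p')
    echo $(( $1 * 256 + $2 ))
}

# passive_range CONF -> "min max" from the first uncommented PassivePorts line
passive_range() {
    printf '%s\n' "$1" | awk '$1 == "PassivePorts" { print $2, $3; exit }'
}

# is_private IP -> success if the address is RFC 1918 space
is_private() {
    case "$1" in
        10.*|192.168.*) return 0 ;;
        172.1[6-9].*|172.2[0-9].*|172.3[01].*) return 0 ;;
    esac
    return 1
}

# in_range PORT MIN MAX
in_range() { [ "$1" -ge "$2" ] && [ "$1" -le "$3" ]; }

# passive_rule MIN MAX -> the INPUT rule that must match PassivePorts
passive_rule() {
    printf -- '-A INPUT -p tcp -m tcp --dport %s:%s -m conntrack --ctstate NEW -j ACCEPT\n' "$1" "$2"
}

# diagnose REPLY CONF -> one verdict per line; returns 1 if anything is wrong
diagnose() {
    host=$(pasv_host "$1")
    port=$(pasv_port "$1")
    range=$(passive_range "$2")
    lo=${range% *}
    hi=${range#* }
    status=0
    if in_range "$port" "$lo" "$hi"; then
        echo "data port $port is inside PassivePorts $lo-$hi; firewall needs: $(passive_rule "$lo" "$hi")"
    else
        echo "data port $port is outside PassivePorts $lo-$hi; proftpd is not using the configured range (restart it?)"
        status=1
    fi
    if is_private "$host"; then
        echo "server advertised private address $host; clients outside that LAN need MasqueradeAddress <public IP>"
        status=1
    fi
    return $status
}

# Usage: diagnose "$PASV_REPLY" "$PROFTPD_CONF"
```

For the reply in the post this yields port 54118 (inside 49152-65534) and the private address 192.168.234.128. The second finding only matters if the client is outside the 192.168.234.0/24 network; a client on the same LAN can reach that address directly, in which case the only thing left to open is the passive range.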

  • Doesn't work..

    I added the above rule, and I have the same ports on the config...

  • My problem is at the mod:

    modprobe ip_conntrack gives error:

    WARNING: Deprecated config file /etc/modprobe.conf, all config files belong into /etc/modprobe.d/.
    FATAL: Module ip_conntrack not found ubuntu

  • natestamm Member
    edited June 2013

    I'm not sure if you need modprobe. It may be OK to lose. Otherwise configuring passive ports should help/work.


    Maybe some of the guys can chime in. In the past, for older FTP client versions like old setups of Core FTP Lite, I have had to specify a range within my server connection setup if for some reason a socket was being attempted out of the passive range I had specified, after entering passive mode. But that should not be the issue.

    It sounds to me like something is preventing your iptables from running properly. And if it isn't a module that you're missing, to be enabled from your node, I would look at disabling the reference to it in your iptables init script. Unless you need to track connection state from your iptables examples, maybe that's why I wouldn't be using the exact rules outlined above. Really it is extra unless these guys can justify it and help you fix your modprobe issues. But that may be the Java talking.. And just for reference, I have never had to mess with MasqueradeAddress. I manage five servers for clients at the moment. A few are using ProFTPD. Just my experience is all!

    Fellas, any ideas here?
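Editor's example, not from the thread: the modprobe failure above is a naming problem, not a missing feature. Since kernel 2.6.20 the connection-tracking modules are nf_conntrack and nf_conntrack_ftp; the ip_conntrack names only exist on older kernels. Two further points a practitioner should know: kernels from 4.7 on no longer attach the FTP helper to port 21 automatically, so a CT rule in the raw table is needed for RELATED to match the data connection; and the helper reads the cleartext 227 reply, so it does nothing once the control channel is TLS (FTPS). Opening the PassivePorts range explicitly therefore remains the robust fix, and the generator below reads that range from proftpd.conf so the firewall and the daemon cannot disagree. Assumptions: IPv4 only, SSH on 22, a constructed proftpd.conf; the poster's game-server ports would be added the same way.

```shell
#!/bin/sh
# Editor's example, not the poster's ruleset or ProFTPD project code.

# Constructed sample proftpd.conf (assumed, not the poster's file).
PROFTPD_CONF='PassivePorts 49152 65534
MasqueradeAddress 203.0.113.10
'

# passive_range CONF -> "min max" from the first uncommented PassivePorts line
passive_range() {
    printf '%s\n' "$1" | awk '$1 == "PassivePorts" { print $2, $3; exit }'
}

# ftp_ruleset MIN MAX -> complete iptables-restore text on stdout
ftp_ruleset() {
    cat <<EOF
# Bind the FTP conntrack helper to the control port explicitly. Kernels since
# 4.7 do not auto-assign helpers by port, so without this the helper never
# sees the 227 reply and RELATED never matches the data connection.
*raw
:PREROUTING ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
-A PREROUTING -p tcp --dport 21 -j CT --helper ftp
COMMIT

*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [0:0]
-A INPUT -i lo -j ACCEPT
-A INPUT -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
# FTP control channel
-A INPUT -p tcp --dport 21 -m conntrack --ctstate NEW -j ACCEPT
# FTP passive data channel: must equal PassivePorts in proftpd.conf. Still
# required with the helper loaded once the control channel is encrypted (FTPS),
# because the helper cannot parse a TLS-protected 227 reply.
-A INPUT -p tcp --dport $1:$2 -m conntrack --ctstate NEW -j ACCEPT
# SSH
-A INPUT -p tcp --dport 22 -m conntrack --ctstate NEW -j ACCEPT
COMMIT
EOF
}

# ftp_ruleset_from_conf CONF -> ruleset whose passive range matches the config;
# fails if the directive is missing or still commented out
ftp_ruleset_from_conf() {
    range=$(passive_range "$1")
    [ -n "$range" ] || { echo "no active PassivePorts directive in proftpd.conf" >&2; return 1; }
    ftp_ruleset ${range% *} ${range#* }
}

# load_ftp_helper: current module name first, legacy name only as a fallback
load_ftp_helper() {
    modprobe nf_conntrack_ftp 2>/dev/null || modprobe ip_conntrack_ftp
}

# Usage (as root):
#   load_ftp_helper
#   ftp_ruleset_from_conf "$(cat /etc/proftpd/proftpd.conf)" | iptables-restore --test
#   ftp_ruleset_from_conf "$(cat /etc/proftpd/proftpd.conf)" | iptables-restore
```

Run it through iptables-restore --test first: it parses the whole file without committing, which catches the mixed `iptables -A` / bare `-A` syntax and the missing COMMIT that a hand-edited rules file tends to accumulate. Add nf_conntrack_ftp to /etc/modules (or a file under /etc/modules-load.d) so the helper survives a reboot.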

  • Solved :) Thanks for all the help ;)
