Linode Forum
https://forum.linode.com/

Arch Linux - iptables and passive ftp
https://forum.linode.com/viewtopic.php?f=19&t=9438
Page 1 of 1

Author:  danlee [ Mon Oct 08, 2012 1:41 am ]
Post subject:  Arch Linux - iptables and passive ftp

I am having a lot of trouble getting passive ftp working nicely with iptables. Before anyone replies, I am not looking for an alternative to ftp. I know of alternatives, but I require ftp.

These are my firewall rules.

Code:
# user-defined chains that hold the per-protocol accept rules
iptables -N TCP
iptables -N UDP
# default policies
iptables -P FORWARD DROP
iptables -P OUTPUT ACCEPT
iptables -P INPUT DROP
# passive FTP data connections have to arrive here as RELATED (needs nf_conntrack_ftp)
iptables -A INPUT -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
iptables -A INPUT -i lo -j ACCEPT
iptables -A INPUT -m conntrack --ctstate INVALID -j DROP
iptables -A INPUT -p icmp --icmp-type 8 -m conntrack --ctstate NEW -j ACCEPT
# new connections are dispatched to the per-protocol chains
iptables -A INPUT -p udp -m conntrack --ctstate NEW -j UDP
iptables -A INPUT -p tcp --syn -m conntrack --ctstate NEW -j TCP
# anything not accepted above is rejected
iptables -A INPUT -p udp -j REJECT --reject-with icmp-port-unreachable
iptables -A INPUT -p tcp -j REJECT --reject-with tcp-rst
iptables -A INPUT -j REJECT --reject-with icmp-proto-unreachable
# allowed services (21 is the FTP control port)
iptables -A TCP -p tcp --dport 41144 -j ACCEPT
iptables -A TCP -p tcp --dport 443 -j ACCEPT
iptables -A TCP -p tcp --dport 80 -j ACCEPT
iptables -A TCP -p tcp --dport 25 -j ACCEPT
iptables -A TCP -p tcp --dport 22 -j ACCEPT
iptables -A TCP -p tcp --dport 21 -j ACCEPT
iptables -A UDP -p udp --dport 443 -j ACCEPT
iptables -A UDP -p udp --dport 80 -j ACCEPT


I have verified via /proc/config.gz that the modules needed are loaded, such as nf_conntrack_ftp.

With iptables turned off, ftp works without problems. With iptables turned on, ftp passive mode does not work.

I created a conf file in /etc/modprobe.d/ called ip_conntrack_ftp.conf and added the following:

Code:
options nf_conntrack_ftp ports=21
options nf_nat_ftp ports=21
options ip_conntrack_ftp ports=21
options ip_nat_ftp ports=21


Nothing seems to get the passive port working. I can see the ftp port connection listening with "netstat -tapn" when my ftp client initiates a PASV connection. But it just hangs.

I would like to get this working without having to open the full range of PASV ports. Any suggestions would be appreciated.

Author:  mparson [ Mon Oct 08, 2012 12:57 pm ]
Post subject:  Re: Arch Linux - iptables and passive ftp

On a RedHat based distro (I don't know Archlinux, sorry), I would tell you to check your /etc/sysconfig/iptables-config file and make sure you are loading the right ip_conntrack modules:

IPTABLES_MODULES="ip_conntrack ip_conntrack_ftp"

Author:  danlee [ Mon Oct 08, 2012 1:01 pm ]
Post subject:  Re: Arch Linux - iptables and passive ftp

I switched to the default linux kernel in arch linux using pv_grub. I can now see with lsmod that the modules are loaded, but still no go :(

Author:  Nevstah [ Mon Oct 29, 2012 4:43 am ]
Post subject:  Re: Arch Linux - iptables and passive ftp

hi

I'm no expert, but I don't see any rules for a range of higher ports required for passive ftp. There are usually defaults set in your ftp server (which you can change) and often configurable within your ftp client also.

hope this helps

nevstah
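
The following is an added example, not code from any poster in this thread. It shows the two things the thread circles around: a ruleset that relies on the nf_conntrack_ftp helper to mark PASV data connections as RELATED (so the high port range Nevstah mentions stays closed), and a check against the conntrack table that the helper is actually attached to the port-21 control connection. It assumes an iptables with the CT target (raw table) and the "helper" match, FTP on port 21, and `conntrack -L` output in the usual "src= dst= sport= dport= ... helper=ftp" form; the sample table lines are constructed. The functions only print the commands unless APPLY=1 is set.

```shell
#!/bin/sh
# Added example (not from the thread). Assumptions: iptables with the CT target
# and the "helper" match, FTP control on port 21, nf_conntrack_ftp available.
# By default the commands are printed, not executed; set APPLY=1 to run them.

IPT="${IPT:-iptables}"

run() {
    if [ "${APPLY:-0}" = "1" ]; then
        "$@"
    else
        printf '%s\n' "$*"
    fi
}

# Rules that let the ftp conntrack helper classify the PASV data connection
# as RELATED, so no range of high ports has to be opened.
passive_ftp_rules() {
    run modprobe nf_conntrack_ftp
    # Attach the helper explicitly and only to port 21. The helper parses
    # application data, so it should never be assigned to arbitrary flows.
    run "$IPT" -t raw -A PREROUTING -p tcp --dport 21 -j CT --helper ftp
    # Control connection.
    run "$IPT" -A INPUT -p tcp --dport 21 -m conntrack --ctstate NEW -j ACCEPT
    # Data connection: accept only RELATED flows the ftp helper expected,
    # rather than every RELATED flow from any helper.
    run "$IPT" -A INPUT -p tcp -m conntrack --ctstate RELATED -m helper --helper ftp -j ACCEPT
    run "$IPT" -A INPUT -m conntrack --ctstate ESTABLISHED -j ACCEPT
}

# Check: does the conntrack table (text of `conntrack -L` on stdin, or a
# saved copy of it) show the ftp helper attached to a port-21 control
# connection? Exit status 0 if yes, 1 if not. Line format is assumed.
conntrack_has_ftp_helper() {
    grep -q 'dport=21 .*helper=ftp'
}

# Constructed sample of two tracked connections: one FTP control connection
# with the helper attached, one SSH connection without.
SAMPLE_CONNTRACK='tcp      6 431999 ESTABLISHED src=192.0.2.10 dst=203.0.113.5 sport=51522 dport=21 src=203.0.113.5 dst=192.0.2.10 sport=21 dport=51522 [ASSURED] mark=0 helper=ftp use=1
tcp      6 431999 ESTABLISHED src=192.0.2.10 dst=203.0.113.5 sport=51530 dport=22 src=203.0.113.5 dst=192.0.2.10 sport=22 dport=51530 [ASSURED] mark=0 use=1'

# Usage: print the rules, then test the sample table.
passive_ftp_rules
if printf '%s\n' "$SAMPLE_CONNTRACK" | conntrack_has_ftp_helper; then
    echo "ftp helper is attached to a port-21 connection"
else
    echo "no ftp helper seen on port 21: check that nf_conntrack_ftp is loaded and assigned"
fi
```

If the check function reports no helper while a client is logged in, the data connection can never be RELATED and the blanket RELATED,ESTABLISHED accept in the original ruleset has nothing to match, which is exactly the hang described in the first post.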
