Setting up Linux iptables for FTP PASV mode connections
Solution 1
If you load the kernel module ip_conntrack_ftp, this should help solve your problem. You can load the module with the following command:
modprobe ip_conntrack_ftp
Solution 2
This one is not correct:
-A INPUT -p tcp --dport 50000:60000 -m state --state RELATED,ESTABLISHED -j ACCEPT
It should be:
-A INPUT -p tcp --dport 50000:60000 -m state --state RELATED,ESTABLISHED,NEW -j ACCEPT
Daniela
Updated on September 17, 2022
Comments
-
Daniela almost 2 years
I've been doing numerous searches and have learned a little every time but have not found the solution to my problem.
I have vsftpd set up using SSL/TLS; I've got it working as I needed, but am unable to apply the iptables rules below. Primarily, PASV mode does not work. With
iptables -F
everything works as expected. As soon as I apply the rules below it connects, but when the client (CuteFTP) tries going into PASV mode it times out. My iptables rules are as follows:
*filter
:INPUT ACCEPT [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
-A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
# ssh
-A INPUT -p tcp -m tcp --dport 22 -j ACCEPT
# web
-A INPUT -p tcp -m tcp --dport 80 -j ACCEPT
# ssl
#-A INPUT -p tcp -m tcp --dport 443 -j ACCEPT
# subversion
-A INPUT -p tcp -m tcp --dport 3690 -j ACCEPT
# ftp + active ftp + pasv ftp
-A INPUT -p tcp --dport 21 -m state --state ESTABLISHED,NEW -j ACCEPT
-A INPUT -p tcp --dport 20 -m state --state ESTABLISHED -j ACCEPT
-A INPUT -p tcp --dport 50000:60000 -m state --state RELATED,ESTABLISHED -j ACCEPT
# mysql
-A INPUT -p tcp -m tcp --dport 3306 -s 67.181.185.126 -j ACCEPT
-A INPUT -p tcp -m tcp --dport 3306 -s 98.224.120.34 -j ACCEPT
-A INPUT -p tcp -m tcp --dport 3306 -s 174.143.169.230 -j ACCEPT
# ping
-A INPUT -p icmp -j ACCEPT
-A INPUT -i lo -j ACCEPT
-A INPUT -j DROP
-A FORWARD -m state --state RELATED,ESTABLISHED -j ACCEPT
-A OUTPUT -m state --state NEW,RELATED,ESTABLISHED -j ACCEPT
COMMIT
I load them using (for testing purposes):
iptables-restore < /etc/iptables.test.rules
For reference, I am running Ubuntu 10.04 LTS. Additionally, here are some outputs I get with the following commands:
lsmod
Module                  Size  Used by
xt_conntrack            2303  1
xt_helper               1155  0
nf_nat_ftp              1751  0
nf_nat                 12653  1 nf_nat_ftp
ipv6                  220702  16
xt_state                1215  4
nf_conntrack_ftp        5108  1 nf_nat_ftp
nf_conntrack_ipv4       9505  7 nf_nat
nf_conntrack           43972  7 xt_conntrack,xt_helper,nf_nat_ftp,nf_nat,xt_state,nf_conntrack_ftp,nf_conntrack_ipv4
iptable_filter          2218  1
ip_tables              13794  1 iptable_filter
nf_defrag_ipv4          1051  1 nf_conntrack_ipv4
dm_mirror              11338  0
dm_region_hash          6224  1 dm_mirror
dm_log                  7341  2 dm_mirror,dm_region_hash
dm_snapshot            23956  0
dm_mod                 50258  3 dm_mirror,dm_log,dm_snapshot
locate _ftp
/lib/modules/2.6.33.5-rscloud/kernel/net/ipv4/netfilter/nf_nat_ftp.ko
/lib/modules/2.6.33.5-rscloud/kernel/net/netfilter/ipvs/ip_vs_ftp.ko
/lib/modules/2.6.33.5-rscloud/kernel/net/netfilter/nf_conntrack_ftp.ko
/lib/security/pam_ftp.so
/usr/share/man/man8/pam_ftp.8.gz
Additionally my vsftpd.conf passive ports are set as follows:
pasv_min_port=50000
pasv_max_port=60000
I've also tried loading the module with
modprobe ip_conntrack_ftp
but that does not appear to work. From the output above it seems like the module isn't even on the system, or is superseded by nf_conntrack_ftp ... nf_ modules ...
FINAL EDIT
So I think I found my answer: http://www.shorewall.net/FTP.html#Conntrack
Because the ftp helper modules must read and modify commands being sent over the command channel, they won't work when the command channel is encrypted through use of TLS/SSL.
Additionally, another interesting fact which was causing some confusion was why I had nf_conntrack vs ip_conntrack. If you are running kernel 2.6.19 or earlier, then the module names are ip_nat_ftp and ip_conntrack_ftp; test with
uname -r
(gets the kernel version). I've tested the above by disabling TLS/SSL, and PASV works just fine with
RELATED,ESTABLISHED
. However, the main reason I want to use TLS/SSL is so that usernames/passwords would not be sent in the clear.
-
Daniela over 13 years
thx Sim, but my passive ports appear to be set correctly in /etc/vsftpd.conf
-
Daniela over 13 years
I've tried loading the module that way as well; it's a no go. As you can see, the module isn't even on the system... just the nf_conntrack_ftp module(s), and they appear to already be loaded.
-
poige over 13 years
Well, if it fails to work for you, then just correct this mistake
-A INPUT -p tcp --dport 50000:60000 -m state --state RELATED,ESTABLISHED -j ACCEPT
to "--state NEW", since passive connections are in no way ESTABLISHED in the very beginning. They're NEW (in fact RELATED should work as well, but you say it doesn't).
-
Daniela over 13 years
I did try NEW as well, and although adding NEW to the list does indeed work, I was worried about security. Are there any security implications with that?
-
poige over 13 years
Surely it will, since if you would use sshd with a port in the 50000:60000 range, it will be open because your firewall doesn't know which application would handle the traffic it receives on it. But that's the nasty FTP proto, alas. If you're assured nothing but the FTP daemon would ever listen on those ports, you're safe. P.S. You can also try directly specifying the ftp helper
-A INPUT -p tcp --dport 50000:60000 -m state --state RELATED -m helper --helper "ftp"
, but I guess it wouldn't work either, since RELATED used solely didn't.
-
Daniela over 13 years
So I think I found my answer: shorewall.net/FTP.html#Conntrack >> "Because the ftp helper modules must read and modify commands being sent over the command channel, they won't work when the command channel is encrypted through use of TLS/SSL."
-
Daniela over 13 years
@poige, if you amend your initial answer to include your comments above, I will accept your answer...
-
Keeper over 7 years
There are changes in kernel >= 4.7 which need some additional changes for this to work:
echo "1" > /proc/sys/net/netfilter/nf_conntrack_helper
See this question for details.
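The thread's explanation in one runnable model: nf_conntrack_ftp reads the server's "227 Entering Passive Mode" reply on the port-21 control channel and registers an expectation, so the client's SYN to the passive port is classified RELATED; once the control channel is TLS, the helper sees only ciphertext, no expectation exists, and that SYN is NEW, which is why the rule on 50000:60000 needs NEW (Solution 2). This is an added example, not code from the question or answers, and not the kernel's code: it is a simplified Python model (assumption: the real helper also checks the control connection's tuple and expires expectations, which is omitted), using the question's passive range and constructed sample replies.

```python
import re
from dataclasses import dataclass, field

# Passive port range from the question's vsftpd.conf
PASV_MIN_PORT, PASV_MAX_PORT = 50000, 60000

# vsftpd answers PASV on the control channel with e.g.
# "227 Entering Passive Mode (192,168,1,10,195,88)."  ->  port 195*256+88 = 50008
PASV_REPLY = re.compile(r"^227 .*\((\d+),(\d+),(\d+),(\d+),(\d+),(\d+)\)")

def parse_pasv_reply(line):
    """Return (ip, port) announced by a 227 reply, or None if the line is not one."""
    m = PASV_REPLY.match(line)
    if not m:
        return None
    a, b, c, d, p1, p2 = (int(x) for x in m.groups())
    return f"{a}.{b}.{c}.{d}", p1 * 256 + p2

@dataclass
class FtpHelperModel:
    """Simplified model of nf_conntrack_ftp (assumption: tuple checks and
    expectation timeouts of the real helper are left out)."""
    expectations: set = field(default_factory=set)

    def observe_control_channel(self, wire_bytes):
        # The helper only understands what crosses port 21 in the clear.
        parsed = parse_pasv_reply(wire_bytes)
        if parsed:
            self.expectations.add(parsed)

    def state_of_data_syn(self, dst_ip, dst_port):
        """Conntrack state of the client's SYN towards the passive port."""
        if (dst_ip, dst_port) in self.expectations:
            self.expectations.discard((dst_ip, dst_port))  # consumed once
            return "RELATED"
        return "NEW"

def passive_rule_accepts(state, rule_states):
    """Would '-A INPUT -p tcp --dport 50000:60000 -m state --state ...' match?"""
    return state in rule_states

def simulate(control_channel_bytes, dst_ip, dst_port):
    """One PASV exchange through the model; returns the conntrack state."""
    helper = FtpHelperModel()
    helper.observe_control_channel(control_channel_bytes)
    return helper.state_of_data_syn(dst_ip, dst_port)

# Constructed samples: the same 227 reply in the clear and inside a TLS record
PLAIN_REPLY = "227 Entering Passive Mode (192,168,1,10,195,88)."
TLS_RECORD = "\x17\x03\x03\x00\x30\x8f\x1a...ciphertext..."  # opaque to the helper
```

Running simulate() with PLAIN_REPLY yields RELATED, so the original RELATED,ESTABLISHED rule accepts the data connection; with TLS_RECORD it yields NEW, which only the rule extended with NEW accepts.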