Setting up Linux iptables for FTP PASV mode connections


Solution 1

If you load the kernel module ip_conntrack_ftp, this should help solve your problem. You can load the module with the following command:

modprobe ip_conntrack_ftp

Solution 2

This one is not correct:

-A INPUT -p tcp --dport 50000:60000 -m state --state RELATED,ESTABLISHED -j ACCEPT

It should be:

-A INPUT -p tcp --dport 50000:60000 -m state --state RELATED,ESTABLISHED,NEW -j ACCEPT
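As an added example (not code from the question or from either answer), the shell script below ties the two solutions together: it prints the INPUT rules for the FTP data range in both situations discussed on this page (plaintext FTP, where the nf_conntrack_ftp helper marks PASV data connections RELATED, and FTPS, where the helper cannot read the encrypted control channel and NEW must be accepted as Solution 2 says), it parses a PASV reply the way the helper would so an advertised port can be checked against the range in vsftpd.conf, and it audits an ss -ltnp listing for non-vsftpd listeners inside that range, which is the exposure poige's comment warns about. The range 50000-60000 is taken from the question's vsftpd.conf; the ss output is a constructed sample, not captured from the poster's host.

```shell
#!/bin/sh
# Added example, not code from the question or the answers above.
# Assumptions: passive range 50000-60000 from the question's vsftpd.conf; the
# listener audit is fed "ss -ltnp"-style lines (the sample below is constructed
# for this example, not captured from the poster's host).

# Print the iptables-restore lines for the FTP control and data channels.
#   mode=plain : the control channel is readable, so the nf_conntrack_ftp
#                helper marks PASV data connections RELATED and nothing NEW
#                needs to be accepted on the data range.
#   mode=tls   : the helper cannot read the encrypted control channel, so
#                the data range must also accept NEW connections.
ftp_rules() {
    min=$1; max=$2; mode=$3
    printf '%s\n' "-A INPUT -p tcp --dport 21 -m state --state NEW,ESTABLISHED -j ACCEPT"
    case "$mode" in
        plain) printf '%s\n' "-A INPUT -p tcp --dport ${min}:${max} -m state --state RELATED,ESTABLISHED -j ACCEPT" ;;
        tls)   printf '%s\n' "-A INPUT -p tcp --dport ${min}:${max} -m state --state NEW,RELATED,ESTABLISHED -j ACCEPT" ;;
        *)     echo "ftp_rules: unknown mode '$mode' (use plain or tls)" >&2; return 1 ;;
    esac
}

# What the helper extracts from a "227 Entering Passive Mode (h1,h2,h3,h4,p1,p2)"
# reply: the data port is p1*256+p2. Prints the port, or returns 1 on a
# malformed reply. Handy for checking that an advertised port really falls
# inside the range the firewall opens.
pasv_port() {
    nums=$(printf '%s\n' "$1" | sed -n 's/.*(\([0-9,]*\)).*/\1/p')
    p1=$(printf '%s' "$nums" | cut -s -d, -f5)   # -s: no output if no commas
    p2=$(printf '%s' "$nums" | cut -s -d, -f6)
    [ -n "$p1" ] && [ -n "$p2" ] || return 1
    [ "$p1" -le 255 ] && [ "$p2" -le 255 ] || return 1
    echo $((p1 * 256 + p2))
}

# Read "ss -ltnp" output on stdin and print "port process" for each TCP
# listener inside [min,max] that is not vsftpd. Exit status is 1 if any was
# found: once NEW is accepted on the passive range, every one of these is
# reachable from the outside, which is the risk poige describes.
audit_listeners() {
    awk -v min="$1" -v max="$2" '
        NR > 1 {
            n = split($4, a, ":"); port = a[n] + 0      # drop the address part
            if (port >= min && port <= max && $0 !~ /"vsftpd"/) {
                proc = "unknown"
                if (match($0, /users:\(\("[^"]+"/))
                    proc = substr($0, RSTART + 9, RLENGTH - 10)
                print port, proc
                found = 1
            }
        }
        END { exit found ? 1 : 0 }'
}

# Constructed sample of "ss -ltnp" output (not taken from the poster's host).
SAMPLE_SS='State   Recv-Q  Send-Q  Local Address:Port  Peer Address:Port  Process
LISTEN  0       128     0.0.0.0:22          0.0.0.0:*          users:(("sshd",pid=812,fd=3))
LISTEN  0       32      0.0.0.0:21          0.0.0.0:*          users:(("vsftpd",pid=2201,fd=4))
LISTEN  0       32      0.0.0.0:55123       0.0.0.0:*          users:(("vsftpd",pid=2201,fd=5))
LISTEN  0       128     [::]:59000          [::]:*             users:(("python3",pid=3310,fd=4))'

# Run the audit over the constructed sample (callable by name).
audit_sample() {
    printf '%s\n' "$SAMPLE_SS" | audit_listeners 50000 60000
}

echo "# FTPS (TLS) rules for the passive range:"
ftp_rules 50000 60000 tls
echo "# Port advertised by a sample PASV reply:"
pasv_port '227 Entering Passive Mode (203,0,113,5,195,80)'
echo "# Non-vsftpd listeners inside the passive range:"
audit_sample || echo "# -> accepting NEW on the range would expose the listener(s) above"
```

ftp_rules prints only the INPUT lines, meant to be pasted into the *filter section of a file like the one in the question. Run the audit against real output with `ss -ltnp | audit_listeners 50000 60000` after changing the rule to accept NEW; anything it lists should be moved off the range or shrunk out of it before the rule goes live. On kernels 4.7 and later, helper auto-assignment is off by default; rather than re-enabling it through the nf_conntrack_helper sysctl mentioned in the last comment, the helper can be attached explicitly to the control channel with the CT target in the raw table (`-t raw -A PREROUTING -p tcp --dport 21 -j CT --helper ftp`), which still only helps for plaintext FTP.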


Author: Daniela

Updated on September 17, 2022

Comments

  • Daniela
    Daniela almost 2 years

    I've been doing numerous searches and have learned a little every time, but have not found the solution to my problem.

    I have vsftpd set up using SSL/TLS and I've got it working as I needed, but am unable to apply the iptables rules below. Primarily, PASV mode does not work. With iptables -F everything works as expected. As soon as I apply the rules below it connects, but when the client (CuteFTP) tries going into PASV mode it times out.

    My iptables rules are as follows:

    *filter
    :INPUT ACCEPT [0:0]
    :FORWARD ACCEPT [0:0]
    :OUTPUT ACCEPT [0:0]
    -A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
    
    # ssh
    -A INPUT -p tcp -m tcp --dport 22 -j ACCEPT
    
    # web
    -A INPUT -p tcp -m tcp --dport 80 -j ACCEPT
    
    # ssl
    #-A INPUT -p tcp -m tcp --dport 443 -j ACCEPT
    
    # subversion
    -A INPUT -p tcp -m tcp --dport 3690 -j ACCEPT
    
    # ftp + active ftp + pasv ftp
    -A INPUT -p tcp --dport 21 -m state --state ESTABLISHED,NEW -j ACCEPT
    -A INPUT -p tcp --dport 20 -m state --state ESTABLISHED -j ACCEPT
    -A INPUT -p tcp --dport 50000:60000 -m state --state RELATED,ESTABLISHED -j ACCEPT
    
    # mysql
    -A INPUT -p tcp -m tcp --dport 3306 -s 67.181.185.126 -j ACCEPT
    -A INPUT -p tcp -m tcp --dport 3306 -s 98.224.120.34 -j ACCEPT
    -A INPUT -p tcp -m tcp --dport 3306 -s 174.143.169.230 -j ACCEPT
    
    # ping
    -A INPUT -p icmp -j ACCEPT
    
    
    -A INPUT -i lo -j ACCEPT
    -A INPUT -j DROP
    -A FORWARD -m state --state RELATED,ESTABLISHED -j ACCEPT
    -A OUTPUT -m state --state NEW,RELATED,ESTABLISHED -j ACCEPT
    COMMIT
    

    I load them using (for testing purposes):

    iptables-restore < /etc/iptables.test.rules
    

    For reference, I am running Ubuntu 10.04 LTS. Additionally, here are some outputs I get with the following commands:

    lsmod

    Module                  Size  Used by
    xt_conntrack            2303  1
    xt_helper               1155  0
    nf_nat_ftp              1751  0
    nf_nat                 12653  1 nf_nat_ftp
    ipv6                  220702  16
    xt_state                1215  4
    nf_conntrack_ftp        5108  1 nf_nat_ftp
    nf_conntrack_ipv4       9505  7 nf_nat
    nf_conntrack           43972  7 xt_conntrack,xt_helper,nf_nat_ftp,nf_nat,xt_state,nf_conntrack_ftp,nf_conntrack_ipv4
    iptable_filter          2218  1
    ip_tables              13794  1 iptable_filter
    nf_defrag_ipv4          1051  1 nf_conntrack_ipv4
    dm_mirror              11338  0
    dm_region_hash          6224  1 dm_mirror
    dm_log                  7341  2 dm_mirror,dm_region_hash
    dm_snapshot            23956  0
    dm_mod                 50258  3 dm_mirror,dm_log,dm_snapshot
    

    locate _ftp

    /lib/modules/2.6.33.5-rscloud/kernel/net/ipv4/netfilter/nf_nat_ftp.ko
    /lib/modules/2.6.33.5-rscloud/kernel/net/netfilter/ipvs/ip_vs_ftp.ko
    /lib/modules/2.6.33.5-rscloud/kernel/net/netfilter/nf_conntrack_ftp.ko
    /lib/security/pam_ftp.so
    /usr/share/man/man8/pam_ftp.8.gz
    

    Additionally my vsftpd.conf passive ports are set as follows:

    pasv_min_port=50000
    pasv_max_port=60000
    

    I've also tried loading the module with modprobe ip_conntrack_ftp, but that does not appear to work. Via the output above it seems like the module isn't even on the system or is superseded by nf_conntrack_ftp ... nf_ modules ...

    FINAL EDIT

    So I think I found my answer: http://www.shorewall.net/FTP.html#Conntrack

    Because the ftp helper modules must read and modify commands being sent over the command channel, they won't work when the command channel is encrypted through use of TLS/SSL.

    Additionally, another interesting fact which was causing some confusion was why I had nf_conntrack vs. ip_conntrack.

    If you are running kernel 2.6.19 or earlier, then the module names are ip_nat_ftp and ip_conntrack_ftp.

    Test with uname -r (gets the kernel version).

    I've tested the above by disabling TLS/SSL and PASV works just fine with RELATED,ESTABLISHED. However the main reason I want to use TLS/SSL is so that username/passwords would not be sent in the clear.

  • Daniela
    Daniela over 13 years
    Thanks Sim, but my passive ports appear to be set correctly in /etc/vsftpd.conf.
  • Daniela
    Daniela over 13 years
    I've tried loading the module that way as well; it's a no go. As you can see, the module isn't even on the system... just the nf_conntrack_ftp module(s), and they appear to already be loaded.
  • poige
    poige over 13 years
    Well, if it fails to work for you, then just correct this mistake -A INPUT -p tcp --dport 50000:60000 -m state --state RELATED,ESTABLISHED -j ACCEPT to "--state NEW", since passive connections are in no way ESTABLISHED in the very beginning. They're NEW (in fact RELATED should work as well, but you say it doesn't).
  • Daniela
    Daniela over 13 years
    I did try NEW as well, and although adding NEW to the list does indeed work, I was worried about security. Are there any security implications with that?
  • poige
    poige over 13 years
    Surely it will, since if you would use sshd with a port in the 50000:60000 range, it will be open because your firewall doesn't know which application would handle the traffic it receives. But that's the nasty FTP proto, alas. If you're assured nothing but the FTP daemon would ever listen on those ports, you're safe. P.S. You can also try directly specifying the ftp helper: -A INPUT -p tcp --dport 50000:60000 -m state --state RELATED -m helper --helper "ftp", but I guess it wouldn't work either, since RELATED used solely didn't.
  • Daniela
    Daniela over 13 years
    So I think I found my answer: shorewall.net/FTP.html#Conntrack >> "Because the ftp helper modules must read and modify commands being sent over the command channel, they won't work when the command channel is encrypted through use of TLS/SSL."
  • Daniela
    Daniela over 13 years
    @poige, if you amend your initial answer to include your comments above, I will accept your answer...
  • Keeper
    Keeper over 7 years
    There are changes in kernel >= 4.7 which need some additional changes for this to work: echo "1" > /proc/sys/net/netfilter/nf_conntrack_helper, see this question for details.