# [Solved] iptables and proftpd

## silwerspawn

Okay, I got my proftpd to work, so when I connect from the server to localhost I can log in and all.

But when I try to log in from any other computer it just says connected and doesn't get any further.

My proftpd conf is:

```
# This sample configuration file illustrates configuring two
# anonymous directories, and a guest (same thing as anonymous but
# requires a valid password to login)

ServerName                      "ProFTPD Anonymous Server"
ServerType                      standalone

# Port 21 is the standard FTP port.
Port                            21

# If you don't want normal users logging in at all, uncomment this
# next section
#<Limit LOGIN>
#  DenyAll
#</Limit>

# Set the user and group that the server normally runs at.
User                            proftpd
Group                           proftpd

# To prevent DoS attacks, set the maximum number of child processes
# to 30.  If you need to allow more than 30 concurrent connections
# at once, simply increase this value.  Note that this ONLY works
# in standalone mode, in inetd mode you should use an inetd server
# that allows you to limit maximum number of processes per service
# (such as xinetd)
MaxInstances                    30

# Set the maximum number of seconds a data connection is allowed
# to "stall" before being aborted.
TimeoutStalled                  300

# We want 'welcome.msg' displayed at login, and '.message' displayed
# in each newly chdired directory.
DisplayLogin                    welcome.msg
DisplayChdir                    .message

# Our "basic" anonymous configuration, including a single
<Anonymous ~unigrp4>
  User                    unigrp4
  Group                   ftp
  AnonRequirePassword     on
  MaxClients              1
  DisplayLogin            welcome.msg
  DisplayChdir            .message
  <Limit WRITE>
    Deny from all
  </Limit>
  <Directory incoming>
    <Limit READ WRITE DIRS STOR CWD CDUP>
      AllowAll
    </Limit>
  </Directory>
</Anonymous>
```

And my iptables-save looks like this:

```
# Generated by iptables-save v1.3.8 on Wed Feb 20 01:13:21 2008
*nat
:PREROUTING ACCEPT [19011:1793360]
:POSTROUTING ACCEPT [53:6375]
:OUTPUT ACCEPT [339:25933]
-A PREROUTING -i eth2 -p tcp -m tcp --dport 21 -j DNAT --to-destination 127.0.0.1
-A POSTROUTING -o eth2 -j MASQUERADE
COMMIT
# Completed on Wed Feb 20 01:13:21 2008
# Generated by iptables-save v1.3.8 on Wed Feb 20 01:13:21 2008
*mangle
:PREROUTING ACCEPT [702416:217374648]
:INPUT ACCEPT [229717:100808836]
:FORWARD ACCEPT [472553:116548372]
:OUTPUT ACCEPT [358571:69280103]
:POSTROUTING ACCEPT [830294:185558514]
COMMIT
# Completed on Wed Feb 20 01:13:21 2008
# Generated by iptables-save v1.3.8 on Wed Feb 20 01:13:21 2008
*filter
:INPUT ACCEPT [623709:860864191]
:FORWARD DROP [2872:943649]
:OUTPUT ACCEPT [1316482:256808218]
-A INPUT -i lo -j ACCEPT
-A INPUT -i eth1 -j ACCEPT
-A INPUT -i ! eth1 -p udp -m udp --dport 67 -j REJECT --reject-with icmp-port-unreachable
-A INPUT -i ! eth1 -p udp -m udp --dport 53 -j REJECT --reject-with icmp-port-unreachable
-A INPUT -i eth2 -p tcp -m tcp --dport 22 -j ACCEPT
-A INPUT -i ! eth1 -p tcp -m tcp --dport 0:1023 -j DROP
-A INPUT -i ! eth1 -p udp -m udp --dport 0:1023 -j DROP
-A INPUT -i eth2 -p tcp -m tcp --dport 21 -j ACCEPT
-A INPUT -p tcp -m tcp --dport 49152:65534 --tcp-flags FIN,SYN,RST,ACK SYN -j ACCEPT
-A INPUT -p tcp -m tcp --dport 49152:65534 --tcp-flags FIN,SYN,RST,ACK SYN -j ACCEPT
-A FORWARD -d 192.168.0.0/255.255.0.0 -i eth1 -j DROP
-A FORWARD -s 192.168.0.0/255.255.0.0 -i eth1 -j ACCEPT
-A FORWARD -d 192.168.0.0/255.255.0.0 -i eth2 -j ACCEPT
COMMIT
# Completed on Wed Feb 20 01:13:21 2008
```

And I don't get any further than this with the FTP from outside:

```
[00:56:06] Resolving host name "80.162.69.xxx"
[00:56:06] Connecting to 80.162.69.xxx Port: 21
[00:56:06] Connected to 80.162.69.xxx.
```

I have used the guide at gentoo.org to set up the iptables:

http://www.gentoo.org/doc/en/home-router-howto.xml

I hope someone can help me out here.

Last edited by silwerspawn on Fri Feb 22, 2008 9:06 am; edited 1 time in total

----------

## leosgb

Did you try to stop your iptables and see if you can access your ftp?

----------

## schachti

If you use active FTP, you also have to open port 20. If you use passive FTP, you have to allow all related/established connections. This can be done using the state module of iptables, something like:

```
iptables ... -m state --state established,related -j ACCEPT
```

----------

## silwerspawn

I will check it out today and return with a reply.

Thanks in advance.

----------

## silwerspawn

Didn't work out; now I get the error 500 that there is no service on the port :S

Any other idea?

----------

## achlice

1: Make sure you can connect to the FTP service from localhost (ftp 127.0.0.1); that means nothing is wrong with the FTP service.

2: Stop your iptables, and after that connect to the FTP service from another computer. Check that the network is all right.

----------

## silwerspawn

Okay, I have checked up on it. I can connect from localhost, and it doesn't matter if I deactivate the iptables. So it's probably some configuration in the proftpd.

----------

## i0

Hey

The easiest way to make sure whether or not it is iptables's fault is to do as root:

```
iptables -D PREROUTING -i eth2 -p tcp -m tcp --dport 21 -j DNAT --to-destination 127.0.0.1
```

(Why is this rule there anyway? You don't need to NAT FTP traffic to the same machine.)

(You need to delete this rule first because the PREROUTING chain is before the INPUT chain.)

```
iptables -I INPUT -p tcp --dport 21 -j ACCEPT
```

That will open TCP port 21 on every interface you have on the machine, and it inserts this rule at the top of the INPUT chain so it will override any rule for port 21 that is loaded earlier.

Then try to connect; you should at least get to the login sequence.

Do not expect to see a directory listing, as this requires the firewall to accept established and related packets and nf_conntrack_ftp (or, if you use a bit older version of iptables, ip_conntrack_ftp) to be loaded if you use passive mode in the FTP client.

Anyway, if you see the login prompt then it is the firewall config; if not, proftpd.

After you are done do:

```
iptables -D INPUT -p tcp --dport 21 -j ACCEPT
iptables -A PREROUTING -i eth2 -p tcp -m tcp --dport 21 -j DNAT --to-destination 127.0.0.1
```

This will delete the rule you added first, and restore your old NAT rule.

Good luck.
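schachti's state-module rule and i0's note about nf_conntrack_ftp describe the same fix from two sides. The following script is an added example, not code from the thread or from the Gentoo guide: it prints (or, with DRY_RUN=0, applies) a stateful INPUT ruleset for a ProFTPD host in which only the control port is opened and the FTP conntrack helper admits the data connections as RELATED, so no hole for port 20 or for the passive range is needed and no nat rule is involved. It assumes the internet-facing interface eth2 and the PassivePorts range 49152-65534 from the thread; DRY_RUN, run(), ftp_firewall() and ftp_passive_fallback() are names chosen here.

```shell
#!/bin/sh
# Added example, not code from the thread: emit (or apply) a stateful
# iptables INPUT ruleset for a ProFTPD host. Assumptions: the internet-facing
# interface is eth2 and the PassivePorts range is 49152-65534, both as posted
# in the thread; DRY_RUN, run(), ftp_firewall() and ftp_passive_fallback() are
# names chosen here. DRY_RUN=1 (the default) prints each command instead of
# running it, so the script can be inspected without root or a live netfilter.

DRY_RUN="${DRY_RUN:-1}"

run() {
    if [ "$DRY_RUN" = "1" ]; then
        printf '%s\n' "$*"
    else
        "$@"
    fi
}

# ftp_firewall WAN_IF
# Accepts new FTP control connections on WAN_IF and lets the FTP conntrack
# helper admit the data connections as RELATED. No nat rule is needed: the
# daemon listens on this host itself, and a PREROUTING DNAT to 127.0.0.1 only
# gets in the way of the INPUT rules that run after it.
ftp_firewall() {
    wan="$1"

    # The helper reads PORT/PASV on the port-21 control channel and marks the
    # resulting data connection (server:20 -> client in active mode,
    # client -> server:PASV_PORT in passive mode) as RELATED.
    run modprobe nf_conntrack_ftp

    run iptables -A INPUT -i lo -j ACCEPT
    run iptables -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT

    # Only the control port needs an explicit hole, and only on the WAN side.
    run iptables -A INPUT -i "$wan" -p tcp --dport 21 -m state --state NEW -j ACCEPT

    # Everything else that starts a new connection from the WAN is dropped.
    run iptables -A INPUT -i "$wan" -m state --state NEW -j DROP
}

# ftp_passive_fallback WAN_IF LOW HIGH
# Only for the case where the helper cannot read the control channel (for
# example FTP over TLS): open the server's PassivePorts range explicitly and
# keep it exactly as narrow as the ProFTPD PassivePorts directive.
ftp_passive_fallback() {
    wan="$1"; lo="$2"; hi="$3"
    run iptables -I INPUT -i "$wan" -p tcp --dport "$lo:$hi" \
        -m state --state NEW -j ACCEPT
}

# Stand-alone usage: sh ftp_firewall.sh eth2   (prefix DRY_RUN=0 to apply)
if [ $# -gt 0 ]; then
    ftp_firewall "$1"
fi
```

Run with `sh ftp_firewall.sh eth2` to see the five commands it would issue; the ESTABLISHED,RELATED rule sits before the port-21 rule so that, once the helper is loaded, both active (port 20 outbound) and passive (PassivePorts inbound) data connections are accepted without a port-range hole. On newer iptables `-m conntrack --ctstate` is the preferred spelling of `-m state --state`, and on a kernel of that era the helper module is called ip_conntrack_ftp, as i0 notes.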

----------

## silwerspawn

Nice, that got things running :Very Happy:

Just to list my accomplishment: eth1 is the local LAN and eth2 is the internet connection.

Please comment on anything you find irresponsible or something that might get me in some trouble.

Thanks in advance.

My /etc/proftpd/proftpd.conf:

```
# This is a basic ProFTPD configuration file (rename it to
# 'proftpd.conf' for actual use.  It establishes a single server
# and a single anonymous login.  It assumes that you have a user/group
# "nobody" and "ftp" for normal operation and anon.

ServerName                      "ProFTPD Default Installation"
ServerType                      standalone
DefaultServer                   on

# Port 21 is the standard FTP port.
Port                            21

# Umask 022 is a good standard umask to prevent new dirs and files
# from being group and world writable.
Umask                           022

# To prevent DoS attacks, set the maximum number of child processes
# to 30.  If you need to allow more than 30 concurrent connections
# at once, simply increase this value.  Note that this ONLY works
# in standalone mode, in inetd mode you should use an inetd server
# that allows you to limit maximum number of processes per service
# (such as xinetd).
MaxInstances                    30

# Set the user and group under which the server will run.
User                            nobody
Group                           nogroup

# To cause every FTP user to be "jailed" (chrooted) into their home
# directory, uncomment this line.
DefaultRoot ~ ftpusers

# Normally, we want files to be overwriteable.
<Directory />
  AllowOverwrite                on
</Directory>

<Global>
  RootLogin off
  RequireValidShell on
  # Restrict the range of ports from which the server will select when sent the
  # PASV command from a client. Use IANA-registered ephemeral port range of
  # 49152-65534
  PassivePorts 49152 65534
</Global>

# Logging formats
LogFormat default "%h %l %u %t \"%r\" %s %b"
LogFormat auth "%v [%P] %h %t \"%r\" %s"
LogFormat write "%h %l %u %t \"%r\" %s %b"

# activate logging
# every login
ExtendedLog /var/log/ftp_auth.log AUTH auth
# file/dir access
ExtendedLog /var/log/ftp_access.log WRITE,READ write
# for paranoid (big logfiles!)
#ExtendedLog /var/log/ftp_paranoid.log ALL default

<Anonymous ~ftp>
  User                            ftp
  Group                           ftp
  # We want clients to be able to login with "anonymous" as well as "ftp"
  UserAlias                       anonymous ftp
  # Limit the maximum number of anonymous logins
  MaxClients                      10
  # We want 'welcome.msg' displayed at login, and '.message' displayed
  # in each newly chdired directory.
  DisplayLogin                    welcome.msg
  DisplayChdir                    .message
  # Limit WRITE everywhere in the anonymous chroot
  <Limit WRITE>
    DenyAll
  </Limit>
</Anonymous>
```

And the iptables-save output:

```
# Generated by iptables-save v1.3.8 on Fri Feb 22 00:44:06 2008
*nat
:PREROUTING ACCEPT [154:10730]
:POSTROUTING ACCEPT [5:330]
:OUTPUT ACCEPT [9:599]
-A POSTROUTING -o eth2 -j MASQUERADE
COMMIT
# Completed on Fri Feb 22 00:44:06 2008
# Generated by iptables-save v1.3.8 on Fri Feb 22 00:44:06 2008
*mangle
:PREROUTING ACCEPT [2759:499217]
:INPUT ACCEPT [861:62087]
:FORWARD ACCEPT [1898:437130]
:OUTPUT ACCEPT [1460:173943]
:POSTROUTING ACCEPT [3354:610881]
COMMIT
# Completed on Fri Feb 22 00:44:06 2008
# Generated by iptables-save v1.3.8 on Fri Feb 22 00:44:06 2008
*filter
:INPUT ACCEPT [791:55774]
:FORWARD DROP [4:192]
:OUTPUT ACCEPT [1460:173943]
-A INPUT -i eth2 -p tcp -m tcp --dport 22 -j ACCEPT
-A INPUT -p tcp -m tcp --dport 20 -j ACCEPT
-A INPUT -p tcp -m tcp --dport 21 -j ACCEPT
-A INPUT -p tcp -m tcp --dport 80 -j ACCEPT
-A INPUT -p tcp -m tcp --dport 443 -j ACCEPT
-A INPUT -p tcp -m tcp --dport 137:139 -j ACCEPT
-A INPUT -p tcp -m tcp --dport 426 -j ACCEPT
-A INPUT -p tcp -m tcp --dport 445 -j ACCEPT
-A INPUT -p tcp -m tcp --dport 49152:65534 -j ACCEPT
-A FORWARD -d 192.168.0.0/255.255.0.0 -i eth1 -j DROP
-A FORWARD -s 192.168.0.0/255.255.0.0 -i eth1 -j ACCEPT
-A FORWARD -d 192.168.0.0/255.255.0.0 -i eth2 -j ACCEPT
COMMIT
# Completed on Fri Feb 22 00:44:06 2008
```
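The poster asks for comments on anything risky in the ruleset above. Most of its INPUT ACCEPT rules carry no `-i` restriction, so they apply on the LAN (eth1) and on the internet side (eth2) alike, and there is no ESTABLISHED,RELATED rule, which is why the passive range and port 20 had to be opened outright. As an added check, not code from the thread, this POSIX shell script reads an iptables-save dump, lists every INPUT ACCEPT rule that is not bound to an interface, reports the INPUT default policy, and says whether a stateful rule is present. The embedded SAMPLE_RULES is constructed from the filter table posted above; the function names are chosen here.

```shell
#!/bin/sh
# Added example, not code from the thread: audit an iptables-save dump for
# INPUT ACCEPT rules that are not bound to an interface with -i (reachable
# from every interface, the internet-facing one included), report the INPUT
# policy, and check for a stateful ESTABLISHED,RELATED rule. SAMPLE_RULES is
# constructed from the final filter table posted in the thread; the function
# names are chosen here.

SAMPLE_RULES='*filter
:INPUT ACCEPT [791:55774]
:FORWARD DROP [4:192]
:OUTPUT ACCEPT [1460:173943]
-A INPUT -i eth2 -p tcp -m tcp --dport 22 -j ACCEPT
-A INPUT -p tcp -m tcp --dport 20 -j ACCEPT
-A INPUT -p tcp -m tcp --dport 21 -j ACCEPT
-A INPUT -p tcp -m tcp --dport 80 -j ACCEPT
-A INPUT -p tcp -m tcp --dport 443 -j ACCEPT
-A INPUT -p tcp -m tcp --dport 137:139 -j ACCEPT
-A INPUT -p tcp -m tcp --dport 426 -j ACCEPT
-A INPUT -p tcp -m tcp --dport 445 -j ACCEPT
-A INPUT -p tcp -m tcp --dport 49152:65534 -j ACCEPT
-A FORWARD -d 192.168.0.0/255.255.0.0 -i eth1 -j DROP
-A FORWARD -s 192.168.0.0/255.255.0.0 -i eth1 -j ACCEPT
-A FORWARD -d 192.168.0.0/255.255.0.0 -i eth2 -j ACCEPT
COMMIT'

# unbound_accepts: read iptables-save text on stdin and print "proto port"
# for every INPUT ACCEPT rule that names a destination port but has no -i.
unbound_accepts() {
    awk '
        /^-A INPUT / && / -j ACCEPT/ && !/ -i / {
            proto = "any"; port = ""
            for (i = 1; i <= NF; i++) {
                if ($i == "-p") proto = $(i + 1)
                if ($i == "--dport") port = $(i + 1)
            }
            if (port != "") print proto, port
        }'
}

# has_state_rule: succeed if the INPUT chain accepts ESTABLISHED,RELATED
# traffic, in either the -m state or the newer -m conntrack spelling.
has_state_rule() {
    grep -Eq -- '^-A INPUT .*(--state|--ctstate) (ESTABLISHED,RELATED|RELATED,ESTABLISHED) -j ACCEPT'
}

# input_policy: print the default policy of the INPUT chain.
input_policy() {
    awk '/^:INPUT / { print $2 }'
}

# audit: run all three checks over the dump given on stdin.
audit() {
    dump="$(cat)"
    printf 'INPUT policy: %s\n' "$(printf '%s\n' "$dump" | input_policy)"
    if printf '%s\n' "$dump" | has_state_rule; then
        echo 'stateful rule: present'
    else
        echo 'stateful rule: MISSING (FTP data connections then need explicit port holes)'
    fi
    echo 'accepted on every interface:'
    printf '%s\n' "$dump" | unbound_accepts | sed 's/^/  /'
}

# Stand-alone usage: sh audit.sh DUMPFILE, or no argument to audit the sample.
if [ $# -gt 0 ]; then
    audit < "$1"
else
    printf '%s\n' "$SAMPLE_RULES" | audit
fi
```

Against the sample it reports policy ACCEPT, the stateful rule as missing, and tcp 20, 21, 80, 443, 137:139, 426, 445 and 49152:65534 as accepted on every interface. For a live box, save the current tables with `iptables-save > dump` and run `sh audit.sh dump`. Reading the output the way a reviewer would: the SMB ports (137:139, 445) and the passive range are reachable from eth2, and because the INPUT policy is ACCEPT anything not matched by a rule is let in as well, so the usual tightening is to bind the LAN-only services to `-i eth1`, add an ESTABLISHED,RELATED rule with the FTP helper so the passive range and port 20 no longer need holes, and end the chain with a DROP for new connections from eth2.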

----------

