# ftp active/passive + iptables firewall (the old/new story)

## ddaas

I thought everything was clear regarding active and passive ftp.

But...

On my server there are about 200 accounts. The FTP server is PureFTP. Iptables has the DROP policy.

Firewall rules regarding FTP are: 

```
##ALLOW inbound TCP connections

###FTP
iptables -A INPUT -p tcp --dport 21 -m state --state NEW,ESTABLISHED  -j ACCEPT
iptables -A OUTPUT -p tcp --sport 21 -m state --state ESTABLISHED -j ACCEPT

#active
iptables -A INPUT -p tcp --dport 20 -m state --state ESTABLISHED -j ACCEPT
iptables -A OUTPUT -p tcp --sport 20 -m state --state ESTABLISHED,RELATED -j ACCEPT

#passive
iptables -A INPUT -p tcp --sport 1024: --dport 1024: -m state --state RELATED,ESTABLISHED -j ACCEPT
iptables -A OUTPUT -p tcp --sport 1024: --dport 1024: -m state --state ESTABLISHED -j ACCEPT
```

When the firewall is stopped everyone could connect to the ftp server (most of them both passive and active).

When I start the firewall, some users can connect and others can't. Those that can't have tried both passive and active with a lot of clients (TotalCommander, IE Browser, etc). The result is the same: from the client side authentication is done, but it gets stuck at the list command.

From the server side here is the sniffed traffic:

> 18:09:07.928076 IP X.X.224.58.2941 > Y.Y.112.116.21: S 3038002036:3038002036(0) win 16384 <mss 1460,nop,nop,sackOK>
> 18:09:07.928156 IP Y.Y.112.116.21 > X.X.224.58.2941: S 3102450479:3102450479(0) ack 3038002037 win 5840 <mss 1460,nop,nop,sackOK>
> ...

The logs from pure-ftp in debugging mode:

```
Mar 23 18:09:07 host1 pure-ftpd: (?@X.X.224.58) [INFO] New connection from X.X.224.58
Mar 23 18:09:07 host1 pure-ftpd: (?@X.X.224.58) [DEBUG] 220---------- Welcome to Pure-FTPd [TLS] ----------
Mar 23 18:09:07 host1 pure-ftpd: (?@X.X.224.58) [DEBUG] 220-You are user number 2 of 50 allowed.
Mar 23 18:09:07 host1 pure-ftpd: (?@X.X.224.58) [DEBUG] 220-Local time is now 18:09. Server port: 21.
Mar 23 18:09:07 host1 pure-ftpd: (?@X.X.224.58) [DEBUG] 220-This is a private system - No anonymous login
Mar 23 18:09:07 host1 pure-ftpd: (?@X.X.224.58) [DEBUG] 220-IPv6 connections are also welcome on this server.
Mar 23 18:09:07 host1 pure-ftpd: (?@X.X.224.58) [DEBUG] 220 You will be disconnected after 15 minutes of inactivity.
Mar 23 18:09:07 host1 pure-ftpd: (?@X.X.224.58) [DEBUG] Command [user] [useruser]
Mar 23 18:09:07 host1 pure-ftpd: (?@X.X.224.58) [DEBUG] 331 User useruser OK. Password required
Mar 23 18:09:07 host1 pure-ftpd: (?@X.X.224.58) [DEBUG] Command [pass] [<*>]
Mar 23 18:09:08 host1 pure-ftpd: (?@X.X.224.58) [INFO] useruser is now logged in
Mar 23 18:09:08 host1 pure-ftpd: (useruser@X.X.224.58) [DEBUG] 230-User useruser has group access to:  useruser
Mar 23 18:09:08 host1 pure-ftpd: (useruser@X.X.224.58) [DEBUG] 230 OK. Current restricted directory is /
Mar 23 18:09:08 host1 pure-ftpd: (useruser@X.X.224.58) [DEBUG] Command [pwd] []
Mar 23 18:09:08 host1 pure-ftpd: (useruser@X.X.224.58) [DEBUG] 257 "/" is your current location
Mar 23 18:09:08 host1 pure-ftpd: (useruser@X.X.224.58) [DEBUG] Command [type] [A]
Mar 23 18:09:08 host1 pure-ftpd: (useruser@X.X.224.58) [DEBUG] 200 TYPE is now ASCII
Mar 23 18:09:08 host1 pure-ftpd: (useruser@X.X.224.58) [DEBUG] Command [cwd] [/]
Mar 23 18:09:08 host1 pure-ftpd: (useruser@X.X.224.58) [DEBUG] 250 OK. Current directory is /
Mar 23 18:09:08 host1 pure-ftpd: (useruser@X.X.224.58) [DEBUG] Command [pasv] []
Mar 23 18:09:08 host1 pure-ftpd: (useruser@X.X.224.58) [DEBUG] 227 Entering Passive Mode (Y,25,112,116,22,157)
Mar 23 18:09:08 host1 pure-ftpd: (useruser@X.X.224.58) [DEBUG] Command [list] [-al]
```

Thanks a lot for your help.

I really don't know what else to do...

----------

## Jerem

Try:

```
modprobe ip_conntrack_ftp
```

----------

## urcindalo

*ddaas wrote:*

> When the firewall is stopped everyone could connect to the ftp server (most of them both passive and active).
>
> When I start the firewall, some users can connect and others can't. Those that can't have tried both passive and active with a lot of clients (TotalCommander, IE Browser, etc). The result is the same: from the client side authentication is done, but it gets stuck at the list command.

I have exactly the same problem, except I'm the only user on my server: if iptables is stopped, no problem. If started, no directory listing.

My ftp iptables rules are exactly like yours:

```
##ALLOW inbound TCP connections

###FTP
-A INPUT -p tcp --dport 21 -m state --state NEW,ESTABLISHED  -j ACCEPT
-A OUTPUT -p tcp --sport 21 -m state --state ESTABLISHED -j ACCEPT

#active
-A INPUT -p tcp --dport 20 -m state --state ESTABLISHED -j ACCEPT
-A OUTPUT -p tcp --sport 20 -m state --state ESTABLISHED,RELATED -j ACCEPT

#passive
-A INPUT -p tcp --sport 1024: --dport 1024: -m state --state RELATED,ESTABLISHED -j ACCEPT
-A OUTPUT -p tcp --sport 1024: --dport 1024: -m state --state ESTABLISHED -j ACCEPT
```

And this is the output of "iptables -L -n":

```
# Generated by iptables-save v1.3.4 on Wed Mar 22 22:31:27 2006
*raw
:PREROUTING ACCEPT [46975:14020864]
:OUTPUT ACCEPT [39597:4677724]
COMMIT
# Completed on Wed Mar 22 22:31:27 2006
# Generated by iptables-save v1.3.4 on Wed Mar 22 22:31:27 2006
*nat
:PREROUTING ACCEPT [1634:298393]
:POSTROUTING ACCEPT [593:47528]
:OUTPUT ACCEPT [593:47528]
COMMIT
# Completed on Wed Mar 22 22:31:27 2006
# Generated by iptables-save v1.3.4 on Wed Mar 22 22:31:27 2006
*mangle
:PREROUTING ACCEPT [46975:14020864]
:INPUT ACCEPT [46658:13963678]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [39597:4677724]
:POSTROUTING ACCEPT [39812:4711878]
COMMIT
*filter
:INPUT ACCEPT [5:5903]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [1023:595387635]
# accept all from localhost
-A INPUT -s 127.0.0.1 -j ACCEPT
# for the local VMware network
-A INPUT -s 192.168.123.128/25 -j ACCEPT
-A OUTPUT -s 192.168.123.128/25 -j ACCEPT
-A INPUT -s 192.168.67.128/25 -j ACCEPT
-A OUTPUT -s 192.168.67.128/25 -j ACCEPT
# accept all previously established connections
-A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
# ssh
-A INPUT -p tcp -m state --state NEW -m tcp --dport 22 -j ACCEPT
###FTP
-A INPUT -p tcp --dport 21 -m state --state NEW,ESTABLISHED  -j ACCEPT
-A OUTPUT -p tcp --sport 21 -m state --state ESTABLISHED -j ACCEPT
#active
-A INPUT -p tcp --dport 20 -m state --state ESTABLISHED -j ACCEPT
-A OUTPUT -p tcp --sport 20 -m state --state ESTABLISHED,RELATED -j ACCEPT
#pasive
-A INPUT -p tcp --sport 1024: --dport 1024: -m state --state RELATED,ESTABLISHED -j ACCEPT
-A OUTPUT -p tcp --sport 1024: --dport 1024: -m state --state ESTABLISHED -j ACCEPT
# Windows / Samba
-A INPUT -p tcp -m state --state NEW -m tcp --dport 137:139 -j ACCEPT
-A OUTPUT -p tcp -m state --state NEW -m tcp --dport 137:139 -j ACCEPT
-A INPUT -p tcp -m state --state NEW -m tcp --dport 426 -j ACCEPT
-A OUTPUT -p tcp -m state --state NEW -m tcp --dport 426 -j ACCEPT
-A INPUT -p tcp -m state --state NEW -m tcp --dport 445 -j ACCEPT
-A OUTPUT -p tcp -m state --state NEW -m tcp --dport 445 -j ACCEPT
# VNC
-A INPUT -p tcp -m state --state NEW -m tcp --dport 1417:1420 -j ACCEPT
-A INPUT -p tcp -m state --state NEW -m tcp --dport 5900:5902 -j ACCEPT
-A INPUT -p udp -m state --state NEW -m udp --dport 5900:5902 -j ACCEPT
-A INPUT -p tcp -m state --state NEW -m tcp --dport 5800:5802 -j ACCEPT
-A INPUT -p udp -m state --state NEW -m udp --dport 5800:5802 -j ACCEPT
-A INPUT -p tcp -m state --state NEW -m tcp --dport 5500:5502 -j ACCEPT
-A INPUT -p udp -m state --state NEW -m udp --dport 5500:5502 -j ACCEPT
# reject everything else
-A INPUT -j REJECT --reject-with icmp-port-unreachable
COMMIT
# Completed on Wed Mar 22 22:31:27 2006
```

The weird thing is everything was working OK until a month or so ago, but I've changed nothing in my iptables rules.

Any clue? Maybe a kernel thing? I update my kernel by issuing a "make oldconfig" over the previous .config file. This is my current .config file FTP config:

```
/usr/src/linux $ cat .config | grep FTP
CONFIG_NF_CONNTRACK_FTP=m
# CONFIG_NF_CONNTRACK_TFTP is not set
CONFIG_NF_NAT_FTP=m
# CONFIG_NF_NAT_TFTP is not set
```

Thanks in advance.

----------

## mudrii

The problem is not only in your firewall; it is also in your pure-ftp configuration.

As I recall, for example, to use passive ftp you should specify the exact port range, and if you are behind a firewall (not iptables but an ADSL/cable modem) you should forward the ports and use the -N switch for NAT compatibility.

If it is your first ftp setup, read

http://download.pureftpd.org/pub/pure-ftpd/doc/README

----------

## urcindalo

Well, I solved the problem, or at least I'm able to connect again to my ftp server.

Firstly, I noticed a few of the kernel options that are recommended to be ON when configuring the network stuff were OFF (maybe due to the "make oldconfig" applied from 2.6.19-rX to 2.6.20-rX).

Secondly, I slightly changed my ftp rules in /etc/iptables.conf from what appears in my previous message in this thread to this:

```
###FTP
-A INPUT -p tcp -m state --state NEW,ESTABLISHED -m tcp --dport 21  -j ACCEPT
-A OUTPUT -p tcp -m state --state NEW,ESTABLISHED -m tcp --sport 21 -j ACCEPT

#active
-A INPUT -p tcp -m state --state NEW,ESTABLISHED -m tcp --dport 20 -j ACCEPT
-A OUTPUT -p tcp -m state --state NEW,ESTABLISHED,RELATED -m tcp --sport 20 -j ACCEPT

#passive
-A INPUT -p tcp -m state --state NEW,RELATED,ESTABLISHED -m tcp --sport 1024: --dport 1024: -j ACCEPT
-A OUTPUT -p tcp -m state --state NEW,ESTABLISHED -m tcp --sport 1024: --dport 1024: -j ACCEPT
```

After all this I can connect using passive mode from a Mac OS X ftp client to my Gentoo ftp server.

In case anyone is interested, here is the IP config in my running kernel:

```
CONFIG_SYSVIPC=y
# CONFIG_IPC_NS is not set
CONFIG_SYSVIPC_COMPAT=y
# CONFIG_IP_MULTICAST is not set
CONFIG_IP_ADVANCED_ROUTER=y
CONFIG_ASK_IP_FIB_HASH=y
# CONFIG_IP_FIB_TRIE is not set
CONFIG_IP_FIB_HASH=y
CONFIG_IP_MULTIPLE_TABLES=y
CONFIG_IP_ROUTE_MULTIPATH=y
# CONFIG_IP_ROUTE_MULTIPATH_CACHED is not set
CONFIG_IP_ROUTE_VERBOSE=y
# CONFIG_IP_PNP is not set
CONFIG_NET_IPIP=m
# CONFIG_NET_IPGRE is not set
CONFIG_INET_IPCOMP=y
# IP: Virtual Server Configuration
# CONFIG_IP_VS is not set
CONFIG_IPV6=y
# CONFIG_IPV6_PRIVACY is not set
# CONFIG_IPV6_ROUTER_PREF is not set
CONFIG_INET6_IPCOMP=y
# CONFIG_IPV6_MIP6 is not set
CONFIG_IPV6_SIT=y
CONFIG_IPV6_TUNNEL=y
CONFIG_IPV6_MULTIPLE_TABLES=y
# CONFIG_IPV6_SUBTREES is not set
# CONFIG_IP_NF_CONNTRACK_SUPPORT is not set
# CONFIG_NF_CONNTRACK_SIP is not set
CONFIG_NETFILTER_XT_MATCH_MULTIPORT=m
# IP: Netfilter Configuration
CONFIG_NF_CONNTRACK_IPV4=m
# CONFIG_IP_NF_QUEUE is not set
CONFIG_IP_NF_IPTABLES=y
CONFIG_IP_NF_MATCH_IPRANGE=y
CONFIG_IP_NF_MATCH_TOS=y
CONFIG_IP_NF_MATCH_RECENT=y
CONFIG_IP_NF_MATCH_ECN=y
CONFIG_IP_NF_MATCH_AH=y
CONFIG_IP_NF_MATCH_TTL=y
CONFIG_IP_NF_MATCH_OWNER=y
CONFIG_IP_NF_MATCH_ADDRTYPE=y
CONFIG_IP_NF_FILTER=y
CONFIG_IP_NF_TARGET_REJECT=y
CONFIG_IP_NF_TARGET_LOG=y
CONFIG_IP_NF_TARGET_ULOG=y
CONFIG_IP_NF_TARGET_TCPMSS=y
CONFIG_IP_NF_TARGET_MASQUERADE=m
CONFIG_IP_NF_TARGET_REDIRECT=m
CONFIG_IP_NF_TARGET_NETMAP=m
CONFIG_IP_NF_TARGET_SAME=m
# CONFIG_NF_NAT_SIP is not set
CONFIG_IP_NF_MANGLE=y
CONFIG_IP_NF_TARGET_TOS=y
CONFIG_IP_NF_TARGET_ECN=y
CONFIG_IP_NF_TARGET_TTL=y
CONFIG_IP_NF_RAW=y
CONFIG_IP_NF_ARPTABLES=y
CONFIG_IP_NF_ARPFILTER=y
CONFIG_IP_NF_ARP_MANGLE=y
# IPv6: Netfilter Configuration (EXPERIMENTAL)
CONFIG_NF_CONNTRACK_IPV6=m
# CONFIG_IP6_NF_QUEUE is not set
CONFIG_IP6_NF_IPTABLES=y
CONFIG_IP6_NF_MATCH_RT=m
CONFIG_IP6_NF_MATCH_OPTS=m
CONFIG_IP6_NF_MATCH_FRAG=m
CONFIG_IP6_NF_MATCH_HL=m
CONFIG_IP6_NF_MATCH_OWNER=m
CONFIG_IP6_NF_MATCH_IPV6HEADER=m
CONFIG_IP6_NF_MATCH_AH=m
CONFIG_IP6_NF_MATCH_EUI64=m
CONFIG_IP6_NF_FILTER=m
CONFIG_IP6_NF_TARGET_LOG=m
CONFIG_IP6_NF_TARGET_REJECT=m
CONFIG_IP6_NF_MANGLE=m
CONFIG_IP6_NF_TARGET_HL=m
CONFIG_IP6_NF_RAW=m
CONFIG_IP_DCCP=m
CONFIG_IP_DCCP_ACKVEC=y
CONFIG_IP_DCCP_CCID2=m
# CONFIG_IP_DCCP_CCID2_DEBUG is not set
CONFIG_IP_DCCP_CCID3=m
CONFIG_IP_DCCP_TFRC_LIB=m
# CONFIG_IP_DCCP_CCID3_DEBUG is not set
CONFIG_IP_DCCP_CCID3_RTO=100
# CONFIG_IP_DCCP_DEBUG is not set
CONFIG_IP_SCTP=m
# TIPC Configuration (EXPERIMENTAL)
# CONFIG_TIPC is not set
CONFIG_IPX=m
CONFIG_IPX_INTERN=y
CONFIG_IPDDP=m
CONFIG_IPDDP_ENCAP=y
CONFIG_IPDDP_DECAP=y
CONFIG_IEEE80211_CRYPT_TKIP=m
# CONFIG_SCSI_IPS is not set
CONFIG_SCSI_IZIP_EPP16=y
# CONFIG_SCSI_IZIP_SLOW_CTR is not set
# CONFIG_SCSI_IPR is not set
CONFIG_MD_MULTIPATH=m
# CONFIG_DM_MULTIPATH is not set
CONFIG_IEEE1394_CONFIG_ROM_IP1394=y
# CONFIG_NET_TULIP is not set
CONFIG_STRIP=m
# CONFIG_IPW2100 is not set
# CONFIG_IPW2200 is not set
# CONFIG_HIPPI is not set
# CONFIG_PLIP is not set
# CONFIG_SLIP is not set
# CONFIG_SERIO_PCIPS2 is not set
# CONFIG_TIPAR is not set
# IPMI
# CONFIG_IPMI_HANDLER is not set
# CONFIG_I2C_DEBUG_CHIP is not set
# CONFIG_HWMON_DEBUG_CHIP is not set
CONFIG_VIDEO_HELPER_CHIPS_AUTO=y
# CONFIG_VIDEO_OVCAMCHIP is not set
# CONFIG_USB_AIPTEK is not set
# CONFIG_EXT2_FS_XIP is not set
CONFIG_CRYPTO_BLKCIPHER=y
```

----------

## sschlueter

This configuration is not secure. You should either use the ftp conntrack/nat module or use a reverse ftp proxy.
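
An added example, not code from the thread or from Pure-FTPd, showing what Jerem and sschlueter point at: the data channel is tracked by the kernel's FTP conntrack helper and passive mode is confined to the range given to pure-ftpd with -p LOW:HIGH, instead of admitting NEW connections on every port above 1024. The 30000:30100 range, the IPT/MODPROBE dry-run variables and the weak-rule grep pattern are assumptions of mine; the PASV reply it decodes is the one from the pure-ftpd log earlier in the thread.

```shell
#!/bin/sh
# Added example, not code from the thread: firewall FTP with the conntrack
# helper instead of opening every port above 1024 to NEW connections.
# IPT and MODPROBE default to "echo ..." so the script only prints what it
# would do; run it as root with IPT=iptables MODPROBE=modprobe to apply.
IPT=${IPT:-"echo iptables"}
MODPROBE=${MODPROBE:-"echo modprobe"}

# Decode the data port from a "227 Entering Passive Mode (h1,h2,h3,h4,p1,p2)"
# reply: port = p1*256 + p2.  The thread's log line gives 22*256+157 = 5789.
pasv_port() {
    fields=${1#*\(}; fields=${fields%%\)*}
    oldifs=$IFS; IFS=,; set -- $fields; IFS=$oldifs
    echo $(($5 * 256 + $6))
}

# True when a decoded data port lies inside the range given to pure-ftpd -p.
in_pasv_range() { [ "$1" -ge "$2" ] && [ "$1" -le "$3" ]; }

# Count rules (read from stdin) that let NEW connections into the whole
# >1024 range, the pattern sschlueter objects to; prints the count.
weak_pasv_rules() { grep -c -E -- '--state [A-Z,]*NEW.*--dport 1024:' || true; }

# Emit rules for the control channel plus helper-tracked data channels.
# Assumes pure-ftpd runs with "-p LOW:HIGH" (a documented pure-ftpd option).
ftp_rules() {
    low=$1; high=$2
    # 2.6.x kernels call the helper ip_conntrack_ftp, newer ones nf_conntrack_ftp.
    $MODPROBE nf_conntrack_ftp
    # Kernels since 4.7 no longer attach helpers automatically; bind it explicitly.
    $IPT -t raw -A PREROUTING -p tcp --dport 21 -j CT --helper ftp
    $IPT -A INPUT  -p tcp --dport 21 -m state --state NEW,ESTABLISHED -j ACCEPT
    $IPT -A OUTPUT -p tcp --sport 21 -m state --state ESTABLISHED -j ACCEPT
    # Active mode: the server's outgoing connection from port 20 is RELATED
    # to the control session, so NEW is not needed in either direction.
    $IPT -A OUTPUT -p tcp --sport 20 -m state --state RELATED,ESTABLISHED -j ACCEPT
    $IPT -A INPUT  -p tcp --dport 20 -m state --state ESTABLISHED -j ACCEPT
    # Passive mode: the client's SYN to the PASV port is RELATED because the
    # helper parsed the 227 reply; without the helper it is NEW and hits DROP.
    $IPT -A INPUT  -p tcp --dport "$low:$high" -m state --state RELATED,ESTABLISHED -j ACCEPT
    $IPT -A OUTPUT -p tcp --sport "$low:$high" -m state --state ESTABLISHED -j ACCEPT
}

# Stand-alone run: show the port from the thread's log line and the rules.
echo "data port: $(pasv_port '227 Entering Passive Mode (Y,25,112,116,22,157)')"
ftp_rules 30000 30100
```

Pipe an existing ruleset through `weak_pasv_rules` to see whether it still carries the NEW-on-1024: pattern; with the helper in place that rule is no longer needed for listings to work.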

----------

## urcindalo

I know.

But it is when combined with the excellent blacklist script to get rid of brute force attempts to enter my box (ssh, ftp...). Every week the script bans a dozen or so IP addresses.

----------

