# ProFTPd + iptables (again!)

## KaterGonzo

Sorry for my question, but I've been searching for several days to solve my problem. The hints in this forum don't help.

I'm trying to get proftpd working with iptables. If I disable iptables, I can establish an FTP connection, so the problem depends on the iptables configuration.

In the iptables log I found information about the destination port, so I added it to my iptables config. Without success.

Here is the necessary information about my system:

```
*

*

* General

*

*

# uname -a

Linux websrv-gentoo-PD945 2.6.34-gentoo-r6 #7 SMP Mon Dec 13 18:57:54 CET 2010 x86_64 Intel(R) Pentium(R) D CPU 3.40GHz GenuineIntel GNU/Linux

# proftpd --version

ProFTPD Version 1.3.3g

*

*

* ProFTP

*

*

# cat /etc/proftpd/proftpd.conf

ServerName          "Something hiereds"

ServerType          standalone

DefaultServer       on

RequireValidShell   off

AuthPAM             off

AuthPAMConfig       ftp

# Port 21 is the standard FTP port.

Port                            21

# Passive Ports

PassivePorts                  49152 65534

# Umask 022 is a good standard umask to prevent new dirs and files

# from being group and world writable.

Umask                           022

MaxInstances                    30

# Set the user and group under which the server will run.

User                            ftp

Group                           ftp

# Normally, we want files to be overwriteable.

<Directory />

  AllowOverwrite                on

</Directory>

# Lock users into their home directory!

DefaultRoot ~

# --------------------------------------------

# Post-Login, Timeouts

# --------------------------------------------

TimeoutIdle 1200 # inactivity

TimeoutNoTransfer 3600 # no data transfer (listing, file, ...)

TimeoutStalled 300 # stalled data transfer

TimeoutSession 7200 # total duration of a session

UseReverseDNS off

*

*

* IPTABLES

*

*

websrv-gentoo-PD945  # iptables -A INPUT -p tcp --destination-port 49152:65534 -j ACCEPT

websrv-gentoo-PD945  # iptables -L

Chain INPUT (policy DROP)

target     prot opt source               destination

ACCEPT     all  --  anywhere             anywhere

DROP       icmp --  anywhere             anywhere            icmp redirect

ACCEPT     icmp --  anywhere             anywhere

ACCEPT     tcp  --  anywhere             anywhere            tcp dpt:ftp-data

ACCEPT     tcp  --  anywhere             anywhere            tcp dpt:ftp

ACCEPT     tcp  --  anywhere             anywhere            tcp dpt:ftp

ACCEPT     tcp  --  anywhere             anywhere            tcp dpt:ftp-data

ACCEPT     tcp  --  anywhere             anywhere            tcp dpt:ssh

ACCEPT     tcp  --  anywhere             anywhere            limit: avg 1/sec burst 5 tcp dpt:ssh flags:FIN,SYN,RST,PSH,ACK,URG/RST

ACCEPT     tcp  --  anywhere             anywhere            limit: avg 1/sec burst 5 tcp dpt:ssh flags:FIN,SYN,RST,PSH,ACK,URG/FIN

ACCEPT     tcp  --  anywhere             anywhere            limit: avg 1/sec burst 5 tcp dpt:ssh flags:FIN,SYN,RST,PSH,ACK,URG/SYN

ACCEPT     tcp  --  anywhere             anywhere            state RELATED,ESTABLISHED tcp dpt:ssh

ACCEPT     tcp  --  anywhere             anywhere            tcp dpt:http

ACCEPT     tcp  --  anywhere             anywhere            tcp spt:http

ACCEPT     tcp  --  anywhere             anywhere            tcp dpt:svn

ACCEPT     udp  --  anywhere             anywhere            udp spt:ntp

ACCEPT     tcp  --  anywhere             anywhere            tcp spts:1024:65535 dpts:1024:65535 state ESTABLISHED

ACCEPT     tcp  --  anywhere             anywhere            state RELATED,ESTABLISHED tcp spt:ftp-data

ACCEPT     tcp  --  anywhere             anywhere            state RELATED,ESTABLISHED tcp spt:ftp

ACCEPT     tcp  --  anywhere             anywhere            state RELATED,ESTABLISHED tcp spt:smtp

ACCEPT     tcp  --  anywhere             anywhere            state RELATED,ESTABLISHED tcp spt:rsync

LOGDROP    all  --  anywhere             anywhere

ACCEPT     tcp  --  anywhere             anywhere            tcp dpts:49152:65534

Chain FORWARD (policy ACCEPT)

target     prot opt source               destination

Chain OUTPUT (policy ACCEPT)

target     prot opt source               destination

Chain LOGDROP (1 references)

target     prot opt source               destination

LOG        all  --  anywhere             anywhere            LOG level warning prefix `{fw}'

DROP       all  --  anywhere             anywhere

*

*

* IPTABLES ERROR LOG

*

*

# tail -f /var/log/iptables.log

Feb 18 10:47:36 websrv-gentoo-PD945 kernel: {fw}IN=eth0 OUT= MAC=00:15:58:16:30:f3:64:16:8d:24:fc:21:08:00 SRC=146.52.181.192 DST=212.68.70.7 LEN=48 TOS=0x00 PREC=0x00 TTL=115 ID=24897 DF PROTO=TCP SPT=53983 DPT=49862 WINDOW=8192 RES=0x00 SYN URGP=0

*

*

* KERNEL (only active modules)

*

*

#

# Core Netfilter Configuration

#

CONFIG_NETFILTER_NETLINK=y

CONFIG_NETFILTER_NETLINK_QUEUE=y

CONFIG_NETFILTER_NETLINK_LOG=y

CONFIG_NF_CONNTRACK=y

CONFIG_NF_CT_ACCT=y

CONFIG_NF_CONNTRACK_MARK=y

CONFIG_NF_CONNTRACK_EVENTS=y

CONFIG_NF_CONNTRACK_FTP=m

CONFIG_NF_CONNTRACK_TFTP=m

CONFIG_NF_CT_NETLINK=m

CONFIG_NETFILTER_XTABLES=y

CONFIG_NETFILTER_XT_MATCH_CONNTRACK=y

CONFIG_NETFILTER_XT_MATCH_HELPER=y

CONFIG_NETFILTER_XT_MATCH_IPRANGE=m

CONFIG_NETFILTER_XT_MATCH_LENGTH=y

CONFIG_NETFILTER_XT_MATCH_LIMIT=y

CONFIG_NETFILTER_XT_MATCH_SCTP=y

CONFIG_NETFILTER_XT_MATCH_STATE=y

CONFIG_NETFILTER_XT_MATCH_STRING=y

#

# IP: Netfilter Configuration

#

CONFIG_NF_DEFRAG_IPV4=m

CONFIG_NF_CONNTRACK_IPV4=m

CONFIG_NF_CONNTRACK_PROC_COMPAT=y

CONFIG_IP_NF_IPTABLES=y

CONFIG_IP_NF_FILTER=y

CONFIG_IP_NF_TARGET_REJECT=y

CONFIG_IP_NF_TARGET_LOG=y

CONFIG_NF_NAT=m

CONFIG_NF_NAT_NEEDED=y

CONFIG_IP_NF_TARGET_MASQUERADE=m

CONFIG_IP_NF_TARGET_NETMAP=m

CONFIG_IP_NF_TARGET_REDIRECT=m

CONFIG_NF_NAT_SNMP_BASIC=m

CONFIG_NF_NAT_FTP=m

CONFIG_NF_NAT_TFTP=m

*

*

*

* Emerge --info

*

*

# emerge --info

Portage 2.1.11.9 (default/linux/amd64/10.0/server, gcc-4.4.3, glibc-2.15-r2, 2.6.34-gentoo-r6 x86_64)

=================================================================

System uname: Linux-2.6.34-gentoo-r6-x86_64-Intel-R-_Pentium-R-_D_CPU_3.40GHz-with-gentoo-2.1

Timestamp of tree: Sat, 16 Feb 2013 03:30:01 +0000

app-shells/bash:          4.2_p37

dev-lang/python:          2.4.4-r6::<unknown repository>, 2.5.4-r2, 2.6.8, 2.7.3-r2, 3.1.2-r4, 3.2.3

dev-util/cmake:           2.8.1-r2

dev-util/pkgconfig:       0.27

sys-apps/baselayout:      2.1-r1

sys-apps/openrc:          0.9.8.4

sys-apps/sandbox:         2.5

sys-devel/autoconf:       2.13::<unknown repository>, 2.68

sys-devel/automake:       1.4_p6::<unknown repository>, 1.5::<unknown repository>, 1.6.3::<unknown repository>, 1.7.9-r1::<unknown repository>, 1.8.5-r3::<unknown repository>, 1.9.6-r2::<unknown repository>, 1.10.2, 1.11.6

sys-devel/binutils:       2.22-r1

sys-devel/gcc:            3.4.3-r1::<unknown repository>, 4.1.2, 4.3.4, 4.4.3-r2, 4.5.4

sys-devel/gcc-config:     1.7.3

sys-devel/libtool:        2.4-r1

sys-devel/make:           3.82-r3

sys-kernel/linux-headers: 3.4-r2 (virtual/os-headers)

sys-libs/glibc:           2.15-r2

Repositories: gentoo

ACCEPT_KEYWORDS="amd64"

ACCEPT_LICENSE="* -@EULA"

CBUILD="x86_64-pc-linux-gnu"

CFLAGS="-march=nocona -O2 -pipe"

CHOST="x86_64-pc-linux-gnu"

CONFIG_PROTECT="/etc"

CONFIG_PROTECT_MASK="/etc/ca-certificates.conf /etc/env.d /etc/fonts/fonts.conf /etc/gconf /etc/gentoo-release /etc/php/apache2-php5.3/ext-active/ /etc/php/cgi-php5.3/ext-active/ /etc/php/cli-php5.3/ext-active/ /etc/revdep-rebuild /etc/sandbox.d /etc/terminfo"

CXXFLAGS="-march=nocona -O2 -pipe"

DISTDIR="/usr/portage/distfiles"

FCFLAGS="-O2 -pipe"

FEATURES="assume-digests binpkg-logs config-protect-if-modified distlocks ebuild-locks fixlafiles news parallel-fetch parse-eapi-ebuild-head protect-owned sandbox sfperms strict unknown-features-warn unmerge-logs unmerge-orphans userfetch"

FFLAGS="-O2 -pipe"

GENTOO_MIRRORS="ftp://ftp6.uni-erlangen.de/pub/mirrors/gentoo ftp://ftp6.uni-muenster.de/pub/linux/distributions/gentoo http://lug.mtu.edu/gentoo/"

LDFLAGS="-Wl,-O1 -Wl,--as-needed"

MAKEOPTS="-j3"

PKGDIR="/usr/portage/packages"

PORTAGE_CONFIGROOT="/"

PORTAGE_RSYNC_OPTS="--recursive --links --safe-links --perms --times --compress --force --whole-file --delete --stats --human-readable --timeout=180 --exclude=/distfiles --exclude=/local --exclude=/packages"

PORTAGE_TMPDIR="/var/tmp"

PORTDIR="/usr/portage"

PORTDIR_OVERLAY=""

SYNC="rsync://rsync.gentoo.org/gentoo-portage"

USE="acl acpi amd64 apache2 berkdb bzip2 cdr cgi cli command-args cracklib crypt ctype curl cxx digest dri dvd filter fortran freetype gd gdbm gif gpm iconv ipv6 jpeg json latin1 lzw mmx modules mudflap multilib mysql ncurses nls nptl openmp pam pcre php png readline session snmp soap sse sse2 ssl tcpd threads tiff truetype truetype2 unicode vhosts xml zlib" ABI_X86="64" ALSA_CARDS="ali5451 als4000 atiixp atiixp-modem bt87x ca0106 cmipci emu10k1x ens1370 ens1371 es1938 es1968 fm801 hda-intel intel8x0 intel8x0m maestro3 trident usb-audio via82xx via82xx-modem ymfpci" ALSA_PCM_PLUGINS="adpcm alaw asym copy dmix dshare dsnoop empty extplug file hooks iec958 ioplug ladspa lfloat linear meter mmap_emul mulaw multi null plug rate route share shm softvol" APACHE2_MODULES="actions alias auth_basic authn_alias authn_anon authn_dbm authn_default authn_file authz_dbm authz_default authz_groupfile authz_host authz_owner authz_user autoindex cache cgi dav dav_fs dav_lock deflate dir disk_cache env expires ext_filter file_cache filter headers include info log_config logio mem_cache mime mime_magic negotiation rewrite setenvif speling status unique_id userdir usertrack vhost_alias auth_digest" CALLIGRA_FEATURES="kexi words flow plan sheets stage tables krita karbon braindump" CAMERAS="ptp2" COLLECTD_PLUGINS="df interface irq load memory rrdtool swap syslog" ELIBC="glibc" GPSD_PROTOCOLS="ashtech aivdm earthmate evermore fv18 garmin garmintxt gpsclock itrax mtk3301 nmea ntrip navcom oceanserver oldstyle oncore rtcm104v2 rtcm104v3 sirf superstar2 timing tsip tripmate tnt ubx" INPUT_DEVICES="keyboard mouse evdev" KERNEL="linux" LCD_DEVICES="bayrad cfontz cfontz633 glk hd44780 lb216 lcdm001 mtxorb ncurses text" LIBREOFFICE_EXTENSIONS="presenter-console presenter-minimizer" LINGUAS="de" PHP_TARGETS="php5-3" PYTHON_SINGLE_TARGET="python2_7" PYTHON_TARGETS="python2_7 python3_2" RUBY_TARGETS="ruby18 ruby19" USERLAND="GNU" VIDEO_CARDS="fbdev glint intel mach64 mga nouveau nv r128 radeon 
savage sis tdfx trident vesa via vmware dummy v4l" XTABLES_ADDONS="quota2 psd pknock lscan length2 ipv4options ipset ipp2p iface geoip fuzzy condition tee tarpit sysrq steal rawnat logmark ipmark dhcpmac delude chaos account"

Unset:  CPPFLAGS, CTARGET, EMERGE_DEFAULT_OPTS, INSTALL_MASK, LANG, LC_ALL, PORTAGE_BUNZIP2_COMMAND, PORTAGE_COMPRESS, PORTAGE_COMPRESS_FLAGS, PORTAGE_RSYNC_EXTRA_OPTS, USE_PYTHON

```

Last edited by KaterGonzo on Mon Feb 18, 2013 12:20 pm; edited 1 time in total

----------

## bbgermany

Hi,

since the connection is RELATED to the ftp/ftp-data port, you should change the line

```

ACCEPT     tcp  --  anywhere             anywhere            tcp spts:1024:65535 dpts:1024:65535 state ESTABLISHED 

```

so that it looks more like

```

ACCEPT     tcp  --  anywhere             anywhere            tcp spts:1024:65535 dpts:1024:65535 state ESTABLISHED,RELATED

```

bb

----------
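Why bbgermany's one-word change is enough, and why the `49152:65534` rule the original poster appended did not help, is easiest to see by replaying the posted log line against a model of the INPUT chain. The script below is an added example for this thread, not code from the kernel or from either poster: it imitates what `nf_conntrack_ftp` does (it watches the `227 Entering Passive Mode` reply on the control connection and registers an expectation, so the client's data SYN to that port is classified RELATED instead of NEW) and then walks an abbreviated copy of the posted INPUT chain top-down, first match wins. The PASV reply is constructed so that its port (194*256+198) equals the DPT=49862 in the posted `{fw}` log line; the chain keeps only the rules that can touch a high-port SYN, in their posted order, including the fact that the `-A` rule for 49152:65534 landed after LOGDROP.

```python
"""Model of the kernel FTP helper plus a first-match iptables INPUT chain,
used to replay the dropped passive-mode data SYN from the forum post."""
import re
from dataclasses import dataclass

PASSIVE_PORTS = (49152, 65534)  # PassivePorts line from the posted proftpd.conf

# Constructed sample: the server's reply to PASV on the control connection.
# 212,68,70,7 is the DST in the posted log line; 194*256+198 = 49862 = its DPT.
PASV_REPLY = "227 Entering Passive Mode (212,68,70,7,194,198)."

# The dropped packet, verbatim from the posted /var/log/iptables.log line.
LOG_LINE = ("Feb 18 10:47:36 websrv-gentoo-PD945 kernel: {fw}IN=eth0 OUT= "
            "MAC=00:15:58:16:30:f3:64:16:8d:24:fc:21:08:00 SRC=146.52.181.192 "
            "DST=212.68.70.7 LEN=48 TOS=0x00 PREC=0x00 TTL=115 ID=24897 DF "
            "PROTO=TCP SPT=53983 DPT=49862 WINDOW=8192 RES=0x00 SYN URGP=0")


def parse_pasv(reply):
    """Return (ip, port) from a 227 reply, or None if it is not a PASV reply."""
    m = re.search(r"\((\d+),(\d+),(\d+),(\d+),(\d+),(\d+)\)", reply)
    if not m or not reply.startswith("227"):
        return None
    a, b, c, d, p1, p2 = map(int, m.groups())
    return f"{a}.{b}.{c}.{d}", p1 * 256 + p2


def parse_log(line):
    """Pull the KEY=VALUE fields out of a netfilter LOG line."""
    fields = dict(re.findall(r"(\w+)=(\S+)", line))
    return {"src": fields["SRC"], "dst": fields["DST"], "proto": fields["PROTO"],
            "spt": int(fields["SPT"]), "dpt": int(fields["DPT"]),
            "syn": " SYN " in line}


class Conntrack:
    """Stand-in for nf_conntrack + nf_conntrack_ftp: a PASV reply seen on the
    control connection registers an expectation (client, server, port); a SYN
    that matches it is RELATED, any other SYN is NEW, non-SYN is ESTABLISHED."""

    def __init__(self):
        self.expectations = set()

    def see_pasv(self, client_ip, reply):
        parsed = parse_pasv(reply)
        if parsed:
            self.expectations.add((client_ip, parsed[0], parsed[1]))

    def state(self, pkt):
        if pkt["syn"] and (pkt["src"], pkt["dst"], pkt["dpt"]) in self.expectations:
            return "RELATED"
        return "NEW" if pkt["syn"] else "ESTABLISHED"


@dataclass
class Rule:
    target: str
    dpt: tuple = None            # inclusive (lo, hi) or None for "any"
    spt: tuple = None
    states: frozenset = frozenset()  # empty means no --state match

    def matches(self, pkt, state):
        if self.dpt and not (self.dpt[0] <= pkt["dpt"] <= self.dpt[1]):
            return False
        if self.spt and not (self.spt[0] <= pkt["spt"] <= self.spt[1]):
            return False
        if self.states and state not in self.states:
            return False
        return True


def evaluate(chain, pkt, state, policy="DROP"):
    """First matching rule decides; the chain policy applies if none matches."""
    for rule in chain:
        if rule.matches(pkt, state):
            return rule.target
    return policy


def posted_chain(high_port_states):
    """Abbreviated posted INPUT chain: only rules that can hit a high-port SYN."""
    return [
        Rule("ACCEPT", dpt=(20, 20)),                                   # dpt:ftp-data
        Rule("ACCEPT", dpt=(21, 21)),                                   # dpt:ftp
        Rule("ACCEPT", dpt=(1024, 65535), spt=(1024, 65535), states=high_port_states),
        Rule("LOGDROP"),                                                # catch-all
        Rule("ACCEPT", dpt=PASSIVE_PORTS),  # appended with -A after LOGDROP: dead
    ]


def verdict(high_port_states, helper_loaded=True):
    """Classify the logged SYN and return (conntrack state, chain verdict)."""
    ct = Conntrack()
    pkt = parse_log(LOG_LINE)
    if helper_loaded:  # CONFIG_NF_CONNTRACK_FTP=m: only acts if the module is loaded
        ct.see_pasv(pkt["src"], PASV_REPLY)
    state = ct.state(pkt)
    return state, evaluate(posted_chain(high_port_states), pkt, state)


if __name__ == "__main__":
    print("posted rules (ESTABLISHED only):", verdict(frozenset({"ESTABLISHED"})))
    print("bbgermany's fix (ESTABLISHED,RELATED):",
          verdict(frozenset({"ESTABLISHED", "RELATED"})))
    print("fix but helper not loaded:",
          verdict(frozenset({"ESTABLISHED", "RELATED"}), helper_loaded=False))
```

Two things the replay makes visible. First, the data SYN reaches the high-port rule as RELATED, not ESTABLISHED, so with the posted `state ESTABLISHED` it falls through to LOGDROP, and the 49152:65534 ACCEPT appended afterwards is never consulted; it would have needed `-I` to sit above LOGDROP. Second, the RELATED classification only exists if the FTP helper is active: the posted kernel config builds it as a module (`CONFIG_NF_CONNTRACK_FTP=m`), so the third case shows what happens when that module is not loaded.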

## KaterGonzo

I corrected this line...

Thank you very much! Now it works!

----------

