# [SOLVED] iptables rules for a browsable ftp server

## ferreirafm

I am running a proftpd server with default settings (proftpd.conf.sample) as follows:

```
# This is a basic ProFTPD configuration file (rename it to
# 'proftpd.conf' for actual use.  It establishes a single server
# and a single anonymous login.  It assumes that you have a user/group
# "proftpd" and "ftp" for normal operation and anon.

ServerName                      "ProFTPD Default Installation"
ServerType                      standalone
DefaultServer           on
RequireValidShell       off
AuthPAM                 off
AuthPAMConfig           ftp

# Port 21 is the standard FTP port.
Port                            21

# Don't use IPv6 support by default.
UseIPv6                         off

# Umask 022 is a good standard umask to prevent new dirs and files
# from being group and world writable.
Umask                           022

# To prevent DoS attacks, set the maximum number of child processes
# to 30.  If you need to allow more than 30 concurrent connections
# at once, simply increase this value.  Note that this ONLY works
# in standalone mode, in inetd mode you should use an inetd server
# that allows you to limit maximum number of processes per service
# (such as xinetd).
MaxInstances                    30

# Set the user and group under which the server will run.
User                            proftpd
Group                           proftpd

# To cause every FTP user to be "jailed" (chrooted) into their home
# directory, uncomment this line.
#DefaultRoot ~

# Normally, we want files to be overwriteable.
AllowOverwrite          on

# Bar use of SITE CHMOD by default
<Limit SITE_CHMOD>
  DenyAll
</Limit>

# A basic anonymous configuration, no upload directories.  If you do not
# want anonymous users, simply delete this entire <Anonymous> section.
<Anonymous ~ftp>
  User                          ftp
  Group                         ftp

  # We want clients to be able to login with "anonymous" as well as "ftp"
  UserAlias                     anonymous ftp

  # Limit the maximum number of anonymous logins
  MaxClients                    10

  # We want 'welcome.msg' displayed at login, and '.message' displayed
  # in each newly chdired directory.
  DisplayLogin          /etc/proftpd/welcome.msg
  DisplayChdir          /etc/proftpd/.message

  # Limit WRITE everywhere in the anonymous chroot
  <Limit WRITE>
    DenyAll
  </Limit>

# Permit uploading and creation of new directories in
# submissions/public
#  <Directory public>
#    <Limit READ>
#      DenyAll
#      IgnoreHidden     on
#    </Limit>
#
#    <Limit STOR MKD RMD XMKD XRMD>
#      AllowAll
#      IgnoreHidden     on
#    </Limit>
#  </Directory>
</Anonymous>
```

However, when I start iptables, I can't browse the ftp root anymore. My iptables rules are as follows:

```
# Generated by iptables-save v1.4.3.2 on Qua Out 14 16:54:29 BRT 2009
*filter
:INPUT ACCEPT [5:952]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [1192099:595387635]
# accept all from localhost
-A INPUT -s 127.0.0.1 -j ACCEPT
# accept all previously established connections
-A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
# permit people to ssh into this computer
-A INPUT -p tcp -m state --state NEW -m tcp --dport 22 -j ACCEPT
# permit ftp and web hosting services
-A INPUT -p tcp -m state --state NEW -m tcp --dport 20 -j ACCEPT
-A INPUT -p tcp -m state --state NEW -m tcp --dport 21 -j ACCEPT
-A INPUT -p tcp -m state --state NEW -m tcp --dport 80 -j ACCEPT
-A INPUT -p tcp -m state --state NEW -m tcp --dport 443 -j ACCEPT
#-A INPUT -p tcp -m tcp --dport 20 -j ACCEPT
#-A INPUT -p tcp -m tcp --dport 21 -j ACCEPT
#-A INPUT -p tcp -m tcp --dport 80 -j ACCEPT
#-A INPUT -p tcp -m tcp --dport 443 -j ACCEPT
# permit windows file sharing
-A INPUT -p tcp -m state --state NEW -m tcp --dport 137:139 -j ACCEPT
-A INPUT -p tcp -m state --state NEW -m tcp --dport 426 -j ACCEPT
-A INPUT -p tcp -m state --state NEW -m tcp --dport 445 -j ACCEPT
# permit five ports for bitorrent
-A INPUT -p tcp -m state --state NEW -m tcp --dport 6881:6886 -j ACCEPT
# reject all other packets coming into the computer, even from other
# computers in the local area network
-A INPUT -j DROP
#REJECT --reject-with icmp-port-unreachable
COMMIT
```

What do I have to change in the iptables rules so that I can browse directories with a regular navigator?

Thanks in advance,

Fred

Last edited by ferreirafm on Fri Oct 16, 2009 2:52 pm; edited 1 time in total

----------

## msalerno

http://proftpd.org/docs/howto/NAT.html

Search this forum or the internet for: ip_conntrack_ftp

You should find plenty of examples.

Classic Active vs Passive ftp issues.  I hate FTP!

----------

## ferreirafm

*msalerno wrote:*

> http://proftpd.org/docs/howto/NAT.html
> 
> Search this forum or the internet for: ip_conntrack_ftp
> 
> You should find plenty of examples.
> ...


I think that it has nothing to do with NAT; my IP is real. As I have said, clients can browse the ftp files with firefox. However, after starting iptables, they can only log on to the ftp server with an ftp client, but not browse files with firefox. It seems to be some iptables rule!

----------

## msalerno

Exactly, check out ip_conntrack_ftp

Try this test with your firewall on:

1. Log in via ftp from the command line and type "ls"

 - Chances are that it will timeout.

2. Log in via ftp from the command line and type in "passv" and then "ls"

 - Chances are that this will work.

I still put my money on FTP active vs FTP passive connection issues caused by a firewall with no conntrack specific for FTP.

----------

## ferreirafm

*msalerno wrote:*

> Exactly, check out ip_conntrack_ftp
> 
> Try this test with your firewall on:
> 
> 1. Log in via ftp from the command line and type "ls"
> ...


Not ip_conntrack_ftp exactly, but yep! You were right! It is necessary to run proftpd in passive mode when behind a firewall. So, I put the following line after the standard ftp port in my proftpd.conf:

```
PassivePorts                    60000 65000
```

and gave the necessary permissions with the iptables rule:

```
# permit passive ftp ports
-A INPUT -p tcp -m state --state NEW -m tcp --dport 60000:65000 -j ACCEPT
```

However, I don't know what kind of vulnerabilities have been added in the process.

----------

## msalerno

It's a matter of who initially opens the additional sockets for the data connections. You can do active ftp from your server depending on your firewall; if it's iptables, you can use ip_conntrack_ftp.

http://slacksite.com/other/ftp.html

http://rackerhacker.com/2007/07/01/active-ftp-connections-through-iptables/
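As an added example (not code from the thread or from ProFTPD), a POSIX sh check that ties Fred's PassivePorts range and iptables rule to msalerno's point about who opens the data socket: it parses the `227 Entering Passive Mode` reply a client receives after `passive` + `ls`, confirms the advertised address is the one the control connection used (the NAT case the linked howto covers), and confirms the data port lies inside the range the firewall accepts. The 60000-65000 range is taken from the thread; the reply strings are constructed.

```shell
#!/bin/sh
# Added example, not from the thread: check a server's PASV reply against the
# PassivePorts range the firewall permits. Assumes Fred's 60000-65000 range;
# the sample replies below are constructed.

PASSIVE_LOW=60000
PASSIVE_HIGH=65000

# Extract "h1,h2,h3,h4,p1,p2" from a "227 Entering Passive Mode (...)" reply.
# Prints nothing and fails when the reply is not well formed.
pasv_fields() {
    d='[0-9][0-9]*'
    printf '%s\n' "$1" | sed -n "s/^227 .*(\($d,$d,$d,$d,$d,$d\)).*/\1/p" | grep .
}

# Address the server tells the client to connect to, as h1.h2.h3.h4.
pasv_host() {
    f=$(pasv_fields "$1") || return 1
    printf '%s\n' "$f" | cut -d, -f1-4 | tr , .
}

# Data port the server has opened: p1*256 + p2. In passive mode the client
# initiates this connection, which is why the range must be open inbound.
pasv_port() {
    f=$(pasv_fields "$1") || return 1
    p1=$(printf '%s\n' "$f" | cut -d, -f5)
    p2=$(printf '%s\n' "$f" | cut -d, -f6)
    [ "$p1" -le 255 ] && [ "$p2" -le 255 ] || return 1
    echo $((p1 * 256 + p2))
}

# 0 when the advertised host matches the address the control connection used
# (a mismatch is the NAT problem the linked howto covers) and the port lies
# inside the range the iptables rule accepts; 2/3/4 say which check failed.
pasv_check() {
    reply=$1; expected_host=$2
    host=$(pasv_host "$reply") || return 2
    port=$(pasv_port "$reply") || return 2
    [ "$host" = "$expected_host" ] || return 3
    [ "$port" -ge "$PASSIVE_LOW" ] && [ "$port" -le "$PASSIVE_HIGH" ] || return 4
}

# Stand-alone run: sh pasv_check.sh demo
if [ "${1:-}" = demo ]; then
    r='227 Entering Passive Mode (192,0,2,10,234,96)'
    pasv_check "$r" 192.0.2.10 &&
        echo "ok: $(pasv_host "$r"):$(pasv_port "$r") is inside $PASSIVE_LOW-$PASSIVE_HIGH"
fi
```

A port outside the range (return 4) is exactly the case where a client's `ls` hangs against the DROP rule, while an address mismatch (return 3) means the server is advertising an internal IP and needs the NAT directives from the howto rather than a firewall change.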

----------

## ferreirafm

Excellent review!

----------

