Ftp – How to use nftables with passive FTP

ftplinux-networkingnftablespassive

Below are rules for allowing passive FTP that are not working.

/proc/sys/net/netfilter/nf_conntrack_helper is set to 1

The nf_conntrack_ftp module is loaded.

What could be blocking it? Do I really need the counter? Do I really need the tcp dport 1024-65535 line if I already am allowing established related connections with the ct state established,related accept line?

table inet myhelpers {
        ct helper ftp-standard {
                type "ftp" protocol tcp
        }
    chain input {
                type filter hook prerouting priority 0;
                tcp dport 21 ct helper set "ftp-standard"
        }
}
table inet filter {
        chain input {
                type filter hook input priority 0; policy drop;


                ct state established,related accept

                # passive FTP
                tcp dport 21 ct state established,new counter accept
                tcp dport 20 ct state established,related counter accept
                tcp dport 1024-65535 ct state established,related counter accept

        }
}

Best Answer

Thanks for your answer, A.B. You are right. There is something else. I was testing FTP with TLS and in TLS, the control connection is encrypted, so the firewall can't know what passive port the server is offering up. I have to specify that. Once I did that, it started working.

Related Solutions

Iptables – ftp tls firewalled :(

In Passive mode, when the client wants to get a file from the server or send a file to the server, the FTP server will pick a random port and send that port to the FTP client.

When you're not using encryption, a properly configured firewall (using the ip_conntrack_ftp helper kernel module, which may be what you're missing for non-TLS connections) would "listen in" on the connection and mark these connections as RELATED. With encryption the firewall can't listen in.

The quick and dirty solution to this is to configure the FTP server to choose a small range of ports for passive connections, and then allow access to all of these ports. For instance, in vsftpd:

pasv_min_port=12000
pasv_max_port=12049

Then in iptables:

iptables -A INPUT -p tcp -m tcp -i eth0 --dport 12000:12049 -j ACCEPT

Allowing anyone to access these ports opens one possible exploit: if someone were to be scanning them over and over they might get lucky and be able to "beat" the real user to the data port and grab the file. Ideally your FTP server would check and make sure the connection is coming from the same place as the original connection, but thanks to things like "FXP" (transferring files from one server to another server by convincing one to make an active connection to the other's passive data port) some servers don't check the connection by default. You should check your configuration file and see if there is an option to disable FXP, and use it. (vsftpd calls this "promiscuous" and is disabled by default.)

Centos – FTP not showing files or directories

Per the comments, disabling SELinux seems to have solved the problem. I would suggest to now:

Turn it back on with setenforce 1.
Use ls -Z /path/to/ftp/home/folder to check the context of the directory you're trying to FTP into, and see if the context is "public_content_t"
If not, use restorecon(8) to fix incorrect context, e.g. restorecon -R /path/to/ftp/home/folder

Best Answer

Related Solutions

Iptables – ftp tls firewalled :(

Centos – FTP not showing files or directories

Related Topic