Ftp – ProFTPD and firewall configuration for PassivePorts

Tags: ftp, port, proftpd, ubuntu-14.04

I use ProFTPD on my server, and when I try to connect to my server with FileZilla or WinSCP, I get this error:

Command: MLSD
Error:   Connection timed out
Error:   Failed to retrieve directory listing

My firewall configuration (/etc/init.d/firewall) is:

#!/bin/sh

sudo iptables -t filter -F
sudo iptables -t filter -X

sudo iptables -t filter -P INPUT DROP
sudo iptables -t filter -P FORWARD DROP
sudo iptables -t filter -P OUTPUT DROP

sudo iptables -A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
sudo iptables -A OUTPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
sudo iptables -t filter -A INPUT -i lo -j ACCEPT
sudo iptables -t filter -A OUTPUT -o lo -j ACCEPT

# ICMP (Ping)
sudo iptables -t filter -A INPUT -p icmp -j ACCEPT
sudo iptables -t filter -A OUTPUT -p icmp -j ACCEPT

# SSH
sudo iptables -t filter -A INPUT -p tcp --dport 3636 -j ACCEPT
sudo iptables -t filter -A OUTPUT -p tcp --dport 3636 -j ACCEPT
sudo iptables -t filter -A INPUT -p tcp --dport 22 -j ACCEPT
sudo iptables -t filter -A OUTPUT -p tcp --dport 22 -j ACCEPT

# DNS
sudo iptables -t filter -A OUTPUT -p tcp --dport 53 -j ACCEPT
sudo iptables -t filter -A OUTPUT -p udp --dport 53 -j ACCEPT
sudo iptables -t filter -A INPUT -p tcp --dport 53 -j ACCEPT
sudo iptables -t filter -A INPUT -p udp --dport 53 -j ACCEPT

# HTTP
sudo iptables -t filter -A OUTPUT -p tcp --dport 80 -j ACCEPT
sudo iptables -t filter -A INPUT -p tcp --dport 80 -j ACCEPT

# FTP
sudo iptables -t filter -A OUTPUT -p tcp --dport 20:21 -j ACCEPT
sudo iptables -t filter -A INPUT -p tcp --dport 20:21 -j ACCEPT

# Mail SMTP
sudo iptables -t filter -A INPUT -p tcp --dport 25 -j ACCEPT
sudo iptables -t filter -A OUTPUT -p tcp --dport 25 -j ACCEPT

# Mail POP3
sudo iptables -t filter -A INPUT -p tcp --dport 110 -j ACCEPT
sudo iptables -t filter -A OUTPUT -p tcp --dport 110 -j ACCEPT

# Mail IMAP
sudo iptables -t filter -A INPUT -p tcp --dport 143 -j ACCEPT
sudo iptables -t filter -A OUTPUT -p tcp --dport 143 -j ACCEPT

# NTP
sudo iptables -t filter -A OUTPUT -p udp --dport 123 -j ACCEPT

iptables -A FORWARD -p udp -m limit --limit 1/second -j ACCEPT
iptables -A FORWARD -p icmp --icmp-type echo-request -m limit --limit 1/second -j ACCEPT

iptables -A FORWARD -p tcp --tcp-flags SYN,ACK,FIN,RST RST -m limit --limit 1/s -j ACCEPT

Do you have a solution, please? Thanks.

Best Answer

Your packet filter configuration is a mess. Basically, you should set the OUTPUT chain to pass everything (unless you want to filter outgoing traffic initiated from your host) by setting its policy to PASS, and then filter incoming connections using only the INPUT chain (keeping in mind that you already added the established rule), allowing what you need. This way your host will be able to communicate with the outer world however it decides, and the outer world will be able to communicate with the ports you allow in INPUT. The only exception will be the UDP rules, for which you will need to allow the incoming part.

As for passive/active FTP mode: in order to allow DATA traffic to pass, you should allow in the INPUT chain the PassivePorts range from proftpd.conf (this way passive FTP will work), and active FTP will work just fine using the OUTPUT pass policy.
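The answer's advice in checkable form, as an added example that is neither the asker's script nor the answerer's: a POSIX sh script that reads the PassivePorts line from a proftpd.conf, validates the range, and prints the matching INPUT rules together with the open OUTPUT policy (iptables spells the pass policy ACCEPT). The config path argument and the 50000-50100 range in the constructed sample config are assumptions.

```shell
#!/bin/sh
# Added example: derive the INPUT rules the answer describes from the
# PassivePorts directive in a proftpd.conf and print them (nothing is applied).
# Assumptions: the config path is $1, the FTP control port is 21, and the
# sample range 50000-50100 below is constructed for this demonstration.

# Extract "PassivePorts LOW HIGH" from the config and print it as "LOW:HIGH",
# the form iptables --dport expects for a range.
passive_range() {
    awk 'tolower($1)=="passiveports" && NF>=3 {print $2":"$3; exit}' "$1"
}

# Sanity-check a LOW:HIGH range: numeric, ordered, and in the unprivileged
# port space (a typo here silently breaks every passive data connection).
valid_range() {
    low=${1%%:*}; high=${1##*:}
    case "$low$high" in *[!0-9]*|"") return 1;; esac
    [ "$low" -ge 1024 ] && [ "$high" -le 65535 ] && [ "$low" -le "$high" ]
}

# Print the rules: OUTPUT left open, INPUT accepts established traffic, the
# control port, and new connections into the passive data range. The kernel
# FTP conntrack helper is deliberately not relied on here.
ftp_rules() {
    range=$(passive_range "$1") || return 1
    valid_range "$range" || { echo "bad or missing PassivePorts in $1" >&2; return 1; }
    cat <<EOF
iptables -P OUTPUT ACCEPT
iptables -A INPUT -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
iptables -A INPUT -p tcp --dport 21 -m conntrack --ctstate NEW -j ACCEPT
iptables -A INPUT -p tcp --dport $range -m conntrack --ctstate NEW -j ACCEPT
EOF
}

# Constructed sample proftpd.conf so the script runs stand-alone.
SAMPLE_CONF=$(mktemp)
printf 'ServerName "Demo"\nPassivePorts 50000 50100\n' > "$SAMPLE_CONF"
ftp_rules "$SAMPLE_CONF"
rm -f "$SAMPLE_CONF"
```

Replace the printed range with the PassivePorts line actually set in /etc/proftpd/proftpd.conf; a mismatch between the two is exactly what produces the MLSD timeout shown in the question.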