I'm running pure-ftpd with TLS support; everything works fine until I enable iptables. With iptables enabled I can connect to the FTP server but can't get a file list.
The ip_conntrack_ftp module is enabled, and this is my rule set for ftps:
*filter
:INPUT ACCEPT [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
:RH-Firewall-1-INPUT - [0:0]
-A INPUT -j RH-Firewall-1-INPUT
-A FORWARD -j RH-Firewall-1-INPUT
-A RH-Firewall-1-INPUT -i lo -j ACCEPT
-A RH-Firewall-1-INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
-A RH-Firewall-1-INPUT -m state --state NEW -m tcp -p tcp --dport 20 -j ACCEPT
-A RH-Firewall-1-INPUT -m state --state NEW -m tcp -p tcp --dport 21 -j ACCEPT
-A RH-Firewall-1-INPUT -m state --state NEW -m tcp -p tcp --dport 989 -j ACCEPT
-A RH-Firewall-1-INPUT -m state --state NEW -m tcp -p tcp --dport 990 -j ACCEPT
Best Answer
FTP in passive mode involves the client making a second data connection to the server on a port number indicated in the control connection on port 21. The conntrack module sniffs the control connection and detects the port number of the data connection, and then treats the incoming data connection as RELATED, which would usually be accepted by this rule:
When the control connection is encrypted, however, the conntrack module can't detect the port number and so the incoming connection is not accepted. The solution is to configure your FTP server with a range of ports to use in passive mode (PassivePortRange, as @cyberx86 mentioned) and configure the firewall to accept all incoming connections to that range, for example:
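To make the mechanism in the answer concrete, here is an added example (not from the answer or from pure-ftpd) that parses the cleartext PASV/EPSV replies the conntrack FTP helper relies on, and builds the iptables rule for a static passive range in the same chain style as the question; the range 50000-50100 and the sample replies are constructed values.

```python
import re

# A 227 reply encodes host and port as h1,h2,h3,h4,p1,p2 with port = p1*256 + p2.
PASV_RE = re.compile(r"^227 .*?\((\d+),(\d+),(\d+),(\d+),(\d+),(\d+)\)")
# A 229 (EPSV) reply carries only the port: (|||port|)
EPSV_RE = re.compile(r"^229 .*?\(\|\|\|(\d+)\|\)")

def passive_port(reply):
    """Return (host, port) announced by a PASV reply, or (None, port) for EPSV.

    This is exactly what the kernel FTP helper reads off the control
    connection to mark the data connection RELATED. Under TLS the reply is
    ciphertext on the wire, so the helper has nothing to parse.
    """
    m = PASV_RE.match(reply)
    if m:
        h1, h2, h3, h4, p1, p2 = map(int, m.groups())
        return f"{h1}.{h2}.{h3}.{h4}", p1 * 256 + p2
    m = EPSV_RE.match(reply)
    if m:
        return None, int(m.group(1))
    raise ValueError(f"not a passive-mode reply: {reply!r}")

def rule_for_range(low, high, chain="RH-Firewall-1-INPUT"):
    """Emit the iptables rule that opens a static passive range (assumed values)."""
    if not (1024 <= low <= high <= 65535):
        raise ValueError(f"bad passive range {low}-{high}")
    return (f"-A {chain} -m state --state NEW -m tcp -p tcp "
            f"--dport {low}:{high} -j ACCEPT")

def admitted(port, low, high):
    """Would the data connection reach the server once the range rule is in place?"""
    return low <= port <= high

if __name__ == "__main__":
    # Constructed sample replies, as a client would see them on a cleartext control channel.
    print(passive_port("227 Entering Passive Mode (192,0,2,10,195,80)"))
    print(passive_port("229 Entering Extended Passive Mode (|||50010|)"))
    print(rule_for_range(50000, 50100))
```

If pure-ftpd is configured with PassivePortRange matching the rule's range, every announced port is admitted by the rule alone, and conntrack no longer needs to see the control channel.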