There’s lots of advice on the net about how to set up a server with iptables to allow passive mode FTP. Below is the approach that we’ve found to be most effective.
Start by configuring your FTP daemon to use a fixed range of ports. We use 41361 to 65534 which is the IANA registered ephemeral port range. The exact config depends on what FTP software you’re using:
vsftpd
Edit /etc/vsftpd/vsftpd.conf and add the following lines:
pasv_min_port=49152
pasv_max_port=65534
proftpd
Edit /etc/proftpd.conf and add to the Global section:
<Global>
...
PassivePorts 49152 65534
</Global>
Now restart your FTP service so the changes take effect.
Next you’ll need to configure the ip_conntrack_ftp iptables module to load. On Redhat/CentOS just edit /etc/sysconfig/iptables-config and add “ip_conntrack_ftp” to IPTABLES_MODULES like this:
IPTABLES_MODULES="ip_conntrack_ftp"
Now restart the iptables service:
/sbin/service iptables restart
You can verify that the module has loaded with lsmod like this:
lsmod | grep conntrack_ftp
and you’ll get something like this:
ip_conntrack_ftp        41361  0
ip_conntrack            91621  2 ip_conntrack_ftp,xt_state
And that’s all it takes to get passive mode FTP working behind iptables.
One extra note: if your server is NATed behind a physical firewall then you’ll probably need to load the “ip_nat_ftp” iptables module as well.
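As an added example that is not part of the original post, here is a POSIX sh script that checks the two things this setup depends on: that the FTP daemon has a sane passive range configured (in either vsftpd or proftpd syntax), and that the conntrack FTP helper is loaded so the data connections in that range are admitted as RELATED instead of the whole range having to be opened statically. The function names and the sample config and lsmod text are my own constructions, not from the post; on a real host you would feed it the actual files.

```shell
#!/bin/sh
# Added example, not from the original post: sanity-check the passive port range
# and the conntrack FTP helper against constructed sample inputs (runs offline).

# Constructed stand-in for /etc/vsftpd/vsftpd.conf
SAMPLE_VSFTPD='pasv_enable=YES
pasv_min_port=49152
pasv_max_port=65534'

# Constructed stand-in for the Global section of /etc/proftpd.conf
SAMPLE_PROFTPD='<Global>
  PassivePorts 49152 65534
</Global>'

# Constructed stand-in for the output of `lsmod | grep conntrack_ftp`
SAMPLE_LSMOD='ip_conntrack_ftp 41361 0
ip_conntrack 91621 2 ip_conntrack_ftp,xt_state'

# pasv_range CONFIG_TEXT: print "MIN MAX" from either vsftpd (pasv_min_port=/
# pasv_max_port=) or proftpd (PassivePorts MIN MAX) syntax. Fails if the range is
# missing, inverted, or reaches into the privileged ports below 1024.
pasv_range() {
    min=$(printf '%s\n' "$1" | sed -n 's/^pasv_min_port=\([0-9]*\)$/\1/p')
    max=$(printf '%s\n' "$1" | sed -n 's/^pasv_max_port=\([0-9]*\)$/\1/p')
    if [ -z "$min" ]; then
        set -- $(printf '%s\n' "$1" | sed -n \
            's/^[[:space:]]*PassivePorts[[:space:]][[:space:]]*\([0-9]*\)[[:space:]][[:space:]]*\([0-9]*\).*/\1 \2/p')
        min=$1; max=$2
    fi
    [ -n "$min" ] && [ -n "$max" ] || return 1
    [ "$min" -ge 1024 ] && [ "$max" -le 65535 ] && [ "$min" -le "$max" ] || return 1
    printf '%s %s\n' "$min" "$max"
}

# helper_loaded LSMOD_TEXT: succeed if the FTP conntrack helper is present. The
# module is ip_conntrack_ftp on old kernels and nf_conntrack_ftp on newer ones.
helper_loaded() {
    printf '%s\n' "$1" | grep -Eq '^(ip|nf)_conntrack_ftp[[:space:]]'
}

# check_setup CONFIG_TEXT LSMOD_TEXT: passive data connections are only admitted
# as RELATED by a stateful rule when both the range and the helper are in place.
check_setup() {
    range=$(pasv_range "$1") || { echo "FAIL: no valid passive port range"; return 1; }
    helper_loaded "$2" || { echo "FAIL: range $range set but FTP conntrack helper not loaded"; return 1; }
    echo "OK: passive range $range will be tracked by the FTP conntrack helper"
}

check_setup "$SAMPLE_VSFTPD" "$SAMPLE_LSMOD"
```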