• Status: Solved
  • Priority: Medium
  • Security: Public
  • Views: 2081

IPTABLES FTP SSL Configuration

Hi,
Our sysadmin has given up on me so I thought I'd ask here....

We want an implicit FTP SSL setup. We have an FTP server running behind an IPTABLES firewall. The FTP server is running implicit FTP SSL/TLS on port 990 - on a Windows 2003 server.

The setup works fine behind the firewall (with passive FTP connections), but as soon as we are on the other side of the firewall, we have problems. The client connects to port 990 OK, sends userid and password and connects fine. Then the client switches to passive mode (with the right external IP of the firewall), tries to do a LIST and stops/hangs, i.e.:

Command:      TYPE A
Response:      200 Type set to A
Command:      PASV
Response:      227 Entering Passive Mode (192,168,0,101,7,43)
Command:      LIST
Error:      Could not retrieve directory listing

We had Passive FTP working fine with IPTABLES on port 21, but god knows why, this doesn't work.

Can someone provide command-by-command IPTABLES configs for this? I presume it is possible.

Many thanks
0
Asked by: ctudorprice

1 Solution
Cyclops3590 commented:
What else changed?
I assume that you use iptables to either allow or port-forward the ports to the right PC. Either way, which ports is your FTP server set up to use for passive FTP? You need to allow or forward those ports on.

Can you give me any clue as to your current iptables rules associated with FTP (sanitized, of course)?
0
 
ctudorprice (Author) commented:
Thanks - I'll give you the points so I can close this.
Basically, all we needed to do was open a port range on the IPTABLES NAT/firewall and forward it to the FTP server machine, and designate a matching, fixed passive FTP port range on the FTP server. For whatever reason, and I don't much care why now that it's working, the same config we had for port 21 and passive FTP didn't translate/work for port 990 - maybe because the packets are encrypted??? Anyway, dunno.
It works now...
Thanks
0
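The fix the author describes, written out as an added example that is not from the thread: a dry-run script that prints the iptables DNAT and FORWARD rules for the implicit-FTPS control port and a fixed passive data-port range, so they can be reviewed before being applied. The WAN interface name, the server address and the passive range are assumptions. The reason the port-21 rules did not carry over is that the conntrack FTP helper, which reads PASV replies on plain FTP and opens the data connection automatically, cannot see them inside TLS, so the data ports have to be opened statically and must match the range configured on the server.

```bash
#!/bin/sh
# Added example, not the thread's own configuration.
# Assumptions: WAN interface eth0, internal FTP server 192.168.0.101 (the
# address seen in the PASV reply), passive range 50000-50100 configured
# identically on the FTP server. Override via environment variables.
WAN_IF="${WAN_IF:-eth0}"
FTP_SERVER="${FTP_SERVER:-192.168.0.101}"
PASV_FIRST="${PASV_FIRST:-50000}"
PASV_LAST="${PASV_LAST:-50100}"

# Print the rules, one per line, without executing them.
ftps_rules() {
    wan="$1"; srv="$2"; first="$3"; last="$4"
    # Control channel: implicit TLS on 990, forwarded to the server.
    echo "-t nat -A PREROUTING -i $wan -p tcp --dport 990 -j DNAT --to-destination $srv:990"
    echo "-A FORWARD -i $wan -p tcp -d $srv --dport 990 -m conntrack --ctstate NEW,ESTABLISHED -j ACCEPT"
    # Passive data channel: the fixed range the server advertises in PASV.
    # No port in --to-destination, so each port maps to the same port inside.
    echo "-t nat -A PREROUTING -i $wan -p tcp --dport $first:$last -j DNAT --to-destination $srv"
    echo "-A FORWARD -i $wan -p tcp -d $srv --dport $first:$last -m conntrack --ctstate NEW,ESTABLISHED -j ACCEPT"
    # Replies from the server back out through the WAN interface.
    echo "-A FORWARD -o $wan -p tcp -s $srv -m conntrack --ctstate ESTABLISHED -j ACCEPT"
}

# Refuse ranges that are inverted, in the privileged range, or so wide
# that a typo would expose a large span of ports.
check_range() {
    [ "$1" -ge 1024 ] && [ "$2" -le 65535 ] && [ "$1" -le "$2" ] \
        && [ $(( $2 - $1 )) -le 1000 ]
}

# Dry-run by default (prints "iptables ..."); set IPTABLES=iptables to apply.
apply_ftps_rules() {
    check_range "$PASV_FIRST" "$PASV_LAST" || { echo "bad passive range" >&2; return 1; }
    ftps_rules "$WAN_IF" "$FTP_SERVER" "$PASV_FIRST" "$PASV_LAST" | while read -r rule; do
        # shellcheck disable=SC2086
        ${IPTABLES:-echo iptables} $rule
    done
}
```

Run it once with no variables set to review the rule list, then again with `IPTABLES=iptables` as root to apply; the passive range must be the same one fixed in the FTP server's configuration.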
 
Cyclops3590 commented:
Shouldn't really matter, as iptables doesn't do packet inspection like some other firewalls do; it's purely port based (that I've ever seen, anyway).
0
 
ctudorprice (Author) commented:
Um, sorry - I should be more grateful. We had actually figured it out and I forgot to delete the question. But you were absolutely right - that was all we needed to do: open some ports up unconditionally on the IPTABLES and set up the FTP server to use the same ports for passive FTP.
Thanks.
0
 
ctudorprice (Author) commented:
Re "shouldn't really matter": that's what our sysadmin guy thought too, and he couldn't see packets being rejected in the logs when the passive connects weren't working. Mystery.
0
 
Cyclops3590 commented:
Just in case that arises again, using Ethereal on the source and destination you are using can help find which packets are being sent, received, or not received. That can sometimes help as well in pinpointing the problem.
0