IPTABLES FTP SSL Configuration

Posted on 2006-06-06
Last Modified: 2010-04-22
Our sysadmin has given up on me so I thought I'd ask here....

We want an implicit FTP SSL setup. We have an FTP server running behind an IPTABLES firewall. The FTP server is running implicit FTP SSL/TLS on port 990 - on a Windows 2003 server.

The setup works fine behind the firewall (with passive FTP connections) but as soon as we are on the other side of the firewall, we have problems. The client connects to port 990 ok, sends userid and password and connects fine. Then the client switches to Passive mode (with the right external IP of the firewall) and tries to do a LIST and stops/hangs. i.e.:

Command:      TYPE A
Response:      200 Type set to A
Command:      PASV
Response:      227 Entering Passive Mode (192,168,0,101,7,43)
Command:      LIST
Error:      Could not retrieve directory listing

We had Passive FTP working fine with IPTABLES on port 21, but god knows why, this doesn't work.

Can someone provide command-by-command IPTABLES configs for this? I presume it is possible.

Many thanks
Question by: ctudorprice

    Accepted Solution

    what else changed?
    I assume that you use iptables to either allow or port-forward the ports to the right pc.  Either way, which ports is your ftp server set up to use for passive ftp?  You need to allow or forward those ports on.

    can you give me any clue as to your current iptables rules associated with ftp (sanitized of course)

    Author Comment

    Thanks - I'll give you the points so I can close this.
    Basically, all we needed to do was open a port range on the IPTABLES NAT/Firewall and forward them to the FTP server machine and designate a matching and fixed passive FTP port range on the FTP Server. For whatever reason, and I don't much care why now that it's working, the same config we had for port 21 and passive ftp didn't translate/work for port 990 - maybe because the packets are encrypted??? Anyway, dunno.
    It works now...

    Expert Comment

    shouldn't really matter as iptables doesn't do packet inspection like some other firewalls do, it's purely port-based (that I've ever seen anyway)

    Author Comment

    Um, sorry - I should be more grateful. We had actually figured it out and I forgot to delete the question. But you were absolutely right - that was all we needed to do. Open some ports up unconditionally on the IPTABLES and set up the FTP server to use the same ports for Passive FTP.
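Added example, not code from the thread: a small POSIX shell helper that prints the iptables NAT and FORWARD rules matching the fix described above (forward port 990 plus a fixed passive range to the FTP server, and configure the same range on the server). The WAN interface eth0, the server address 192.168.0.101 and the range 50000-50100 are hypothetical values. The reason the port-21 rules did not carry over is that with TLS on the control channel the kernel's FTP connection-tracking helper cannot read the PASV reply, so the data ports cannot be opened on demand and must be forwarded statically; the server must also advertise the firewall's external address in its PASV reply, since iptables cannot rewrite an encrypted reply.

```shell
#!/bin/sh
# Added example (not from the original thread). Prints iptables rules that statically
# NAT/forward implicit FTPS (control on 990 plus a fixed passive data range) to an
# internal server. Hypothetical values: WAN interface eth0, server 192.168.0.101,
# passive range 50000-50100 (the same range must be configured on the FTP server).
# With TLS on the control channel the nf_conntrack_ftp helper cannot parse the PASV
# reply, so the data ports must be forwarded explicitly instead of on demand.

# Usage: ftps_rules WAN_IF SERVER_IP PASV_MIN PASV_MAX   (prints rules; apply with "... | sh" as root)
ftps_rules() {
    wan_if=$1; server=$2; pmin=$3; pmax=$4
    # Sanity checks: a mistyped range would silently expose far more than intended.
    case "$pmin:$pmax" in *[!0-9:]*|:*|*:) echo "non-numeric or missing port" >&2; return 1 ;; esac
    [ "$pmin" -le "$pmax" ] && [ "$pmax" -le 65535 ] || { echo "bad port range" >&2; return 1; }
    [ $((pmax - pmin)) -le 1000 ] || { echo "range wider than 1000 ports" >&2; return 1; }
    cat <<EOF
# Translate the control connection and the passive data range to the internal host
iptables -t nat -A PREROUTING -i $wan_if -p tcp --dport 990 -j DNAT --to-destination $server:990
iptables -t nat -A PREROUTING -i $wan_if -p tcp --dport $pmin:$pmax -j DNAT --to-destination $server
# Only new connections to those ports may cross the firewall (assumes FORWARD policy DROP)
iptables -A FORWARD -i $wan_if -p tcp -d $server --dport 990 -m state --state NEW -j ACCEPT
iptables -A FORWARD -i $wan_if -p tcp -d $server --dport $pmin:$pmax -m state --state NEW -j ACCEPT
iptables -A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT
EOF
}

# Number of rule lines the helper emits (comment lines excluded), for a quick self-check.
ftps_rule_count() {
    ftps_rules "$@" | grep -c '^iptables'
}

# Stand-alone run: show the rules for the hypothetical values above.
ftps_rules eth0 192.168.0.101 50000 50100
```

Review the printed rules before piping them to sh; the helper deliberately refuses ranges that are reversed, non-numeric, above 65535 or wider than 1000 ports.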

    Author Comment

    re shouldn't really matter: that's what our sysadmin guy thought too and he couldn't see packets being rejected in the logs when the passive connects weren't working. mystery.

    Expert Comment

    just in case that arises again, using ethereal on the source and destination you are using can help find which packets are being sent, received, or not received.  That can sometimes help as well in pinpointing the problem
