IPTABLES FTP SSL Configuration

Our sysadmin has given up on me so I thought I'd ask here....

We want an implicit FTP SSL setup. We have an FTP server running behind an IPTABLES firewall. The FTP server is running implicit FTP SSL/TLS on port 990 - on a Windows 2003 server.

The setup works fine behind the firewall (with passive FTP connections) but as soon as we are on the other side of the firewall, we have problems. The client connects to port 990 ok, sends userid and password and connects fine. Then the client switches to Passive mode (with the right external IP of the firewall) and tries to do a LIST and stops/hangs. i.e.:

Command:      TYPE A
Response:      200 Type set to A
Command:      PASV
Response:      227 Entering Passive Mode (192,168,0,101,7,43)
Command:      LIST
Error:      Could not retrieve directory listing

We had Passive FTP working fine with IPTABLES on port 21, but god knows why, this doesn't work.

Can someone provide command-by-command IPTABLES configs for this? I presume it is possible.

Many thanks
Cyclops3590 Commented:
what else changed?
I assume that you use iptables to either allow or port-forward the ports to the right PC. Either way, which ports is your FTP server set up to use for passive FTP? You need to allow or forward those ports on.

can you give me any clue as to your current iptables rules associated with ftp (sanitized of course)
ctudorprice (Author) Commented:
Thanks - I'll give you the points so I can close this.
Basically, all we needed to do was open a port range on the IPTABLES NAT/Firewall and forward them to the FTP server machine and designate a matching and fixed passive FTP port range on the FTP Server. For whatever reason, and I don't much care why now that it's working, the same config we had for port 21 and passive ftp didn't translate/work for port 990 - maybe because the packets are encrypted??? Anyway, dunno.
It works now...
Shouldn't really matter, as iptables doesn't do packet inspection like some other firewalls do; it's purely port-based (that I've ever seen, anyway).
ctudorprice (Author) Commented:
Um, sorry - I should be more grateful. We had actually figured it out and I forgot to delete the question. But you were absolutely right - that was all we needed to do. Open some ports up unconditionally on the IPTABLES and set up the FTP server to use the same ports for Passive FTP.
ctudorprice (Author) Commented:
re shouldn't really matter: that's what our sysadmin guy thought too and he couldn't see packets being rejected in the logs when the passive connects weren't working. mystery.
Just in case that arises again, using Ethereal on the source and destination you are using can help find which packets are being sent, received, or not received. That can sometimes help as well in pinpointing the problem.
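The rule set the accepted answer describes (forward the 990 control port plus a fixed passive range to the internal server, and configure the server to use that same range), written out as an added example that is not from the thread. It also states the reason the port-21 configuration did not carry over: the kernel's FTP connection-tracking helper reads PASV replies on a plaintext control channel and opens the data ports on the fly, but it cannot parse a TLS-encrypted control channel, so on 990 the data range must be opened explicitly. The WAN interface, passive range and the DRY_RUN/preview mechanics are assumptions; the server address is the one from the PASV reply in the question.

```bash
#!/bin/sh
# Added example (not from the original thread): NAT/firewall rules for an
# implicit-FTPS server behind iptables. The FTP server itself must advertise
# the firewall's public IP in PASV replies and use the same passive range.
# Interface, passive range and file name are assumptions/placeholders.
WAN_IF="${WAN_IF:-eth0}"
FTP_SERVER="${FTP_SERVER:-192.168.0.101}"   # internal server, from the PASV reply above
PASV_RANGE="${PASV_RANGE:-50000:50100}"     # constructed range; match it on the server
DRY_RUN="${DRY_RUN:-}"                      # set to 1 to print rules instead of applying

run() {
    if [ -n "$DRY_RUN" ]; then echo "iptables $*"; else iptables "$@"; fi
}

ftps_rules() {
    # Control channel: DNAT 990 to the server and allow the forwarded flow.
    run -t nat -A PREROUTING -i "$WAN_IF" -p tcp --dport 990 -j DNAT --to-destination "$FTP_SERVER"
    run -A FORWARD -i "$WAN_IF" -p tcp -d "$FTP_SERVER" --dport 990 -m state --state NEW,ESTABLISHED -j ACCEPT
    # Passive data channels: the control channel is encrypted, so the FTP
    # conntrack helper cannot read the PASV reply and open these as RELATED.
    # Forward the fixed range explicitly instead.
    run -t nat -A PREROUTING -i "$WAN_IF" -p tcp --dport "$PASV_RANGE" -j DNAT --to-destination "$FTP_SERVER"
    run -A FORWARD -i "$WAN_IF" -p tcp -d "$FTP_SERVER" --dport "$PASV_RANGE" -m state --state NEW,ESTABLISHED -j ACCEPT
    # Return traffic from the server back out to the client.
    run -A FORWARD -o "$WAN_IF" -p tcp -s "$FTP_SERVER" -m state --state ESTABLISHED,RELATED -j ACCEPT
}

# Sanity check: number of rules that reference the passive range (expect 2).
pasv_rule_count() {
    ( DRY_RUN=1; ftps_rules ) | grep -c -- "--dport $PASV_RANGE"
}

# sh ftps-nat.sh preview   -> print the rules
# sh ftps-nat.sh apply     -> install them (run as root on the firewall)
case "${1:-}" in
    preview) DRY_RUN=1; ftps_rules ;;
    apply)   ftps_rules ;;
esac
```

After applying, confirm with `iptables -t nat -L PREROUTING -n` and `iptables -L FORWARD -n` that both the 990 rule and the range rule are present, then retry the LIST from outside.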