Problem with ftp server on CentOS 6.9

Daniele Brunengo
Hello, so I've been trying to fiddle with iptables for my web server. Everything is working except for passive ftp and I can't seem to get it right.

Here are my iptables rules:

-A INPUT -i lo -j ACCEPT 
-A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT 
-A INPUT -p tcp -m tcp --dport 22 -m state --state NEW,ESTABLISHED -j ACCEPT 
-A INPUT -p tcp -m tcp --dport 80 -m state --state NEW,ESTABLISHED -j ACCEPT 
-A INPUT -p tcp -m tcp --dport 443 -m state --state NEW,ESTABLISHED -j ACCEPT 
-A INPUT -p tcp -m tcp --dport 21 -m conntrack --ctstate NEW,ESTABLISHED -j ACCEPT 
-A INPUT -p tcp -m tcp --dport 20 -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT 
-A INPUT -p tcp -m tcp --sport 1024:65535 --dport 1024:65535 -m conntrack --ctstate ESTABLISHED -j ACCEPT 
-A INPUT -j DROP 
COMMIT

I have the line IPTABLES_MODULES="nf_conntrack_ftp" in iptables-config

Anyway, all ftp users aren't able to connect (they are if I disable iptables).
To put it better, they do connect but then they can never reach their root directory and they get an error saying the / directory couldn't be found.

So there must be something wrong in my IPTABLES, but I can't find it for the life of me. I've followed every guide I found and I can't find my mistake.

Can you guys lend a hand?
noci, Software Engineer
Distinguished Expert 2018

Commented:
These rules are not helpful...
-A INPUT -p tcp -m tcp --dport 20 -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
-A INPUT -p tcp -m tcp --sport 1024:65535 --dport 1024:65535 -m conntrack --ctstate ESTABLISHED -j ACCEPT

The 2nd rule handles those cases.
For all rules having NEW,ESTABLISHED, remove the ESTABLISHED.
Also, better to consistently use either -m state or -m conntrack.

-A INPUT -i lo -j ACCEPT 
-A INPUT -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT 
-A INPUT -p tcp -m tcp --dport 22 -m conntrack --ctstate NEW -j ACCEPT 
-A INPUT -p tcp -m tcp --dport 80 -m conntrack --ctstate NEW -j ACCEPT 
-A INPUT -p tcp -m tcp --dport 443 -m conntrack --ctstate NEW -j ACCEPT 
-A INPUT -p tcp -m tcp --dport 21 -m conntrack --ctstate NEW -j ACCEPT 
-A INPUT -j DROP 
COMMIT

This should be sufficient for accessing the FTP server ON the server having the iptables rules.
If you need to access a system behind this system then you need to add the rules to FORWARD...

-A FORWARD -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT 
-A FORWARD -p tcp -m tcp --dport 22 -m conntrack --ctstate NEW -j ACCEPT 
-A FORWARD -p tcp -m tcp --dport 80 -m conntrack --ctstate NEW -j ACCEPT 
-A FORWARD -p tcp -m tcp --dport 443 -m conntrack --ctstate NEW -j ACCEPT 
-A FORWARD -p tcp -m tcp --dport 21 -m conntrack --ctstate NEW -j ACCEPT 
-A FORWARD -j DROP 
-A INPUT -i lo -j ACCEPT 
-A INPUT -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT 
-A INPUT -p tcp -m tcp --dport 22 -m conntrack --ctstate NEW -j ACCEPT 
-A INPUT -j DROP 
COMMIT

What are the defaults for INPUT,OUTPUT,FORWARD?
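The reply above makes three mechanical points about the ruleset: a later rule that only matches RELATED/ESTABLISHED is dead once an earlier catch-all accepts those states, ESTABLISHED in a NEW,ESTABLISHED rule is redundant for the same reason, and mixing -m state with -m conntrack is untidy. The following script is an added example, not code from the thread or from either participant; it lints an iptables-save style INPUT chain for exactly those three points and emits the trimmed ruleset. The sample ruleset is the asker's, embedded inline as a constructed input so the script runs offline; the "catch-all" definition (a state-only ACCEPT with no protocol or port match) is this example's own assumption.

```python
"""Lint an iptables-save ruleset for dead state rules, redundant ESTABLISHED,
and mixed match modules, then print the trimmed ruleset."""
import re
import shlex

# Constructed sample input: the asker's original INPUT chain, kept inline so
# the script runs offline.
ORIGINAL_RULES = """\
-A INPUT -i lo -j ACCEPT
-A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
-A INPUT -p tcp -m tcp --dport 22 -m state --state NEW,ESTABLISHED -j ACCEPT
-A INPUT -p tcp -m tcp --dport 80 -m state --state NEW,ESTABLISHED -j ACCEPT
-A INPUT -p tcp -m tcp --dport 443 -m state --state NEW,ESTABLISHED -j ACCEPT
-A INPUT -p tcp -m tcp --dport 21 -m conntrack --ctstate NEW,ESTABLISHED -j ACCEPT
-A INPUT -p tcp -m tcp --dport 20 -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
-A INPUT -p tcp -m tcp --sport 1024:65535 --dport 1024:65535 -m conntrack --ctstate ESTABLISHED -j ACCEPT
-A INPUT -j DROP
COMMIT
"""

TRACKED = {"RELATED", "ESTABLISHED"}


def parse_rule(line):
    """Pull the fields the checks need out of one '-A CHAIN ...' line."""
    toks = shlex.split(line)
    rule = {"chain": None, "proto": None, "dport": None, "sport": None,
            "module": None, "states": set(), "target": None, "raw": line}
    i = 0
    while i < len(toks):
        tok = toks[i]
        nxt = toks[i + 1] if i + 1 < len(toks) else None
        if tok == "-A":
            rule["chain"] = nxt
        elif tok == "-p":
            rule["proto"] = nxt
        elif tok == "--dport":
            rule["dport"] = nxt
        elif tok == "--sport":
            rule["sport"] = nxt
        elif tok == "-m" and nxt in ("state", "conntrack"):
            rule["module"] = nxt
        elif tok in ("--state", "--ctstate"):
            rule["states"] = set(nxt.split(","))
        elif tok == "-j":
            rule["target"] = nxt
        else:
            i += 1          # option we do not track (e.g. '-i lo', '-m tcp')
            continue
        i += 2
    return rule


def is_catch_all(rule):
    """Assumption used here: a state-only ACCEPT with no protocol/port match
    (the 2nd rule in the thread) accepts every RELATED/ESTABLISHED packet."""
    return (rule["target"] == "ACCEPT" and rule["proto"] is None
            and rule["dport"] is None and rule["sport"] is None
            and bool(rule["states"]) and rule["states"] <= TRACKED)


def lint(rules_text):
    """Return (code, detail) findings for the three points raised in the reply."""
    findings = []
    modules = set()
    catch_all_seen = set()   # chains that already accept RELATED,ESTABLISHED
    for line in rules_text.splitlines():
        line = line.rstrip()
        if not line.startswith("-A"):
            continue
        rule = parse_rule(line)
        if rule["module"]:
            modules.add(rule["module"])
        chain = rule["chain"]
        if chain in catch_all_seen and rule["states"]:
            if rule["states"] <= TRACKED:
                findings.append(("dead_rule", line))           # can never match
            elif "ESTABLISHED" in rule["states"]:
                findings.append(("redundant_established", line))
        if is_catch_all(rule):
            catch_all_seen.add(chain)
    if len(modules) > 1:
        findings.append(("mixed_match_modules", ",".join(sorted(modules))))
    return findings


def suggest(rules_text):
    """Rewrite the ruleset the way the reply does: drop dead rules, use one
    match module, and strip the redundant ESTABLISHED."""
    dead = {detail for code, detail in lint(rules_text) if code == "dead_rule"}
    out = []
    for line in rules_text.splitlines():
        line = line.rstrip()
        if not line or line in dead:
            continue
        line = line.replace("-m state --state", "-m conntrack --ctstate")
        line = re.sub(r"--ctstate NEW,ESTABLISHED\b", "--ctstate NEW", line)
        out.append(line)
    return out


if __name__ == "__main__":
    for code, detail in lint(ORIGINAL_RULES):
        print(f"{code:24} {detail}")
    print("\nsuggested ruleset:")
    print("\n".join(suggest(ORIGINAL_RULES)))
```

Run against the asker's chain it reports four redundant ESTABLISHED rules (ports 22, 80, 443, 21), two dead rules (the port-20 and 1024:65535 lines) and the module mix, and the suggested output is line for line the trimmed chain in the reply. To lint a live box, feed it the output of iptables-save instead of the constant.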
Daniele Brunengo, IT Consultant, Web Designer

Author

Commented:
What you're seeing up there is basically the full iptables rules. It's a web server, so I don't need forward rules. I don't filter output right now.
Daniele Brunengo, IT Consultant, Web Designer

Author

Commented:
The rules you wrote are basically the ones I started with, but they don't work. Passive FTP doesn't work at all with those rules.
Daniele Brunengo, IT Consultant, Web Designer

Author

Commented:
Ok, I solved it in a non-ideal way. It looks like the nf_conntrack_ftp module isn't working correctly.

So I changed the vsftpd.conf file adding these:

pasv_enable=YES
pasv_min_port=20137
pasv_max_port=20146
pasv_address=xxx.xxx.xxx.xxx

Then I opened those 10 ports on iptables, and now it works. I don't like it, but it works.
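Pinning the passive range in vsftpd.conf and opening it in iptables is a two-step change that is easy to get subtly wrong: the range has to be non-zero (with the default of 0 vsftpd picks any port, which is the case only the conntrack helper can handle), and the new rule has to land before the chain's final DROP, since a rule appended after it is never reached. The script below is an added example, not code from the thread or from either participant: it reads the pasv_* settings from a vsftpd.conf fragment, validates them, generates the single INPUT rule for the whole range, and inserts it in the right place. The conf text and the INPUT chain are constructed samples taken from the posts above; the address is left as the same placeholder the post uses, and the rule shape (NEW only, relying on the existing RELATED,ESTABLISHED catch-all) is this example's assumption.

```python
"""Derive and place the firewall rule for a fixed vsftpd passive port range."""

# Constructed sample: the vsftpd.conf lines from the post above, address kept
# as the post's own placeholder.
VSFTPD_CONF = """\
pasv_enable=YES
pasv_min_port=20137
pasv_max_port=20146
pasv_address=xxx.xxx.xxx.xxx
"""

# Constructed sample: a trimmed INPUT chain (the shape suggested earlier in
# the thread) that the passive range must be added to.
INPUT_CHAIN = [
    "-A INPUT -i lo -j ACCEPT",
    "-A INPUT -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT",
    "-A INPUT -p tcp -m tcp --dport 22 -m conntrack --ctstate NEW -j ACCEPT",
    "-A INPUT -p tcp -m tcp --dport 21 -m conntrack --ctstate NEW -j ACCEPT",
    "-A INPUT -j DROP",
]


def parse_vsftpd(conf_text):
    """Return a dict of key=value settings, skipping blanks and '#' comments."""
    settings = {}
    for line in conf_text.splitlines():
        line = line.strip()
        if not line or line.startswith("#") or "=" not in line:
            continue
        key, value = line.split("=", 1)
        settings[key.strip()] = value.strip()
    return settings


def passive_range(settings):
    """Validate and return (min_port, max_port) for passive mode.

    vsftpd defaults pasv_enable to YES and both port limits to 0 (any port);
    a 0 limit means there is no bounded range a firewall could open."""
    if settings.get("pasv_enable", "YES").upper() != "YES":
        raise ValueError("passive mode is disabled; no data-port range to open")
    lo = int(settings.get("pasv_min_port", "0"))
    hi = int(settings.get("pasv_max_port", "0"))
    if not (1024 <= lo <= hi <= 65535):
        raise ValueError(
            f"passive range {lo}-{hi} is not pinned to an unprivileged range; "
            "set pasv_min_port/pasv_max_port explicitly")
    return lo, hi


def port_count(lo, hi):
    """Size of the range; each passive data connection occupies one port."""
    return hi - lo + 1


def input_rule(lo, hi):
    """One rule for the whole range, NEW only: the existing RELATED,ESTABLISHED
    catch-all carries the rest of each data connection."""
    return (f"-A INPUT -p tcp -m tcp --dport {lo}:{hi} "
            f"-m conntrack --ctstate NEW -j ACCEPT")


def insert_before_drop(chain, rule):
    """Place the rule ahead of the chain's final DROP; appended after it,
    the rule would never be evaluated."""
    for i, line in enumerate(chain):
        if line.endswith("-j DROP"):
            return chain[:i] + [rule] + chain[i:]
    return chain + [rule]


def plan(conf_text, chain):
    """Whole workflow: conf -> validated range -> rule -> chain with rule placed."""
    lo, hi = passive_range(parse_vsftpd(conf_text))
    rule = input_rule(lo, hi)
    return rule, insert_before_drop(chain, rule), port_count(lo, hi)


if __name__ == "__main__":
    rule, chain, n = plan(VSFTPD_CONF, INPUT_CHAIN)
    print(f"{n} passive ports -> {rule}")
    print("\n".join(chain))
```

The port count doubles as a capacity figure: ten ports means at most ten simultaneous passive data connections, so a busier server needs a wider range. After loading the rules, `iptables -L INPUT -n --line-numbers` should show the range rule above the DROP.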
noci, Software Engineer
Distinguished Expert 2018

Commented:
Ideally you wouldn't use FTP at all. It is a protocol from the 1970s with no security,
and passwords travel en clair.

Try to move to the scp / sftp protocols, which use ssh (only need port 22).
At least everything is secure then.

FTP is one of those protocols (like telnet) that should be buried.
Daniele Brunengo, IT Consultant, Web Designer

Author

Commented:
Yes, I know, but is it possible to use SSH and restrict access to the user's home folder?
I thought not?

Obviously I use SSH when I work on it, but this is a hosting server, I've got a lot of websites on it and some users (not many) require ftp access to the server.
