I have a problem, the firewall for the ftp is stopping passive ftp from working Code: Looking up lyndsayb.co.uk Trying lyndsayb.co.uk:21 Connected to lyndsayb.co.uk:21 220 FTP Server ready. USER z 331 Password required for z. PASS xxxx 230 User z logged in. SYST 215 UNIX Type: L8 TYPE I 200 Type set to I PWD 257 "/" is current directory. Loading directory listing / from server (LC_TIME=en_GB.UTF-8) PASV 227 Entering Passive Mode (78,110,167,28,198,65). <----- ** Connection hangs here ** Ive done alot of research and ive found out that you need to load some modules into iptables, ip_conntrack_ftp / ip_nat_ftp. I have tried modprobe <module> and nothing happens, the depmod file is empty so there are no modules on the server atall. The kernal is a custom ubuntu one, i installed iptables using apt-get, ive contacted my vps host who say that they have enabled the modules for me but still passive ftp still doesnt work. Is there any way i can diagnose this further? I dont know a way to check what modules are loaded, or how to check the logs to see what is going on. Thanks Ryan
Code: ryanmt@vps:/etc/init.d$ sudo iptables -L Chain INPUT (policy DROP) target prot opt source destination DROP tcp -- anywhere 127.0.0.0/8 ACCEPT 0 -- anywhere anywhere state RELATED,ESTABLISHED ACCEPT 0 -- anywhere anywhere DROP 0 -- BASE-ADDRESS.MCAST.NET/4 anywhere PUB_IN 0 -- anywhere anywhere PUB_IN 0 -- anywhere anywhere PUB_IN 0 -- anywhere anywhere PUB_IN 0 -- anywhere anywhere DROP 0 -- anywhere anywhere Chain FORWARD (policy DROP) target prot opt source destination ACCEPT 0 -- anywhere anywhere state RELATED,ESTABLISHED DROP 0 -- anywhere anywhere Chain OUTPUT (policy ACCEPT) target prot opt source destination PUB_OUT 0 -- anywhere anywhere PUB_OUT 0 -- anywhere anywhere PUB_OUT 0 -- anywhere anywhere PUB_OUT 0 -- anywhere anywhere Chain INT_IN (0 references) target prot opt source destination ACCEPT icmp -- anywhere anywhere DROP 0 -- anywhere anywhere Chain INT_OUT (0 references) target prot opt source destination ACCEPT icmp -- anywhere anywhere ACCEPT 0 -- anywhere anywhere Chain PAROLE (11 references) target prot opt source destination ACCEPT 0 -- anywhere anywhere Chain PUB_IN (4 references) target prot opt source destination ACCEPT icmp -- anywhere anywhere icmp destination-unreachable ACCEPT icmp -- anywhere anywhere icmp echo-reply ACCEPT icmp -- anywhere anywhere icmp time-exceeded ACCEPT icmp -- anywhere anywhere icmp echo-request PAROLE tcp -- anywhere anywhere tcp dpt:ftp PAROLE tcp -- anywhere anywhere tcp dpt:ssh PAROLE tcp -- anywhere anywhere tcp dpt:smtp PAROLE tcp -- anywhere anywhere tcp dpt:domain PAROLE tcp -- anywhere anywhere tcp dpt:www PAROLE tcp -- anywhere anywhere tcp dpt:81 PAROLE tcp -- anywhere anywhere tcp dpt:pop3 PAROLE tcp -- anywhere anywhere tcp dpt:imap2 PAROLE tcp -- anywhere anywhere tcp dpt:https PAROLE tcp -- anywhere anywhere tcp dpt:webmin PAROLE tcp -- anywhere anywhere tcp dpt:ftp-data ACCEPT udp -- anywhere anywhere udp dpt:domain DROP icmp -- anywhere anywhere DROP 0 -- anywhere anywhere Chain PUB_OUT (4 references) target prot opt source destination ACCEPT 0 -- anywhere anywhere if thats any use
Ive been messing with this further, pretty much gave up on the ip_conntrack modules and decided to open some ports up... i didnt want to open a wide range so picked a range and enabled it in the /etc/proftpd.conf file then added the rule in the firewall setup on ispconfig I restarted both proftpd and the firewall still no joy and i dont understand why, should be simple port forwarding to do it this way. I also experimented with the MasqueradeAddress option in the conf file and it made no difference. When connecting via gFTP with passive enabled it stalls on the following PASV 227 Entering Passive Mode (78,110,167,28,237,66). The first 4 numbers are the IP, the last to are the port. 237x256+66 means its trying to use 59970, why isnt it using the ports i specified!
no errors in /var/log/proftpd/proftpd.log Code: ryanmt@vps:/var/log$ cat /etc/proftpd.conf # # /etc/proftpd/proftpd.conf -- This is a basic ProFTPD configuration file. # To really apply changes reload proftpd after modifications. # # Includes DSO modules Include /etc/proftpd/modules.conf # Set off to disable IPv6 support which is annoying on IPv4 only boxes. UseIPv6 off ServerName "Citroenbob" ServerType standalone DeferWelcome off MultilineRFC2228 on DefaultServer on ShowSymlinks on TimeoutNoTransfer 600 TimeoutStalled 600 TimeoutIdle 1200 DisplayLogin welcome.msg DisplayFirstChdir .message ListOptions "-l" DenyFilter \*.*/ UseReverseDNS off # Use this to jail all users in their homes # DefaultRoot ~ <Global> DefaultRoot ~ IdentLookups off ServerIdent on "FTP Server ready." </Global> # Users require a valid shell listed in /etc/shells to login. # Use this directive to release that constrain. # RequireValidShell off # Port 21 is the standard FTP port. Port 21 # In some cases you have to specify passive ports range to by-pass # firewall limitations. Ephemeral ports can be used for that, but # feel free to use a more narrow range. PassivePorts 48152 49192 # If your host was NATted, this option is useful in order to # allow passive tranfers to work. You have to use your public # address and opening the passive ports used on your firewall as well. # MasqueradeAddress 78.110.167.28 # To prevent DoS attacks, set the maximum number of child processes # to 30. If you need to allow more than 30 concurrent connections # at once, simply increase this value. Note that this ONLY works # in standalone mode, in inetd mode you should use an inetd server # that allows you to limit maximum number of processes per service # (such as xinetd) MaxInstances 30 # Set the user and group that the server normally runs at. User proftpd Group nogroup # Umask 022 is a good standard umask to prevent new files and dirs # (second parm) from being group and world writable. Umask 022 022 # Normally, we want files to be overwriteable. AllowOverwrite on # Uncomment this if you are using NIS or LDAP to retrieve passwords: # PersistentPasswd off # Be warned: use of this directive impacts CPU average load! # Uncomment this if you like to see progress and transfer rate with ftpwho # in downloads. That is not needed for uploads rates. # # UseSendFile off # Choose a SQL backend among MySQL or PostgreSQL. # Both modules are loaded in default configuration, so you have to specify the backend # or comment out the unused module in /etc/proftpd/modules.conf. # Use 'mysql' or 'postgres' as possible values. # #<IfModule mod_sql.c> # SQLBackend mysql #</IfModule> TransferLog /var/log/proftpd/xferlog SystemLog /var/log/proftpd/proftpd.log DebugLevel 5 <IfModule mod_tls.c> TLSEngine off </IfModule> <IfModule mod_quota.c> QuotaEngine on </IfModule> <IfModule mod_ratio.c> Ratios on </IfModule> # Delay engine reduces impact of the so-called Timing Attack described in # http://security.lss.hr/index.php?page=details&ID=LSS-2004-10-02 # It is on by default. <IfModule mod_delay.c> DelayEngine on </IfModule> <IfModule mod_ctrls.c> ControlsEngine on ControlsMaxClients 2 ControlsLog /var/log/proftpd/controls.log ControlsInterval 5 ControlsSocket /var/run/proftpd/proftpd.sock </IfModule> <IfModule mod_ctrls_admin.c> AdminControlsEngine on </IfModule> # A basic anonymous configuration, no upload directories. # <Anonymous ~ftp> # User ftp # Group nogroup # # We want clients to be able to login with "anonymous" as well as "ftp" # UserAlias anonymous ftp # # Cosmetic changes, all files belongs to ftp user # DirFakeUser on ftp # DirFakeGroup on ftp # # RequireValidShell off # # # Limit the maximum number of anonymous logins # MaxClients 10 # # # We want 'welcome.msg' displayed at login, and '.message' displayed # # in each newly chdired directory. # DisplayLogin welcome.msg # DisplayFirstChdir .message # # # Limit WRITE everywhere in the anonymous chroot # <Directory *> # <Limit WRITE> # DenyAll # </Limit> # </Directory> # # # Uncomment this if you're brave. # # <Directory incoming> # # # Umask 022 is a good standard umask to prevent new files and dirs # # # (second parm) from being group and world writable. # # Umask 022 022 # # <Limit READ WRITE> # # DenyAll # # </Limit> # # <Limit STOR> # # AllowAll # # </Limit> # # </Directory> # # </Anonymous> Include /etc/proftpd_ispconfig.conf
Have you check permissions on the directory?? I don't know the exact setup you have but usually this is caused by no proper permissions either at folder level in the server or more likely in the ftp server settings at user assignment level. Are there files in the directory? If you put one in can you read it at all or are you being denied from an empty directory? Some ftp connections will find a random port when connecting Can you try to ressign the FTP port? Change it to 27 and see what happens. Have you tried an Active connection as well as a passive connection?
Thanks for the reply, Active works fine.. the ftp server is functioning as it should and i can use it provided i set my client to use active transfers. If i disable the firewall in ISPConfig then passive works fine also This is only a passive transfer/iptables issue.
Code: ryanmt@vps:~$ cat /etc/Bastille/bastille-firewall.cfg # # /etc/bastille-firewall.cfg # # Configuration file for both 2.2/ipchains and 2.4/netfilter scripts # # $Source: /cvsroot/bastille-linux/dev/working_tree/Bastille/bastille-firewall.cfg,v $ # Modified by: $Author: peterw $ # $Date: 2002/01/04 13:34:18 $ # $Revision: 1.7 $ # # Copyright (C) 1999-2001 Peter Watkins # # This program is distributed in the hope that it will be useful, # but WITHOUT ANY WARRANTY; without even the implied warranty of # MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the # GNU General Public License for more details. # # You should have received a copy of the GNU General Public License # along with this program; if not, write to the Free Software # Foundation, Inc., 59 Temple Place, Suite 330, Boston, MA 02111-1307 USA # # Thanks to David Ranch, Brad A, Don G, and others for their suggestions # the configuration values should be whitespace-delimited lists of # appropriate values, e.g. # TCP_PUBLIC_SERVICES="80 smtp ssh" # lists Web (port 80), SMTP mail, and Secure Shell ports # # This script is suitable for workstations or simple NAT firewalls; # you may want to add more "output" restrictions for serious servers # 0) DNS servers (Linux 2.2/ipchains only) # You must list your DNS servers here so that # the firewall will allow them to service your lookup requests # # List of DNS servers/networks to allow "domain" responses from # This _could_ be nameservers as a list of <ip-address>/32 entries #DNS_SERVERS="a.b.c.d/32 e.f.g.h/32" # If you are running a caching nameserver, you'll need to allow from # "0.0.0.0/0" so named can query any arbitrary nameserver # (To enable a caching nameserver, you will also probably need to # add "domain" to the TCP and UDP public service lists.) #DNS_SERVERS="0.0.0.0/0" # # To have the DNS servers parsed from /etc/resolv.conf at runtime, # as normal workstations will want, make this variable empty #DNS_SERVERS="" # # Please make sure variable assignments are on single lines; do NOT # use the "\" continuation character (so Bastille can change the # values if it is run more than once) DNS_SERVERS="" # 1) define your interfaces (all systems) # Note a "+" acts as a wildcard, e.g. ppp+ would match any PPP # interface # # list internal/trusted interfaces # traffic from these interfaces will be allowed # through the firewall, no restrictions #TRUSTED_IFACES="lo" # MINIMAL/SAFEST # # list external/untrusted interfaces #PUBLIC_IFACES="eth+ ppp+ slip+" # SAFEST # # list internal/partially-trusted interfaces # e.g. if this acts as a NAT/IP Masq server and you # don't want clients on those interfaces having # full network access to services running on this # server (as the TRUSTED_IFACES allows) #INTERNAL_IFACES="" # SAFEST # # Please make sure variable assignments are on single lines; do NOT # use the "\" continuation character (so Bastille can change the # values if it is run more than once) TRUSTED_IFACES="lo" # MINIMAL/SAFEST PUBLIC_IFACES="eth+ ppp+ slip+ venet+" # SAFEST INTERNAL_IFACES="" # SAFEST # 2) services for which we want to log access attempts to syslog (all systems) # Note this only audits connection attempts from public interfaces # # Also see item 12, LOG_FAILURES # #TCP_AUDIT_SERVICES="telnet ftp imap pop3 finger sunrpc exec login linuxconf ssh" # anyone probing for BackOrifice? #UDP_AUDIT_SERVICES="31337" # how about ICMP? #ICMP_AUDIT_TYPES="" #ICMP_AUDIT_TYPES="echo-request" # ping/MS tracert # # To enable auditing, you must have syslog configured to log "kern" # messages of "info" level; typically you'd do this with a line in # syslog.conf like # kern.info /var/log/messages # though the Bastille port monitor will normally want these messages # logged to a named pipe instead, and the Bastille script normally # configures syslog for "kern.*" which catches these messages # # Please make sure variable assignments are on single lines; do NOT # use the "\" continuation character (so Bastille can change the # values if it is run more than once) #TCP_AUDIT_SERVICES="telnet ftp imap pop3 finger sunrpc exec login linuxconf ssh" #UDP_AUDIT_SERVICES="31337" #ICMP_AUDIT_TYPES="" # 3) services we allow connections to (all systems) # # FTP note: # To allow your machine to service "passive" FTP clients, # you will need to make allowances for the passive data # ports; Bastille users should read README.FTP for more # information # # "public" interfaces: # TCP services that "public" hosts should be allowed to connect to #TCP_PUBLIC_SERVICES="" # MINIMAL/SAFEST # # UDP services that "public" hosts should be allowed to connect to #UDP_PUBLIC_SERVICES="" # MINIMAL/SAFEST # # "internal" interfaces: # (NB: you will need to repeat the "public" services if you want # to allow "internal" hosts to reach those services, too.) # TCP services that internal clients can connect to #TCP_INTERNAL_SERVICES="" # MINIMAL/SAFEST # # UDP services that internal clients can connect to #UDP_INTERNAL_SERVICES="" # MINIMAL/SAFEST # # Please make sure variable assignments are on single lines; do NOT # use the "\" continuation character (so Bastille can change the # values if it is run more than once) TCP_PUBLIC_SERVICES="21 22 25 53 80 81 110 143 443 10000 20 58878:59999" # MINIMAL/SAFEST UDP_PUBLIC_SERVICES="53" # MINIMAL/SAFEST TCP_INTERNAL_SERVICES="" # MINIMAL/SAFEST UDP_INTERNAL_SERVICES="" # MINIMAL/SAFEST # 4) passive/active FTP (Linux 2.2/ipchains only) # FTP is a firewall nightmare; if you allow "normal" FTP connections, # you must be careful to block any TCP services that are listening # on high ports; it's safer to require your FTP clients to use # "passive" mode. # # Note this will also force clients on machines # that use this one for NAT/IP Masquerading to use passive mode # for connections that go through this server (e.g. from the # internal network to public Internet machines # # For more information about FTP, see the Bastille README.FTP doc # #FORCE_PASV_FTP="N" #FORCE_PASV_FTP="Y" # SAFEST # FORCE_PASV_FTP="Y" # SAFEST # 5) Services to explicitly block. (Linux 2.2/ipchains only) # See FTP note above # Note that ranges of ports are specified with colons, and you # can specify an open range by using only one number, e.g. # 1024: means ports >= 1024 and :6000 means ports <= 6000 # # TCP services on high ports that should be blocked if not forcing passive FTP # This should include X (6000:6010) and anything else revealed by 'netstat -an' # (this does not matter unless you're not forcing "passive" FTP) #TCP_BLOCKED_SERVICES="6000:6020" # # UDP services to block: this should be UDP services on high ports. # Your only vulnerability from public interfaces are the DNS and # NTP servers/networks (those with 0.0.0.0 for DNS servers should # obviously be very careful here!) #UDP_BLOCKED_SERVICES="2049" # # types of ICMP packets to allow #ICMP_ALLOWED_TYPES="destination-unreachable" # MINIMAL/SAFEST # the following allows you to ping/traceroute outbound #ICMP_ALLOWED_TYPES="destination-unreachable echo-reply time-exceeded" # # Please make sure variable assignments are on single lines; do NOT # use the "\" continuation character (so Bastille can change the # values if it is run more than once) TCP_BLOCKED_SERVICES="6000:6020" UDP_BLOCKED_SERVICES="2049" ICMP_ALLOWED_TYPES="destination-unreachable echo-reply time-exceeded echo-request" # 6) Source Address Verification (all Linux systems) # This helps prevent "IP Spoofing" attacks # ENABLE_SRC_ADDR_VERIFY="Y" # SAFEST # 7) IP Masquerading / NAT. (all systems) # List your internal/masq'ed networks here # # Also see item 4, FORCE_PASV_FTP, as that setting affects # clients using IP Masquerading through this machine # # Set this variable if you're using IP Masq / NAT for a local network #IP_MASQ_NETWORK="" # DISABLE/SAFEST #IP_MASQ_NETWORK="10.0.0.0/8" # example #IP_MASQ_NETWORK="192.168.0.0/16" # example # # Have lots of masq hosts? uncomment the following six lines # and list the hosts/networks in /etc/firewall-masqhosts # the script assumes any address without a "/" netmask afterwards # is an individual address (netmask /255.255.255.255): #if [ -f /etc/firewall-masqhosts ]; then # echo "Reading list of masq hosts from /etc/firewall-masqhosts" # # Read the file, but use 'awk' to strip comments # # Note the sed bracket phrase includes a space and tab char # IP_MASQ_NETWORK=`cat /etc/firewall-masqhosts | awk -F\# '/\// {print $1; next} /[0-9]/ {print $1"/32"}' |sed 's:[ ]*::g'` #fi # # Masq modules # NB: The script will prepend "ip_masq_" to each module name #IP_MASQ_MODULES="cuseeme ftp irc quake raudio vdolive" # ALL (?) #IP_MASQ_MODULES="ftp raudio vdolive" # RECOMMENDED # # Please make sure variable assignments are on single lines; do NOT # use the "\" continuation character (so Bastille can change the # values if it is run more than once) IP_MASQ_NETWORK="" # DISABLE/SAFEST IP_MASQ_MODULES="ftp raudio vdolive" # RECOMMENDED # 8) How to react to disallowed packets (all systems) # whether to "REJECT" or "DROP" disallowed packets; if you're running any # public services, you probably ought to use "REJECT"; if in serious stealth # mode, choose "DROP" so simple probes don't know if there's anything out there # NOTE: disallowed ICMP packets are discarded with "DROP", as # it would not make sense to "reject" the packet if you're # trying to disallow ping/traceroute # NOTE: the scripts that set up the filter rules will interpret these # keywords as needed, e.g. "DROP" becomes "DENY" for Linux 2.2/ipchains # REJECT_METHOD="DROP" # 9) DHCP (Linux 2.2/ipchains only) # In case your server needs to get a DHCP address from some other # machine (e.g. cable modem) #DHCP_IFACES="eth0" # example, to allow you to query on eth0 #DHCP_IFACES="" # DISABLED # # Please make sure variable assignments are on single lines; do NOT # use the "\" continuation character (so Bastille can change the # values if it is run more than once) DHCP_IFACES="" # DISABLED # 10) NTP servers (Linux 2.2/ipchains only) # more UDP fun. List IP addresses or network space of NTP servers # #NTP_SERVERS="" # DISABLE NTP QUERIES / SAFEST #NTP_SERVERS="a.b.c.d/32 e.f.g.h/32" # example, to allow querying 2 servers # # Please make sure variable assignments are on single lines; do NOT # use the "\" continuation character (so Bastille can change the # values if it is run more than once) NTP_SERVERS="" # DISABLE NTP QUERIES / SAFEST # 11) more ICMP. (Linux 2.2/ipchains only) # Control the outbound ICMP to make yourself invisible to # traceroute probes # #ICMP_OUTBOUND_DISABLED_TYPES="destination-unreachable time-exceeded" # # Please make sure variable assignments are on single lines; do NOT # use the "\" continuation character (so Bastille can change the # values if it is run more than once) ICMP_OUTBOUND_DISABLED_TYPES="destination-unreachable time-exceeded" # 12) Logging (all systems) # With this enabled, ipchains will log all blocked packets. # ** this could generate huge logs ** # This is primarily intended for the port mointoring system; # also note that you probably do not want to "AUDIT" any services # that you are not allowing, as doing so would mean duplicate # logging LOG_FAILURES="N" # do not log blocked packets # 13) Block fragmented packets (all systems) # There's no good reason to allow these #ALLOW_FRAGMENTS="N" # safest ALLOW_FRAGMENTS="Y" # old behavior # 14) Prevent SMB broadcasts from leaking out NAT setup (all systems) # Windows machines will poll teh net with SMB broadcasts, # basically advertising their existence. Most folks agree # that this traffic should be dropped #DROP_SMB_NAT_BCAST="N" # allow them (are you sure?) DROP_SMB_NAT_BCAST="Y" # drop those packets # 15) Log level (iptables/netfilter/Linux 2.4 only) # Control what level of logging is used when the firewall logs # information. Default is warning (4). Lowest priority is # debug (7); highest is emergency (0). To prevent syslog # from copying iptables error messages to the console, set # this to 6 (7 would also work, but 6 is recommended) # You can also stop syslogd/klogd from printing kernel # messages to the console by issuing the command # setterm -msg off #IP_LOG_LEVEL=6 # level used in 2.2/ipchains IP_LOG_LEVEL=4 # iptables/netfilter default # 16) Always attempt to use stateful features for inbound connections # Always using state will allow the firewall to reject invalid # packets sent to otherwise open TCP services, e.g. XMAS, NULL # and SIN/FYN scans. The downside to choosing this behavior is that # services may become unreachable if the packet filter's state # table becomes full. IP_ALWAYS_USE_STATE="N" # default, ensures services remain available ryanmt@vps:~$ Thanks
In your proftpd.conf, you're using the ports 48152 - 49192, but in your firewall configuration you have the ports 58878 - 59999.
Hi, sorry should have said. I was experimenting in changing hte port numbers.. i have updated proftpd.conf to match
done that, restarted the firewall via the ispconfig interface.. no change when trying to use passive im sure proftpd is just ignoring the passive ports ive set in the config file, i just dont know why! grr!
What happens when you comment out the line Code: Include /etc/proftpd_ispconfig.conf at the end of your proftpd.conf?