iptables rules to allow passive ftp
Hi,
Previously I couldn't fetch a file from an external server that uses passive FTP:
Code:
[root@host /]# wget ftp://XXXX:[email protected]/XXX/XXX.txt.gz
--2015-02-05 05:52:50-- ftp://ps-ftp_XXXX:[email protected]/XXX/XXX.txt.gz
=> `XXX.txt.gz'
Resolving products.XXX.com... 66.171.XXX.XX
Connecting to products.XXX.com|66.171.XXX.XX|:21... connected.
Logging in as XXX ... Logged in!
==> SYST ... done. ==> PWD ... done.
==> TYPE I ... done. ==> CWD (1) /XXX ... done.
==> SIZE XXX.txt.gz ... done.
==> PASV ... couldn't connect to 66.171.XXX.XX port 43928: Connection timed out
Retrying.
After stopping iptables, I could fetch the file fine. I have tried to modify iptables to allow passive FTP connections, but it doesn't work. Can anyone please tell me how to correctly modify iptables so that I can turn it back on?
Here is my original iptables, followed by the code I tried adding to it, which didn't work:
Code:
# Generated by iptables-save v1.4.7 on Sun Feb 8 09:18:10 2015
*nat
:PREROUTING ACCEPT [749988:45618927]
:POSTROUTING ACCEPT [955796:58217733]
:OUTPUT ACCEPT [955796:58217733]
COMMIT
# Completed on Sun Feb 8 09:18:10 2015
# Generated by iptables-save v1.4.7 on Sun Feb 8 09:18:10 2015
*mangle
:PREROUTING ACCEPT [19229922:15904290473]
:INPUT ACCEPT [19229921:15904290421]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [20155349:19682514187]
:POSTROUTING ACCEPT [20155349:19682514187]
COMMIT
# Completed on Sun Feb 8 09:18:10 2015
# Generated by iptables-save v1.4.7 on Sun Feb 8 09:18:10 2015
*filter
:INPUT DROP [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
:fail2ban-MAIL - [0:0]
:fail2ban-SSH - [0:0]
:fail2ban-VESTA - [0:0]
:vesta - [0:0]
-A INPUT -p tcp -m multiport --dports 25,465,587,2525,110,995,143,993 -j fail2ban-MAIL
-A INPUT -p tcp -m tcp --dport 8083 -j fail2ban-VESTA
-A INPUT -p tcp -m tcp --dport 22 -j fail2ban-SSH
-A INPUT -p tcp -m tcp --dport 22 -j ACCEPT
-A INPUT -p tcp -m multiport --dports 80,443 -j ACCEPT
-A INPUT -p tcp -m multiport --dports 20,21,12000:12100 -j ACCEPT
-A INPUT -p udp -m udp --dport 53 -j ACCEPT
-A INPUT -p tcp -m multiport --dports 25,465,587,2525 -j ACCEPT
-A INPUT -p tcp -m multiport --dports 110,995 -j ACCEPT
-A INPUT -p tcp -m multiport --dports 143,993 -j ACCEPT
-A INPUT -p tcp -m multiport --dports 3306,5432 -j ACCEPT
-A INPUT -p tcp -m tcp --dport 8083 -j ACCEPT
-A INPUT -p icmp -j ACCEPT
-A INPUT -s 192.186.XXX.XX/32 -j ACCEPT
-A INPUT -s 192.186.XXX.XX/32 -j ACCEPT
-A INPUT -s 192.186.XXX.XX/32 -j ACCEPT
-A INPUT -s 192.186.XXX.XX/32 -j ACCEPT
-A INPUT -s 192.186.XXX.XX/32 -j ACCEPT
-A INPUT -s 192.186.XXX.XX/32 -j ACCEPT
-A INPUT -s 127.0.0.1/32 -j ACCEPT
-A INPUT -p tcp -m tcp --sport 20 -j ACCEPT
-A INPUT -p tcp -m tcp --sport 21 -j ACCEPT
-A INPUT -p tcp -m tcp --sport 22 -j ACCEPT
-A INPUT -p tcp -m tcp --sport 25 -j ACCEPT
-A INPUT -p udp -m udp --sport 53 -j ACCEPT
-A INPUT -p tcp -m tcp --sport 80 -j ACCEPT
-A INPUT -p tcp -m tcp --sport 443 -j ACCEPT
-A INPUT -p tcp -m tcp --sport 110 -j ACCEPT
-A INPUT -p udp -m udp --sport 123 -j ACCEPT
-A INPUT -p tcp -m tcp --sport 143 -j ACCEPT
-A INPUT -p tcp -m tcp --sport 3306 -j ACCEPT
-A INPUT -p tcp -m tcp --sport 5432 -j ACCEPT
-A INPUT -p tcp -m tcp --sport 8080 -j ACCEPT
-A INPUT -p tcp -m tcp --sport 8433 -j ACCEPT
-A INPUT -p tcp -m tcp --sport 8083 -j ACCEPT
-A fail2ban-MAIL -s 46.32.239.190/32 -j REJECT --reject-with icmp-port-unreachable
-A fail2ban-MAIL -j RETURN
-A fail2ban-SSH -j RETURN
-A fail2ban-VESTA -j RETURN
COMMIT
# Completed on Sun Feb 8 09:18:10 2015
Code:
-A INPUT -p tcp -m tcp --dport 21 -m conntrack --ctstate NEW,ESTABLISHED -j ACCEPT
-A INPUT -p tcp -m tcp --dport 20 -m conntrack --ctstate NEW,ESTABLISHED -j ACCEPT
-A INPUT -p tcp -m tcp --sport 1024:65535 --dport 20:65535 -m conntrack --ctstate NEW,ESTABLISHED -j ACCEPT
-A INPUT -p tcp -m state --state ESTABLISHED -j ACCEPT
-A INPUT -j REJECT --reject-with icmp-port-unreachable
-A OUTPUT -p tcp -m tcp --dport 21 -m conntrack --ctstate NEW,ESTABLISHED -j ACCEPT
-A OUTPUT -p tcp -m tcp --dport 20 -m conntrack --ctstate NEW,ESTABLISHED -j ACCEPT
-A OUTPUT -p tcp -m tcp --sport 1024:65535 --dport 20:65535 -m conntrack --ctstate NEW,ESTABLISHED -j ACCEPT
Re: iptables rules to allow passive ftp
Login to Vesta CP -> Click firewall -> Edit Record "TCP / FTP" -> Change to 21,12000:12100 -> Edit /etc/proftpd.conf
Add code below before <Global>
Code:
PassivePorts 12000 12100
Re: iptables rules to allow passive ftp
Code:
echo "PROTOCOL='TCP' PORT='12000:12100'" >> /usr/local/vesta/data/firewall/ports.conf
Code:
v-update-firewall
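As an added example (not code from this thread or from Vesta CP), the Python script below walks the INPUT chain of an iptables-save dump for a few constructed packets, and ties the original post and the replies together. The replies configure this host as an FTP server: PassivePorts 12000 12100 in proftpd plus the matching firewall record, and the original ruleset already accepts NEW connections to 12000:12100. The wget in the first post is the other direction: this host is the FTP client, it opens the data connection itself to the port the external server announced after PASV (43928 in the output), and the server's reply packets arrive on INPUT with that source port. With policy DROP and no ESTABLISHED,RELATED rule those replies are dropped, which is the "Connection timed out". A stateful rule such as `-A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT` admits them (RELATED additionally covers helper-tracked data connections when the nf_conntrack_ftp module is loaded). The script also shows why the stateless `--sport 21`, `--sport 80` and similar accepts in the original set are a liability rather than a fix: they accept any brand-new connection whose sender simply chose that source port. The address 203.0.113.7, the ephemeral ports and the trimmed ruleset are constructed for the example.

```python
"""INPUT-chain evaluator for an iptables-save dump (added example, not the
thread's or Vesta CP's code). Supports only the matches the post's rules use:
-p, -s, --sport/--dport, multiport --dports, conntrack --ctstate, state --state,
and the targets ACCEPT/DROP/REJECT/RETURN plus user chains. Sample data is constructed."""
import ipaddress

def parse_filter(dump):
    """Return (chain policies, rules per chain) for the *filter table."""
    policies, chains, in_filter = {}, {}, False
    for line in dump.splitlines():
        line = line.strip()
        if line.startswith("*"):
            in_filter = line == "*filter"  # skip the nat and mangle tables
        elif not in_filter or not line or line[0] == "#" or line == "COMMIT":
            continue
        elif line.startswith(":"):  # ":INPUT DROP [0:0]" -> policy DROP; "-" for user chains
            name, policy = line[1:].split()[:2]
            policies[name] = policy
            chains.setdefault(name, [])
        elif line.startswith("-A "):
            chains.setdefault(line.split()[1], []).append(line)
    return policies, chains

def _in_ports(port, spec):
    """'20,21,12000:12100' style list: single ports and low:high ranges."""
    for item in spec.split(","):
        low, _, high = item.partition(":")
        if int(low) <= port <= int(high or low):
            return True
    return False

def rule_matches(rule, pkt):
    """True when every match clause of the rule accepts the packet dict."""
    toks = rule.split()
    for i, tok in enumerate(toks):
        val = toks[i + 1] if i + 1 < len(toks) else ""
        if tok == "-p" and val != pkt["proto"]:
            return False
        if tok == "-s" and ipaddress.ip_address(pkt["src"]) not in ipaddress.ip_network(val, strict=False):
            return False
        if tok in ("--sport", "--sports") and not _in_ports(pkt["sport"], val):
            return False
        if tok in ("--dport", "--dports") and not _in_ports(pkt["dport"], val):
            return False
        # no --ctstate/--state clause means the rule is stateless and matches NEW too
        if tok in ("--ctstate", "--state") and pkt["state"] not in val.split(","):
            return False
    return True

def verdict(policies, chains, pkt, chain="INPUT"):
    """Walk a chain the way netfilter does; None means 'continue in the caller'."""
    for rule in chains.get(chain, []):
        if not rule_matches(rule, pkt):
            continue
        toks = rule.split()
        target = toks[toks.index("-j") + 1]
        if target in ("ACCEPT", "DROP", "REJECT"):
            return target
        if target == "RETURN":
            break
        if target in chains:  # user chain such as fail2ban-SSH
            sub = verdict(policies, chains, pkt, target)
            if sub is not None:
                return sub
    policy = policies.get(chain, "-")
    return None if policy == "-" else policy

def check(dump, pkt):
    return verdict(*parse_filter(dump), pkt)

# Constructed subset of the post's ruleset, same shape: INPUT policy DROP, some
# --dport accepts, stateless --sport accepts, and no ESTABLISHED/RELATED rule.
ORIGINAL = """\
*filter
:INPUT DROP [0:0]
:fail2ban-SSH - [0:0]
-A INPUT -p tcp -m tcp --dport 22 -j fail2ban-SSH
-A INPUT -p tcp -m tcp --dport 22 -j ACCEPT
-A INPUT -p tcp -m multiport --dports 80,443 -j ACCEPT
-A INPUT -p tcp -m multiport --dports 20,21,12000:12100 -j ACCEPT
-A INPUT -s 127.0.0.1/32 -j ACCEPT
-A INPUT -p tcp -m tcp --sport 21 -j ACCEPT
-A INPUT -p tcp -m tcp --sport 80 -j ACCEPT
-A fail2ban-SSH -j RETURN
COMMIT
"""
# Hardened variant: the stateless --sport whitelist becomes one stateful rule,
# which is what lets replies to an outbound passive data connection in.
FIXED = ORIGINAL.replace(
    "-A INPUT -p tcp -m tcp --sport 21 -j ACCEPT\n-A INPUT -p tcp -m tcp --sport 80 -j ACCEPT\n",
    "-A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT\n",
)
# Reply traffic on the data connection wget opened after PASV (server port 43928, as in the post).
PASSIVE_REPLY = dict(proto="tcp", src="203.0.113.7", sport=43928, dport=51234, state="ESTABLISHED")
# A remote client opening a data connection into this host's own passive range.
INBOUND_PASV = dict(proto="tcp", src="203.0.113.7", sport=50000, dport=12050, state="NEW")
# A brand-new connection to MySQL whose sender simply used source port 80.
SPORT80_TO_MYSQL = dict(proto="tcp", src="203.0.113.7", sport=80, dport=3306, state="NEW")

if __name__ == "__main__":
    for name, dump in (("original", ORIGINAL), ("fixed", FIXED)):
        for label, pkt in (("passive reply", PASSIVE_REPLY), ("inbound pasv", INBOUND_PASV), ("sport 80->3306", SPORT80_TO_MYSQL)):
            print(f"{name:8} {label:15} {check(dump, pkt)}")
```

Running it prints DROP for the passive reply under the original set and ACCEPT under the fixed one, ACCEPT for the inbound 12000:12100 connection under both, and ACCEPT then DROP for the source-port-80 connection to 3306. To check a real host, feed the output of `iptables-save` to `check()` instead of the constructed dump; the evaluator ignores matches it does not know about, so treat its answer as a first pass rather than a proof.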