iptables rules to allow passive ftp

Posted: Sun Feb 08, 2015 3:23 pm
by one1
Hi,

Previously I couldn't fetch a file from an external server that uses passive FTP:

[root@host /]# wget ftp://XXXX:XXXX@products.XXX.com/XXX/XXX.txt.gz
--2015-02-05 05:52:50--  ftp://ps-ftp_XXXX:XXXX@products.XXX.com/XXX/XXX.txt.gz
           => `XXX.txt.gz'
Resolving products.XXX.com... 66.171.XXX.XX
Connecting to products.XXX.com|66.171.XXX.XX|:21... connected.
Logging in as XXX ... Logged in!
==> SYST ... done.    ==> PWD ... done.
==> TYPE I ... done.  ==> CWD (1) /XXX ... done.
==> SIZE XXX.txt.gz ... done.
==> PASV ... couldn't connect to 66.171.XXX.XX port 43928: Connection timed out
Retrying.

After stopping iptables, I could fetch the file fine. I have tried to modify iptables to allow passive FTP connections, but it doesn't work. Can anyone please tell me how to correctly modify iptables so that I can turn it back on?

Here is my original iptables

# Generated by iptables-save v1.4.7 on Sun Feb  8 09:18:10 2015
*nat
:PREROUTING ACCEPT [749988:45618927]
:POSTROUTING ACCEPT [955796:58217733]
:OUTPUT ACCEPT [955796:58217733]
COMMIT
# Completed on Sun Feb  8 09:18:10 2015
# Generated by iptables-save v1.4.7 on Sun Feb  8 09:18:10 2015
*mangle
:PREROUTING ACCEPT [19229922:15904290473]
:INPUT ACCEPT [19229921:15904290421]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [20155349:19682514187]
:POSTROUTING ACCEPT [20155349:19682514187]
COMMIT
# Completed on Sun Feb  8 09:18:10 2015
# Generated by iptables-save v1.4.7 on Sun Feb  8 09:18:10 2015
*filter
:INPUT DROP [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
:fail2ban-MAIL - [0:0]
:fail2ban-SSH - [0:0]
:fail2ban-VESTA - [0:0]
:vesta - [0:0]
-A INPUT -p tcp -m multiport --dports 25,465,587,2525,110,995,143,993 -j fail2ban-MAIL 
-A INPUT -p tcp -m tcp --dport 8083 -j fail2ban-VESTA 
-A INPUT -p tcp -m tcp --dport 22 -j fail2ban-SSH 
-A INPUT -p tcp -m tcp --dport 22 -j ACCEPT 
-A INPUT -p tcp -m multiport --dports 80,443 -j ACCEPT 
-A INPUT -p tcp -m multiport --dports 20,21,12000:12100 -j ACCEPT 
-A INPUT -p udp -m udp --dport 53 -j ACCEPT 
-A INPUT -p tcp -m multiport --dports 25,465,587,2525 -j ACCEPT 
-A INPUT -p tcp -m multiport --dports 110,995 -j ACCEPT 
-A INPUT -p tcp -m multiport --dports 143,993 -j ACCEPT 
-A INPUT -p tcp -m multiport --dports 3306,5432 -j ACCEPT 
-A INPUT -p tcp -m tcp --dport 8083 -j ACCEPT 
-A INPUT -p icmp -j ACCEPT 
-A INPUT -s 192.186.XXX.XX/32 -j ACCEPT 
-A INPUT -s 192.186.XXX.XX/32 -j ACCEPT 
-A INPUT -s 192.186.XXX.XX/32 -j ACCEPT 
-A INPUT -s 192.186.XXX.XX/32 -j ACCEPT 
-A INPUT -s 192.186.XXX.XX/32 -j ACCEPT 
-A INPUT -s 192.186.XXX.XX/32 -j ACCEPT 
-A INPUT -s 127.0.0.1/32 -j ACCEPT 
-A INPUT -p tcp -m tcp --sport 20 -j ACCEPT 
-A INPUT -p tcp -m tcp --sport 21 -j ACCEPT 
-A INPUT -p tcp -m tcp --sport 22 -j ACCEPT 
-A INPUT -p tcp -m tcp --sport 25 -j ACCEPT 
-A INPUT -p udp -m udp --sport 53 -j ACCEPT 
-A INPUT -p tcp -m tcp --sport 80 -j ACCEPT 
-A INPUT -p tcp -m tcp --sport 443 -j ACCEPT 
-A INPUT -p tcp -m tcp --sport 110 -j ACCEPT 
-A INPUT -p udp -m udp --sport 123 -j ACCEPT 
-A INPUT -p tcp -m tcp --sport 143 -j ACCEPT 
-A INPUT -p tcp -m tcp --sport 3306 -j ACCEPT 
-A INPUT -p tcp -m tcp --sport 5432 -j ACCEPT 
-A INPUT -p tcp -m tcp --sport 8080 -j ACCEPT 
-A INPUT -p tcp -m tcp --sport 8433 -j ACCEPT 
-A INPUT -p tcp -m tcp --sport 8083 -j ACCEPT 
-A fail2ban-MAIL -s 46.32.239.190/32 -j REJECT --reject-with icmp-port-unreachable 
-A fail2ban-MAIL -j RETURN 
-A fail2ban-SSH -j RETURN 
-A fail2ban-VESTA -j RETURN 
COMMIT
# Completed on Sun Feb  8 09:18:10 2015

I tried adding the following code to it, but it didn't work:

-A INPUT -p tcp -m tcp --dport 21 -m conntrack --ctstate NEW,ESTABLISHED -j ACCEPT
-A INPUT -p tcp -m tcp --dport 20 -m conntrack --ctstate NEW,ESTABLISHED -j ACCEPT
-A INPUT -p tcp -m tcp --sport 1024:65535 --dport 20:65535 -m conntrack --ctstate NEW,ESTABLISHED -j ACCEPT
-A INPUT -p tcp -m state --state ESTABLISHED -j ACCEPT
-A INPUT -j REJECT --reject-with icmp-port-unreachable
-A OUTPUT -p tcp -m tcp --dport 21 -m conntrack --ctstate NEW,ESTABLISHED -j ACCEPT
-A OUTPUT -p tcp -m tcp --dport 20 -m conntrack --ctstate NEW,ESTABLISHED -j ACCEPT
-A OUTPUT -p tcp -m tcp --sport 1024:65535 --dport 20:65535 -m conntrack --ctstate NEW,ESTABLISHED -j ACCEPT
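Editor's added example (not the poster's code and not part of Vesta CP): a small first-match simulator for an iptables-save INPUT chain, run against an abridged, constructed copy of the ruleset above. It replays the two reply packets the wget client receives during the session shown in the post: the control-channel reply from the server's port 21, and the PASV data-channel reply from port 43928. The remote address `66.171.0.1` and the local ephemeral ports are constructed stand-ins for the masked values; the `STATEFUL_RULE` is the standard `conntrack` rule, placed first as `iptables -I INPUT 1` would.

```python
"""First-match simulator for an iptables-save INPUT chain (added example).

Constructed for this thread; not the poster's code and not part of Vesta CP.
Handles -p, -s, --dport(s)/--sport(s), --ctstate/--state, -j and user chains;
options without arguments (e.g. --syn) are not modelled.
"""
import ipaddress
import shlex

# Chain declarations in iptables-save syntax (constructed abridgement).
CHAIN_DECLS = ":INPUT DROP [0:0]\n:fail2ban-SSH - [0:0]\n"

# Subset of the posted INPUT rules, kept in their original order.
POSTED_RULES = """\
-A INPUT -p tcp -m tcp --dport 22 -j fail2ban-SSH
-A INPUT -p tcp -m tcp --dport 22 -j ACCEPT
-A INPUT -p tcp -m multiport --dports 80,443 -j ACCEPT
-A INPUT -p tcp -m multiport --dports 20,21,12000:12100 -j ACCEPT
-A INPUT -p icmp -j ACCEPT
-A INPUT -s 127.0.0.1/32 -j ACCEPT
-A INPUT -p tcp -m tcp --sport 20 -j ACCEPT
-A INPUT -p tcp -m tcp --sport 21 -j ACCEPT
-A INPUT -p tcp -m tcp --sport 80 -j ACCEPT
-A fail2ban-SSH -j RETURN
"""

# Stateful rule for a host that opens outbound sessions; placed first.
STATEFUL_RULE = "-A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT\n"

ORIGINAL_RULESET = CHAIN_DECLS + POSTED_RULES
STATEFUL_RULESET = CHAIN_DECLS + STATEFUL_RULE + POSTED_RULES

REMOTE = "66.171.0.1"  # constructed stand-in for the masked FTP server address

# Reply packets as seen by the client's INPUT chain. dport values are
# constructed ephemeral ports; 43928 is the PASV port from the wget output.
CONTROL_REPLY = {"proto": "tcp", "src": REMOTE, "sport": 21, "dport": 40123, "state": "ESTABLISHED"}
PASV_DATA_REPLY = {"proto": "tcp", "src": REMOTE, "sport": 43928, "dport": 40124, "state": "ESTABLISHED"}
SSH_SYN = {"proto": "tcp", "src": REMOTE, "sport": 50000, "dport": 22, "state": "NEW"}

PORT_OPTS = (("--dport", "dport"), ("--dports", "dport"), ("--sport", "sport"), ("--sports", "sport"))
RULE_OPTS = ("-p", "-s", "--ctstate", "--state") + tuple(o for o, _ in PORT_OPTS)


def port_in(port, spec):
    """True if port falls in a multiport-style spec such as '20,21,12000:12100'."""
    for part in spec.split(","):
        lo, _, hi = part.partition(":")
        if int(lo) <= port <= int(hi or lo):
            return True
    return False


def parse_ruleset(text):
    """Return (policies, chains) from iptables-save ':' declarations and '-A' rules."""
    policies, chains = {}, {}
    for line in text.splitlines():
        if line.startswith(":"):
            name, policy = line.split()[:2]
            policies[name[1:]] = policy          # "-" marks a user-defined chain
            chains.setdefault(name[1:], [])
        elif line.startswith("-A "):
            toks = shlex.split(line)
            rule = {"target": None}
            i = 2
            while i < len(toks):
                if toks[i] == "-j":
                    rule["target"] = toks[i + 1]
                elif toks[i] in RULE_OPTS:
                    rule[toks[i]] = toks[i + 1]
                i += 2                           # also steps over "-m <ext>" pairs
            chains.setdefault(toks[1], []).append(rule)
    return policies, chains


def matches(rule, pkt):
    if "-p" in rule and rule["-p"] != pkt["proto"]:
        return False
    if "-s" in rule and ipaddress.ip_address(pkt["src"]) not in ipaddress.ip_network(rule["-s"]):
        return False
    for opt, key in PORT_OPTS:
        if opt in rule and not port_in(pkt.get(key, -1), rule[opt]):
            return False
    for opt in ("--ctstate", "--state"):
        if opt in rule and pkt["state"] not in rule[opt].split(","):
            return False
    return True


def verdict(ruleset, pkt, chain="INPUT"):
    """First matching terminal target wins; a user chain with no verdict returns to its caller."""
    policies, chains = ruleset
    for rule in chains.get(chain, []):
        if not matches(rule, pkt):
            continue
        target = rule["target"]
        if target in ("ACCEPT", "DROP", "REJECT"):
            return target
        if target == "RETURN":
            break
        sub = verdict(ruleset, pkt, target)      # jump into a user-defined chain
        if sub is not None:
            return sub
    policy = policies.get(chain, "-")
    return None if policy == "-" else policy


def compare():
    """Verdicts for (control reply, PASV data reply) under the original and stateful rulesets."""
    orig, stateful = parse_ruleset(ORIGINAL_RULESET), parse_ruleset(STATEFUL_RULESET)
    return (
        (verdict(orig, CONTROL_REPLY), verdict(orig, PASV_DATA_REPLY)),
        (verdict(stateful, CONTROL_REPLY), verdict(stateful, PASV_DATA_REPLY)),
    )


if __name__ == "__main__":
    (o_ctl, o_pasv), (s_ctl, s_pasv) = compare()
    print(f"original: control={o_ctl} pasv-data={o_pasv}")   # ACCEPT / DROP
    print(f"stateful: control={s_ctl} pasv-data={s_pasv}")   # ACCEPT / ACCEPT
```

Under the original ruleset the port-21 reply is accepted only because of the `--sport 21` rule, which any remote host can satisfy by choosing its own source port; the data-channel reply arrives from an arbitrary high port, matches nothing, and falls through to the `DROP` policy, which is exactly the "couldn't connect ... Connection timed out" seen after `PASV`. With the `ESTABLISHED,RELATED` rule in front, both replies are accepted as part of a connection the host itself opened, and the per-port `--sport` rules become unnecessary. For active-mode FTP the `nf_conntrack_ftp` helper is what marks the server-initiated data connection `RELATED`; passive mode needs only `ESTABLISHED`.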

Re: iptables rules to allow passive ftp

Posted: Sun Feb 08, 2015 7:00 pm
by joem
Log in to Vesta CP -> Click firewall -> Edit Record "TCP / FTP" -> Change to 21,12000:12100 -> Edit /etc/proftpd.conf

Add code below before <Global>

PassivePorts 12000 12100

Re: iptables rules to allow passive ftp

Posted: Sun Feb 08, 2015 8:45 pm
by imperio

echo "PROTOCOL='TCP' PORT='12000:12100'" >> /usr/local/vesta/data/firewall/ports.conf

v-update-firewall 

What FTP server are you using on your server?