
I am hoping someone can point me in the right direction here please.

Running proftpd (with tls support) on a public IP.

FTP client connects, but can't do a directory listing. When I change the "INPUT" policy on iptables to ACCEPT, it does work.

The following are my relevant iptables rules:

$IPTABLES -A INPUT -i eno1 -s 0/0 -d x.x.x.x -p tcp --sport 1024:65535 -m multiport --dports 20,21,989,990 -m state --state NEW,ESTABLISHED -j ACCEPT
$IPTABLES -A INPUT -p tcp -s 0/0 --sport 1024:65535 -d x.x.x.x --dport 1024:65535 -m state --state ESTABLISHED,RELATED -j ACCEPT

I have the connection_tracking modules enabled.

server ~ # lsmod | grep nf_conntra
nf_conntrack_ftp       24576  3
nf_conntrack          176128  8 xt_conntrack,nf_nat,xt_state,xt_nat,xt_helper,nf_conntrack_ftp,xt_CT,xt_MASQUERADE
nf_defrag_ipv6         24576  1 nf_conntrack
nf_defrag_ipv4         16384  1 nf_conntrack
libcrc32c              16384  2 nf_conntrack,nf_nat

I also have nf_conntrack_helper enabled in /proc

server ~ # cat /proc/sys/net/netfilter/nf_conntrack_helper
1
  • Is it working in passive mode? Note that in active mode connections are initiated not on the same socket, but on a different port... See https://superuser.com/questions/729876/connection-to-filezilla-ftp-server-works-but-directory-listing-fails and https://www.moreofless.co.uk/ftp-connects-no-directory-listing-command-passive/#:~:text=If%20you%20are%20able%20to,ftp%3E%20passive%20Passive%20mode%20on. – Alex Sep 27 '21 at 10:38
  • It does not work in active or passive mode with TLS, however it does work if I disable encryption. – Robert Schmitt Sep 27 '21 at 10:46

1 Answer

proftpd (with tls support)

That TLS support is probably the culprit.

Normally in an intelligent firewall, when you allow FTP you need to open the port for the control connection, TCP 21, and then, in the clear-text FTP protocol, the conntrack modules can scan for and detect the PORT response. An FTP conntrack helper module will then automatically open up the port number that gets assigned by the FTP server to that specific client, as related, allowing for quite granular access control.

When the connection is encrypted with TLS the firewall can't detect the PORT response anymore and therefore cannot automatically open the assigned port. The solution for that is to:

  • fix the range of ports the FTP server will use for passive connections to a small range
    PassivePorts min-pasv-port max-pasv-port

  • in your firewall open both port 21 and that fixed range of ports for data connections

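The two steps above, put together as an added example that is not part of the original answer or of proftpd's own documentation: a small POSIX shell script that validates a passive port range, prints the matching PassivePorts directive for proftpd.conf, and prints the iptables rules that open the control port and that fixed range for NEW connections. The interface name, server address and port range in the usage call are constructed placeholders; the choice of `-m state --state` follows the rules in the question. Because the PASV exchange is inside TLS, the data ports are opened explicitly as NEW rather than relying on RELATED from the FTP helper.

```shell
#!/bin/sh
# Added example (not from the original question or answer): generate the
# proftpd PassivePorts directive and the iptables rules for FTP over TLS,
# where the conntrack FTP helper cannot read the encrypted PASV reply.

# Validate a passive range: both ends in the unprivileged range and
# min <= max. Non-numeric input makes test(1) fail, which also returns 1.
check_passive_range() {
    min="$1"; max="$2"
    [ "$min" -ge 1024 ] 2>/dev/null || return 1
    [ "$max" -le 65535 ] 2>/dev/null || return 1
    [ "$min" -le "$max" ] 2>/dev/null || return 1
    return 0
}

# Print the proftpd.conf line that pins passive data connections to the range.
passive_ports_directive() {
    printf 'PassivePorts %s %s\n' "$1" "$2"
}

# Print the INPUT rules: the control ports (21 for explicit FTPS, 990 for
# implicit FTPS, as in the question's rule) and the fixed passive range.
# The data ports are accepted as NEW because, with the control channel
# encrypted, the helper cannot mark the data connection as RELATED.
ftps_firewall_rules() {
    iface="$1"; addr="$2"; min="$3"; max="$4"
    check_passive_range "$min" "$max" || return 1
    printf 'iptables -A INPUT -i %s -d %s -p tcp -m multiport --dports 21,990 -m state --state NEW,ESTABLISHED -j ACCEPT\n' "$iface" "$addr"
    printf 'iptables -A INPUT -i %s -d %s -p tcp --dport %s:%s -m state --state NEW,ESTABLISHED -j ACCEPT\n' "$iface" "$addr" "$min" "$max"
}

# Usage with constructed placeholder values (interface, address, range).
passive_ports_directive 49152 49200
ftps_firewall_rules eno1 192.0.2.10 49152 49200
```

Keep the range as small as the expected number of concurrent data connections allows; every port in it is reachable from any client for the lifetime of the rule, so a narrow range is the only access control left once the helper cannot track the session.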