
Possible Duplicate:
Allowing FTP with IPTables

I have a pretty restrictive set of iptables rules, with the following rule that allows me to connect by FTP:

iptables -A INPUT -p tcp --dport 21 -j ACCEPT

Clients can connect OK, but that's about it. The following output from the FTP client just before things fall down might help:

Command:    MLSD
Error:  Connection timed out
Error:  Failed to retrieve directory listing

When I stop iptables, everything works as expected.


CentOS release 5.5 (Final)

proftpd-1.3.3c-3

stew

4 Answers


You'll need an additional rule to allow "related" connections. This is due to the FTP protocol using one port for commands and another for data.

iptables -A INPUT -p tcp --dport 21 -m state --state NEW,ESTABLISHED,RELATED -j ACCEPT

Also, there's a kernel module you'll need to load for tracking the related connections. It's called ip_conntrack_ftp, but how you load it depends on your distro.

On Red Hat-ish systems, have a look at /etc/sysconfig/iptables-config

noodl
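An added example, mine rather than code from any answer in this thread, that turns the answer above into a complete set of commands with two things worth checking. First, the helper module name depends on the kernel: the CentOS 5 kernel (2.6.18) has it as ip_conntrack_ftp, 2.6.20 and later as nf_conntrack_ftp. Second, the helper marks the data connection as RELATED on whatever port the PASV reply named, so the RELATED match has to be a general one; a rule restricted to --dport 21 only ever sees the control channel. On kernels from 4.7 on, conntrack no longer attaches helpers automatically, so the script also assigns the ftp helper explicitly in the raw table. The kernel release strings in the comments are assumed sample values, and setting IPT=echo MODPROBE=echo prints the commands instead of applying them.

```sh
#!/bin/sh
# Added example, not from the thread: FTP through a restrictive INPUT chain using the
# netfilter FTP conntrack helper. IPT=echo MODPROBE=echo prints the commands instead.
IPT="${IPT:-iptables}"
MODPROBE="${MODPROBE:-modprobe}"

# Return 0 if kernel release $1 (as printed by uname -r, e.g. 2.6.18-194.el5) is at
# least $2.$3.$4. Only the numeric major.minor.patch prefix is compared.
kver_ge() {
    rel=$1
    maj=${rel%%.*}; rel=${rel#*.}
    min=${rel%%.*}; rel=${rel#*.}
    pat=${rel%%[!0-9]*}
    [ "$maj" -gt "$2" ] && return 0
    [ "$maj" -lt "$2" ] && return 1
    [ "$min" -gt "$3" ] && return 0
    [ "$min" -lt "$3" ] && return 1
    [ "${pat:-0}" -ge "$4" ]
}

# The helper was renamed when conntrack became nf_conntrack in 2.6.20; CentOS 5's
# 2.6.18 kernel still ships it as ip_conntrack_ftp.
ftp_helper_module() {
    if kver_ge "$1" 2 6 20; then echo nf_conntrack_ftp; else echo ip_conntrack_ftp; fi
}

# Load the helper and add the rules for kernel release $1.
ftp_rules() {
    krel=$1
    $MODPROBE "$(ftp_helper_module "$krel")"
    # Kernels from 4.7 default nf_conntrack_helper to 0 (automatic helper assignment
    # off), so the ftp helper has to be attached to control connections explicitly.
    if kver_ge "$krel" 4 7 0; then
        $IPT -t raw -A PREROUTING -p tcp --dport 21 -j CT --helper ftp
    fi
    # Replies, and the data connections the helper expects after a PASV/PORT exchange:
    # conntrack marks those RELATED, on whatever port was negotiated, so this match
    # must not be limited to --dport 21.
    $IPT -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
    # New connections to the control channel only.
    $IPT -A INPUT -p tcp --dport 21 -m state --state NEW -j ACCEPT
}

# Only touch the live firewall when explicitly asked: sh ftp_rules.sh apply
if [ "${1:-}" = apply ]; then
    ftp_rules "$(uname -r)"
fi
```

The rules are appended, so on a chain that already ends in a DROP or REJECT they need to go in with -I (or before the final rule) instead. To have the module loaded at boot on CentOS 5, the name to put in IPTABLES_MODULES in /etc/sysconfig/iptables-config is ip_conntrack_ftp, not nf_conntrack_ftp.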

Just to break down the difference:

Active FTP: The client connects to port 21 on the server. This is the control channel. Getting files or directory listings is a data transfer, and the server then attempts to connect back to the client to send it. This almost never works these days, given the way most clients are NATted and firewalled.

Passive FTP: There still needs to be a data channel, but this time, the server sends a port number back to the client and the client initiates another connection back to the server on that port.

The reason you're timing out with the data connection in passive is that the data port is still blocked. Depending on your FTP server software, you can typically specify the range of ports the server sends (eg: 50000-50010). You then also need to accept inbound connections on that port range. (Make sure you also limit the number of simultaneous connections to the same as the number of ports available.)

I'm not familiar with proftpd, but I think it lets you do what you need to do.

Edit: Noodl's answer is the best bet for allowing the data connections through, though you may want to be specific about the port range anyway, for ease of tracking.

SmallClanger
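The explicit port range approach from this answer, as an added example that is not part of the original thread, written for proftpd. PassivePorts and MaxClients are real proftpd directives; the 50000-50010 range is the one suggested above and is an assumption, any unprivileged range works. The script sizes MaxClients to the number of ports, as the answer recommends, and emits the matching iptables rule. Pinning the range is what you need with FTPS anyway, because the conntrack helper can't read the PASV reply inside a TLS session.

```sh
#!/bin/sh
# Added example, not from the thread: pin proftpd's passive data ports to a range,
# open exactly that range, and cap concurrent clients at the number of ports.
# Usage: sh passive_range.sh 50000 50010   (assumed range)

# Count the ports in an inclusive range after sanity checks: both numeric, above the
# privileged range (proftpd has dropped root by the time it opens data sockets), and
# in order. Prints the count, or returns 1 with a message on stderr.
passive_port_count() {
    lo=$1; hi=$2
    for p in "$lo" "$hi"; do
        case "$p" in ''|*[!0-9]*) echo "port '$p' is not a number" >&2; return 1;; esac
    done
    if [ "$lo" -le 1023 ] || [ "$hi" -gt 65535 ] || [ "$lo" -gt "$hi" ]; then
        echo "bad range $lo-$hi (need 1024 <= low <= high <= 65535)" >&2
        return 1
    fi
    echo $((hi - lo + 1))
}

# proftpd.conf fragment: PassivePorts limits what PASV may answer, MaxClients keeps the
# number of sessions at or below the number of ports, so a transfer never has to wait
# for a free port. (Both are standard proftpd directives.)
proftpd_passive_conf() {
    n=$(passive_port_count "$1" "$2") || return 1
    printf 'PassivePorts %s %s\nMaxClients %s\n' "$1" "$2" "$n"
}

# The matching INPUT rule. Because the range is explicit, this works for FTPS too,
# where the conntrack helper cannot see the PASV reply inside the TLS session.
passive_iptables_rule() {
    passive_port_count "$1" "$2" >/dev/null || return 1
    printf 'iptables -A INPUT -p tcp --dport %s:%s -m state --state NEW -j ACCEPT\n' "$1" "$2"
}

if [ $# -eq 2 ]; then
    proftpd_passive_conf "$1" "$2" && passive_iptables_rule "$1" "$2"
fi
```

A range of 11 ports with MaxClients 11 is small for a busy server; widen the range and the rule together, and keep the ESTABLISHED,RELATED rule for the control channel's replies either way.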

Try setting your client to use passive FTP; assuming you're using NAT, that should work.

In FileZilla it's in the connection settings; on the command line I think "passive" should turn it on. Do that before the ls/dir command.

Sirex

You can use the netfilter conntrack module:

modprobe nf_conntrack_ftp 

And to have it loaded at startup, in /etc/sysconfig/iptables-config:

IPTABLES_MODULES="nf_conntrack_ftp"
silviu.h
  • Thanks, this in conjunction with the above answer got me rolling again! (Sorry, my newbie rep won't allow me to vote this one up :( ) – stew Jan 20 '11 at 11:13