
So I followed the instructions (for Ubuntu 10.04): here (for setting up iptables) and here (saving the iptables) and finally, and laughably, here (because 10.04 won't load the saved version), and now everything is cozy.

My server is secure, and now I want to use FTP.

Typically I use FileZilla, and I just point it at the ssh (or sshd?) port, give it my username and password, and I am off.

However, I read about "vsftpd" and thought I might try to use it, so there are some questions stemming from this.

  1. Do I need to use vsftpd, or is the fact that my FileZilla connects and works good enough?

  2. How do I use vsftpd? Is this right?

    I set up vsftpd.conf to include (one directive per line):

    listen_port=21
    pasv_enable=YES
    pasv_min_port=10090
    pasv_max_port=10100

    Then I updated iptables using this link here.

However, FileZilla just hangs when I do all this (and tell FileZilla to use port 21).

If vsftpd doesn't offer anything more security-wise, then I'm not going to use it (because even 5 minutes of setup is a waste of time), but if it does... then what am I doing wrong, and how do I set up vsftpd?

Bonus question: does anyone know why you have to manually save the iptables rules in Unix? And why saving them is such a laboured process?

bharal
  • You do a save because it updates the start-up config, while edits to the running firewall are not persistent across reboots. So, in other words, if you want it to work when the box reboots, you want to make sure you save. – Steve Butler Aug 07 '14 at 16:37

1 Answer
  1. You need an FTP, FTPS, FTPES, or SCP/SFTP server to service requests from the FileZilla client. For FTP, FTPS and FTPES you can use vsftpd. For SCP and SFTP you can use OpenSSH.

  2. a. For FTP, you need to open only port 21 and use the ip_conntrack_ftp iptables module. You do not need to configure other ports; those are managed by the ip_conntrack_ftp module.
     b. For FTPS and FTPES you can use the link you found.
     c. For SFTP you need to open port 22 (ssh). But this is insecure, as you also allow remote shell access.

Debug the problems with Wireshark running on both the client and the server. Pay attention to missing packets in a capture, or to answers sent to the wrong IP address (if NAT is involved).

iptables is just a user-space command to configure the NetFilter tables in the kernel, so it is not really manual. On the other hand, there are plenty of scripts and frontends to manage NetFilter.

Mircea Vutcovici
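The firewall setup the answer describes (port 21 plus the connection-tracking FTP helper, with the passive range allowed explicitly as a fallback), written out as an added example script. This is not code from the question or the answer. It assumes the passive range 10090-10100 from the question's vsftpd.conf, and the helper module name nf_conntrack_ftp, which is what the 2.6.32 kernel in Ubuntu 10.04 uses (ip_conntrack_ftp is the older name the answer mentions). Setting IPT=echo prints the rules instead of applying them, which is also how to review them before touching a remote box.

```shell
#!/bin/sh
# Added example: iptables rules for a vsftpd server, matching the passive
# port range from the question's vsftpd.conf. Run as root with "apply" to
# install the rules; set IPT=echo to print them instead of applying them.
IPT="${IPT:-iptables}"
PASV_MIN="${PASV_MIN:-10090}"   # must equal pasv_min_port in vsftpd.conf
PASV_MAX="${PASV_MAX:-10100}"   # must equal pasv_max_port in vsftpd.conf

# The FTP connection-tracking helper reads PORT/PASV on the control channel
# and marks the resulting data connections as RELATED. Ubuntu 10.04's 2.6.32
# kernel names it nf_conntrack_ftp; ip_conntrack_ftp is the older name.
load_ftp_helper() {
    modprobe nf_conntrack_ftp 2>/dev/null || modprobe ip_conntrack_ftp
}

# Print (IPT=echo) or install (IPT=iptables) the INPUT rules.
ftp_rules() {
    # Replies plus helper-tracked data connections, active or passive mode.
    $IPT -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
    # The FTP control channel.
    $IPT -A INPUT -p tcp --dport 21 -m state --state NEW -j ACCEPT
    # Passive data ports, explicitly. Required when the helper cannot read the
    # PASV reply, i.e. FTPS/FTPES with an encrypted control channel; harmless
    # otherwise because it is limited to the range vsftpd is told to use.
    $IPT -A INPUT -p tcp --dport "$PASV_MIN:$PASV_MAX" -m state --state NEW -j ACCEPT
}

# The matching vsftpd.conf lines, generated from the same variables so the
# firewall range and the server's advertised range cannot drift apart.
vsftpd_pasv_conf() {
    printf 'listen_port=21\npasv_enable=YES\npasv_min_port=%s\npasv_max_port=%s\n' \
        "$PASV_MIN" "$PASV_MAX"
}

if [ "${1:-}" = "apply" ]; then
    load_ftp_helper
    ftp_rules
    vsftpd_pasv_conf
fi
```

Two caveats outside the 10.04 setting: on kernels 4.7 and later the conntrack helper is no longer attached automatically (net.netfilter.nf_conntrack_helper defaults to 0), so a `-t raw ... -p tcp --dport 21 -j CT --helper ftp` rule is needed as well; and if the server sits behind NAT, the passive range must be forwarded through the NAT device and vsftpd's pasv_address set to the public address, otherwise the client sees exactly the hang the question describes.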