
Is there any way to learn the port range of a "Passive" FTP server which is not in my authority? It is possible to set the range within the configuration file. For example, within vsftpd.conf:

pasv_min_port=25000
pasv_max_port=25500
#pasv_min_port=0
#pasv_max_port=0 (any port)

Since I want to apply a very restricted OUTPUT firewall (iptables) on my Linux Terminal Server, I need to know the remote server's port range. Does FTP support exposing port-range information that clients can use?

I am also open to any other possible solutions except the following one, where I assume the server IP address is 10.1.1.1:

-A OUTPUT -d 10.1.1.1 -j ACCEPT

Thanks for your interest...

Regards

EDIT

Thanks to @aaron-copley, @martin-prikryl, @user3590719

Answer to the main question: FTP doesn't expose the passive port range to the clients.

The solution is loading the netfilter connection tracking module for FTP.

ip_conntrack_ftp (module alias for CentOS/Red Hat: nf_conntrack_ftp)

Working example config for Red Hat 7:

/etc/sysconfig/iptables-config

IPTABLES_MODULES="nf_conntrack_ftp"

iptables rules

-A OUTPUT -o lo -j ACCEPT
-A OUTPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
-A OUTPUT -d 10.1.1.1/32 -p tcp -m tcp --dport 21 -j ACCEPT
-A OUTPUT -j DROP

Finally, manually load the module or restart iptables.service.

aesnak
    Does ip_conntrack_ftp work with outbound connections? If so, would allowing related connection to the single host be sufficient? I ask, because even if you determine current configuration, you cannot guarantee it will not change. – Aaron Copley Jan 31 '17 at 15:44
  • Thanks for comment. I tried your suggestion, the module does work for outbound connections too. That solves my need. – aesnak Feb 01 '17 at 12:00

2 Answers


I found this in a previous answer

Setting up Linux iptables for FTP PASV mode connections

This: https://major.io/2007/07/01/active-ftp-connections-through-iptables/

and This:

https://www.cyberciti.biz/tips/how-do-i-use-iptables-connection-tracking-feature.html

In all of them you are going to want to use the ip_conntrack_ftp and the related rule in your iptables rules to keep the passive connections open.

  • Thanks for your answer. That solves my need. Also I'm ashamed since I couldn't find these guides. – aesnak Feb 01 '17 at 12:11

The passive port range is not publicly announced by an FTP server.

All you can do is to automate parallel transfers of many files to/from the server and deduce the range from the ports used for these transfers.

Martin Prikryl
  • Thanks for the answer. Before posting the question, I checked the [RFC](https://www.ietf.org/rfc/rfc959.txt) and failed to find any clue about the matter. Hopelessly, I tried my chance with the community. – aesnak Feb 01 '17 at 12:13
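Both approaches on this page hinge on the RFC 959 "227 Entering Passive Mode (h1,h2,h3,h4,p1,p2)" reply: the nf_conntrack_ftp helper from the EDIT reads it on the control channel to learn which data connection to expect, and Martin Prikryl's method collects the ports it announces across many transfers. The following is an added example, not code from any of the posts: a parser for that reply and a reducer that turns many observed replies into the port range an egress rule would need. The server address 10.1.1.1 and the sample replies are constructed for the demonstration.

```python
import re
from typing import List, Optional, Tuple

# RFC 959 PASV reply: "227 Entering Passive Mode (h1,h2,h3,h4,p1,p2)".
# The host is h1.h2.h3.h4 and the data port is p1*256 + p2.
PASV_RE = re.compile(
    r"^227\b.*?\((\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3})\)"
)


def parse_pasv_reply(line: str) -> Optional[Tuple[str, int]]:
    """Return (host, port) from a 227 reply, or None if the line is not a valid PASV reply."""
    match = PASV_RE.search(line.strip())
    if not match:
        return None
    fields = [int(f) for f in match.groups()]
    # Every field is a single byte; reject replies the helper would also refuse.
    if any(f > 255 for f in fields):
        return None
    host = ".".join(str(f) for f in fields[:4])
    port = fields[4] * 256 + fields[5]
    return host, port


def observed_port_range(replies: List[str]) -> Optional[Tuple[int, int]]:
    """Lowest and highest data port announced across many PASV replies.

    Only replies that parse cleanly count; a range deduced this way is a snapshot
    of the server's current configuration, not a guarantee it will not change."""
    ports = []
    for reply in replies:
        parsed = parse_pasv_reply(reply)
        if parsed is not None:
            ports.append(parsed[1])
    if not ports:
        return None
    return min(ports), max(ports)


# Constructed sample of control-channel replies from a hypothetical server 10.1.1.1.
SAMPLE_REPLIES = [
    "227 Entering Passive Mode (10,1,1,1,97,168).",  # 97*256+168 = 25000
    "227 Entering Passive Mode (10,1,1,1,98,35).",   # 98*256+35  = 25123
    "227 Entering Passive Mode (10,1,1,1,99,156).",  # 99*256+156 = 25500
    "226 Transfer complete.",                         # not a PASV reply, ignored
    "227 Entering Passive Mode (10,1,1,1,300,1).",   # invalid octet, ignored
]

if __name__ == "__main__":
    print(observed_port_range(SAMPLE_REPLIES))  # (25000, 25500)
```

With the conntrack helper loaded, the RELATED rule in the EDIT above admits exactly the data connection each 227 reply announces, so the deduced range is only needed where the helper cannot be used.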