Author Topic: [FTP] Allowing passive connections  (Read 9763 times)

Marcus

[FTP] Allowing passive connections
« on: September 13, 2012, 05:42:49 pm »
Hello World!

Quick tip in order to allow passive connections (a.k.a. PASV).

I was trying to put my cPan*l backups on a Zentyal powered server. Everything seemed fine until I looked at the logs...

Quote
PASV
227 Entering Passive Mode (123,123,123,123,47,27).
STOR mybackup.tar.gz
425 Failed to establish connection.


Problem:
vsFTPd (on Zentyal, at least) doesn't allow/accept passive connections.


Solution:
** Make sure to be the root user **

First, let's add a custom IPTables rule.

Code:
# The delimiter is quoted so that "$1" below is written into the file literally
# instead of being expanded (to an empty string) by the shell running this cat.
cat > /etc/zentyal/hooks/firewall.postservice <<-'FIREWALL'
#!/bin/sh

# This is the firewall postservice script and it's run after Zentyal
# has finished setting up the firewall.

# You can add here custom rules that you might need for your firewall

# The script will receive a command line argument indicating whether the
# module is enabled (1) or not (0).

if [ "$1" -eq "1" ]
then
    # Accept traffic belonging to, or related to, an existing connection.
    # The FTP data connection is classified RELATED by the conntrack FTP helper.
    iptables -A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
    iptables -A OUTPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
    # Accept new connections to the FTP control port.
    iptables -A INPUT -p tcp --dport 21 -m conntrack --ctstate NEW -j ACCEPT
fi

exit 0
FIREWALL
# The hook must be executable to be run.
chmod +x /etc/zentyal/hooks/firewall.postservice

Now, let's enable those rules right away:
Code:
iptables -A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
iptables -A OUTPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
iptables -A INPUT -p tcp --dport 21 -m conntrack --ctstate NEW -j ACCEPT
We must make sure that our custom configuration will be persistent:
Code:
# Copy the stock template into the stubs directory, where Zentyal looks for local overrides.
mkdir -p /etc/zentyal/stubs/ftp && cp /usr/share/zentyal/stubs/ftp/vsftpd.conf.mas /etc/zentyal/stubs/ftp/

Now let's modify the FTP server configuration (make sure to replace <YOUR PUBLIC IP> with your public IP):
Code:
cat >> /etc/zentyal/stubs/ftp/vsftpd.conf.mas <<-'FTP_CONF'
## Marcus Hack ##
# Disables vsftpd's check that the data connection comes from the same
# IP address as the control connection.
pasv_promiscuous=YES
pasv_enable=YES
# Port range vsftpd will use for passive data connections.
pasv_min_port=60000
pasv_max_port=60100
# Address advertised to clients in the 227 reply.
pasv_address=<YOUR PUBLIC IP>

# Max Clients
max_clients=100

# Max connections per IP
max_per_ip=20

cmds_allowed=ALLO,ABOR,APPE,CWD,DELE,HELP,LIST,MDTM,MKD,NLST,PASS,PASV,PWD,QUIT,RETR,RMD,RNFR,RNTO,SIZE,STOR,TYPE,USER
## ############## ##
FTP_CONF

And now let's wrap it up by restarting the service:
Code:
/etc/init.d/zentyal ftp restart
Let's wrap it up by testing our new configuration. 
You should now have something similar to:
Quote
PASV
227 Entering Passive Mode (123,123,123,123,47,27).
STOR mybackup.tar.gz
150 Ok to send data.
226 Transfer complete.
QUIT
221 Goodbye.

Thanks for reading and please, do not hesitate to comment on this little trick.

Best,

Marcus
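A check for the 227 replies quoted above against the pasv_* settings from the post, as an added example that is not part of the original post. It assumes pasv_address is the 123.123.123.123 address seen in the quoted log; the transcript is constructed from that log plus a second attempt. The data port is p1 * 256 + p2, so "47,27" means port 12059, which lies outside the 60000-60100 range vsftpd is configured to use.

```python
import re

# Settings from the vsftpd.conf.mas fragment in the post; pasv_address is the
# address seen in the quoted log, standing in for <YOUR PUBLIC IP>.
PASV_CONF = {"pasv_address": "123.123.123.123",
             "pasv_min_port": 60000, "pasv_max_port": 60100}

# Constructed transcript: the post's failing exchange, then an in-range retry.
SESSION = """\
PASV
227 Entering Passive Mode (123,123,123,123,47,27).
STOR mybackup.tar.gz
425 Failed to establish connection.
PASV
227 Entering Passive Mode (123,123,123,123,234,100).
STOR mybackup.tar.gz
150 Ok to send data.
226 Transfer complete.
"""

PASV_RE = re.compile(r"^227 .*\((\d+),(\d+),(\d+),(\d+),(\d+),(\d+)\)")
REPLY_RE = re.compile(r"^\d{3}( |-|$)")  # any server reply line, e.g. "425 ..."

def parse_pasv_reply(line):
    """Decode a 227 reply into (ip, port); the port is p1 * 256 + p2."""
    m = PASV_RE.match(line.strip())
    if not m:
        return None
    nums = [int(x) for x in m.groups()]
    if any(n > 255 for n in nums):
        return None
    return ".".join(map(str, nums[:4])), nums[4] * 256 + nums[5]

def audit_session(text, conf=PASV_CONF):
    """Per 227 reply: advertised endpoint, the server's reply to the next data
    command (150 = data connection opened, 425 = failed) and config mismatches."""
    findings, lines = [], [l.strip() for l in text.splitlines() if l.strip()]
    for i, line in enumerate(lines):
        parsed = parse_pasv_reply(line)
        if parsed is None:
            continue
        ip, port = parsed
        outcome = next((l[:3] for l in lines[i + 1:] if REPLY_RE.match(l)), "none")
        problems = []
        if ip != conf["pasv_address"]:
            problems.append(f"advertised {ip}, but pasv_address is {conf['pasv_address']}")
        if not conf["pasv_min_port"] <= port <= conf["pasv_max_port"]:
            problems.append(f"port {port} outside {conf['pasv_min_port']}-{conf['pasv_max_port']}")
        findings.append({"ip": ip, "port": port, "outcome": outcome, "problems": problems})
    return findings
```

Running audit_session(SESSION) flags the first 227 (port 12059, out of range, followed by 425) and reports the second (port 60004, in range, followed by 150) as clean.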

meiser

Re: [FTP] Allowing passive connections
« Reply #1 on: November 22, 2012, 12:02:59 pm »
Just to let you know, passive mode just works fine here as long as the FTP session is unencrypted.

As soon as you enable TLS/SSL, the FTP session must be in active mode as the nf_conntrack_ftp module can't inspect the FTP packets.