
Re: setting up vsftpd



I think you are asking two netfilter/iptables questions here:
 1) How to "clear" an iptables configuration so all traffic is allowed?
 2) How to allow FTP traffic through netfilter/iptables?

Let's address each question in turn.

#####
 1. Allowing all traffic, for debugging purposes
#####

On Wed, Jul 1, 2015, at 17:15, briand@aracnet.com wrote:
> easy to test, right ? simply disable the firewall and see if it works.
>   iptables -F
> but i still get connection refused.

According to the iptables(8) manpage, running the "iptables -F" command
is "equivalent to deleting all the rules one by one" from every chain in
the table. Since no table is selected, this defaults to the "filter"
table.

My guess is that your INPUT chain uses the DROP policy, which is
normally a good idea but which is interfering with your debugging
attempt. Deleting rules does not change a chain's policy. Try this on
the machine which has the firewall, and then try connecting to vsftpd
from another machine on the local network:

  iptables -F
  iptables -P INPUT ACCEPT

But of course, as soon as you've verified that vsftpd is working, reload
some reasonable firewall configuration using iptables-restore(8) or
similar as quickly as possible! Nothing good will come of having an
empty INPUT chain with a default ACCEPT policy.

#####
 2. Allowing FTP traffic
#####

First, if you're not familiar with the concepts, read up a little on
active FTP versus passive FTP:

  http://slacksite.com/other/ftp.html

I'll describe how to get passive FTP working on the server, because
unlike with active FTP, passive FTP doesn't require any special firewall
configuration on the client side. In particular, if you intend to
connect to your FTP server from somewhere on the Internet, passive mode
will be much easier to use.

Making passive FTP work will require some advanced usage of the
netfilter "conntrack" module and its FTP helper. For more information,
read this:

  https://home.regit.org/netfilter-en/secure-use-of-helpers/

Armed with this knowledge, let's get started.

Punch a hole in the server's firewall to accept connections on port 21
(the FTP "command" port), by running this command:

  iptables -A INPUT -p tcp -m tcp --dport 21 -j ACCEPT

Now, to allow FTP data packets in passive mode, configure the firewall
to accept any packet which the conntrack module and its FTP helper have
determined to be RELATED to an established connection:

  iptables -A INPUT -m conntrack --ctstate RELATED -j ACCEPT

You might already have a rule like this. Use "iptables -L" to find out.

And now load the kernel module which provides the FTP helper for the
netfilter conntrack module. The first of the following commands loads
the module immediately, while the second ensures that the module is
loaded each time the system boots in the future:

  modprobe nf_conntrack_ftp
  echo "nf_conntrack_ftp" >> /etc/modules

By default, vsftpd is already configured to allow passive mode FTP, and
passive mode FTP is supported out-of-the-box by many FTP clients,
including the Debian standard package "ftp" and the file manager in
Windows. To use passive mode in the Debian ftp client, try running the
"passive" command as follows:

  $ ftp
  ftp> open localhost
  Connected to localhost .
  220 (vsFTPd 3.0.2)
  Name (localhost:user): anonymous
  331 Please specify the password.
  Password: none
  230 Login successful.
  Remote system type is UNIX.
  Using binary mode to transfer files.
  ftp> passive
  Passive mode on.
  ftp>

#####
  Conclusion
#####

Of course, if you want things to be easier and more secure, just use
SFTP instead ;)

The following rule would be sufficient for SSH, SFTP, SCP, etc.; no need
to add any kernel modules or set up additional rules:

  iptables -A INPUT -p tcp -m tcp --dport 22 -j ACCEPT

Louis Wust
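The rules above, put together as one ruleset for iptables-restore(8) that keeps the INPUT chain on its DROP policy while passive FTP still works. This is an added example, not code from the post; it assumes vsftpd listens on port 21, a constructed LAN range of 192.168.1.0/24, and that nf_conntrack_ftp is loaded. It also goes one step beyond the post and assigns the FTP helper explicitly with the CT target, as the "secure use of helpers" page linked above recommends, rather than relying on automatic helper assignment.

```shell
#!/bin/sh
# Added example (not from the original post): emit an iptables-restore
# ruleset for passive FTP behind a default-DROP INPUT chain.
# Assumptions: vsftpd on port 21, LAN 192.168.1.0/24 (constructed),
# nf_conntrack_ftp already loaded via modprobe.

# passive_ftp_ruleset LAN_CIDR  -> prints the ruleset to stdout
passive_ftp_ruleset() {
    lan="$1"
    cat <<EOF
# raw table: attach the FTP helper only to the FTP control port, so no
# other port gets a helper attached automatically.
*raw
:PREROUTING ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
-A PREROUTING -p tcp --dport 21 -j CT --helper ftp
COMMIT
*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [0:0]
-A INPUT -i lo -j ACCEPT
# Replies to our own connections, plus the passive-mode data connections
# the FTP helper has tagged RELATED to an established control connection.
-A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
# The only statically opened port is the FTP control port, LAN-only.
-A INPUT -s $lan -p tcp --dport 21 -m conntrack --ctstate NEW -j ACCEPT
COMMIT
EOF
}

# ruleset_ok LAN_CIDR -> 0 if the generated text contains the expected
# pieces; runs without root and without iptables installed.
ruleset_ok() {
    rules=$(passive_ftp_ruleset "$1")
    printf '%s\n' "$rules" | grep -q '^:INPUT DROP' || return 1
    printf '%s\n' "$rules" | grep -q -- '--ctstate ESTABLISHED,RELATED' || return 1
    printf '%s\n' "$rules" | grep -q -- "-s $1 -p tcp --dport 21" || return 1
    printf '%s\n' "$rules" | grep -q -- '-j CT --helper ftp' || return 1
    return 0
}

# Usage as root:  passive_ftp_ruleset 192.168.1.0/24 | iptables-restore
```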

On Wed, Jul 1, 2015, at 17:15, briand@aracnet.com wrote:
> i've set up vsftpd on a couple of machines
> 
> one has a firewall, and one does not.
> 
> ftp's to the machine without the firewall work fine.
> 
> ftp's to the machine with the firewall, still from the internal
> network, do not.
> 
> easy to test, right ? simply disable the firewall and see if it works.
> 
>   iptables -F
> 
> but i still get connection refused.
> 
> any suggestions ?
> 
> Thanks,
> 
> Brian
> 
> 