
Re: setting up vsftpd



On Fri, 03 Jul 2015 15:55:53 -0400
Louis Wust <louiswust@fastmail.fm> wrote:

What a terrific reply!

> I think you are asking two netfilter/iptables questions here:
>  1) How to "clear" an iptables configuration so all traffic is allowed?
>  2) How to allow FTP traffic through netfilter/iptables?
> 
> Let's address each question in turn.
> 
> #####
>  1. Allowing all traffic, for debugging purposes
> #####
> 
> attempt. Deleting rules does not change a chain's policy. Try this on
> the machine which has the firewall, and then try connecting to vsftpd
> from another machine on the local network:
> 
>   iptables -F
>   iptables -P INPUT ACCEPT

Connection refused.

So it seems I have to stop there and get that figured out.

Just to recap:
machine 1: firewall. I can ftp into machine 2.
machine 2: no firewall. I cannot ftp into machine 1.

I tried the iptables commands as you explained above, and still get connection refused.

Here's the really interesting part.

When logged in on machine 1:
  ftp localhost: works
  ftp machine1: connection refused

??!!

This is really strange...

Brian

> 
> But of course, as soon as you've verified that vsftpd is working, reload
> some reasonable firewall configuration using iptables-restore(8) or
> similar as quickly as possible! Nothing good will come of having an
> empty INPUT chain with a default ACCEPT policy.
> 
> #####
>  2. Allowing FTP traffic
> #####
> 
> First, if you're not familiar with the concepts, read up a little on
> active FTP versus passive FTP:
> 
>   http://slacksite.com/other/ftp.html
> 
> I'll describe how to get passive FTP working on the server, because
> unlike with active FTP, passive FTP doesn't require any special firewall
> configuration on the client side. In particular, if you intend to
> connect to your FTP server from somewhere on the Internet, passive mode
> will be much easier to use.
> 
> Making passive FTP work will require some advanced usage of the
> netfilter "conntrack" module and its FTP helper. For more information,
> read this:
> 
>   https://home.regit.org/netfilter-en/secure-use-of-helpers/
> 
> Armed with this knowledge, let's get started.
> 
> Punch a hole in the server's firewall to accept connections on port 21
> (the FTP "command" port), by running this command:
> 
>   iptables -A INPUT -p tcp -m tcp --dport 21 -j ACCEPT
> 
> Now, to allow FTP data packets in passive mode, configure the firewall
> to accept any packet which the conntrack module and its FTP helper have
> determined to be RELATED to an established connection:
> 
>   iptables -A INPUT -m conntrack --ctstate RELATED -j ACCEPT
> 
> You might already have a rule like this. Use "iptables -L" to find out.
> 
> And now load the kernel module which provides the FTP helper for the
> netfilter conntrack module. The first of the following commands loads
> the module immediately, while the second ensures that the module is
> loaded each time the system boots in the future:
> 
>   modprobe nf_conntrack_ftp
>   echo "nf_conntrack_ftp" >> /etc/modules
> 
> By default, vsftpd is already configured to allow passive mode FTP, and
> passive mode FTP is supported out-of-the-box by many FTP clients,
> including the Debian standard package "ftp" and the file manager in
> Windows. To use passive mode in the Debian ftp client, try running the
> "passive" command as follows:
> 
>   $ ftp
>   ftp> open localhost
>   Connected to localhost.
>   220 (vsFTPd 3.0.2)
>   Name (localhost:user): anonymous
>   331 Please specify the password.
>   Password: none
>   230 Login successful.
>   Remote system type is UNIX.
>   Using binary mode to transfer files.
>   ftp> passive
>   Passive mode on.
>   ftp>
> 
> #####
>   Conclusion
> #####
> 
> Of course, if you want things to be easier and more secure, just use
> SFTP instead ;)
> 
> The following rule would be sufficient for SSH, SFTP, SCP, etc.; no need
> to add any kernel modules or set up additional rules:
> 
>   iptables -A INPUT -p tcp -m tcp --dport 22 -j ACCEPT
> 
> Louis Wust
> 
> On Wed, Jul 1, 2015, at 17:15, briand@aracnet.com wrote:
> > I've set up vsftpd on a couple of machines.
> > 
> > One has a firewall, and one does not.
> > 
> > FTP sessions to the machine without the firewall work fine.
> > 
> > FTP sessions to the machine with the firewall, still from the internal
> > network, do not.
> > 
> > Easy to test, right? Simply disable the firewall and see if it works.
> > 
> >   iptables -F
> > 
> > But I still get connection refused.
> > 
> > Any suggestions?
> > 
> > Thanks,
> > 
> > Brian
> > 
> > 
> > Archive: https://lists.debian.org/20150701141544.0b0a6820@cedar.deldotd.com
> > 
> 
> 


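An added example, not code from either poster: a small POSIX sh audit of the points the thread turns on. With the INPUT chain flushed and its policy set to ACCEPT, "connection refused" is a TCP RST sent by the target host itself (a DROP would produce a timeout, not a refusal), so the first thing to check is which address the daemon is bound to; the script then checks the three pieces of the passive-FTP recipe above (port 21 accepted, RELATED accepted, nf_conntrack_ftp loaded). It works on captured text from `ss -tlnp`, `iptables -S INPUT` and `lsmod` rather than running them, so it needs no root; the sample captures, the function names and the verdict strings are constructed for illustration.

```shell
#!/bin/sh
# Added example for the vsftpd/iptables thread above (not the posters' code).
# Every input is plain text captured from a command, passed as a parameter,
# so the functions run without privileges. Sample data below is constructed.

# Scope of whatever listens on TCP port 21, from `ss -tlnp` output in $1:
# "all" (0.0.0.0 / [::]), "loopback" (127.0.0.1 / [::1] only), a specific
# address, or "none" when nothing listens on the port.
ftp_bind_scope() {
    scope=""
    while read -r state rq sq laddr rest; do
        [ "$state" = "LISTEN" ] || continue
        port=${laddr##*:}          # text after the last ':' is the port
        addr=${laddr%:*}           # everything before it is the address
        [ "$port" = "21" ] || continue
        case "$addr" in
            0.0.0.0|'*'|'[::]') scope=all; break ;;
            127.0.0.1|'[::1]')  [ -n "$scope" ] || scope=loopback ;;
            *)                  scope=$addr ;;
        esac
    done <<EOF
$1
EOF
    echo "${scope:-none}"
}

# What the INPUT chain still lacks for the recipe, from `iptables -S INPUT`
# in $1. Prints "ok" or the missing pieces, e.g. "port21 related".
# A default ACCEPT policy admits everything, so it counts as both present.
ftp_rule_gaps() {
    port21=no related=no
    while read -r line; do
        case "$line" in
            "-P INPUT ACCEPT") port21=yes related=yes ;;
        esac
        case "$line" in
            *"--dport 21 "*"-j ACCEPT"*|*"--dport ftp "*"-j ACCEPT"*) port21=yes ;;
        esac
        case "$line" in
            *"--ctstate "*RELATED*"-j ACCEPT"*|*"--state "*RELATED*"-j ACCEPT"*) related=yes ;;
        esac
    done <<EOF
$1
EOF
    gaps=""
    [ "$port21" = yes ]  || gaps="$gaps port21"
    [ "$related" = yes ] || gaps="$gaps related"
    [ -n "$gaps" ] && echo "${gaps# }" || echo ok
}

# Whether the FTP conntrack helper module is loaded, from `lsmod` output in $1.
ftp_helper_loaded() {
    printf '%s\n' "$1" | grep -q '^nf_conntrack_ftp ' && echo yes || echo no
}

# One-line verdict from the three captures (ss, iptables -S INPUT, lsmod).
ftp_diagnose() {
    scope=$(ftp_bind_scope "$1")
    gaps=$(ftp_rule_gaps "$2")
    helper=$(ftp_helper_loaded "$3")
    case "$scope" in
        none)     echo "nothing listens on tcp/21: check vsftpd before touching iptables" ;;
        loopback) echo "vsftpd listens on loopback only: remote clients get 'connection refused' whatever INPUT allows" ;;
        *)        if [ "$gaps" != ok ]; then
                      echo "bound to $scope but INPUT lacks: $gaps"
                  elif [ "$helper" = no ]; then
                      echo "control port reachable; passive data connections still need nf_conntrack_ftp"
                  else
                      echo "control port reachable, RELATED accepted, helper loaded"
                  fi ;;
    esac
}

# Constructed captures modelled on the thread: chain flushed and policy set
# to ACCEPT as the reply suggests, helper loaded, daemon bound to loopback.
SS_SAMPLE='State  Recv-Q Send-Q Local Address:Port Peer Address:Port Process
LISTEN 0      32     127.0.0.1:21       0.0.0.0:*         users:(("vsftpd",pid=812,fd=3))
LISTEN 0      128    0.0.0.0:22         0.0.0.0:*         users:(("sshd",pid=640,fd=3))'
IPT_SAMPLE='-P INPUT ACCEPT'
LSMOD_SAMPLE='Module                  Size  Used by
nf_conntrack_ftp       20480  0
nf_conntrack          163840  1 nf_conntrack_ftp'

ftp_diagnose "$SS_SAMPLE" "$IPT_SAMPLE" "$LSMOD_SAMPLE"
```

On a live box, feed it `ftp_diagnose "$(ss -tlnp)" "$(iptables -S INPUT)" "$(lsmod)"`. One caveat the 2015 thread predates: since Linux 4.7 the kernel no longer assigns conntrack helpers to connections automatically by default (the `nf_conntrack_helper` sysctl defaulted to 0, and automatic assignment was removed in 6.0), so loading `nf_conntrack_ftp` is not enough on current kernels; the regit.org page the reply links describes the explicit `-t raw ... -j CT --helper ftp` rule that replaces it, which this script does not check.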