#1 2016-02-17 04:32:38

Dafta
Member
Registered: 2016-02-17
Posts: 10

[Solved] Can't Connect to FTP Server (vsftpd) With iptables

Let me preface this by saying that I can connect to my FTP server if I stop iptables.service. However, I need to be able to connect to the server with iptables.service running. I've followed this guide: https://wiki.archlinux.org/index.php/Ve … g_iptables

My iptables.rules file:

# Generated by iptables-save v1.4.21 on Wed Feb 17 03:30:11 2016
*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [7:1044]
:IN_SSH - [0:0]
:TCP - [0:0]
:UDP - [0:0]
-A INPUT -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
-A INPUT -i lo -j ACCEPT
-A INPUT -m conntrack --ctstate INVALID -j DROP
-A INPUT -p icmp -m icmp --icmp-type 8 -m conntrack --ctstate NEW -j ACCEPT
-A INPUT -p udp -m conntrack --ctstate NEW -j UDP
-A INPUT -p tcp -m tcp --tcp-flags FIN,SYN,RST,ACK SYN -m conntrack --ctstate NEW -j TCP
-A INPUT -p tcp -m recent --set --name TCP-PORTSCAN --mask 255.255.255.255 --rsource -j REJECT --reject-with tcp-reset
-A INPUT -p udp -m recent --set --name UDP-PORTSCAN --mask 255.255.255.255 --rsource -j REJECT --reject-with icmp-port-unreachable
-A INPUT -j REJECT --reject-with icmp-proto-unreachable
-A INPUT -p tcp -m tcp --dport 40533 -m conntrack --ctstate NEW -j IN_SSH
-A IN_SSH -m recent --rcheck --seconds 10 --hitcount 3 --rttl --name sshbf --mask 255.255.255.255 --rsource -j DROP
-A IN_SSH -m recent --rcheck --seconds 1800 --hitcount 4 --rttl --name sshbf --mask 255.255.255.255 --rsource -j DROP
-A IN_SSH -m recent --set --name sshbf --mask 255.255.255.255 --rsource -j ACCEPT
-A TCP -p tcp -m recent --update --seconds 60 --name TCP-PORTSCAN --mask 255.255.255.255 --rsource -j REJECT --reject-with tcp-reset
-A TCP -p tcp -m tcp --dport 80 -j ACCEPT
-A TCP -p tcp -m tcp --dport 443 -j ACCEPT
-A TCP -p tcp -m tcp --dport 40533 -j ACCEPT
-A UDP -p udp -m recent --update --seconds 60 --name UDP-PORTSCAN --mask 255.255.255.255 --rsource -j REJECT --reject-with icmp-port-unreachable
-A UDP -p udp -m udp --dport 53 -j ACCEPT
COMMIT
# Completed on Wed Feb 17 03:30:11 2016

My vsftpd.conf file:

anonymous_enable=NO
local_enable=YES
write_enable=YES
dirmessage_enable=YES
xferlog_enable=YES
connect_from_port_20=YES
ftpd_banner=ARCH1 FTP Server
listen=YES

userlist_enable=YES
userlist_file=/etc/vsftpd.user_list
userlist_deny=NO

max_clients=10
max_per_ip=10

listen_port=9999
pasv_min_port=49152
pasv_max_port=65534

I've also created files ip_conntrack_ftp.conf and nf_conntrack_ftp.conf under /etc/modules-load.d/ each containing either ip_conntrack_ftp or nf_conntrack_ftp respectively, and I've created files ip_conntrack_ftp.conf and nf_conntrack_ftp.conf under /etc/modprobe.d/ both containing the following:

options nf_conntrack_ftp ports=9999

I've also tried changing /etc/modprobe.d/ip_conntrack_ftp.conf to contain this, to no avail:

options ip_conntrack_ftp ports=9999

At the moment, the iptables.rules file doesn't contain the port 9999, but if I add it with

# iptables -A INPUT -p tcp -m tcp --dport 9999 -m conntrack --ctstate NEW,ESTABLISHED -j ACCEPT

nothing changes, so I'm waiting for a configuration that works before I save it into the iptables.rules file.

What is the correct configuration? Any help is appreciated.

Last edited by Dafta (2016-02-18 21:11:14)

#2 2016-02-18 01:08:27

TheSgtBilko
Member
Registered: 2013-08-13
Posts: 87

Re: [Solved] Can't Connect to FTP Server (vsftpd) With iptables

Someone with deeper knowledge of iptables/netfilter might have better suggestions/explanations.

But AFAIK - If you "Append" (-A) a rule to a chain (in this case INPUT chain), it'll be added last in the chain.

In your case it'll be added after:

-A INPUT -j REJECT --reject-with icmp-proto-unreachable

That rule means that all packages that have not already been accepted/dropped/rejected will be rejected.
Any rule in the INPUT chain after that rule will not be of any practical use.

Either ... you would have to "Insert" the rule for port 9999 before that final reject rule in INPUT chain.
Or ... you could "Append" a rule to accept port 9999 to your TCP chain instead (like the ones already there for ports 80/443/40533).


Same goes for that rule in INPUT chain for port 40533.
However you probably haven't noticed any issues since that port has already been processed in the TCP chain.

Last edited by TheSgtBilko (2016-02-18 01:12:30)

#3 2016-02-18 03:56:31

fukawi2
Ex-Administratorino
From: .vic.au
Registered: 2007-09-28
Posts: 6,217

Re: [Solved] Can't Connect to FTP Server (vsftpd) With iptables

TheSgtBilko is right. Remember that iptables is a FIRST MATCH system -- the first rule that matches (with a terminating target -- i.e. ACCEPT, REJECT or DROP) will be the rule that's used. It does not fall through beyond that to last-matching.

So put your ACCEPT for your FTP traffic in the right place. For example, the best place in your rules would be the TCP chain:

iptables -A TCP -p tcp -m tcp --dport 9999 -m conntrack --ctstate NEW,ESTABLISHED -j ACCEPT

There is no DROP or REJECT rule in your TCP chain, so you can just append to it. If you had a DROP/REJECT at the end you would have to use -I to insert it before that.

#4 2016-02-18 17:08:33

Dafta
Member
Registered: 2016-02-17
Posts: 10

Re: [Solved] Can't Connect to FTP Server (vsftpd) With iptables

Ah, that's right, it works now. Just shows I don't fully understand how iptables works yet. How are chains executed, at the same time or is there a priority?

#5 2016-02-18 20:11:54

TheSgtBilko
Member
Registered: 2013-08-13
Posts: 87

Re: [Solved] Can't Connect to FTP Server (vsftpd) With iptables

In the Arch wiki for iptables, there's a link to a graph detailing the order of the built-in chains:
https://wiki.archlinux.org/index.php/Iptables#Chains

Any user-defined chains (like your TCP/UDP/IN_SSH chains) are processed by jumping (-j) to it from another rule.

These jumps to user-defined chains are kind of like subroutines = if no match in the user-defined chain, processing will continue at next rule in the originating chain.

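Post #3's first-match rule and post #5's "subroutine" behaviour of user-defined chains, worked through as an added example (not code from the thread or from iptables): a small Python simulator of the poster's INPUT, TCP and IN_SSH chains. Chain names and ports are taken from the posted rules; the packet and the `unreachable` shadow check are constructed for illustration, and the model only looks at protocol, destination port and conntrack state.

```python
# Added example (not from the thread or iptables): a first-match simulator for
# the posted rules, modelling only protocol, destination port and conntrack state.
TERMINAL = {"ACCEPT", "DROP", "REJECT"}

def rule(target, **match):
    """A rule is (match dict, target); a set value means 'any of these'."""
    return (match, target)

def evaluate(chains, chain, pkt):
    """First-match walk; None means exhausted (a user chain returns to caller)."""
    for match, target in chains[chain]:
        if all(pkt.get(k) in v if isinstance(v, set) else pkt.get(k) == v
               for k, v in match.items()):
            if target in TERMINAL:
                return target
            verdict = evaluate(chains, target, pkt)  # -j to a user-defined chain
            if verdict is not None:
                return verdict
    return None

def unreachable(chains, chain):
    """Indices of rules shadowed by an earlier unconditional terminating rule."""
    rules = chains[chain]
    dead = [i for i, (m, t) in enumerate(rules) if not m and t in TERMINAL]
    return list(range(dead[0] + 1, len(rules))) if dead else []

def build(ftp_rule_in=None):
    """The poster's INPUT/TCP/IN_SSH chains, reduced to the matches that matter.
    ftp_rule_in appends the --dport 9999 ACCEPT to 'INPUT' (post #1) or 'TCP' (post #3)."""
    chains = {
        "INPUT": [
            rule("ACCEPT", state={"RELATED", "ESTABLISHED"}),
            rule("TCP", proto="tcp", state="NEW"),
            rule("REJECT"),  # -A INPUT -j REJECT: anything not accepted above
            rule("IN_SSH", proto="tcp", dport=40533, state="NEW"),  # shadowed
        ],
        "TCP": [rule("ACCEPT", proto="tcp", dport=p) for p in (80, 443, 40533)],
        "IN_SSH": [rule("ACCEPT")],
    }
    if ftp_rule_in == "INPUT":
        chains["INPUT"].append(rule("ACCEPT", proto="tcp", dport=9999, state="NEW"))
    elif ftp_rule_in == "TCP":
        chains["TCP"].append(rule("ACCEPT", proto="tcp", dport=9999))
    return chains

def ftp_control_verdict(ftp_rule_in=None):
    """Verdict for a constructed new TCP connection to vsftpd's listen_port 9999."""
    pkt = {"proto": "tcp", "dport": 9999, "state": "NEW"}
    return evaluate(build(ftp_rule_in), "INPUT", pkt) or "DROP"  # :INPUT DROP policy
```

Running `unreachable(build("INPUT"), "INPUT")` lists both the appended port-9999 rule and the existing port-40533 IN_SSH rule as dead, which is the shadowing post #2 describes; appending to TCP instead yields ACCEPT for the FTP control connection.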
#6 2016-02-18 21:12:05

Dafta
Member
Registered: 2016-02-17
Posts: 10

Re: [Solved] Can't Connect to FTP Server (vsftpd) With iptables

Thanks for the help! I'm going to study the iptables wiki page thoroughly now, and I marked the thread as solved.
