1

I am using Arch Linux. I followed a tutorial to change /etc/iptables/iptables.rules to allow only the basic ports for my web server. I also used /etc/modules-load.d/nf_conntrack_ftp.conf to enable that module, and changed the default FTP port that I use in /etc/modprobe.d/ip_conntrack_ftp.conf. I have two problems. FTP is not working since I am getting a "500 Illegal Port Command," and an "ERRCONNREFUSED." If I use active mode instead and over plain FTP, it owrks. So it's something wrong with iptables. Also, iptables is not allowing IPv6 connections even though I allow them. Do I have to change another file? Thanks you. Here's a screenshot of iptables.rules: iptables rules

Of course, I changed the FTP port before I posted this.

Kenneth Clark
  • 31
  • 3
  • Did you validate that it works if you just disable your firewall? – Julie Pelletier May 01 '16 at 00:04
  • 1
    don't post screenshots when text will do. copy and paste the text from your terminal into your question. remember to use the `{}` icon to format it as code. – cas May 01 '16 at 01:54
  • it seems to me it isn't working because your SSL port is closed. Do you have the `Subsystem sftp ...` portion in your sshd config? Or does your ftp server handle ssl? – frogstarr78 May 01 '16 at 02:36
  • How do I enable that port then? I set TLS and SSL in vsftpd to ON. Oh, and I took a screenshot since I have no way to copy the text. I was using SSH, and that's on a VM. – Kenneth Clark May 01 '16 at 03:50
  • @frogstarr78 `sftp` in `sshd_config` is for SFTP over SSH (default on 22), not FTPS over SSL/TLS (default on 21) which is quite a different thing. Kenneth: does your FTP client reach this server through any kind of NAT or proxy? Those often transparently 'adjust' data in the FTP control connection in clear, but cannot do so in FTPS. – dave_thompson_085 May 01 '16 at 06:18

1 Answers1

3

TL;TR: FTP is a broken protocol and FTPS more so. Due to a combination of protocol design and encryption it plays very bad together with firewalls. Try to use SFTP (i.e. file transfer over SSH protocol) instead.

FTP consists of a control connection (usually port 21) and the data connections. Which ports are used by the data connections are dynamically exchanged within the control connection. In active mode the clients listens on IP/port given inside the PORT or EPRT command and the server connects to the client. In passive mode the server listens on IP/port given in response to the PASV or EPSV command and the client connects to the server.

One way to deal with this kind of dynamic ports in a firewall configuration is to keep a wide range of ports open. This is obviously contradicting the idea of using a firewall to restrict the attack surface as much as possible. Thus most firewalls offer some "helpers" which inspect the control connection and find out which ports are used for the dynamic connections so that they can create matching packet filter rules on demand. With iptables this is done inside ip_conntrack_ftp. This is what you are trying now.

Unfortunately using such helpers means that the firewall must be able to read the traffic inside the control connection. If you don't use plain unencrypted FTP this is possible. But with FTP+TLS the control connection is encrypted and thus the helper is not able to extract the necessary information to open the ports on demand. In theory there is a way to deal with this by using TLS only for transferring the authorization part but then switch off encryption again (FTPS command CCC) but this would need to be supported and used by the client.

Thus if possible avoid FTP and FTPS and use SFTP instead. This is file transfer over the SSH protocol and uses only a single port which makes a restrictive firewall configuration easier.

Steffen Ullrich
  • 2,500
  • 15
  • 16
  • Saying that "FTP is a broken protocol" is, I think, misleading at best. The way that firewalls make FTP connections harder to manage does not make the _protocol_ broken; the first statements above read more like FUD than accurate, objective statement. – Castaglia May 02 '16 at 17:10
  • @Castaglia: in today's network environment which makes heavy use of firewalls and NAT the design of FTP clashes often with the design or intention (security) of the network. While the protocol is not broken from the perspective of security I consider its design broken because it fails to play nice with today's networks. And with FTPS it got even worse because the workarounds in network design to suit FTP fail to work any longer. – Steffen Ullrich May 02 '16 at 17:15