Passive FTP issue on Ubuntu 20.04 LTS with IPTables and OpenVPN

by jimwillsher
from LinuxQuestions.org (#52WE2)
Hi all

I have a strange issue with FTP. I am trying to SEND a file that's on my Linux box to a FileZilla FTP server using Passive FTP. The Linux box has OpenVPN installed, and also iptables, and not much else. tun0 is the device created by OpenVPN, and device ens3 is the ethernet (it's hosted at a datacentre so it's the equivalent of eth0). ens3 has a public IP address, so no NAT.

Unless I add this line:

-A INPUT -p tcp --sport 20 --dport 1024: -m state --state NEW -j ACCEPT

to my iptables, I cannot send a file to the external FTP site. The connection establishes but then hangs at 0 bytes.

I do have ip_conntrack_ftp in the modules file.

What am I missing?

Full iptables config below.

Many thanks

Jim

# Generated by iptables-save v1.4.4 on Wed Sep 19 20:45:08 2012

*nat
:PREROUTING ACCEPT [832:56386]
:INPUT ACCEPT [21:1092]
:OUTPUT ACCEPT [2:168]
:POSTROUTING ACCEPT [2:168]
-A POSTROUTING -s 10.8.0.0/24 -o tun0 -j MASQUERADE
COMMIT

*filter
:INPUT ACCEPT [46:2718]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [676793:2441881631]

# -------------------------------------------------------------------------------------------
# accept all from localhost
-A INPUT -s 127.0.0.1 -j ACCEPT

# -------------------------------------------------------------------------------------------
# accept all previously established connections
-A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT

# -------------------------------------------------------------------------------------------
# accept https
-A INPUT -p tcp -m state --state NEW -m tcp --dport 443 -j ACCEPT

# -------------------------------------------------------------------------------------------
# accept OpenVPN. See comment at top relating to 'tun'
-A INPUT -i ens3 -p udp -m state --state NEW -m udp --dport 1194 -j ACCEPT
-A INPUT -i tun+ -j ACCEPT
-A FORWARD -i tun+ -j ACCEPT
-A FORWARD -i tun+ -o ens3 -m state --state RELATED,ESTABLISHED -j ACCEPT
-A FORWARD -i ens3 -o tun+ -m state --state RELATED,ESTABLISHED -j ACCEPT

# -------------------------------------------------------------------------------------------
# Allow FTP connections @ port 21
-A INPUT -p tcp --dport 21 -m state --state NEW -j ACCEPT

# Allow Passive FTP Connections
-A INPUT -p tcp --sport 1024: --dport 1024: -m state --state ESTABLISHED -j ACCEPT

# THIS LINE - needed to allow PassiveFTP to work properly
-A INPUT -p tcp --sport 20 --dport 1024: -m state --state NEW -j ACCEPT

# -------------------------------------------------------------------------------------------
# reject all other packets coming into the computer, even from other computers in the local area network
-A INPUT -j REJECT --reject-with icmp-port-unreachable

-N LOGGING

-A INPUT -j LOGGING

-A LOGGING -m limit --limit 2/min -j LOG --log-prefix "IPTables-Dropped: " --log-level 4
-A LOGGING -j DROP

COMMIT
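An added audit script follows; it is an editor's example, not part of jimwillsher's post or of anything LinuxQuestions provides. It reads an iptables-save dump and reports the two things a reviewer would flag in the ruleset above: the workaround rule accepts NEW connections from any host that merely sets source port 20 (source ports are chosen by the remote side, so this opens every port from 1024 up to everyone), and the LOGGING chain is appended after an unconditional REJECT in INPUT, so it can never log anything. The ruleset embedded in the script is a constructed, condensed copy of the poster's filter table, not a dump taken from a live host; the function names are the example's own.

```shell
#!/bin/sh
# Editor's example, not code from the original post. Audits an
# iptables-save dump for:
#  (1) ACCEPT rules for NEW connections whose only remote-side match is
#      --sport (no -s source address, no -i interface): the remote peer
#      picks its own source port, so "--sport 20" restricts nothing.
#  (2) Rules appended after an unconditional -j REJECT / -j DROP in the
#      same chain; they can never match (a LOGGING jump placed there is dead).

# Constructed sample, condensed from the poster's filter table.
SAMPLE_RULES='*filter
:INPUT ACCEPT [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
-A INPUT -s 127.0.0.1 -j ACCEPT
-A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
-A INPUT -p tcp --dport 21 -m state --state NEW -j ACCEPT
-A INPUT -p tcp --sport 1024: --dport 1024: -m state --state ESTABLISHED -j ACCEPT
-A INPUT -p tcp --sport 20 --dport 1024: -m state --state NEW -j ACCEPT
-A INPUT -j REJECT --reject-with icmp-port-unreachable
-N LOGGING
-A INPUT -j LOGGING
-A LOGGING -m limit --limit 2/min -j LOG --log-prefix "IPTables-Dropped: " --log-level 4
-A LOGGING -j DROP
COMMIT'

# Print each rule that accepts NEW connections and identifies the remote
# side only by --sport (no -s address and no -i interface restriction).
# Usage: sport_trust_rules "$RULES_TEXT"
sport_trust_rules() {
    printf '%s\n' "$1" | awk '
        /^-A / && /-j ACCEPT/ && /--state [A-Z,]*NEW/ && /--sport/ &&
        $0 !~ / -s / && $0 !~ / -i / { print }'
}

# Print each rule that can never match because an earlier rule in the same
# chain is an unconditional terminal target (-j REJECT or -j DROP with no
# match options in front of -j).
# Usage: unreachable_rules "$RULES_TEXT"
unreachable_rules() {
    printf '%s\n' "$1" | awk '
        /^-A / {
            chain = $2
            if (chain in dead) { print; next }
            if ($0 ~ /^-A [A-Za-z0-9_-]+ -j (REJECT|DROP)( |$)/) dead[chain] = 1
        }'
}

# Number of findings for one check; handy as a gate in a deployment script.
# Usage: finding_count <check-function> "$RULES_TEXT"
finding_count() {
    "$1" "$2" | awk 'NF { n++ } END { print n + 0 }'
}

# Stand-alone run over the constructed sample. To audit a live host instead,
# pass "$(iptables-save)" in place of "$SAMPLE_RULES".
echo "NEW-accept rules that trust only the remote source port:"
sport_trust_rules "$SAMPLE_RULES"
echo "Rules shadowed by an earlier unconditional REJECT/DROP:"
unreachable_rules "$SAMPLE_RULES"
```

Two points the findings lead to. A data connection arriving with source port 20 is the signature of active-mode FTP (the server connecting back to the client); in passive mode the client opens the data connection itself, and the server's replies already match the existing RELATED,ESTABLISHED rule, so needing this rule is worth treating as a sign of which mode was actually negotiated rather than as a permanent fix. If an inbound-NEW rule really is required, restricting it with `-s <server address>` (a placeholder here) closes it to everyone else. Separately, and as general knowledge rather than anything stated in the thread: on the 5.4 kernel of Ubuntu 20.04 the FTP conntrack helper is the nf_conntrack_ftp module and is no longer attached to connections automatically, so loading it from the modules file does nothing for RELATED matching until a rule such as `iptables -t raw -A OUTPUT -p tcp --dport 21 -j CT --helper ftp` assigns it to the control connection.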
Source RSS or Atom Feed
Feed Location https://feeds.feedburner.com/linuxquestions/latest
Feed Title LinuxQuestions.org
Feed Link https://www.linuxquestions.org/questions/