Blog of a cranky web-hosting geek !!
⏱︎
Read time:
To minimize the range of open ports for iptables to allow “Passive” or “PASV” connections
in /etc/proftpd insert:
PassivePorts 60150 60200
Put in under the “Port” entry
then in Iptables rules:
iptables -t filter -A INPUT -p tcp –dport 60150:60200 -j ACCEPT
NOTE: ****IMPORTANT****
if proftp still does not work, then insert
UseReverseDNS off
into your proftpd.conf!!!
It’s because if you chroot your users with sth. like “Default Root ~”, the /etc/hosts file won’t be visible for proftp anymore, so it will hang up on reverseLookups!
When I enter this, there seems to a problem with the -dport 60150:60200 part. Oops. I just noticed there is two dashes there. Just pointing it out for anyone else that might not be as observant as me. 🙂
I forgot to say Thanks! This was exactly what I was looking for. Active mode now works for me.
I have one more problem though. When I login using Pasv mode, it hangs on LIST. Any idea why?
This should make PASV mode work, post here your iptables config
Here it is. The server is behind a router and I set the router to forward ports 60150-60200, 21, 80, and 22 to my local ip of 192.168.2.101. I’m new to iptables (and linux administering) so there are probably better setups to use than what I have here.
iptables -L
Chain INPUT (policy ACCEPT)
target prot opt source destination
ACCEPT tcp — anywhere anywhere tcp dpts:60150:6020
0
ACCEPT tcp — anywhere anywhere tcp dpt:http
ACCEPT tcp — anywhere anywhere tcp dpt:ssh
ACCEPT tcp — anywhere anywhere tcp dpt:ftp
Chain FORWARD (policy ACCEPT)
target prot opt source destination
Chain OUTPUT (policy ACCEPT)
target prot opt source destination
try adding
ACCEPT tcp — anywhere anywhere tcp spts:60150:6020
I believe thats the string for S port
other than that, I would have no idea 🙁
I’m Lucas Brey, a travel blogger sharing practical guides, hidden gems, and honest tips from the road. Follow along for smart itineraries, great food finds, and stories worth bookmarking.
Leave a Reply