Linux, FTP and iptables... Are you ready?

Recently, I decided to change my primary development method to using my smartphone. I was using an SSH client (iSSH, to be specific) to connect to my Linux server and doing all my development from that terminal. When I rediscovered the Nimbus+ editor, I noticed its FTP support; the idea of writing my code in Nimbus+ over FTP seemed like a perfect solution. After I decided to set up an FTP server, it took me a long time to figure out why I couldn't see my files from Nimbus+. So, in this post I will explain how to set up an FTP server and configure iptables for FTP traffic.
We have a couple of choices for an FTP server; my favorites are vsftpd and ProFTPD, and for this post I'll use the latter. First, we need to install proftpd using our Linux distro's package manager. I'm using CentOS, so I install proftpd using yum:
sudo yum install proftpd
I'm not going to explain the configuration of ProFTPD, because the online documentation is sufficient for most cases. We will be using the default FTP port 21 (ProFTPD's default); unlike most old-school system admins, I think changing the port to a higher one is redundant from a security point of view. Instead, we should use connection tracking to statefully manage FTP traffic. But first, let's add a rule to accept incoming traffic on port 21:
iptables -A INPUT -p tcp --dport 21 -j ACCEPT
If your OUTPUT chain's default policy is DROP, then you should also add a rule to accept outgoing traffic from the default FTP data port 20:
iptables -A OUTPUT -p tcp --sport 20 -j ACCEPT
Actually, this is enough for active FTP; but if we need to use passive FTP (as is the case with Nimbus+'s FTP support), the more complex rules that passive mode needs are best handled by the ip_conntrack_ftp module, which simplifies our work. The modprobe command can be used to load it, but the module is unloaded when the iptables service is stopped. So, to ensure that ip_conntrack_ftp is loaded, open the file /etc/sysconfig/iptables-config with your favorite text editor, then modify the IPTABLES_MODULES line like this:
IPTABLES_MODULES="ip_conntrack_ftp"
After saving and exiting, save your iptables rules and restart the service for our changes to take effect:
service iptables save
service iptables restart
And, voila! Now you can easily access your files using any FTP client.
Note: Unless iptables is configured to support passive FTP, an FTP client that uses passive mode will not be able to see our files (it shows only an empty directory listing).
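To see why passive mode defeats the static port rules above, here is an added example (my own code, not from the post or from ProFTPD) that does on the control channel what the ip_conntrack_ftp helper does: it parses the server's 227 reply and the client's PORT command to find the dynamic data connection that has to be allowed as RELATED. The sample control-channel lines are constructed.

```python
import re
from dataclasses import dataclass
from typing import Optional

# Constructed sample control-channel lines (not taken from the post).
PASV_REPLY = "227 Entering Passive Mode (192,168,1,10,195,89)."
PORT_COMMAND = "PORT 10,0,0,5,4,1"

# h1,h2,h3,h4 are the IPv4 octets; the port is p1*256 + p2 (RFC 959).
_SIX_NUMBERS = r"(\d+),(\d+),(\d+),(\d+),(\d+),(\d+)"
PASV_RE = re.compile(r"^227 .*?\(" + _SIX_NUMBERS + r"\)")
PORT_RE = re.compile(r"^PORT " + _SIX_NUMBERS + r"\s*$")


@dataclass(frozen=True)
class DataConnection:
    """The data connection a firewall must allow as RELATED to the control session."""
    initiator: str           # "client" (passive mode) or "server" (active mode)
    src_port: Optional[int]  # known only for active mode: the server's port 20
    dst_ip: str
    dst_port: int


def _decode(groups) -> tuple:
    nums = [int(g) for g in groups]
    if any(not 0 <= n <= 255 for n in nums):
        raise ValueError("octet or port byte out of range: %r" % nums)
    port = nums[4] * 256 + nums[5]
    if port == 0:
        raise ValueError("port 0 is not a valid data port")
    return ".".join(str(n) for n in nums[:4]), port


def parse_pasv(line: str) -> DataConnection:
    """Passive mode: the server's 227 reply names the port the client must connect to."""
    m = PASV_RE.match(line)
    if m is None:
        raise ValueError("not a 227 PASV reply: %r" % line)
    ip, port = _decode(m.groups())
    return DataConnection("client", None, ip, port)


def parse_port(line: str, server_data_port: int = 20) -> DataConnection:
    """Active mode: the client's PORT command names where the server connects from port 20."""
    m = PORT_RE.match(line)
    if m is None:
        raise ValueError("not a PORT command: %r" % line)
    ip, port = _decode(m.groups())
    return DataConnection("server", server_data_port, ip, port)


if __name__ == "__main__":
    print(parse_pasv(PASV_REPLY))    # dynamic port 50009: only the conntrack helper can allow it
    print(parse_port(PORT_COMMAND))  # server connects from port 20: matched by the static rule
```

Whatever the helper learns only takes effect if the INPUT chain also accepts RELATED,ESTABLISHED traffic (for example with -m state --state RELATED,ESTABLISHED -j ACCEPT), a rule the post assumes is already present.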