Ubuntu 18.04 LTS apply iptables changes FTP/FTPS PASV mode
I am trying to set iptables so a CLIENT computer can use FTP/FTPS with passive mode.
I have already set the majority of rules via ufw - short extract (skipped listing of IPv6 and other rules for the sake of clarity):
Status: active
Logging: on (low)
Default: deny (incoming), deny (outgoing), deny (routed)
New profiles: skip
To Action From
-- ------ ----
20/tcp ALLOW OUT Anywhere # FTP Data
21/tcp ALLOW OUT Anywhere # FTP Command
22 ALLOW OUT Anywhere # FTPS
989 ALLOW OUT Anywhere # FTPS
21 ALLOW OUT Anywhere # FTP
when I add a rule by ufw:
sudo ufw allow out from any to any port 1025:65535 proto tcp comment "Ephemeral TCP"
Everything works well - a Client can connect to FTPS and list the dir tree + download files.
UFW rules are:
Status: active
Logging: on (low)
Default: deny (incoming), deny (outgoing), deny (routed)
New profiles: skip
To Action From
-- ------ ----
20/tcp ALLOW OUT Anywhere # FTP Data
21/tcp ALLOW OUT Anywhere # FTP Command
22 ALLOW OUT Anywhere # FTPS
989 ALLOW OUT Anywhere # FTPS
21 ALLOW OUT Anywhere # FTP
1025:65535/tcp ALLOW OUT Anywhere # Ephemeral TCP
but this rule:
1025:65535/tcp ALLOW OUT Anywhere # Ephemeral TCP
has the unwanted effect that any communication is allowed from a Client computer to any IP.
That's why I wanted not to use it as a UFW rule but to set it in iptables instead with this command:
sudo iptables -I OUTPUT 1 -m state --state ESTABLISHED -j ACCEPT
so only outgoing communication to an IP that was previously established is allowed.
So we have the UFW rules as in the first listing - without
1025:65535/tcp ALLOW OUT Anywhere # Ephemeral TCP
and iptables listing
sudo iptables -L -n --line-numbers
that gives this output:
Chain OUTPUT (policy DROP)
num target prot opt source destination
1 ACCEPT all -- 0.0.0.0/0 0.0.0.0/0 state ESTABLISHED
2 ufw-before-logging-output all -- 0.0.0.0/0 0.0.0.0/0
3 ufw-before-output all -- 0.0.0.0/0 0.0.0.0/0
4 ufw-after-output all -- 0.0.0.0/0 0.0.0.0/0
5 ufw-after-logging-output all -- 0.0.0.0/0 0.0.0.0/0
6 ufw-reject-output all -- 0.0.0.0/0 0.0.0.0/0
7 ufw-track-output all -- 0.0.0.0/0 0.0.0.0/0
but this does not work: the FTPS client can reach the server but can't list the dir tree or download any files. The outgoing communication is blocked by UFW.
cat /var/log/syslog
gives output:
[UFW BLOCK] IN= OUT=wl0 SRC=192.xxx.xxx.xxx DST=215.xxx.xxx.xx LEN=60 TOS=0x00 PREC=0x00 TTL=64 ID=8271 DF PROTO=TCP SPT=43379 DPT=27918 WINDOW=29200 RES=0x00 SYN URGP=0
I tried to issue commands after updating the rules of the OUTPUT chain in iptables:
sudo iptables-save #echoes all rules, seems not having a problem
sudo iptables-restore #hangs up, needs termination with CTRL+C
but it made no difference.
and:
sudo iptables-apply
gives this error:
Error: rulesfile not readable: /etc/network/iptables.up.rules
some questions:
Why does adding an ESTABLISHED rule to the OUTPUT chain in iptables not make any difference, while adding the rule to UFW helps?
How to add a rule to iptables so that it is allowed to connect to an FTP/FTPS server on an ephemeral TCP port, but only if the connection is preceded by another one to the same IP?
How to apply a new rule set in iptables so it is persistent and loaded on boot, the same as UFW rules are?
In general - is it a good idea to use UFW together with iptables, or should I simply uninstall UFW and use just iptables instead? I would rather rewrite all UFW rules to iptables if that makes life simpler and is better practice than trying to combine the two tools.
ubuntu iptables ftp ufw ftps
asked May 8 at 13:18
Jimmix
Combining can be painful. But did you look at /etc/ufw/before.rules?
– user188737
May 8 at 15:11
1 Answer
FTP passive mode needs connections to ephemeral ports on the FTP server since the actual data transfer is done over different TCP connections.
You could try with some FTP helper (ip_conntrack_ftp) which inspects the FTP control channel and extracts the ports to open only these connections. But this will usually not work with implicit FTPS (port 990) since the control channel is encrypted. And while explicit FTPS (port 21) supports encrypting the control channel only for authentication, not all FTP clients support this behavior - which again makes use of an FTP helper impossible.
In short: don't use FTP. It is a terrible protocol if NAT or firewalls are involved. Use SFTP instead (i.e. file transfer over SSH) which is a completely different protocol and only needs a single port (22) too.
answered May 8 at 14:59
Steffen Ullrich
I'm currently using explicit TLS in FTPS. Unluckily I'm not able to make a choice whether to use FTP(S) or not, since it is defined at the server, out of my control. I'm far away from using the FTP itself. In the majority of cases, from a CLIENT point of view, you aren't the decision maker about the use of FTP or not at the server, so you either bend your system the way you'll download data or you'll end up not having the data. I will try the FTP helper and let you know if it helped.
– Jimmix
May 8 at 15:11
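As an added example (not code from the question or the answer), this script does in shell what the FTP conntrack helper does in the kernel: it derives the passive data endpoint from a cleartext 227 reply, checks whether a UFW BLOCK line like the one in the question is that very connection, and emits the iptables-restore fragment that binds the helper to the control connection so the data connection is accepted as RELATED instead of being dropped as NEW. It assumes Ubuntu 18.04 (kernel 4.15, where automatic helper assignment is off by default), control port 21, and a 227 reply visible in cleartext, which is exactly what explicit FTPS after AUTH TLS (the asker's case) takes away; the sample reply and log lines are constructed, with the DPT taken from the question.

```shell
#!/bin/sh
# Added example, not code from the question or the answer. Assumptions:
# Ubuntu 18.04 (kernel 4.15, iptables 1.6), FTP control port 21, module
# nf_conntrack_ftp (the modern name of ip_conntrack_ftp) available, and a
# cleartext 227 reply; the sample reply and log lines below are constructed.

# RFC 959 passive reply: "227 Entering Passive Mode (h1,h2,h3,h4,p1,p2)".
# Prints "h1.h2.h3.h4:port" with port = p1*256 + p2; fails on a malformed reply.
# This is the parse the conntrack helper performs to create the RELATED expectation.
pasv_endpoint() {
  nums=$(printf '%s\n' "$1" | sed -n 's/^227 .*(\([0-9,]*\)).*$/\1/p')
  [ -n "$nums" ] || return 1
  set -- $(printf '%s\n' "$nums" | tr ',' ' ')
  [ $# -eq 6 ] || return 1
  printf '%s.%s.%s.%s:%d\n' "$1" "$2" "$3" "$4" $(( $5 * 256 + $6 ))
}

# One KEY=value field from a netfilter/UFW log line (empty if absent).
log_field() {
  printf '%s\n' "$1" | tr ' ' '\n' | sed -n "s/^$2=//p" | head -n 1
}

# Succeeds when a logged outbound SYN is exactly the data connection the
# server announced, i.e. the packet the helper would have tagged RELATED.
# Without the helper it is NEW, so a plain ESTABLISHED rule never matches it.
is_pasv_data_block() {
  ep=$(pasv_endpoint "$1") || return 1
  [ "$(log_field "$2" PROTO)" = "TCP" ] || return 1
  printf '%s\n' "$2" | grep -q ' SYN ' || return 1
  [ "$(log_field "$2" DST):$(log_field "$2" DPT)" = "$ep" ]
}

# iptables-restore input. Kernels since 4.7 no longer auto-assign helpers
# (sysctl net.netfilter.nf_conntrack_helper=0), so the control connection is
# bound to the ftp helper explicitly in the raw table. The filter rule must
# say RELATED,ESTABLISHED: ESTABLISHED alone is what the question tried.
ftp_client_rules() {
  cat <<'EOF'
*raw
-A OUTPUT -p tcp --dport 21 -j CT --helper ftp
COMMIT
*filter
-I OUTPUT 1 -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
COMMIT
EOF
}

# Load atomically. --noflush keeps the existing ufw chains; without it every
# table named in the input is emptied first. A bare "iptables-restore" with
# no input just waits on stdin, which is the "hang" seen in the question.
apply_ftp_client_rules() {
  modprobe nf_conntrack_ftp
  ftp_client_rules | iptables-restore --noflush
}

# Constructed samples: documentation addresses, DPT taken from the question.
SAMPLE_PASV='227 Entering Passive Mode (203,0,113,10,109,14)'
SAMPLE_BLOCK='[UFW BLOCK] IN= OUT=wl0 SRC=192.0.2.5 DST=203.0.113.10 LEN=60 TOS=0x00 PREC=0x00 TTL=64 ID=8271 DF PROTO=TCP SPT=43379 DPT=27918 WINDOW=29200 RES=0x00 SYN URGP=0'
SAMPLE_OTHER='[UFW BLOCK] IN= OUT=wl0 SRC=192.0.2.5 DST=203.0.113.10 LEN=60 TOS=0x00 PREC=0x00 TTL=64 ID=8272 DF PROTO=TCP SPT=43380 DPT=443 WINDOW=29200 RES=0x00 SYN URGP=0'

case "${1:-}" in
  --apply) apply_ftp_client_rules ;;
  --demo)
    printf 'helper would expect data connection to %s\n' "$(pasv_endpoint "$SAMPLE_PASV")"
    if is_pasv_data_block "$SAMPLE_PASV" "$SAMPLE_BLOCK"; then
      echo 'logged UFW BLOCK is that passive data connection (NEW, not ESTABLISHED)'
    fi
    ftp_client_rules ;;
esac
```

ufw's default /etc/ufw/before.rules already accepts RELATED,ESTABLISHED in ufw-before-output, so on a ufw host only the *raw section is new and belongs in that file (as the comment on the question suggests) so it survives ufw reload and boot. Run with --apply as root to load the rules, or --demo to see the parsing on the constructed samples.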