happymaster23
2009-Jan-26 16:43 UTC
[CentOS] ProFTPd under CentOS 5.2 running FTPS - iptables problem
Hello,

I am setting up the ProFTPd daemon (from the EPEL repository) under CentOS 5.2 and I need an encrypted connection. The daemon is configured perfectly, there is no problem: if iptables is off the connection is smoothly established, but when iptables is on, the connection in the FTP client stops at the LIST command without a response. The last command with a (positive) response is PASV.

Thank you for your replies
Martin Šťastný
German Andres Pulido
2009-Jan-26 17:15 UTC
[CentOS] ProFTPd under CentOS 5.2 running FTPS - iptables problem
Hi!

The issue is probably with the way FTP is handled. I see two possible solutions:

1. Use the ip_conntrack_ftp module of iptables. What this does is make iptables aware that the FTP data connection should also be allowed, since it's related to the original one on port 21. Google for more info on it (and the exact module name).

2. If you only need encrypted traffic, using SFTP makes sense. It only uses port 22 (it's a subsystem of SSH) and its encryption is very good.

Regards.
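An added example to go with the first suggestion above (it is not code from the thread or from the ProFTPd project). The ip_conntrack_ftp helper works by reading the 227 PASV reply on the control channel and opening the announced data port as RELATED; with FTPS the control channel is TLS-encrypted, so the helper cannot see that reply and the data connection is dropped. The usual way around it is to pin ProFTPd's passive ports to a fixed range with PassivePorts and open that range in iptables. The range 60000-60100, the rule text and the sample 227 replies below are assumptions constructed for the example:

```shell
#!/bin/sh
# Added example, not from the original thread. Pins ProFTPd's passive data
# ports to a fixed range and emits matching iptables rules, because the
# ip_conntrack_ftp helper cannot parse a PASV reply on a TLS-encrypted
# control channel. The range 60000-60100 is an assumption.

PASV_LOW=60000
PASV_HIGH=60100

# proftpd.conf fragment: restrict passive data ports to the pinned range.
proftpd_passive_conf() {
    printf 'PassivePorts %s %s\n' "$PASV_LOW" "$PASV_HIGH"
}

# iptables rules printed as text so they can be reviewed before being applied:
# the control port, the pinned passive range, and ESTABLISHED,RELATED for
# the server's side of each accepted connection.
iptables_ftps_rules() {
    printf 'iptables -A INPUT -p tcp --dport 21 -m state --state NEW -j ACCEPT\n'
    printf 'iptables -A INPUT -p tcp --dport %s:%s -m state --state NEW -j ACCEPT\n' \
        "$PASV_LOW" "$PASV_HIGH"
    printf 'iptables -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT\n'
}

# Parse a 227 reply such as "227 Entering Passive Mode (192,168,1,10,234,96)"
# into the announced data port (p1*256 + p2). Prints nothing and returns 1
# when the line is not a well-formed 227 reply.
pasv_port() {
    case "$1" in
        227*\(*,*,*,*,*,*\)*) ;;
        *) return 1 ;;
    esac
    inner=${1#*\(}
    inner=${inner%%\)*}
    p1=$(printf '%s' "$inner" | cut -d, -f5)
    p2=$(printf '%s' "$inner" | cut -d, -f6)
    case "$p1$p2" in
        *[!0-9]*|"") return 1 ;;
    esac
    echo $((p1 * 256 + p2))
}

# Check that the port announced in a PASV reply (as seen in a client's
# debug log) falls inside the range the firewall allows. Returns 0 when it
# does, 1 when it is outside the range, 2 when the reply cannot be parsed.
pasv_port_allowed() {
    port=$(pasv_port "$1") || return 2
    [ "$port" -ge "$PASV_LOW" ] && [ "$port" -le "$PASV_HIGH" ]
}

# Constructed sample replies (not captured from the poster's server):
# 234*256+96 = 60000 is inside the range, 200*256+0 = 51200 is outside it.
if [ "${1:-}" = "demo" ]; then
    proftpd_passive_conf
    iptables_ftps_rules
    pasv_port_allowed "227 Entering Passive Mode (192,168,1,10,234,96)" && echo "60000 allowed"
    pasv_port_allowed "227 Entering Passive Mode (192,168,1,10,200,0)" || echo "51200 blocked"
fi
```

Run it with `sh ftps-pasv.sh demo` to print the config fragment and the rules; feed the 227 line from a failing client's log to `pasv_port_allowed` to confirm whether the announced port is one the firewall would accept. The conntrack helper remains the right answer for plain FTP, where the control channel is readable.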
happymaster23
2009-Jan-26 17:48 UTC
[CentOS] ProFTPd under CentOS 5.2 running FTPS - iptables problem
Thank you,

I will check it. But is this the only possible solution?

I am using SFTP only for administration purposes (yeah, it is quite easy to set it up :-D), and it's better for me to make FTPS for customers and SFTP only for me.

2009/1/26 German Andres Pulido <gpulido at gtscolombia.com> wrote (quoted reply above).
Les Mikesell
2009-Jan-26 18:24 UTC
[CentOS] ProFTPd under CentOS 5.2 running FTPS - iptables problem
happymaster23 wrote (quoted reply above).

If you control the other end as well, why not use scp or rsync over ssh, which are easier to script anyway?

--
Les Mikesell
lesmikesell at gmail.com
happymaster23
2009-Jan-26 19:49 UTC
[CentOS] ProFTPd under CentOS 5.2 running FTPS - iptables problem
You know, because I am too lazy. All users have the shell /sbin/nologin and all the security things are set to only one account via SSH. I am normally providing FTP access for users, and it is much easier to give them secured FTP than another method (SFTP) incompatible with FTP.

I have an idea: if I use the CentOS native FTP daemon (vsFTPd, I think), will there be any difference, or does it make no sense?

Thank you very much

2009/1/26 Les Mikesell <lesmikesell at gmail.com> wrote (quoted reply above).