CentOS - Jan 2009 - ProFTPd under CentOS 5.2 running FTPS - iptables problem

Hello,

I am setting up ProFTPd daemon (from EPEL repository) under CentOS 5.2
and I need encrypted connection. Daemon is configured perfectly, there
is no problem - if iptables is off connection is smoothly established,
but when iptables is on, connection in FTP client ends on command LIST
without response. Last command with response (positive) is PASV.

Thank you for your replies
Martin ??astn?

> Hello,
>
> I am setting up ProFTPd daemon (from EPEL repository) under CentOS 5.2
> and I need encrypted connection. Daemon is configured perfectly, there
> is no problem - if iptables is off connection is smoothly established,
> but when iptables is on, connection in FTP client ends on command LIST
> without response. Last command with response (positive) is PASV.
>
> Thank you for your replies
> Martin ??astn?
> _______________________________________________
> CentOS mailing list
> CentOS at centos.org
> http://lists.centos.org/mailman/listinfo/centos
Hi!

The issue is probably with the way FTP is handled. I see two possible 
solutions:

1. Use the ip_conntrack_ftp module of IPtables. What this does is setting 
iptables aware that the data FTP connection should also be allowed since
it's
related to the original one on port 21. Google for more info on it (and the 
exact module name)

2. If you only need encrypted traffic, using SFTP makes sense. It only uses 
the port 22 (It's a subsystem of SSH) and its encryption is very good.

Regards.

Thank you,

I will check it. But - is this only possible solution?

SFTP I am using only for administration purposes (yeah, it is quite
easy to set it up :-D) and it?s better for me, to make FTPS for
customers and SFTP only for me.

2009/1/26 German Andres Pulido <gpulido at
gtscolombia.com>:
>> Hello,
>>
>> I am setting up ProFTPd daemon (from EPEL repository) under CentOS 5.2
>> and I need encrypted connection. Daemon is configured perfectly, there
>> is no problem - if iptables is off connection is smoothly established,
>> but when iptables is on, connection in FTP client ends on command LIST
>> without response. Last command with response (positive) is PASV.
>>
>> Thank you for your replies
>> Martin ??astn?
>> _______________________________________________
>> CentOS mailing list
>> CentOS at centos.org
>> http://lists.centos.org/mailman/listinfo/centos
>
> Hi!
>
> The issue is probably with the way FTP is handled. I see two possible
> solutions:
>
> 1. Use the ip_conntrack_ftp module of IPtables. What this does is setting
> iptables aware that the data FTP connection should also be allowed since
it's
> related to the original one on port 21. Google for more info on it (and the
> exact module name)
>
> 2. If you only need encrypted traffic, using SFTP makes sense. It only uses
> the port 22 (It's a subsystem of SSH) and its encryption is very good.
>
> Regards.
>

happymaster23 wrote:
> Thank you,
> 
> I will check it. But - is this only possible solution?
> 
> SFTP I am using only for administration purposes (yeah, it is quite
> easy to set it up :-D) and it?s better for me, to make FTPS for
> customers and SFTP only for me.
If you control the other end as well, why not use scp or rsync over ssh 
which are easier to script anyway?

-- 
   Les Mikesell
    lesmikesell at gmail.com

You know, because I am to lazy. All users has shell /sbin/nologin and
all security this are set to only one account via SSH. I am normally
providing FTP access for users and is much easier to give them secured
FTP than other method (SFTP) imcompatible with FTP.

I have an idea - if I use CentOS native FTP daemon (vsFTPd I think),
will there be any change or there is no sense?

Thank you very much

2009/1/26 Les Mikesell <lesmikesell at gmail.com>:
> happymaster23 wrote:
>> Thank you,
>>
>> I will check it. But - is this only possible solution?
>>
>> SFTP I am using only for administration purposes (yeah, it is quite
>> easy to set it up :-D) and it?s better for me, to make FTPS for
>> customers and SFTP only for me.
>
> If you control the other end as well, why not use scp or rsync over ssh
> which are easier to script anyway?
>
> --
>   Les Mikesell
>    lesmikesell at gmail.com
>
> _______________________________________________
> CentOS mailing list
> CentOS at centos.org
> http://lists.centos.org/mailman/listinfo/centos
>