ProFTP and APF Problem

dannygoh (Verified User, joined Feb 9, 2004, Malaysia)
Hi,

I upgraded the kernel and my FTP is not working anymore. I can log in but not list directories.


Below is my /var/log/messages:
Jun 21 12:16:15 ns1 kernel: ** OUT_TCP DROP ** IN= OUT=eth0 SRC=216.xx.xx.xx DST=219.xx.xx.xx LEN=44 TOS=0x00 PREC=0x00 TTL=64 ID=4494 DF PROTO=TCP SPT=20 DPT=63019 WINDOW=5840 RES=0x00 SYN URGP=0 OPT (020405B4)
Jun 21 12:16:18 ns1 kernel: ** OUT_TCP DROP ** IN= OUT=eth0 SRC=216.xx.xx.xx DST=219.xx.xx.xx LEN=44 TOS=0x00 PREC=0x00 TTL=64 ID=4496 DF PROTO=TCP SPT=20 DPT=63019 WINDOW=5840 RES=0x00 SYN URGP=0 OPT (020405B4)
Jun 21 12:16:24 ns1 kernel: ** OUT_TCP DROP ** IN= OUT=eth0 SRC=216.xx.xx.xx DST=219.xx.xx.xx LEN=44 TOS=0x00 PREC=0x00 TTL=64 ID=4498 DF PROTO=TCP SPT=20 DPT=63019 WINDOW=5840 RES=0x00 SYN URGP=0 OPT (020405B4)
Jun 21 12:16:36 ns1 kernel: ** OUT_TCP DROP ** IN= OUT=eth0 SRC=216.xx.xx.xx DST=219.xx.xx.xx LEN=44 TOS=0x00 PREC=0x00 TTL=64 ID=4500 DF PROTO=TCP SPT=20 DPT=63019 WINDOW=5840 RES=0x00 SYN URGP=0 OPT (020405B4)

My APF conf:
# Common ingress (inbound) TCP ports
IG_TCP_CPORTS="20,21,22,25,53,80,110,143,443,2222,2223,3306,8090,3310"

# Common ingress (inbound) UDP ports
IG_UDP_CPORTS="20,21,53,32769"

# Common ICMP (inbound) types
# 'internals/icmp.types' for type definition; 'all' is wildcard for any
IG_ICMP_TYPES="3,5,11,0,30,8"

# Egress filtering [0 = Disabled / 1 = Enabled]
EGF="1"

# Common egress (outbound) TCP ports
EG_TCP_CPORTS="20,21,22,25,37,43,53,80,110,143,443,2222,3306,8090,3310"

# Common egress (outbound) UDP ports
EG_UDP_CPORTS="20,21,53,32769"

# Common ICMP egress (outbound) types
# 'internals/icmp.types' for type definition; 'all' is wildcard for any
EG_ICMP_TYPES="all"

My ProFTP conf:
ServerName              "ProFTPd"
ServerType              standalone

Port                    21
UseReverseDNS           off
TimeoutLogin            120
TimeoutIdle             600
TimeoutNoTransfer       900
TimeoutStalled          3600
ScoreboardFile                  /var/run/proftpd/proftpd.pid

TransferLog             /var/log/proftpd/xferlog.legacy
LogFormat               default "%h %l %u %t \"%r\" %s %b"
LogFormat               auth    "%v [%P] %h %t \"%r\" %s"
LogFormat               write   "%h %l %u %t \"%r\" %s %b"

#DON'T modify this log format.  Its used by DirectAdmin to determine user usage
LogFormat               userlog "%u %b"
ExtendedLog             /var/log/proftpd/216.xx.xx.xx.bytes WRITE,READ userlog

AuthUserFile                    /etc/proftpd.passwd
DefaultServer           on

AuthPAM off

<Global>
        DeferWelcome            on

        RequireValidShell       no

        DefaultRoot             ~
        DirFakeUser on ftp
        DirFakeGroup on ftp

        User                    ftp
        Group                   ftp
        #UserAlias              anonymous ftp

        AllowStoreRestart       on
        AllowRetrieveRestart    on

        Umask                   022
        DisplayLogin            welcome.msg
        DisplayFirstChdir       readme
        AllowOverwrite          yes
        IdentLookups            off
        ExtendedLog             /var/log/proftpd/access.log WRITE,READ write

        ExtendedLog             /var/log/proftpd/auth.log AUTH auth

        #
        # Paranoia logging level....
        #
        #ExtendedLog    /var/log/proftpd/paranoid.log ALL default

</Global>

Include /etc/proftpd.vhosts.conf
UseReverseDNS off
IdentLookups off
 
The problem is not with APF itself, but rather with iptables.

Let me guess... you just upgraded your kernel on CentOS 4.x, right?

I'm having the same problem.

I'm still investigating, but so far the only way I've been able to restore FTP/SFTP access is by stopping iptables. Obviously, that's not much of a solution.
 
Here's the fix:

/sbin/modprobe ip_conntrack_ftp

Also, you'll want to add "ip_conntrack_ftp" to the set of modules in iptables-config.
 
I don't know why updating the kernel would cause the problem; the fix is simply to let the kernel know to track the connections ftp uses.

I'm guessing there's some security feature added to the new kernels.

Turning off "passive" ftp would work as well, but most of us prefer to allow it since most ftp clients use it by default.

Jeff
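The dropped packets in the original post are SYNs leaving eth0 from source port 20 to a high port on the client, i.e. the server opening an active-mode (PORT) data connection. Without the FTP conntrack helper nothing marks that connection RELATED to the port-21 control session, so APF's egress filter sees a brand-new outbound connection to a port that is not in EG_TCP_CPORTS and drops it. The script below is an added example, not code from the thread, APF or ProFTPD: it classifies such log lines (active-mode versus passive-mode data drops) and checks whether the helper is loaded and persisted. It assumes the stock Red Hat/CentOS names (ip_conntrack_ftp on the CentOS 4 kernels, nf_conntrack_ftp on newer ones, IPTABLES_MODULES in /etc/sysconfig/iptables-config), a hypothetical PassivePorts range of 60000-60100, and constructed log lines with placeholder addresses.

```shell
#!/bin/sh
# Added example (not from the thread): triage APF/iptables drop lines for FTP
# data connections and check that the FTP connection-tracking helper is loaded
# and persisted. Module and file names are the stock Red Hat/CentOS ones:
# ip_conntrack_ftp on the 2.6 kernels of the CentOS 4 era, nf_conntrack_ftp on
# later kernels, IPTABLES_MODULES in /etc/sysconfig/iptables-config.

# Constructed log lines modelled on the thread's /var/log/messages output
# (documentation-range addresses, not the poster's).
ACTIVE_DROP='Jun 21 12:16:15 ns1 kernel: ** OUT_TCP DROP ** IN= OUT=eth0 SRC=203.0.113.10 DST=198.51.100.20 LEN=44 TOS=0x00 PREC=0x00 TTL=64 ID=4494 DF PROTO=TCP SPT=20 DPT=63019 WINDOW=5840 RES=0x00 SYN URGP=0 OPT (020405B4)'
PASSIVE_DROP='Jun 21 12:20:01 ns1 kernel: ** IN_TCP DROP ** IN=eth0 OUT= SRC=198.51.100.20 DST=203.0.113.10 LEN=60 TOS=0x00 PREC=0x00 TTL=52 ID=7 DF PROTO=TCP SPT=51234 DPT=60010 WINDOW=5840 RES=0x00 SYN URGP=0'
DNS_DROP='Jun 21 12:21:40 ns1 kernel: ** OUT_UDP DROP ** IN= OUT=eth0 SRC=203.0.113.10 DST=198.51.100.53 LEN=60 TOS=0x00 PREC=0x00 TTL=64 ID=9 DF PROTO=UDP SPT=32769 DPT=53 LEN=40'

# Assumed PassivePorts range (hypothetical; ProFTPD: "PassivePorts 60000 60100").
PASV_LO=60000
PASV_HI=60100

# field LINE KEY -> value of the KEY=value token in an iptables log line
# ("" when the key is absent or, like "IN=" on an outbound drop, empty).
field() {
    printf '%s\n' "$1" | sed -n "s/.*[[:space:]]$2=\([^[:space:]]*\).*/\1/p"
}

# classify_drop LINE -> prints one of:
#   active-data   outbound SYN from local port 20: the server is opening an
#                 active-mode (PORT) data connection toward the client and the
#                 egress filter sees an unrelated new connection to a random port
#   passive-data  inbound SYN to a port in the PassivePorts range: the client is
#                 connecting to the data port announced in the server's PASV reply
#   other         anything else
classify_drop() {
    line=$1
    [ "$(field "$line" PROTO)" = TCP ] || { echo other; return; }
    case " $line " in *" SYN "*) ;; *) echo other; return ;; esac
    spt=$(field "$line" SPT)
    dpt=$(field "$line" DPT)
    case $dpt in ''|*[!0-9]*) dpt=0 ;; esac
    if [ -n "$(field "$line" OUT)" ] && [ "$spt" = 20 ]; then
        echo active-data
    elif [ -n "$(field "$line" IN)" ] && [ "$dpt" -ge "$PASV_LO" ] && [ "$dpt" -le "$PASV_HI" ]; then
        echo passive-data
    else
        echo other
    fi
}

# helper_loaded MODULES_FILE -> 0 if an FTP conntrack helper appears in a
# /proc/modules-style listing (pass /proc/modules on the live box).
helper_loaded() {
    grep -Eq '^(ip|nf)_conntrack_ftp[[:space:]]' "$1"
}

# helper_persisted CONFIG_FILE -> 0 if an uncommented IPTABLES_MODULES= line in
# an /etc/sysconfig/iptables-config-style file names the helper, so the
# iptables init script reloads it at boot.
helper_persisted() {
    grep -E '^[[:space:]]*IPTABLES_MODULES=' "$1" | grep -Eq '(ip|nf)_conntrack_ftp'
}

# Diagnosis of the constructed lines.
for l in "$ACTIVE_DROP" "$PASSIVE_DROP" "$DNS_DROP"; do
    printf '%-12s %s...\n' "$(classify_drop "$l")" "$(printf '%s' "$l" | cut -c1-60)"
done

# Live checks, only when run on a box that actually has these files.
if [ -r /proc/modules ]; then
    if helper_loaded /proc/modules; then
        echo "FTP conntrack helper: loaded"
    else
        echo "FTP conntrack helper: NOT loaded -> modprobe nf_conntrack_ftp (ip_conntrack_ftp on CentOS 4 kernels)"
    fi
fi
if [ -r /etc/sysconfig/iptables-config ] && ! helper_persisted /etc/sysconfig/iptables-config; then
    echo 'helper not persisted -> set IPTABLES_MODULES="nf_conntrack_ftp" in /etc/sysconfig/iptables-config'
fi
```

The helper only helps if the ruleset accepts RELATED traffic (the usual `-m state --state ESTABLISHED,RELATED -j ACCEPT` on INPUT and OUTPUT that a stateful ruleset such as APF's depends on). Two caveats: on kernels from 4.7 onward, loading the module is not enough unless net.netfilter.nf_conntrack_helper=1 or a raw-table `-j CT --helper ftp` rule assigns the helper to port 21; and with FTP over TLS the helper cannot read the encrypted PORT/PASV exchange at all, so the PassivePorts range has to be opened explicitly in IG_TCP_CPORTS.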
 
I tried disabling passive FTP. It didn't work.

Like you said, the source of the problem was probably some security update relating to iptables.
 