FTP not working in passive mode – proftpd, iptables and ISPconfig

If you are using proftpd FTP server together with iptables firewall, which is the case if you for example are using ISPconfig, you will probably have problems using FTP against your server in passive mode. The problem is that the iptables firewall will not allow the incoming connections in passive mode.

The solution is to configure proftpd to use a small, defined range of incoming ports and open iptables for this range.

1. Edit /etc/proftpd/proftpd.conf and uncomment the #PassivePorts line. If you are using VirtualHost (which is the case if you are running proftpd with ISPconfig), you must wrap this line in <global> and </global> tags so that it applies to every virtual host.

<global>
# In some cases you have to specify passive ports range to by-pass
# firewall limitations. Ephemeral ports can be used for that, but
# feel free to use a more narrow range.
# PassivePorts                  49152 65534
PassivePorts                    50000 50030
</global>

2. If you are using ISPconfig, it is also a good idea to put the following lines inside the <global> and </global> tags, as otherwise they will not affect the VirtualHost that ISPconfig has set up for you.

<global>
# If set to on, you can experience a longer connection delay in many cases.
IdentLookups                    off
DefaultRoot ~
ServerIdent on "FTP Server ready."
</global>

3. Restart proftpd by issuing the command:

# /etc/init.d/proftpd restart

4. Edit your iptables config so it includes the following rule, which accepts the incoming data connections on the passive port range:

iptables -A INPUT -p tcp -m tcp --dport 50000:50030 -j ACCEPT

5. Reload iptables so the new rule is active.

6. Test a passive-mode transfer from an FTP client outside the server.
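The following shell script is an added example, not part of the original post and not from the proftpd or ISPconfig projects. It ties steps 1, 4 and 6 together: it reads the active PassivePorts directive out of a proftpd.conf, checks that the directive sits inside a <global> section (the point of step 1), validates the range, and derives the iptables rule from it so the firewall range can never drift away from what proftpd actually announces to clients. The function names (passive_range, passive_in_global, validate_range, iptables_rule, apply_passive_rule, sample_conf) and the embedded sample configuration are my own constructions; the only path it assumes is /etc/proftpd/proftpd.conf from the post.

```shell
#!/bin/sh
# Added example (not from the original post): keep the proftpd PassivePorts
# range and the iptables rule in sync instead of editing two files by hand.

# Print the first active (uncommented) PassivePorts directive as "low:high".
# Reads the config from the file given as $1, or from stdin when no file is given.
passive_range() {
    awk 'tolower($1) == "passiveports" { print $2 ":" $3; exit }' "$@"
}

# Exit 0 only if the PassivePorts directive appears inside <global> ... </global>;
# outside that section it would not apply to an ISPconfig VirtualHost.
passive_in_global() {
    awk '
        tolower($1) == "<global>"  { g = 1 }
        tolower($1) == "</global>" { g = 0 }
        tolower($1) == "passiveports" { found = 1; ok = g; exit }
        END { status = (found && ok) ? 0 : 1; exit status }
    ' "$@"
}

# Accept a "low:high" range only if both ends are numeric, above the
# privileged ports, within the TCP port space, and in ascending order.
validate_range() {
    lo=${1%%:*}
    hi=${1##*:}
    [ -n "$lo" ] && [ -n "$hi" ] || return 1
    case "$lo$hi" in *[!0-9]*) return 1 ;; esac
    [ "$lo" -ge 1024 ] && [ "$hi" -le 65535 ] && [ "$lo" -le "$hi" ]
}

# Build the exact rule the post shows in step 4 for a given "low:high" range.
iptables_rule() {
    printf 'iptables -A INPUT -p tcp -m tcp --dport %s -j ACCEPT\n' "$1"
}

# Idempotently apply the rule on a live host (needs root and iptables).
# -C checks whether the rule already exists; -I inserts it at the top of
# INPUT so it cannot be shadowed by a trailing DROP rule.
apply_passive_rule() {
    range=$1
    if ! iptables -C INPUT -p tcp -m tcp --dport "$range" -j ACCEPT 2>/dev/null; then
        iptables -I INPUT -p tcp -m tcp --dport "$range" -j ACCEPT
    fi
}

# Constructed sample mirroring the post's <global> block (not a real server's file).
sample_conf() {
    cat <<'EOF'
<global>
# Ephemeral ports can be used for that, but feel free to use a more narrow range.
# PassivePorts                  49152 65534
PassivePorts                    50000 50030
IdentLookups                    off
DefaultRoot ~
</global>
EOF
}

# Stand-alone demo on the embedded sample. On a real host you would instead run:
#   range=$(passive_range /etc/proftpd/proftpd.conf) && validate_range "$range" \
#       && apply_passive_rule "$range"
range=$(sample_conf | passive_range)
if sample_conf | passive_in_global && validate_range "$range"; then
    echo "PassivePorts $range is inside <global>; matching firewall rule:"
    iptables_rule "$range"
else
    echo "PassivePorts missing, outside <global>, or invalid: $range" >&2
fi
```

The post appends the rule with -A; that only works if nothing earlier in INPUT already drops the traffic, which is why apply_passive_rule inserts with -I instead. The -C check needs a reasonably recent iptables (1.4.11 or later). After reloading, step 6 is simply a passive transfer from a client on another network: if the listing or download still hangs after the PASV reply, the port range in the reply is the first thing to compare against the rule.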
