Thursday, 07 March 2019 17:42

How to configure passive ports range for ProFTPd on a server behind a firewall?

Written by 
Rate this item
(0 votes)

The PassivePorts directive is used in the file /etc/proftpd.conf to specify a passive ports range.

  1. Connect to the Plesk server via SSH.

  2. Create /etc/proftpd.d/55-passive-ports.conf file using the following command:

    # touch /etc/proftpd.d/55-passive-ports.conf

  3. Edit file /etc/proftpd.d/55-passive-ports.conf in any text editor and place the content below as follows:

    PassivePorts 49152 65535 

    Note: Remove PassivePorts directive from /etc/proftpd.conf file if the directive is defined inside.

  4. Specify ports in /etc/proftpd.d/* files as well, if needed. See the ProFTPd documentation for more information regarding the PassivePorts directive.

  5. Next, the nf_conntrack_ftp module should be loaded into the system:

    # /sbin/modprobe nf_conntrack_ftp

    # lsmod | grep conntrack_ftp 
    nf_conntrack_ftp 13696 0 
    nf_conntrack 61684 1 nf_conntrack_ftp

  6. If Plesk Firewall is installed and enabled, specify the port range according to the KB article Unable to connect to FTP in passive mode.

    If another firewall is used to manage iptables rules, use it to allow the passive ports range.

    Otherwise, make sure that the following line exists in the iptables settings:

    # iptables -A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT

  7. If a server is behind the NAT, the nf_nat_ftp module should be loaded:

    # /sbin/modprobe nf_nat_ftp

    In case if FirewallD on CentOS 7 is installed, NAT modules should be added into /etc/modules-load.d/iptables.conf

    # echo nf_nat_ftp >> /etc/modules-load.d/iptables.conf
    # echo nf_conntrack_ftp >> /etc/modules-load.d/iptables.conf

    Note: the action which involves kenel modules configuration should be performed on the barebone hardware or in the virtual machine with full hardware emuation.
    It the container is used, the same actions should be performed on a hardware node side.

  8. To keep the changes after a system reboot, the modules should be added to the IPTABLES_MODULES line in the file /etc/sysconfig/iptables-config as follows:

    # cat /etc/sysconfig/iptables-config | grep IPTABLES_MODULES
    IPTABLES_MODULES="nf_conntrack_ftp nf_conntrack ip_nat_ftp"

    Note: Because the FTP helper modules must read and modify commands being sent over the command channel, they will not work when the command channel is encrypted through use of TLS/SSL.

  9. If it is required to use TLS/SSL for FTP, the only way is to open required ports. Use Plesk Firewall extension for this, or add the rules using iptables:

    # iptables -I INPUT 2 -p tcp --match multiport --dports 49152:65535 -j ACCEPT
    # service iptables save

    Note: Ports should be opened on all firewalls in the network.

  10. Restart the xinetd service to apply changes:

    # service xinetd restart



Read 2592 times

Leave a comment

Make sure you enter the (*) required information where indicated. HTML code is not allowed.