Tweaked vsftpd+ssl to co-operate with iptables today. As it turns out, iptables' ip_nat_ftp and ip_conntrack_ftp helpers cannot (obviously) track encrypted packets, so the connection tracking fails. Since I wanted to force SSL on the FTP server, I had to force the passive traffic to specific ports, and open those ports in iptables.
Adjustments to /etc/sysconfig/iptables:
-A RH-Firewall-1-INPUT -m state --state ESTABLISHED,RELATED \
-m tcp -p tcp --dport 5120 -j ACCEPT
-A RH-Firewall-1-INPUT -m state --state NEW,ESTABLISHED \
-m tcp -p tcp --dport 5121 -j ACCEPT
-A RH-Firewall-1-INPUT -p tcp --dport 5000:5100 -j ACCEPT
Where 5121 is the port used for the control connection and authentication (i.e. the port the FTP server listens on), 5120 is the FTP data port (defaults to the FTP port minus 1), and the port range 5000-5100 is the one used for passive-mode (PASV) data connections.
vsftpd was adjusted to use the newly opened ports for connections and transfers, and to force SSL connections.
/etc/vsftpd/vsftpd.conf:
listen_port=5121
ftp_data_port=5120
pasv_min_port=5000
pasv_max_port=5100
ssl_enable=YES
allow_anon_ssl=NO
force_local_data_ssl=YES
force_local_logins_ssl=YES
ssl_tlsv1=YES
ssl_sslv2=YES
ssl_sslv3=YES
rsa_cert_file=/etc/vsftpd/vsftpd.pem
The self-signed certificate and key for SSL are generated with OpenSSL; both are written into the same PEM file, which is what rsa_cert_file points at:
openssl req -x509 -nodes -days 7300 -newkey rsa:2048 -keyout /etc/vsftpd/vsftpd.pem -out /etc/vsftpd/vsftpd.pem
Works like a charm. =)
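The firewall rules above only work while they agree with the ports in vsftpd.conf. The following script, added here and not part of the original post, derives the required ACCEPT rules from a vsftpd.conf body and reports which of them are missing from an iptables-save dump. It assumes the chain name from the post (RH-Firewall-1-INPUT) and vsftpd's own defaults of 21 for listen_port and 20 for ftp_data_port when those keys are unset.

```shell
#!/bin/sh
# Added example, not from the original post: derive the iptables rules that a
# vsftpd.conf implies and diff them against an iptables-save dump, so the
# passive range in vsftpd.conf and the firewall cannot drift apart.
# Assumes the chain name from the post (RH-Firewall-1-INPUT) and vsftpd's
# defaults of 21 for listen_port and 20 for ftp_data_port when unset.

CHAIN='-A RH-Firewall-1-INPUT'

# Constructed sample config (mirrors the post) so the script runs offline.
VSFTPD_CONF='listen_port=5121
ftp_data_port=5120
pasv_min_port=5000
pasv_max_port=5100
ssl_enable=YES'

# conf_get KEY CONF: value of KEY in a vsftpd.conf body (first match, empty if absent)
conf_get() {
    printf '%s\n' "$2" | sed -n "s/^$1=//p" | head -n 1
}

# required_rules CONF: print the three ACCEPT rules this config needs.
# Fails when no explicit passive range (>0) is set, because vsftpd then
# picks any ephemeral port and no fixed firewall rule can cover it.
required_rules() {
    lp=$(conf_get listen_port "$1");   lp=${lp:-21}
    dp=$(conf_get ftp_data_port "$1"); dp=${dp:-20}
    lo=$(conf_get pasv_min_port "$1")
    hi=$(conf_get pasv_max_port "$1")
    [ -n "$lo" ] && [ -n "$hi" ] && [ "$lo" -gt 0 ] && [ "$lo" -le "$hi" ] || return 1
    printf '%s -m state --state ESTABLISHED,RELATED -m tcp -p tcp --dport %s -j ACCEPT\n' "$CHAIN" "$dp"
    printf '%s -m state --state NEW,ESTABLISHED -m tcp -p tcp --dport %s -j ACCEPT\n' "$CHAIN" "$lp"
    printf '%s -p tcp --dport %s:%s -j ACCEPT\n' "$CHAIN" "$lo" "$hi"
}

# missing_rules CONF DUMP: print each required rule that is absent from an
# iptables-save dump (one line per missing rule, nothing when all are present)
missing_rules() {
    required_rules "$1" | while IFS= read -r rule; do
        printf '%s\n' "$2" | grep -qF -- "$rule" || printf '%s\n' "$rule"
    done
}
```

In practice run `missing_rules "$(cat /etc/vsftpd/vsftpd.conf)" "$(iptables-save)"` after every change to the passive range; any line it prints is a port vsftpd may hand to a client that the firewall will still drop. The script deliberately checks only the port plumbing; the ssl_sslv2/ssl_sslv3 lines in the config above are worth revisiting separately, since both protocol versions are long deprecated.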
Sounds nice, what about user management w/ vsftpd, is it easy to create..
(accounts and passwords for ftp..) I don't like to create a new user on the system (useradd <.....> -s /bin/nologin or something..), I want a mysql table or something like that (can use a diff passwd for ftp and a diff one for login) :-)
Must test that ssl+iptables+vsftpd some day =)