iptables and vsftpd with ssl

25 Sep 2006 1:21 (Edited: 25 Sep 2006 1:21)

Tweaked vsftpd+SSL to co-operate with iptables today. As it turns out, iptables' ip_nat_ftp and ip_conntrack_ftp cannot (obviously) track encrypted packets: the FTP helper learns which data ports to expect by reading the PORT/PASV commands on the control channel, and once that channel is inside TLS it sees nothing, so connection tracking of the data connections fails. Since I wanted to force SSL on the FTP server, I had to pin the passive traffic to a fixed port range and open those ports in iptables.

Adjustments to /etc/sysconfig/iptables (each rule on one line; iptables-restore does not accept backslash line continuation):

-A RH-Firewall-1-INPUT -m state --state ESTABLISHED,RELATED -m tcp -p tcp --dport 5120 -j ACCEPT
-A RH-Firewall-1-INPUT -m state --state NEW,ESTABLISHED -m tcp -p tcp --dport 5121 -j ACCEPT
-A RH-Firewall-1-INPUT -p tcp --dport 5000:5100 -j ACCEPT

Here 5121 is the control port used for authentication (i.e. the port the FTP server listens on), 5120 is the FTP data port used for active-mode transfers (defaults to the control port minus one), and the range 5000-5100 is the one used for passive-mode (PASV) data connections.

vsftpd was adjusted to use the newly opened ports for control and data connections, and to require SSL.

/etc/vsftpd/vsftpd.conf:

listen_port=5121
ftp_data_port=5120
pasv_min_port=5000
pasv_max_port=5100

ssl_enable=YES
allow_anon_ssl=NO
force_local_data_ssl=YES
force_local_logins_ssl=YES
ssl_tlsv1=YES
ssl_sslv2=YES
ssl_sslv3=YES
rsa_cert_file=/etc/vsftpd/vsftpd.pem
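The whole point of the setup above is that the ports in vsftpd.conf and the ports opened in iptables must agree, because the conntrack helper can no longer fill the gap. The following is an added example written for this page, not code from the post or from vsftpd: a small Python check that parses a vsftpd.conf and a set of iptables rules (both constructed inline from the values shown above), verifies that the control port, the data port and every port of the passive range are accepted by the firewall, and flags TLS settings that leave plaintext or SSLv2/SSLv3 enabled. The defaults it assumes for unset keys are taken from vsftpd.conf(5); the rule parser is deliberately narrow and only understands `-p tcp ... --dport N[:M] -j ACCEPT` lines.

```python
import re

# Constructed inputs: the values from the post, embedded so the check runs offline.
VSFTPD_CONF = """\
listen_port=5121
ftp_data_port=5120
pasv_min_port=5000
pasv_max_port=5100
ssl_enable=YES
allow_anon_ssl=NO
force_local_data_ssl=YES
force_local_logins_ssl=YES
ssl_tlsv1=YES
ssl_sslv2=YES
ssl_sslv3=YES
rsa_cert_file=/etc/vsftpd/vsftpd.pem
"""

IPTABLES_RULES = """\
-A RH-Firewall-1-INPUT -m state --state ESTABLISHED,RELATED -m tcp -p tcp --dport 5120 -j ACCEPT
-A RH-Firewall-1-INPUT -m state --state NEW,ESTABLISHED -m tcp -p tcp --dport 5121 -j ACCEPT
-A RH-Firewall-1-INPUT -p tcp --dport 5000:5100 -j ACCEPT
"""

# Defaults from vsftpd.conf(5) for the keys this check looks at (assumption: current man page).
DEFAULTS = {
    "listen_port": "21", "ftp_data_port": "20",
    "pasv_min_port": "0", "pasv_max_port": "0",
    "ssl_enable": "NO", "ssl_sslv2": "NO", "ssl_sslv3": "NO", "ssl_tlsv1": "YES",
    "force_local_logins_ssl": "YES", "force_local_data_ssl": "YES",
}


def parse_vsftpd_conf(text):
    """Parse key=value lines on top of the defaults; comments and blank lines are ignored."""
    conf = dict(DEFAULTS)
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        key, sep, value = line.partition("=")
        if sep:
            conf[key.strip()] = value.strip()
    return conf


def accepted_tcp_dports(rules_text):
    """Collect (low, high) destination-port ranges from TCP ACCEPT rules."""
    ranges = []
    for line in rules_text.splitlines():
        if "-j ACCEPT" not in line or "-p tcp" not in line:
            continue
        m = re.search(r"--dport\s+(\d+)(?::(\d+))?", line)
        if m:
            low = int(m.group(1))
            high = int(m.group(2)) if m.group(2) else low
            ranges.append((low, high))
    return ranges


def port_open(port, ranges):
    return any(low <= port <= high for low, high in ranges)


def check_ports(conf, ranges):
    """Return mismatches between vsftpd's ports and the firewall (empty list = consistent)."""
    problems = []
    for key in ("listen_port", "ftp_data_port"):
        port = int(conf[key])
        if not port_open(port, ranges):
            problems.append(f"{key}={port} is not accepted by the firewall")
    pmin, pmax = int(conf["pasv_min_port"]), int(conf["pasv_max_port"])
    if pmin == 0 or pmax == 0:
        # Without a pinned range vsftpd picks any free port, and because the FTP
        # conntrack helper cannot read PASV replies inside TLS, nothing opens it.
        problems.append("pasv_min_port/pasv_max_port not pinned; passive data connections will be dropped")
    else:
        missing = [p for p in range(pmin, pmax + 1) if not port_open(p, ranges)]
        if missing:
            problems.append(f"{len(missing)} passive ports not accepted (first: {missing[0]})")
    return problems


def check_tls(conf):
    """Flag settings that leave plaintext logins or obsolete protocol versions enabled."""
    if conf["ssl_enable"] != "YES":
        return ["ssl_enable=NO: logins and data are sent in the clear"]
    problems = []
    for key in ("force_local_logins_ssl", "force_local_data_ssl"):
        if conf[key] != "YES":
            problems.append(f"{key}={conf[key]} lets local users fall back to plaintext")
    for key in ("ssl_sslv2", "ssl_sslv3"):
        if conf[key] == "YES":
            problems.append(f"{key}=YES enables an obsolete protocol version; set it to NO")
    return problems


def harden_tls(conf):
    """Return a copy with SSLv2/SSLv3 switched off and TLS kept on."""
    fixed = dict(conf)
    fixed.update({"ssl_sslv2": "NO", "ssl_sslv3": "NO", "ssl_tlsv1": "YES"})
    return fixed


if __name__ == "__main__":
    conf = parse_vsftpd_conf(VSFTPD_CONF)
    ranges = accepted_tcp_dports(IPTABLES_RULES)
    for problem in check_ports(conf, ranges) + check_tls(conf):
        print("WARNING:", problem)
    print("after hardening:", check_tls(harden_tls(conf)))
```

Run against the post's own values the port check comes back clean, while the TLS check reports ssl_sslv2=YES and ssl_sslv3=YES: those were ordinary settings in 2006, but on any current OpenSSL build both should be NO (which is what harden_tls produces), leaving TLS as the only accepted protocol; vsftpd's ssl_ciphers option can then be used to restrict the cipher suites further.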

The self-signed certificate and its private key are generated with OpenSSL, both into the single PEM file that rsa_cert_file points at (since it holds the private key, it should be readable only by root):

openssl req -x509 -nodes -days 7300 -newkey rsa:2048 -keyout /etc/vsftpd/vsftpd.pem -out /etc/vsftpd/vsftpd.pem

Works like a charm. =)

Tags: encryption  howto  iptables  setup  ssl  vsftpd 


User comments

  • by Jannejt @ 06 Nov 2006 6:19

    Sounds nice. What about user management with vsftpd, is it easy to create..

    (accounts and passwords for ftp..) I don't like to create a new user on the system (useradd <.....> -s /bin/nologin or something..), I want a mysql table or something like that (can use a different passwd for ftp and a different one for login) :-)

    must test that ssl+iptables+vsftpd some day =)

  • by Ketola @ 13 Nov 2006 3:23

    You can use e.g. pam_userdb or pam_pwdfile for authentication. See

    ftp://vsftpd.beasts.org/users/cevans/untar/vsftpd-2.0.5/EXAMPLE/

    for more information.
