[CentOS] OT: Proftpd and Iptables

Fri Sep 16 03:47:01 UTC 2005
Ed Morrison <edward.morrison at gmail.com>

Hi Peoples,

I'm still beating my head with the Proftpd although I have solved my 
original issue.  That turned out to be an iptables issue and I'm 
beginning to wonder if iptables is playing with me again.  I have an FTP 
server that allows anonymous downloads and with specific accounts able 
to upload to the anonymous directory.  The problem is, those users 
cannot upload.  I have attached my proftpd conf file and my iptables for 
those willing to take a look and provide some feedback:

Thanks for any feedback.



Iptables:

#!/bin/bash

# Make sure modules are loaded (modprobe resolves names and dependencies;
# insmod would need the full path to each .ko file)
modprobe ip_tables
modprobe ip_conntrack
modprobe ip_conntrack_ftp   # tracks PORT/PASV so data connections become RELATED
modprobe ipt_state

# Flush any existing rules
iptables -F

# Block x.x.x.x/x.x.x.x
iptables -A INPUT -s 194.150.236.171  -j DROP
iptables -A INPUT -s 213.193.230.2    -j DROP
iptables -A INPUT -s 205.134.230.2    -j DROP
iptables -A INPUT -s 201.15.13.42     -j DROP
iptables -A INPUT -s 61.100.12.125    -j DROP
iptables -A INPUT -s 193.136.200.48   -j DROP
iptables -A INPUT -s 61.218.41.152    -j DROP
iptables -A INPUT -s 61.183.22.0/24   -j DROP
iptables -A INPUT -s 80.228.206.0/24  -j DROP
iptables -A INPUT -s 67.94.106.0/24   -j DROP




# Allow other traffic
# iptables -A INPUT -j ACCEPT
iptables -A INPUT -p tcp -m tcp --dport 21  -j ACCEPT   # FTP control channel (clients connect to 21, not 20)
iptables -A INPUT -p tcp -m tcp --dport 20  -j ACCEPT   # FTP active-mode data port; the server dials out from 20, so this rarely matches inbound
iptables -A INPUT -p tcp -m tcp --dport 22  -j ACCEPT   # SSH
iptables -A INPUT -p tcp -m tcp --dport 25  -j ACCEPT   # SMTP
iptables -A INPUT -p tcp -m tcp --dport 80  -j ACCEPT   # HTTP
iptables -A INPUT -p tcp -m tcp --dport 110 -j ACCEPT   # POP3
iptables -A INPUT -p tcp -m tcp --dport 443 -j ACCEPT   # HTTPS

# Passive-mode data connections arrive on a high port; ip_conntrack_ftp
# marks them RELATED to the control connection, so accept them that way
# instead of opening the whole passive port range
iptables -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT


iptables -A INPUT  -p icmp           -m state --state ESTABLISHED,RELATED     -j ACCEPT
# The two port-21 rules below cover this box acting as an FTP *client*
iptables -A INPUT  -p tcp --sport 21 -m state --state ESTABLISHED             -j ACCEPT
iptables -A OUTPUT -p tcp --dport 21 -m state --state NEW,ESTABLISHED         -j ACCEPT
iptables -A OUTPUT -p icmp           -m state --state NEW,ESTABLISHED,RELATED -j ACCEPT

# Drop all other traffic
# While this stays commented out, anything not matched above falls through
# to the INPUT chain's default policy (ACCEPT unless changed with -P)
#iptables -A INPUT -j DROP



Proftpd conf:

AuthPAMAuthoritative            on
IdentLookups                    off
UseReverseDNS                   off
Port                            21
Umask                           022
ListOptions                     "-a"
AllowRetrieveRestart            on
AllowStoreRestart               on
MaxInstances                    20
User                            nobody
Group                           nobody
ScoreboardFile                  /var/run/proftpd.score

# <Global> settings are inherited by every <VirtualHost> and <Anonymous>
# block; this grants SITE CHMOD to all users unless a block below
# overrides it with a more specific <Limit>
<Global>
  AllowOverwrite                       yes
  <Limit ALL SITE_CHMOD>
    AllowAll
  </Limit>
</Global>
LogFormat                       default "%h %l %u %t \"%r\" %s %b"
LogFormat                       auth    "%v [%P] %h %t \"%r\" %s"
TransferLog                     /var/log/proftpd/xferlog
ExtendedLog                     /var/log/proftpd/access.log WRITE,READ
ExtendedLog                     /var/log/proftpd/auth.log AUTH auth

UseFTPUsers                     off

# Upload account: applies to logins as the Unix user "gps" (there is no
# UserAlias here), who must supply a real password.  Files are written
# as gps:gps with the Umask above, so /var/ftp/pub must be writable by gps.
<Anonymous /var/ftp/pub>
AnonRequirePassword             on
User                            gps
Group                           gps
#DefaultChdir                    /var/ftp/pub/
RequireValidShell               off
# WRITE already covers STOR (plus APPE, DELE, MKD, RNTO and the other
# write commands), so the separate STOR limit is redundant but harmless
<Limit STOR>
  AllowAll
</Limit>
<Limit WRITE>
  AllowAll
</Limit>
</Anonymous>

# Classic read-only anonymous account: "ftp" or "anonymous", no password,
# chrooted to ~ftp and started in /pub
<Anonymous ~ftp>
User                            ftp
Group                           ftp
AccessGrantMsg                  "Anonymous login ok, restrictions apply."
UserAlias                       anonymous ftp
DefaultChdir                    /pub/
RequireValidShell               off
AnonRequirePassword             off
  <Limit LOGIN>
    AllowAll
  </Limit>
  # Deny every write command (STOR is already part of WRITE)
  <Limit WRITE>
    DenyAll
  </Limit>
  <Limit STOR>
    DenyAll
  </Limit>
  <Limit READ>
    AllowAll
  </Limit>
</Anonymous>
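An added example, not part of the original post and not ProFTPD or CentOS code: a small Python probe that logs in as the upload account, attempts a STOR in passive and then in active mode, and maps the server's reply to the layer that most likely refused it. A 5xx reply means proftpd itself rejected the write (a `<Limit>` or directory permission problem); a 425/426 reply or a plain timeout on the data connection means the packets never got through, which points at iptables or at `ip_conntrack_ftp` not tracking the session. The host, account, password and directory are placeholders.

```python
"""Upload probe for an FTP account, with failure classification.

Hypothetical helper for the "users cannot upload" problem: it logs in,
attempts a STOR into the upload directory in passive and then active mode,
deletes the test file if it got through, and maps the server's reply to
the layer that most likely rejected it.  Host, account, password and
directory are placeholders, not values from the original post.
"""
import ftplib
import io
import socket
import sys

# RFC 959 reply codes seen on a failed STOR, grouped by the usual cause
DATA_CHANNEL_CODES = {425, 426}   # can't open / lost the data connection
PERMISSION_CODES = {550, 553}     # action not taken: permission or file name
LOGIN_CODES = {530}               # not logged in / login refused


def classify_reply(reply):
    """Map an FTP error reply such as "550 Permission denied" to a likely cause."""
    try:
        code = int(reply.split(None, 1)[0])
    except (ValueError, IndexError):
        return "unparseable reply"
    if code in DATA_CHANNEL_CODES:
        return "data channel: firewall/conntrack (RELATED rule, ip_conntrack_ftp) or passive ports"
    if code in PERMISSION_CODES:
        return "server refused the write: <Limit WRITE>/<Limit STOR>, directory owner and mode"
    if code in LOGIN_CODES:
        return "login refused: AnonRequirePassword, RequireValidShell, PAM or ftpusers"
    return "other server error (%d)" % code


def probe_upload(host, user, password, directory, passive=True, timeout=10):
    """Try one STOR and return (ok, diagnosis).

    A timeout on the data connection, rather than an FTP reply, is the
    signature of packets being dropped silently, i.e. a firewall.
    """
    name = ".upload-probe"
    try:
        ftp = ftplib.FTP(host, timeout=timeout)
        ftp.login(user, password)
        ftp.set_pasv(passive)
        ftp.cwd(directory)
        ftp.storbinary("STOR " + name, io.BytesIO(b"probe\n"))
        ftp.delete(name)          # clean up if the upload went through
        ftp.quit()
        return True, "upload ok (%s mode)" % ("passive" if passive else "active")
    except ftplib.Error as e:     # error_perm, error_temp, error_reply, error_proto
        return False, classify_reply(str(e))
    except socket.timeout:
        # passive: the server must accept the inbound data connection;
        # active: the client must accept the server's connection from port 20
        return False, "timed out: packets dropped, check iptables on the %s side" % (
            "server" if passive else "client")
    except OSError as e:
        return False, "connection error: %s" % e


def probe_both_modes(host, user, password, directory):
    """Run the probe in passive and active mode; a result that differs
    between modes points at the firewall on the side that must accept
    the data connection in the failing mode."""
    return {
        "passive": probe_upload(host, user, password, directory, passive=True),
        "active": probe_upload(host, user, password, directory, passive=False),
    }


if __name__ == "__main__":
    # placeholder invocation: ./ftpprobe.py ftp.example.org gps secret /
    args = sys.argv[1:5] if len(sys.argv) >= 5 else ["ftp.example.org", "gps", "secret", "/"]
    for mode, (ok, why) in probe_both_modes(*args).items():
        print("%-7s %s: %s" % (mode, "OK" if ok else "FAIL", why))
```

Run it from a machine outside the server's firewall so the passive-mode result reflects the server's INPUT chain; if passive fails with a timeout but active succeeds, the missing piece is on the server (the RELATED rule or the `ip_conntrack_ftp` module), whereas a `550` in both modes means iptables is not involved and the answer is in the proftpd `<Limit>` blocks or the ownership of the upload directory.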