Yet another adventure in Linux land. This time, it was largely due to issues with iptables.
First of all, installing vsftpd was rather easy. Issuing aptitude install vsftpd with superuser privileges was all. Configuration didn’t take all that much work either, but it dragged on due to this being my first time and having to look up the manual.
The configuration for vsftpd is located at
/etc/vsftpd.conf. Out of the box, vsftp allows anonymous read access. The first order of the day was to disable that by changing the variable.
Users in vsftpd can either be local accounts, or vsftpd specific ones. I used local accounts to save myself the hassle since all my local accounts have their permissions set correctly already and what not.
By default, all user accounts (including local) are only granted read access. Adding the following line enables write and modify permissions.
At this stage. vsftpd is configured and ready to run. However, if you’re behind a firewall, some additional configuration needs to be done to allow vsftp listen and pass through it. To the novice who is inexperienced with iptables like myself, this turned out to be quite an adventure. Before we get to that however, it is imperative to understand how FTP works.
FTP works in two modes, active and passive. A detailed and extremely useful explanation of the difference between the two can be found on http://slacksite.com/other/ftp.html. Briefly, in active FTP, the client initiates a connection to the listening server’s control port, and when data transfer is required, the client opens up a port and lets the server know via the control channel which port on the client side to send the data to. Thus, it requires the client open a port in the listening state. This doesn’t quite work if the client is behind a firewall or NAT. In passive FTP, the client initiates the connection to the server’s control port. The server then dynamically opens up another port and lets the client know this port number via the control channel. The client would then initiate a connection to this port for data transfer. In summary, active FTP requires an open port on both the client and server side, and passive ftp requires two open ports on the server side while none on the client’s.
While the server listens on port 21 constantly for incoming connections, and we can specify that as such in the firewall, the dynamically created port creates an issue since it’s open only when required, and is usually a random port in a port range. Having all these ports constantly open is not feasible as it’d be a security issue. To get around this, the firewall has to be stateful react accordingly.
Two things need to be done. First, add the stateful rule in iptables.
-A INPUT -p tcp -m state --state NEW --dport 21 -j ACCEPT
Next, we’re going have to enable the module that allows connection tracking for FTP so that our stateful rule would work. This can be done simply by running
modprobe ip_conntrack_ftp as superuser. In order to make command permanent however, we need to add it to the
/etc/modules file so that it runs on startup.
Took a bit of work, but we now have a fully functional FTP server. My adventures in Linux land continues.