Context
I was trying to get vsftpd working on my VPS. But I wanted the service to allow the use of a web interface, accessible to anonymous users, to browse the FTP folder... something like ftp://blablabla.com, without opening my firewall completely.
Passive FTP
After installing vsftpd, I changed the configuration file so that anonymous users can only browse the contents, while local users can browse and upload:
listen=YES
anonymous_enable=YES
local_enable=YES
write_enable=YES
anon_upload_enable=NO
dirmessage_enable=YES
xferlog_enable=YES
nopriv_user=nobody
ftpd_banner=Welcome to andrecardoso.eu FTP
chroot_local_user=YES
ls_recurse_enable=YES
secure_chroot_dir=/var/run/vsftpd
pam_service_name=vsftpd
rsa_cert_file=/etc/ssl/certs/ssl-cert-snakeoil.pem
rsa_private_key_file=/etc/ssl/private/ssl-cert-snakeoil.key
This worked just fine using an FTP client: I only had port 21 open in iptables and everything worked. However, when trying to browse the FTP folder with an ordinary browser, it didn't work. Apparently, if I'm not mistaken, this happens because of the way passive FTP opens data ports: the server picks a second, high-numbered port for the data connection, and the client has to connect to it. So what was happening was that my firewall was blocking those data connections from my browser.
To solve this, I googled a lot, but every page I visited told me to write some rules after enabling these iptables modules:
ip_conntrack ip_conntrack_ftp ports
For me, this was not a very good solution, because I was working on a VPS with no way to enable the modules in question. But finally I got to a page with another solution that worked for me.
The solution was to make vsftpd use only a known range of ports for passive data connections, and then tell iptables to accept new connections on that range. There's much more to this, but I don't know the details.
So, in the vsftpd configuration file, I added:
pasv_max_port=65534
pasv_min_port=49152
And my iptables rules now have the following for FTP:
sudo iptables -I INPUT 6 -p tcp --dport ftp -j ACCEPT
sudo iptables -I INPUT 7 -m state --state NEW -p tcp --syn --dport 49152:65534 -j ACCEPT
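Because the firewall range has to match the range in vsftpd.conf exactly (a typo in either side gives the same "browser hangs" symptom as before), here is an added example, not from the original post, that reads pasv_min_port/pasv_max_port from a vsftpd.conf you pass in, checks the range is sane, and prints the two iptables commands for review rather than running them:

```shell
#!/bin/sh
# Added example (not part of the original post). Reads the passive-port range
# from a vsftpd.conf, validates it, and prints the matching iptables commands.
# Nothing here calls iptables; the output is meant to be reviewed first.

# Print "min max" taken from the given vsftpd.conf. Fails if either key is
# missing, if the range is reversed, or if it touches privileged ports.
pasv_range() {
    conf="$1"
    min=$(sed -n 's/^pasv_min_port=\([0-9]*\)[[:space:]]*$/\1/p' "$conf" | tail -n 1)
    max=$(sed -n 's/^pasv_max_port=\([0-9]*\)[[:space:]]*$/\1/p' "$conf" | tail -n 1)
    [ -n "$min" ] && [ -n "$max" ] || return 1
    [ "$min" -ge 1024 ] && [ "$min" -le "$max" ] && [ "$max" -le 65535 ] || return 1
    echo "$min $max"
}

# Number of ports the second rule opens to NEW connections; every port in this
# span is reachable from anywhere, so keep the range as narrow as the expected
# number of concurrent transfers allows (the post's 49152-65534 is 16383 ports).
pasv_span() {
    range=$(pasv_range "$1") || return 1
    set -- $range
    echo $(( $2 - $1 + 1 ))
}

# Emit the two rules from the post, with the data range taken from the config
# so the firewall can never drift away from what vsftpd actually uses.
pasv_rules() {
    range=$(pasv_range "$1") || return 1
    set -- $range
    echo "iptables -I INPUT 6 -p tcp --dport ftp -j ACCEPT"
    echo "iptables -I INPUT 7 -m state --state NEW -p tcp --syn --dport $1:$2 -j ACCEPT"
}
```

Run it as `pasv_rules /etc/vsftpd.conf` (path assumed) and compare the printed rules with `iptables -S INPUT` before applying anything.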
Folders and permissions
I was using /home/ftp/ as the FTP root, which was owned by root with no write permissions for group or others. This was a problem when uploading files, because I was simply prevented from creating files in that folder. So I gave write permissions to everyone on that folder. That did not go very well; I got the error:
500 OOPS: vsftpd: refusing to run with writable anonymous root
To solve this, I had to put back the original permissions on /home/ftp/ itself, and create another folder inside /home/ftp/ which had write permissions for everyone.
References
- http://www.linuxforums.org/forum/servers/13232-iptables-vsftpd.html
- http://esourcehome.com/blog/?tag=iptables
- http://vsftpd.beasts.org/