Configuring Linux firewalls and routers for vsftp on a non-standard port

Ted Roche tedroche at tedroche.com
Thu Mar 29 13:28:36 EDT 2007


I've got a single-static IP DSL line, using a TDS-supplied DSL "modem"
which in turn is connected to a LinkSys WRT54G router. The "modem" has
all firewall capabilities turned off. The router has the static IP set
on its WAN site, and standard NAT, non-routable Class C 192.168.1.0/24
NAT configured on the LAN side.

The server is running CentOS 4, IPtables, Apache, WebMin, vsftpd. The
server has a fixed IP address of 192.168.1.92. The router has ports 80
and 443 forwarded to the .92 address for http and https, port XXXXX for
WebMin and a non-standard (>1024) port for ssh. I did have port 21
opened for ftp, but the logs were getting full and the machine was
getting dragged down by 60,000+ script-kiddie login attempts a day. So,
I've attempted to move ftp to a non-standard port, and finally got it
resolved, but would welcome some enlightenment about why the changes
were necessary.

A Google finally pulled up a RedHat RHEL3 page that describes the
configuration options a bit more friendly than the man page:

http://www.redhat.com/docs/manuals/enterprise/RHEL-3-Manual/ref-guide/s1-ftp-vsftpd-conf.html

I reconfigured vsftpd to listen on port 8021, reconfigured IPtables via
WebMin to allow traffic on 8021, and changed the port on the LinkSys
router to allow traffic on 8021 and block port 21. Restarted vsftpd and
IPtables. When I issue 'ftp example.com 8021' I am able to log in, but I
can't upload, download or get a directory list, due to an error getting
into "Passive Mode:"

ftp> put example.jpg
local: example.jpg remote: example.jpg
227 Entering Passive Mode (192,168,1,92,67,193)
ftp: connect: No route to host
ftp>

I then added the following to vsftpd.conf, one line at a time until I
got it to work:

# Added 29-Mar-2007 to put vsftpd on a non-standard port
listen_port=8021
pasv_address=aa.bbb.cc.dd
pasv_max_port=8029
pasv_min_port=8023

I also changed the hardware router to forward ports 8023-8029 to the
machine, and IPTables to allow them through.

My question: Why did I have to add the passive address and port range to
the ftp server to get it to work? When it was on the standard ftp port,
it worked fine without the passive address and ports specified.

-- 
Ted Roche
Ted Roche & Associates, LLC
http://www.tedroche.com


More information about the gnhlug-discuss mailing list