passive ports

Configure passive ports range for ProFTPd

Usually, if a client is behind a firewall, it can only transfer files over a passive FTP connection.

Edit /etc/proftpd.conf and specify the passive ports range. Place it in the 'Global' container:

<Global>
...
...
# Use the IANA registered ephemeral port range
PassivePorts 49152 65534
</Global>

Reference: proftpd.org

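Load the ip_conntrack_ftp module and add the iptables rule, so that the passive ports open automatically for the connected client. The module tracks the FTP control connection and marks the matching data connection as RELATED: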

# /sbin/modprobe ip_conntrack_ftp
# lsmod | grep conntrack_ftp
ip_conntrack_ftp       41489  0
ip_conntrack           91237  4 xt_state,xt_conntrack,ip_conntrack_ftp,ip_conntrack_irc

Add the following iptables rule:

iptables -A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT

If the server is behind NAT, the ip_nat_ftp module should also be loaded:

# /sbin/modprobe ip_nat_ftp
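
One way to verify the result, as an added example that is not part of the original page: the script below reads the PassivePorts range from a config file and checks that the data port advertised in a server's "227 Entering Passive Mode" reply falls inside it. The function names are hypothetical, and the config and reply in the demo are constructed sample inputs.

```shell
#!/bin/sh
# Added example. Function names are hypothetical; sample inputs are constructed.

# Print "MIN MAX" from the first PassivePorts directive in a config file.
passive_range() {
    awk '$1 == "PassivePorts" && $2 ~ /^[0-9]+$/ && $3 ~ /^[0-9]+$/ {
             print $2, $3; found = 1; exit
         }
         END { if (!found) exit 1 }' "$1"
}

# Data port from "227 Entering Passive Mode (h1,h2,h3,h4,p1,p2)":
# port = p1 * 256 + p2 (RFC 959).
pasv_port() {
    nums=$(printf '%s\n' "$1" |
        sed -n 's/^227 .*(\([0-9]\{1,3\}\(,[0-9]\{1,3\}\)\{5\}\)).*$/\1/p')
    [ -n "$nums" ] || return 1
    printf '%s\n' "$nums" | awk -F, '
        NF == 6 && $5 <= 255 && $6 <= 255 { print $5 * 256 + $6; ok = 1 }
        END { exit !ok }'
}

# Return 0 if the advertised port is inside the configured range,
# 1 if it is outside, 2 if either input cannot be parsed.
check_pasv_reply() {
    range=$(passive_range "$1") || { echo "no PassivePorts directive" >&2; return 2; }
    port=$(pasv_port "$2") || { echo "not a valid 227 reply" >&2; return 2; }
    min=${range% *}
    max=${range#* }
    if [ "$port" -ge "$min" ] && [ "$port" -le "$max" ]; then
        echo "port $port is inside $min-$max"
    else
        echo "port $port is outside $min-$max" >&2
        return 1
    fi
}

# Demo with a constructed config and a constructed reply
# (192.0.2.10 is a documentation address).
demo_conf=$(mktemp)
printf '<Global>\nPassivePorts 49152 65534\n</Global>\n' > "$demo_conf"
check_pasv_reply "$demo_conf" '227 Entering Passive Mode (192,0,2,10,192,10).'
rm -f "$demo_conf"
```

A port outside the range means the directive is not in effect for that connection, for example because it sits outside the container that applies or the server was not restarted after the edit.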
