*Outgoing* FTP connections failing with CSF firewall enabled

device68 (Registered Oct 15, 2019, London, cPanel Access Level: Root Administrator)
Hi

Wondering if you can help. I've tried my web host, but they seem unable to provide any useful response to what might be going on, and I have tried everything I'm capable of, including some guides I have read here.

The server is running CentOS 7.7 (Virtuozzo) with cPanel/WHM version 82.0.16.

The server is using the CSF firewall, and I believe iptables is also installed, although I'm not sure if this has much relevance to the issue I'll describe.

I have a site that periodically sends files over standard FTP to remote servers using PHP. This all worked perfectly for years until I moved to the new server (which is a near-identical set-up to the old one, including firewall settings), but I have recently found that, rather randomly, connections to remote servers would fail and then on repeated upload attempts randomly work.

Using my own local server as a test, I noted that FileZilla was presenting a "Data connection can't be established" message, which I suspect is what the other remote server had also generated, albeit randomly.

As such, and most recently, I changed the script to specifically use a 'passive' connection, which from what I have read seems to be the ideal way to go in order to at least avoid the above message. This is the current set-up I'm sticking with.

However, the server seems to be blocking the connection.

I've checked the CSF firewall configuration both via WHM and on the command line ("nano /etc/csf/csf.conf"), and currently these ports are set:

CSF Firewall Config

Code:
# Allow incoming TCP ports
TCP_IN = "20,21,22,2211,25,53,80,110,143,443,465,587,993,995,2077,2078,2079,2080,2082,2083,2086,2087,2095,2096,8443,49152:65534,30000:35000"

# Allow outgoing TCP ports
TCP_OUT = "20,21,22,2211,25,37,43,53,80,110,113,443,587,873,993,995,2086,2087,2089,2703"

# Allow incoming UDP ports
UDP_IN = "20,21,53"
Note: the last entry 30000:35000 in TCP_IN was added by CSF after I tried its "Fix common problems" option.

I also checked the PureFTPd config ("nano /var/cpanel/conf/pureftpd/main"), which has the following settings:

I have not touched the main.cache file.

PureFTP Config

Code:
AllowAnonymousFXP: 'no'
AllowUserFXP: 'no'
AltLog: xferlog:/etc/apache2/logs/domlogs/ftpxferlog
AnonymousCanCreateDirs: 'no'
AnonymousCantUpload: 'yes'
AnonymousOnly: 'no'
AntiWarez: 'yes'
AutoRename: 'no'
Bind: 21
BrokenClientsCompatibility: 'no'
ChrootEveryone: 'yes'
CustomerProof: 'yes'
Daemonize: 'No'
DisplayDotFiles: 'no'
DontResolve: 'yes'
ExtAuth: /var/run/ftpd.sock
LimitRecursion: 10000 8
MaxClientsNumber: 200
MaxClientsPerIP: 8
MaxDiskUsage: 99
MaxIdleTime: 3600
MaxLoad: 4
MinUID: 100
NoAnonymous: 'yes'
PassivePortRange: 49152 65534
ProhibitDotFilesRead: 'no'
ProhibitDotFilesWrite: 'no'
RootPassLogins: 'yes'
SyslogFacility: ftp
TLS: 1
TLSCipherSuite: HIGH
Umask: 133:022
VerboseLog: 'no'
Note: I'm not sure if the server is or isn't behind a NAT (not that I understand what this even means), but I did try the ForcePassiveIP configuration option, and this seemed to make no difference to the outcome.

Lastly, I checked the iptables configuration ("nano /etc/sysconfig/iptables"), which has similar entries to what was suggested here:


IPTABLES config

Code:
-A INPUT ! -i lo -p tcp -m conntrack --ctstate NEW -m tcp --dport 49152:65534 -j ACCEPT
-A INPUT ! -i lo -p tcp -m conntrack --ctstate NEW -m tcp --dport 30000:35000 -j ACCEPT
-A INPUT ! -i lo -p udp -m conntrack --ctstate NEW -m udp --dport 20 -j ACCEPT
-A INPUT ! -i lo -p udp -m conntrack --ctstate NEW -m udp --dport 21 -j ACCEPT
Note: As a test I added the second line of the code above, purely because CSF added these extra ports to the firewall. I understand that these ports are probably defunct.

Now, with all of these being set, trying to upload files via the server basically fails; however, if I turn the CSF firewall off, or add the remote server IP to the firewall, files transfer over passive like normal.

This leads me to assume something within the Firewall config is doing this, but what?

As far as I'm aware the firewall settings are allowing connections, but I'm hoping someone here can shed some light on what's happening and what else I can try to resolve this WITH the firewall active.

Remote FTP Server log

If it's of any help, below is an FTP log extract which shows a connection that works and one that just fails.

Code:
> Connected on port 21, sending welcome message...
> USER feeds
> 331 Password required for feeds
> PASS *************
> 230 Logged on
> PASV
> 227 Entering Passive Mode (94,9,102,218,11,202)
> TYPE I
> 200 Type set to I
> STOR 358.zip
> 150 Opening data channel for file upload to server of "/358.zip"
> 226 Successfully transferred "/358.zip"
> QUIT
> 221 Goodbye
> disconnected.

> Connected on port 21, sending welcome message...
> USER feeds
> 331 Password required for feeds
> PASS *************
> 230 Logged on
> PASV
> 227 Entering Passive Mode (94,9,102,218,15,92)
> TYPE I
> 200 Type set to I
> QUIT
> 221 Goodbye
> disconnected.
Just to be clear: if I leave the script to connect by default in 'Active' mode when making FTP connections, with the firewall on, the upload works intermittently; forcing Passive just doesn't work at all for any server it's trying to connect with.

Cheers
 

device68

*UPDATE*

It seems I've managed to largely solve the issue by adding the following:

First, it looks like what was needed to ultimately get connections working was to add the passive ports in the TCP_OUT box.

CSF Config now looks like:

Code:
# Allow incoming TCP ports
TCP_IN = "20,21,22,2211,25,53,80,110,143,443,465,587,993,995,2077,2078,2079,2080,2082,2083,2086,2087,2095,2096,8443,49152:65534,30000:50000"

# Allow outgoing TCP ports
TCP_OUT = "20,21,22,2211,25,37,43,53,80,110,113,443,587,873,993,995,2086,2087,2089,2703,49152:65534,30000:50000"
I removed the previously mentioned entry from iptables and left this as it was by default, as further tests found this had no effect.

Lastly, I updated the PureFTP config to include the lower limit for the ports so it has a wider range:

Code:
PassivePortRange: 30000 65534
Although the lower range of 30000 - 50000 wasn't needed to solve the problem with the tests I was running (the issue was the missing 49152:65534), I've factored it in just in case some servers are querying a port in the lower limit. No idea if that's even a valid point, but no major harm I guess.

Overall this may seem reasonably obvious. I had looked at the TCP_OUT field a number of times and did feel that maybe something needed to go there, as the regular ports were present, but I only recently found an article that stipulated the passive ports should go there as well, just as a general rule of setting up Passive FTP with CSF. Most other articles just focused on the TCP_IN field. Having said that, I think most people are concerned with connecting to their server via FTP, and not specifically sending data out via FTP as in my case.

Anyway, hopefully this helps someone trying the same thing as me.
 
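Decoding the "227 Entering Passive Mode" replies in the log from the first post, and checking the port ranges from this update, as an added example that is not part of the original thread or of CSF/PureFTPd: the script below parses a CSF TCP_IN/TCP_OUT list, computes the data port announced in a 227 reply as p1*256 + p2 (RFC 959), and reports which parts of a PureFTPd PassivePortRange the lists do not cover. The config strings and the two log lines embedded in it are copied from the posts above; the function names and the report layout are the example's own. It compares numbers only: it does not model the kernel's FTP connection-tracking helper (nf_conntrack_ftp), which, when loaded, can let the data connection through as RELATED regardless of TCP_OUT, so a port this check reports as not listed may still pass on a host where that helper is active.

```python
"""Added example (not from the original thread or from CSF/PureFTPd).

Decode the data port in an FTP "227 Entering Passive Mode" reply and check
it, and PureFTPd's PassivePortRange, against CSF's TCP_IN / TCP_OUT lists.
Numbers only: the kernel's FTP conntrack helper, if loaded, is not modelled.
"""
import re

# Copied from the posts above: CSF lists before and after the update.
TCP_OUT_BEFORE = "20,21,22,2211,25,37,43,53,80,110,113,443,587,873,993,995,2086,2087,2089,2703"
TCP_OUT_AFTER = TCP_OUT_BEFORE + ",49152:65534,30000:50000"
TCP_IN_AFTER = ("20,21,22,2211,25,53,80,110,143,443,465,587,993,995,2077,2078,2079,2080,"
                "2082,2083,2086,2087,2095,2096,8443,49152:65534,30000:50000")

# The two 227 replies from the remote-server log in the first post.
PASV_REPLIES = [
    "> 227 Entering Passive Mode (94,9,102,218,11,202)",
    "> 227 Entering Passive Mode (94,9,102,218,15,92)",
]

PASV_RE = re.compile(r"227[^(]*\((\d+),(\d+),(\d+),(\d+),(\d+),(\d+)\)")


def parse_csf_ports(spec):
    """Turn a CSF port list ("80,443,30000:35000") into (low, high) tuples."""
    ranges = []
    for item in spec.replace('"', "").split(","):
        item = item.strip()
        if not item:
            continue
        lo, _, hi = item.partition(":")
        ranges.append((int(lo), int(hi or lo)))
    return ranges


def parse_pasv(reply):
    """Return (ip, port) from a 227 reply; port = p1*256 + p2 per RFC 959."""
    m = PASV_RE.search(reply)
    if not m:
        raise ValueError("not a 227 passive-mode reply: %r" % reply)
    h1, h2, h3, h4, p1, p2 = (int(g) for g in m.groups())
    if p1 > 255 or p2 > 255:
        raise ValueError("port bytes out of range in %r" % reply)
    return "%d.%d.%d.%d" % (h1, h2, h3, h4), p1 * 256 + p2


def port_allowed(port, ranges):
    """True if any (low, high) entry contains the port."""
    return any(lo <= port <= hi for lo, hi in ranges)


def uncovered(lo, hi, ranges):
    """Sub-ranges of lo..hi that no entry in ranges covers (empty = fully covered)."""
    gaps = []
    cursor = lo
    for rlo, rhi in sorted(ranges):
        if rhi < cursor:
            continue
        if rlo > hi:
            break
        if rlo > cursor:
            gaps.append((cursor, rlo - 1))
        cursor = max(cursor, rhi + 1)
        if cursor > hi:
            break
    if cursor <= hi:
        gaps.append((cursor, hi))
    return gaps


def check_passive_setup(tcp_in, tcp_out, passive_lo, passive_hi, replies):
    """Report inbound gaps (our PureFTPd) and outbound verdicts (our PHP client)."""
    in_ranges = parse_csf_ports(tcp_in)
    out_ranges = parse_csf_ports(tcp_out)
    data_ports = [parse_pasv(r)[1] for r in replies]
    return {
        # Inbound: remote clients connect to our PassivePortRange, so TCP_IN must cover it.
        "tcp_in_gaps": uncovered(passive_lo, passive_hi, in_ranges),
        # Outbound: our client connects to whatever port the remote server announced,
        # so that port must be listed in TCP_OUT (or pass via the conntrack helper).
        "data_ports": [(p, port_allowed(p, out_ranges)) for p in data_ports],
    }


if __name__ == "__main__":
    for label, out in (("before", TCP_OUT_BEFORE), ("after", TCP_OUT_AFTER)):
        report = check_passive_setup(TCP_IN_AFTER, out, 30000, 65534, PASV_REPLIES)
        print(label, "- TCP_IN gaps for PassivePortRange 30000-65534:", report["tcp_in_gaps"])
        for port, ok in report["data_ports"]:
            print("  remote data port %d: %s in TCP_OUT" % (port, "listed" if ok else "not listed"))
```

For the two 227 replies in the first post the decoded data ports are 3018 and 3932, which neither the original nor the updated TCP_OUT list contains; the ranges added in this update cover remote servers that announce ports from 30000 upward, and TCP_IN now covers the whole PassivePortRange of 30000-65534 with no gap. When diagnosing a failure, decode the 227 reply from the actual remote server and run it through this check rather than assuming the remote uses the same passive range as your own PureFTPd.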

cPanelLauren (Product Owner, Staff member, Registered Nov 14, 2017, Houston)
The passive ports you added later are indeed the correct passive ports; what's in CSF should match the default for FTP in /etc/pure-ftpd.conf (or pro, if you're using that). I am glad to see you resolved that though, and thanks for updating with the solution!