Web Hosting Talk

plesk and iptables


sexshun
02-08-2006, 01:27 AM
I just got a box with plesk and was wondering if anyone had any issues with their ftp server with iptables on.

FTP transfers are slow and just to bring up a directory listing takes like 5 seconds. When I disable iptables everything works fine.

These are the rules in my iptables right now that were set by default.

*filter
:INPUT ACCEPT [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
:RH-Firewall-1-INPUT - [0:0]
-A INPUT -j RH-Firewall-1-INPUT
-A FORWARD -j RH-Firewall-1-INPUT
-A RH-Firewall-1-INPUT -i lo -j ACCEPT
-A RH-Firewall-1-INPUT -p icmp --icmp-type any -j ACCEPT
-A RH-Firewall-1-INPUT -p 50 -j ACCEPT
-A RH-Firewall-1-INPUT -p 51 -j ACCEPT
-A RH-Firewall-1-INPUT -p udp --dport 5353 -d 224.0.0.251 -j ACCEPT
-A RH-Firewall-1-INPUT -p udp -m udp --dport 631 -j ACCEPT
# replies to connections already tracked by conntrack
-A RH-Firewall-1-INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
# FTP control channel
-A RH-Firewall-1-INPUT -m state --state NEW -m tcp -p tcp --dport 21 -j ACCEPT
-A RH-Firewall-1-INPUT -m state --state NEW -m tcp -p tcp --dport 22 -j ACCEPT
-A RH-Firewall-1-INPUT -m state --state NEW -m tcp -p tcp --dport 25 -j ACCEPT
-A RH-Firewall-1-INPUT -m state --state NEW -m tcp -p tcp --dport 53 -j ACCEPT
-A RH-Firewall-1-INPUT -m state --state NEW -m udp -p udp --dport 53 -j ACCEPT
-A RH-Firewall-1-INPUT -m state --state NEW -m tcp -p tcp --dport 80 -j ACCEPT
-A RH-Firewall-1-INPUT -m state --state NEW -m tcp -p tcp --dport 110 -j ACCEPT
-A RH-Firewall-1-INPUT -m state --state NEW -m tcp -p tcp --dport 143 -j ACCEPT
-A RH-Firewall-1-INPUT -m state --state NEW -m tcp -p tcp --dport 443 -j ACCEPT
-A RH-Firewall-1-INPUT -m state --state NEW -m tcp -p tcp --dport 993 -j ACCEPT
-A RH-Firewall-1-INPUT -m state --state NEW -m tcp -p tcp --dport 995 -j ACCEPT
-A RH-Firewall-1-INPUT -m state --state NEW -m tcp -p tcp --dport 3306 -j ACCEPT
# high port range intended for passive FTP data connections
-A RH-Firewall-1-INPUT -m state --state NEW -m tcp -p tcp --dport 60000:65000 -j ACCEPT
-A RH-Firewall-1-INPUT -m state --state NEW -m tcp -p tcp --dport 8443 -j ACCEPT
# everything else is rejected
-A RH-Firewall-1-INPUT -j REJECT --reject-with icmp-host-prohibited
COMMIT


Anyone see anything that could be causing my issue?

jbwebhosting
02-08-2006, 09:24 AM
Find your proftpd.conf file, and scroll down to the section that says:
<Directory /usr/local/psa/home/vhosts>
GroupOwner psacln
</Directory>
Change it to look like this instead:


<Directory /usr/local/psa/home/vhosts>
GroupOwner psacln
HideNoAccess On
HideGroup root
</Directory>

jbwebhosting
02-08-2006, 09:32 AM
Sorry, I submitted the wrong thing :)

add the following to /etc/proftp.include

IdentLookups off
UseReverseDNS off
Quotas on
AllowStoreRestart on
AllowRetrieveRestart on
TimeoutNoTransfer 900
TimeoutIdle 1800

Please disregard my first post... I'm sleepy ;)

jbwebhosting
02-08-2006, 09:35 AM
Also, it might be proftpd.conf instead, because the .include might get reset by Plesk from time to time.

sexshun
02-08-2006, 11:46 AM
Thanks for the reply, I have added those values to the end of my .conf file and I still have the issue. Wanted to let you know I had about half of those already set by default to what you specified.

Do you really think it's the FTP? Do you think I need to add some passive ports and forward those in my firewall?

EDIT: I think I fixed the problem. I added the value "PassivePorts 60000 65000" to my conf file, since those were already being forwarded in my firewall, and that seems to have cured the problem.
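As an added example (not code from the thread), here is a small Python check that parses iptables-save style rules and a proftpd.conf fragment and confirms that the PassivePorts range is fully covered by an ACCEPT rule for NEW TCP connections; the sample rules and config below are constructed from the ones posted above. It assumes no conntrack FTP helper is loaded, which matches the symptoms in the thread.

```python
import re

# Constructed sample: the relevant lines of the default Plesk rule set from
# the thread, and the PassivePorts directive that fixed the problem.
IPTABLES_RULES = """\
-A RH-Firewall-1-INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
-A RH-Firewall-1-INPUT -m state --state NEW -m tcp -p tcp --dport 21 -j ACCEPT
-A RH-Firewall-1-INPUT -m state --state NEW -m tcp -p tcp --dport 60000:65000 -j ACCEPT
-A RH-Firewall-1-INPUT -j REJECT --reject-with icmp-host-prohibited
"""
PROFTPD_CONF = "PassivePorts 60000 65000\n"

# Matches "--dport 21" or "--dport 60000:65000" on a TCP ACCEPT rule.
RULE_RE = re.compile(r"-p tcp .*--dport (\d+)(?::(\d+))? -j ACCEPT")


def accepted_tcp_ranges(rules: str):
    """Return (low, high) destination port ranges that accept NEW TCP connections."""
    ranges = []
    for line in rules.splitlines():
        if "--state NEW" not in line:
            continue  # ESTABLISHED,RELATED does not admit a fresh data connection
        m = RULE_RE.search(line)
        if m:
            low = int(m.group(1))
            high = int(m.group(2) or low)
            ranges.append((low, high))
    return ranges


def passive_ports(conf: str):
    """Parse the PassivePorts directive; None means proftpd picks random high ports."""
    m = re.search(r"^\s*PassivePorts\s+(\d+)\s+(\d+)", conf, re.M)
    return (int(m.group(1)), int(m.group(2))) if m else None


def passive_ftp_ok(rules: str, conf: str) -> bool:
    """True only if a fixed passive range exists and a single ACCEPT rule covers all of it."""
    pr = passive_ports(conf)
    if pr is None:
        return False  # random ephemeral ports will land on the final REJECT rule
    return any(low <= pr[0] and pr[1] <= high for low, high in accepted_tcp_ranges(rules))


if __name__ == "__main__":
    print("passive FTP range reachable:", passive_ftp_ok(IPTABLES_RULES, PROFTPD_CONF))
```

Without a PassivePorts directive the data connection uses an arbitrary high port outside 60000:65000, hits the REJECT rule, and the client waits on the timeout, which is the slow directory listing described above.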