I set out tonight to rebuild the websites, and instead discovered a wee little gotcha in firewalling.
It seems that ftp builds not one but two connections, one for control and one for data. (It's an old protocol, and security didn't matter when everyone knew everyone.) Go see a book for the details, but the end result is that plain vanilla iptables will NOT recognize the second (data) connection as RELATED to the first. Bill McCarty's Linux Firewalls, which I have been relying on, seems to have made the same mistake.
I don't have an ftp server inside the firewall, but we need to both upload to and download from other servers. If you just enable port 21 with --state NEW, you can start the session, but it dies on the PORT command.
I went googling, and sure enough the maintainers of iptables do ftp too. The secret is to modprobe ip_nat_ftp and ip_conntrack_ftp, and then magically ftp works.
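To make the gotcha concrete, here is an added example (my own script, not from the post or from the iptables project) for the setup described above: no ftp server inside, outbound ftp from the LAN allowed. The first function decodes the address that travels inside the control stream in a PORT command or a 227 passive-mode reply; that is exactly what the conntrack helper reads in order to know which data connection to expect and mark RELATED. The rest loads the helpers and installs a minimal ruleset. The outside interface name, the sample PORT/227 lines and the `apply` argument are assumptions of the example.

```shell
#!/bin/sh
# Added example, not part of the original post.

# Decode "PORT h1,h2,h3,h4,p1,p2" (client, active mode) or
# "227 Entering Passive Mode (h1,h2,h3,h4,p1,p2)." (server, passive mode)
# into host:port. The data connection goes to this address, which a firewall
# cannot know unless something parses the control stream, which is what
# ip_conntrack_ftp does so the data connection can be classed RELATED.
decode_hostport() {
    # Keep only digits, split on the gaps, and take the last six fields
    # (the 227 reply has a leading reply code we must skip).
    set -- $(printf '%s' "$1" | tr -c '0-9\n' ' ')
    shift $(( $# - 6 ))
    printf '%s.%s.%s.%s:%s\n' "$1" "$2" "$3" "$4" $(( $5 * 256 + $6 ))
}

load_ftp_helpers() {
    # Module names as given in the post (2.4-era kernels). On newer kernels
    # they are nf_conntrack_ftp and nf_nat_ftp (assumption: not from the post).
    modprobe ip_conntrack_ftp
    modprobe ip_nat_ftp
}

install_rules() {
    WAN=${1:-eth0}    # assumed outside interface name

    iptables -P INPUT DROP
    iptables -P FORWARD DROP
    iptables -A INPUT   -m state --state ESTABLISHED,RELATED -j ACCEPT
    iptables -A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT

    # Outbound control connection (port 21) from the LAN to remote ftp servers.
    iptables -A FORWARD -o "$WAN" -p tcp --dport 21 -m state --state NEW -j ACCEPT

    # No rule for port 20 or for the client's high port is needed: once the
    # helper is loaded, the server's inbound active-mode data connection (and
    # the outbound passive-mode one) matches RELATED above. Without the helper
    # it is NEW and hits the DROP policy, which is the "dies on PORT" symptom.
    iptables -t nat -A POSTROUTING -o "$WAN" -j MASQUERADE
}

# Only touch the kernel when run as root with an explicit "apply" argument,
# so the decode function can be exercised safely on any machine.
if [ "${1:-}" = "apply" ] && [ "$(id -u)" -eq 0 ]; then
    load_ftp_helpers
    install_rules "${2:-eth0}"
else
    # Constructed sample lines from an ftp control session.
    decode_hostport 'PORT 192,168,1,10,4,1'                      # 192.168.1.10:1025
    decode_hostport '227 Entering Passive Mode (10,0,0,5,195,80).' # 10.0.0.5:50000
fi
```

Two caveats for anyone reusing this on a current kernel: the helper module names changed to nf_conntrack_ftp and nf_nat_ftp, and since Linux 4.7 helpers are no longer attached automatically, so a raw-table rule such as `iptables -t raw -A PREROUTING -p tcp --dport 21 -j CT --helper ftp` is needed before RELATED matching works. Either way, remember that the helper opens the firewall on the strength of text in an unencrypted control stream, which is why it should only be attached to port 21 traffic you actually want to track.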
Predictably these modules are not reloaded automatically on reboot. There's an /etc/modules.conf file that the man page implies will cause them to be loaded, but there's at least one level of indirection, because that's one weird looking file. But that's a problem for another day.