From: "Christian Gmeiner" <christian@visual-page.de>
To: markee@bandwidthco.com, netfilter@lists.netfilter.org
Subject: Re: Problem with connection-tracking and FTP
Date: Wed, 21 Jan 2004 12:58:07 +0100	[thread overview]
Message-ID: <001801c3e015$d6a86100$0600a8c0@blackbox> (raw)
In-Reply-To: 200401210532.i0L5WclB022675@server5.bandwidthco.com


Thanks... I have now used your rule set:

    # CONTROL PORT (Active & Passive Mode)
    iptables -A INPUT -i ${EXT_INT} -p tcp --source-port ${UNPRIVPORTS} --destination-port 21 -m state --state NEW -j LOG --log-prefix "FTP ACCESS -> "
    iptables -A INPUT -i ${EXT_INT} -p tcp --source-port ${UNPRIVPORTS} --destination-port 21 -m state --state NEW -j ACCEPT
 
    # DATA PORT (Active Mode)
    iptables -A OUTPUT -o ${EXT_INT} -p tcp --source-port 20 --destination-port ${UNPRIVPORTS} -m state --state NEW -j LOG  --log-prefix "FTP A-DATA -> "
    iptables -A OUTPUT -o ${EXT_INT} -p tcp --source-port 20 --destination-port ${UNPRIVPORTS} -m state --state NEW -j ACCEPT
 
    # DATA PORT (Passive Mode)
    iptables -A INPUT -i ${EXT_INT} -p tcp --source-port ${UNPRIVPORTS} --destination-port ${UNPRIVPORTS} -m state --state NEW -j LOG --log-prefix "FTP P-DATA -> "
    iptables -A INPUT -i ${EXT_INT} -p tcp --source-port ${UNPRIVPORTS} --destination-port ${UNPRIVPORTS} -m state --state NEW -j ACCEPT

I can connect to the FTP server and log in... but then when the directory listing should come it hangs. I have no idea why this is so.
Should I post the output of 'iptables -L -n -v --line-numbers'?

Thanks, Christian Gmeiner

  ----- Original Message ----- 
  From: Mark E. Donaldson 
  To: 'Christian Gmeiner' ; netfilter@lists.netfilter.org 
  Sent: Wednesday, January 21, 2004 6:32 AM
  Subject: RE: Problem with connection-tracking and FTP


  It would appear you are assuming the FTP server will choose port 1024 for passive mode ftp.  This is not correct, as it may choose any unprivileged port up to 65535.  That is one problem you are having.  Also, check your syntax for "passive mode".  You have made an error with some not needed colons (:).
  Here is a good rule set that will permit all ftp operations - active and passive:

  ######################
  # FTP SERVICES
  ######################
  UNPRIVPORTS="1024:65535"

  # CONTROL PORT (Active & Passive Mode)
  $IPT -t filter -A TCP_RULES -i $FW_INET_IFACE -p tcp --source-port $UNPRIVPORTS --destination-port 21 -m state --state NEW -j LOG --log-level $LOG_LEVEL --log-prefix "FTP ACCESS -> "

  $IPT -t filter -A TCP_RULES -i $FW_INET_IFACE -p tcp --source-port $UNPRIVPORTS --destination-port 21 -m state --state NEW -j ACCEPT

  # DATA PORT (Active Mode)
  $IPT -t filter -A TCP_RULES -o $FW_INET_IFACE -p tcp --source-port 20 --destination-port $UNPRIVPORTS -m state --state NEW -j LOG --log-level $LOG_LEVEL --log-prefix "FTP A-DATA -> "

  $IPT -t filter -A TCP_RULES -o $FW_INET_IFACE -p tcp --source-port 20 --destination-port $UNPRIVPORTS -m state --state NEW -j ACCEPT

  # DATA PORT (Passive Mode)
  $IPT -t filter -A TCP_RULES -i $FW_INET_IFACE -p tcp --source-port $UNPRIVPORTS --destination-port $UNPRIVPORTS -m state --state NEW -j LOG --log-level $LOG_LEVEL --log-prefix "FTP P-DATA -> "

  $IPT -t filter -A TCP_RULES -i $FW_INET_IFACE -p tcp --source-port $UNPRIVPORTS --destination-port $UNPRIVPORTS -m state --state NEW -j ACCEPT




------------------------------------------------------------------------------
  From: netfilter-admin@lists.netfilter.org [mailto:netfilter-admin@lists.netfilter.org] On Behalf Of Christian Gmeiner
  Sent: Tuesday, January 20, 2004 8:01 AM
  To: netfilter@lists.netfilter.org
  Subject: Problem with connection-tracking and FTP


  Hi everybody.

  I am working on a little firewall script. Everything works just fine, but I don't get the FTP protocol working.

  I call these two functions to get FTP working:

  # ==================================
  FTP()
  {
      ebegin "Setting rules for active/passive FTP"

      # Port 21

      iptables -A INPUT  -p tcp --sport 21 -m state --state ESTABLISHED -j ACCEPT
      iptables -A OUTPUT -p tcp --dport 21 -m state --state NEW,ESTABLISHED -j ACCEPT

      # active
      iptables -A INPUT  -p tcp --sport 20 -m state --state ESTABLISHED,RELATED -j ACCEPT
      iptables -A OUTPUT -p tcp --dport 20 -m state --state ESTABLISHED -j ACCEPT

      # passive
      iptables -A INPUT  -p tcp --sport 1024: --dport 1024: -m state --state ESTABLISHED -j ACCEPT
      iptables -A OUTPUT -p tcp --sport 1024: --dport 1024: -m state --state ESTABLISHED,RELATED -j ACCEPT

      eend $?
  }


  # ==================================
  loadmodules()
  {
      ebegin "Try to load needed modules"

      /sbin/modprobe ip_tables
      /sbin/modprobe iptable_filter
      /sbin/modprobe ip_conntrack
      /sbin/modprobe ip_conntrack_ftp
      /sbin/modprobe ipt_ULOG
      eend $?
  }

  And here is my start function:
  # ==================================
  start() 
  {
      ebegin "Starting Firewall"

      loadmodules

      einfo "Setting default rules to drop"
      iptables -F
      iptables -X 
      iptables -Z 
      iptables -F INPUT
      iptables -F OUTPUT
      iptables -F FORWARD

      iptables -P FORWARD DROP
      iptables -P INPUT   DROP
      iptables -P OUTPUT  DROP

      acceptlocal
      portscan
      proc
      iana
      illigalpackages
      spoofing
      FTP

      # set rules
      InOutTCP
      InTCP
      OutTCP
      InOutUDP
      InUDP
      OutUDP

      # Allow the client to route through NAT (Network Address Translation)
      iptables -t nat -A POSTROUTING -o ${EXT_INT} -j MASQUERADE
      echo "1" > /proc/sys/net/ipv4/ip_forward

      eend $? "Failed to start Firewall"
  }


  And here are the ports I allow with the functions InOut*, In*, Out*, ...

  # TCP in+out
  #
  TCP_IN_OUT="ssh 10000 smtp pop3 http https"

  # TCP out
  #
  # 5190 = ICQ
  #
  TCP_OUT="5190 http https irc 25 ftp ftp-data"

  # TCP in
  #
  TCP_IN=""

  # UDP in+out
  #
  UDP_IN_OUT="domain ssh 10000 pop3 ssh"

  # UDP out
  #
  UDP_OUT="https irc"

  # UDP in
  #
  UDP_IN=""


  Oh, and here are some important functions:

  # ==================================
  InOutTCP()
  {
      ebegin "Allowing in and outbound TCP-traffic"

      for i in ${TCP_IN_OUT}
      do
          einfo "   <-> Setting TCP \"in\" and \"out\" rules for ${i}"

          iptables -A INPUT  -j ACCEPT -i ${EXT_INT} -p tcp --dport ${i} -m state --state NEW,ESTABLISHED,RELATED
          iptables -A OUTPUT -j ACCEPT -o ${EXT_INT} -p tcp --sport ${i} --dport 1024: -m state --state ESTABLISHED,RELATED
          iptables -A FORWARD  -j ACCEPT -i ${EXT_INT} -p tcp --dport ${i} -m state --state NEW,ESTABLISHED,RELATED
          iptables -A FORWARD -j ACCEPT -o ${EXT_INT} -p tcp --sport ${i} -m state --state ESTABLISHED,RELATED

          iptables -A OUTPUT -j ACCEPT -o ${EXT_INT} -p tcp --sport 1024: --dport ${i} -m state --state NEW,ESTABLISHED,RELATED
          iptables -A INPUT  -j ACCEPT -i ${EXT_INT} -p tcp --sport ${i} -m state --state ESTABLISHED,RELATED
          iptables -A FORWARD -j ACCEPT -o ${EXT_INT} -p tcp -s ${LAN} --sport 1024: --dport ${i} -m state --state NEW,ESTABLISHED,RELATED
          iptables -A FORWARD  -j ACCEPT -i ${EXT_INT} -p tcp --sport ${i} -d ${LAN} -m state --state ESTABLISHED,RELATED
      done

      eend $?
  }

  # ================================== 
  OutTCP()
  {
      ebegin "Allowing outbound TCP-traffic"

      for i in ${TCP_OUT}
      do
          einfo "   <-> Setting TCP \"out\" rules for ${i}"

          iptables -A OUTPUT -j ACCEPT -o ${EXT_INT} -p tcp --sport 1024: --dport $i -m state --state NEW,ESTABLISHED,RELATED
          iptables -A INPUT  -j ACCEPT -i ${EXT_INT} -p tcp --sport $i -m state --state ESTABLISHED,RELATED
          iptables -A FORWARD -j ACCEPT -o ${EXT_INT} -p tcp -s ${LAN} --sport 1024: --dport $i -m state --state NEW,ESTABLISHED,RELATED
          iptables -A FORWARD  -j ACCEPT -i ${EXT_INT} -p tcp --sport $i -d ${LAN} -m state --state ESTABLISHED,RELATED
      done

      eend $?
  }

  I hope somebody can help me.

  Thanks, Christian Gmeiner
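Added example, not code from this thread and not the netfilter helper's own code: a simplified Python model of what the ip_conntrack_ftp module loaded in loadmodules() does with the control channel. It reads the client's PORT command (active mode) and the server's "227 Entering Passive Mode" reply (passive mode), computes the announced data port as p1*256+p2, and records the data connection that connection tracking will later classify as RELATED. This is why the passive data port cannot be assumed to be 1024: the server picks it per transfer anywhere in the unprivileged range, and only the RELATED state (or the whole 1024:65535 range, as in Mark's rule set) covers it. The transcript, the addresses and the check that the announced address matches the peer of the control connection are this example's own constructed assumptions.

```python
from __future__ import annotations

import re
from dataclasses import dataclass
from typing import Optional

# Same unprivileged range as UNPRIVPORTS="1024:65535" in the rule sets above.
UNPRIVPORTS = range(1024, 65536)

# "PORT h1,h2,h3,h4,p1,p2" sent by the client in active mode.
PORT_RE = re.compile(r"^PORT\s+(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3})\s*$")
# "227 Entering Passive Mode (h1,h2,h3,h4,p1,p2)" sent by the server in passive mode.
PASV_RE = re.compile(r"^227\s.*?\((\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3})\)")


@dataclass(frozen=True)
class Expectation:
    """The data connection expected after reading one control-channel line."""
    mode: str             # "active" or "passive"
    src: str              # address that will open the data connection
    dst: str              # address it connects to
    dport: int            # port announced on the control channel
    sport: Optional[int]  # 20 in active mode; unknown in passive mode until the SYN arrives


def _decode(groups: tuple[str, ...]) -> tuple[str, int]:
    """Turn the six comma-separated numbers into (address, port)."""
    nums = [int(g) for g in groups]
    if any(n > 255 for n in nums):
        raise ValueError(f"octet out of range in {','.join(groups)}")
    host = ".".join(str(n) for n in nums[:4])
    port = nums[4] * 256 + nums[5]
    return host, port


def parse_control_line(line: str, client_ip: str, server_ip: str) -> Optional[Expectation]:
    """Return the Expectation announced by one control-channel line, or None.

    Assumption of this example: the announced address must be the peer of the
    control connection, so a control channel cannot announce a data connection
    towards some third host.
    """
    m = PORT_RE.match(line)
    if m:
        host, port = _decode(m.groups())
        if host != client_ip:
            raise ValueError(f"PORT address {host} is not the client {client_ip}")
        return Expectation("active", src=server_ip, dst=host, dport=port, sport=20)
    m = PASV_RE.match(line)
    if m:
        host, port = _decode(m.groups())
        if host != server_ip:
            raise ValueError(f"PASV address {host} is not the server {server_ip}")
        return Expectation("passive", src=client_ip, dst=host, dport=port, sport=None)
    return None


def log_prefix(exp: Expectation) -> str:
    """Log prefix of the data-port rule (from Mark's rule set) that the first
    packet of this data connection would fall under."""
    return "FTP A-DATA -> " if exp.mode == "active" else "FTP P-DATA -> "


def expectations(session, client_ip: str, server_ip: str) -> list[Expectation]:
    """Walk a control-channel transcript, collect every expectation and check
    that each announced port lies in the unprivileged range."""
    found = []
    for sender, line in session:
        exp = parse_control_line(line, client_ip, server_ip)
        if exp is None:
            continue
        if exp.dport not in UNPRIVPORTS:
            raise ValueError(f"{sender} announced privileged data port {exp.dport}")
        found.append(exp)
    return found


# Constructed transcript for this example; addresses and ports are made up.
CLIENT, SERVER = "192.168.0.6", "203.0.113.10"
SESSION = [
    ("client", "USER anonymous"),
    ("server", "331 Please specify the password."),
    ("client", "PASS guest"),
    ("server", "230 Login successful."),
    ("client", "PORT 192,168,0,6,4,1"),        # active: client listens on 4*256+1 = 1025
    ("server", "200 PORT command successful."),
    ("client", "LIST"),
    ("server", "150 Here comes the directory listing."),
    ("client", "PASV"),
    ("server", "227 Entering Passive Mode (203,0,113,10,195,80)"),  # passive: 195*256+80 = 50000
    ("client", "LIST"),
]

if __name__ == "__main__":
    for exp in expectations(SESSION, CLIENT, SERVER):
        print(f"{log_prefix(exp)}{exp.src}:{exp.sport or 'any'} -> {exp.dst}:{exp.dport}")
```

Running it prints one line per announced data connection with the log prefix of the rule it would hit. Note that in the passive case the source port is unknown in advance, which is exactly the gap that `--state RELATED` closes on a firewall with ip_conntrack_ftp loaded.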



Thread overview: 9+ messages
2004-01-20 16:01 Problem with connection-tracking and FTP Christian Gmeiner
2004-01-21  5:32 ` Mark E. Donaldson
2004-01-21 11:58   ` Christian Gmeiner [this message]
2004-01-21 14:43     ` Caracal - G. Hostettler
2004-01-22  2:12     ` Mark E. Donaldson
2004-01-22  2:38       ` Recomendations for replacing a Raptor (Symantec Enterprise) firewall Brad Morgan
2004-01-22 10:56         ` bino-psn
2004-01-22  6:45 ` Problem with connection-tracking and FTP Arnt Karlsen
2004-01-22  8:14   ` Christian Gmeiner