* Problem with connection-tracking and FTP
@ 2004-01-20 16:01 Christian Gmeiner
2004-01-21 5:32 ` Mark E. Donaldson
2004-01-22 6:45 ` Problem with connection-tracking and FTP Arnt Karlsen
0 siblings, 2 replies; 9+ messages in thread
From: Christian Gmeiner @ 2004-01-20 16:01 UTC (permalink / raw)
To: netfilter
[-- Attachment #1: Type: text/plain, Size: 4375 bytes --]
Hi everybody.
I am working on a little firewall script. Everything works just fine, but i dont get the ftp protocoll working.
I call this two function to get ftp working:
# ==================================
FTP()
{
ebegin "Seting rules for active/passive FTP"
# Port 21
iptables -A INPUT -p tcp --sport 21 -m state --state ESTABLISHED -j ACCEPT
iptables -A OUTPUT -p tcp --dport 21 -m state --state NEW,ESTABLISHED -j ACCEPT
# aktiv
iptables -A INPUT -p tcp --sport 20 -m state --state ESTABLISHED,RELATED -j ACCEPT
iptables -A OUTPUT -p tcp --dport 20 -m state --state ESTABLISHED -j ACCEPT
# passiv
iptables -A INPUT -p tcp --sport 1024: --dport 1024: -m state --state ESTABLISHED -j ACCEPT
iptables -A OUTPUT -p tcp --sport 1024: --dport 1024: -m state --state ESTABLISHED,RELATED -j ACCEPT
eend $?
}
# ==================================
loadmodules()
{
ebegin "Try to load needed modules"
/sbin/modprobe ip_tables
/sbin/modprobe iptable_filter
/sbin/modprobe ip_conntrack
/sbin/modprobe ip_conntrack_ftp
/sbin/modprobe ipt_ULOG
eend $?
}
An here my start function
# ==================================
start()
{
ebegin "Starting Firewall"
loadmodules
einfo "Setting default rules to drop"
iptables -F
iptables -X
iptables -Z
iptables -F INPUT
iptables -F OUTPUT
iptables -F FORWARD
iptables -P FORWARD DROP
iptables -P INPUT DROP
iptables -P OUTPUT DROP
acceptlocal
portscan
proc
iana
illigalpackages
spoofing
FTP
# set rules
InOutTCP
InTCP
OutTCP
InOutUDP
InUDP
OutUDP
# Erlaube dem Client routen durch NAT (Network Address Translation
iptables -t nat -A POSTROUTING -o ${EXT_INT} -j MASQUERADE
echo "1" > /proc/sys/net/ipv4/ip_forward
eend $? "Failed to start Firewall"
}
And here are the ports i allow with the function InOut*, In*, Out*,...
# TCP in+out
#
TCP_IN_OUT="ssh 10000 smtp pop3 http https"
# TCP out
#
# 5190 = ICQ
#
TCP_OUT="5190 http https irc 25 ftp ftp-data"
# TCP in
#
TCP_IN=""
# UDP in+out
#
UDP_IN_OUT="domain ssh 10000 pop3 ssh"
# UDP out
#
UDP_OUT="https irc"
# UDP in
#
UDP_IN=""
Oh and here some important functions:
# ==================================
InOutTCP()
{
ebegin "Allowing in and outbound TCP-traffic"
for i in ${TCP_IN_OUT}
do
einfo " <-> Seting TCP "in" and "out" rules for ${i}"
iptables -A INPUT -j ACCEPT -i ${EXT_INT} -p tcp --dport ${i} -m state --state NEW,ESTABLISHED,RELATED
iptables -A OUTPUT -j ACCEPT -o ${EXT_INT} -p tcp --sport ${i} --dport 1024: -m state --state ESTABLISHED,RELATED
iptables -A FORWARD -j ACCEPT -i ${EXT_INT} -p tcp --dport ${i} -m state --state NEW,ESTABLISHED,RELATED
iptables -A FORWARD -j ACCEPT -o ${EXT_INT} -p tcp --sport ${i} -m state --state ESTABLISHED,RELATED
iptables -A OUTPUT -j ACCEPT -o ${EXT_INT} -p tcp --sport 1024: --dport ${i} -m state --state NEW,ESTABLISHED,RELATED
iptables -A INPUT -j ACCEPT -i ${EXT_INT} -p tcp --sport ${i} -m state --state ESTABLISHED,RELATED
iptables -A FORWARD -j ACCEPT -o ${EXT_INT} -p tcp -s ${LAN} --sport 1024: --dport ${i} -m state --state NEW,ESTABLISHED,RELATED
iptables -A FORWARD -j ACCEPT -i ${EXT_INT} -p tcp --sport ${i} -d ${LAN} -m state --state ESTABLISHED,RELATED
done
eend $?
}
# ==================================
OutTCP()
{
ebegin "Allowing outbound TCP-traffic"
for i in ${TCP_OUT}
do
einfo " <-> Seting TCP "out" rules for ${i}"
iptables -A OUTPUT -j ACCEPT -o ${EXT_INT} -p tcp --sport 1024: --dport $i -m state --state NEW,ESTABLISHED,RELATED
iptables -A INPUT -j ACCEPT -i ${EXT_INT} -p tcp --sport $i -m state --state ESTABLISHED,RELATED
iptables -A FORWARD -j ACCEPT -o ${EXT_INT} -p tcp -s ${LAN} --sport 1024: --dport $i -m state --state NEW,ESTABLISHED,RELATED
iptables -A FORWARD -j ACCEPT -i ${EXT_INT} -p tcp --sport $i -d ${LAN} -m state --state ESTABLISHED,RELATED
done
eend $?
}
I hope somebody can help me.
Thanks, Christian Gmeiner
[-- Attachment #2: Type: text/html, Size: 8096 bytes --]
^ permalink raw reply [flat|nested] 9+ messages in thread* RE: Problem with connection-tracking and FTP
2004-01-20 16:01 Problem with connection-tracking and FTP Christian Gmeiner
@ 2004-01-21 5:32 ` Mark E. Donaldson
2004-01-21 11:58 ` Christian Gmeiner
2004-01-22 6:45 ` Problem with connection-tracking and FTP Arnt Karlsen
1 sibling, 1 reply; 9+ messages in thread
From: Mark E. Donaldson @ 2004-01-21 5:32 UTC (permalink / raw)
To: 'Christian Gmeiner', netfilter
[-- Attachment #1: Type: text/plain, Size: 6057 bytes --]
It would appear you are assuming the FTP server will choose port 1024 for
passive mode ftp. This is not correct, as it may choose any unprivileged
port up to 65535. That is one problem you are having. Also, check your
syntax for "passive mode". You have made an error with some not needed
colons (:).
Here is a good rule set that will permit all ftp operations - active and
passive:
######################
# FTP SERVICES
######################
UNPRIVPORTS="1024:65535"
# CONTROL PORT (Active & Passive Mode)
$IPT -t filter -A TCP_RULES -i $FW_INET_IFACE -p tcp --source-port
$UNPRIVPORTS --destination-port 21 -m state --state NEW -j LOG --log-level
$LOG_LEVEL --log-prefix "FTP ACCESS -> "
$IPT -t filter -A TCP_RULES -i $FW_INET_IFACE -p tcp --source-port
$UNPRIVPORTS --destination-port 21 -m state --state NEW -j ACCEPT
# DATA PORT (Active Mode)
$IPT -t filter -A TCP_RULES -o $FW_INET_IFACE -p tcp --source-port 20
--destination-port $UNPRIVPORTS -m state --state NEW -j LOG --log-level
$LOG_LEVEL --log-prefix "FTP A-DATA -> "
$IPT -t filter -A TCP_RULES -o $FW_INET_IFACE -p tcp --source-port 20
--destination-port $UNPRIVPORTS -m state --state NEW -j ACCEPT
# DATA PORT (Passive Mode)
$IPT -t filter -A TCP_RULES -i $FW_INET_IFACE -p tcp --source-port
$UNPRIVPORTS --destination-port $UNPRIVPORTS -m state --state NEW -j LOG
--log-level $LOG_LEVEL --log-prefix "FTP P-DATA -> "
$IPT -t filter -A TCP_RULES -i $FW_INET_IFACE -p tcp --source-port
$UNPRIVPORTS --destination-port $UNPRIVPORTS -m state --state NEW -j ACCEPT
_____
From: netfilter-admin@lists.netfilter.org
[mailto:netfilter-admin@lists.netfilter.org] On Behalf Of Christian Gmeiner
Sent: Tuesday, January 20, 2004 8:01 AM
To: netfilter@lists.netfilter.org
Subject: Problem with connection-tracking and FTP
Hi everybody.
I am working on a little firewall script. Everything works just fine, but i
dont get the ftp protocoll working.
I call this two function to get ftp working:
# ==================================
FTP()
{
ebegin "Seting rules for active/passive FTP"
# Port 21
iptables -A INPUT -p tcp --sport 21 -m state --state ESTABLISHED -j
ACCEPT
iptables -A OUTPUT -p tcp --dport 21 -m state --state NEW,ESTABLISHED -j
ACCEPT
# aktiv
iptables -A INPUT -p tcp --sport 20 -m state --state
ESTABLISHED,RELATED -j ACCEPT
iptables -A OUTPUT -p tcp --dport 20 -m state --state ESTABLISHED -j
ACCEPT
# passiv
iptables -A INPUT -p tcp --sport 1024: --dport 1024: -m state
--state ESTABLISHED -j ACCEPT
iptables -A OUTPUT -p tcp --sport 1024: --dport 1024: -m state --state
ESTABLISHED,RELATED -j ACCEPT
eend $?
}
# ==================================
loadmodules()
{
ebegin "Try to load needed modules"
/sbin/modprobe ip_tables
/sbin/modprobe iptable_filter
/sbin/modprobe ip_conntrack
/sbin/modprobe ip_conntrack_ftp
/sbin/modprobe ipt_ULOG
eend $?
}
An here my start function
# ==================================
start()
{
ebegin "Starting Firewall"
loadmodules
einfo "Setting default rules to drop"
iptables -F
iptables -X
iptables -Z
iptables -F INPUT
iptables -F OUTPUT
iptables -F FORWARD
iptables -P FORWARD DROP
iptables -P INPUT DROP
iptables -P OUTPUT DROP
acceptlocal
portscan
proc
iana
illigalpackages
spoofing
FTP
# set rules
InOutTCP
InTCP
OutTCP
InOutUDP
InUDP
OutUDP
# Erlaube dem Client routen durch NAT (Network Address Translation
iptables -t nat -A POSTROUTING -o ${EXT_INT} -j MASQUERADE
echo "1" > /proc/sys/net/ipv4/ip_forward
eend $? "Failed to start Firewall"
}
And here are the ports i allow with the function InOut*, In*, Out*,...
# TCP in+out
#
TCP_IN_OUT="ssh 10000 smtp pop3 http https"
# TCP out
#
# 5190 = ICQ
#
TCP_OUT="5190 http https irc 25 ftp ftp-data"
# TCP in
#
TCP_IN=""
# UDP in+out
#
UDP_IN_OUT="domain ssh 10000 pop3 ssh"
# UDP out
#
UDP_OUT="https irc"
# UDP in
#
UDP_IN=""
Oh and here some important functions:
# ==================================
InOutTCP()
{
ebegin "Allowing in and outbound TCP-traffic"
for i in ${TCP_IN_OUT}
do
einfo " <-> Seting TCP "in" and "out" rules for ${i}"
iptables -A INPUT -j ACCEPT -i ${EXT_INT} -p tcp --dport ${i} -m
state --state NEW,ESTABLISHED,RELATED
iptables -A OUTPUT -j ACCEPT -o ${EXT_INT} -p tcp --sport ${i}
--dport 1024: -m state --state ESTABLISHED,RELATED
iptables -A FORWARD -j ACCEPT -i ${EXT_INT} -p tcp --dport ${i} -m
state --state NEW,ESTABLISHED,RELATED
iptables -A FORWARD -j ACCEPT -o ${EXT_INT} -p tcp --sport ${i} -m
state --state ESTABLISHED,RELATED
iptables -A OUTPUT -j ACCEPT -o ${EXT_INT} -p tcp --sport 1024:
--dport ${i} -m state --state NEW,ESTABLISHED,RELATED
iptables -A INPUT -j ACCEPT -i ${EXT_INT} -p tcp --sport ${i} -m
state --state ESTABLISHED,RELATED
iptables -A FORWARD -j ACCEPT -o ${EXT_INT} -p tcp -s ${LAN} --sport
1024: --dport ${i} -m state --state NEW,ESTABLISHED,RELATED
iptables -A FORWARD -j ACCEPT -i ${EXT_INT} -p tcp --sport ${i} -d
${LAN} -m state --state ESTABLISHED,RELATED
done
eend $?
}
# ==================================
OutTCP()
{
ebegin "Allowing outbound TCP-traffic"
for i in ${TCP_OUT}
do
einfo " <-> Seting TCP "out" rules for ${i}"
iptables -A OUTPUT -j ACCEPT -o ${EXT_INT} -p tcp --sport 1024:
--dport $i -m state --state NEW,ESTABLISHED,RELATED
iptables -A INPUT -j ACCEPT -i ${EXT_INT} -p tcp --sport $i -m
state --state ESTABLISHED,RELATED
iptables -A FORWARD -j ACCEPT -o ${EXT_INT} -p tcp -s ${LAN} --sport
1024: --dport $i -m state --state NEW,ESTABLISHED,RELATED
iptables -A FORWARD -j ACCEPT -i ${EXT_INT} -p tcp --sport $i -d
${LAN} -m state --state ESTABLISHED,RELATED
done
eend $?
}
I hope somebody can help me.
Thanks, Christian Gmeiner
[-- Attachment #2: Type: text/html, Size: 11300 bytes --]
^ permalink raw reply [flat|nested] 9+ messages in thread* Re: Problem with connection-tracking and FTP
2004-01-21 5:32 ` Mark E. Donaldson
@ 2004-01-21 11:58 ` Christian Gmeiner
2004-01-21 14:43 ` Caracal - G. Hostettler
2004-01-22 2:12 ` Mark E. Donaldson
0 siblings, 2 replies; 9+ messages in thread
From: Christian Gmeiner @ 2004-01-21 11:58 UTC (permalink / raw)
To: markee, netfilter
[-- Attachment #1: Type: text/plain, Size: 8038 bytes --]
Thanks... I have now used your rule set:
# CONTROL PORT (Active & Passive Mode)
iptables -A INPUT -i ${EXT_INT} -p tcp --source-port ${UNPRIVPORTS} --destination-port 21 -m state --state NEW -j LOG --log-prefix "FTP ACCESS -> "
iptables -A INPUT -i ${EXT_INT} -p tcp --source-port ${UNPRIVPORTS} --destination-port 21 -m state --state NEW -j ACCEPT
# DATA PORT (Active Mode)
iptables -A OUTPUT -o ${EXT_INT} -p tcp --source-port 20 --destination-port ${UNPRIVPORTS} -m state --state NEW -j LOG --log-prefix "FTP A-DATA -> "
iptables -A OUTPUT -o ${EXT_INT} -p tcp --source-port 20 --destination-port ${UNPRIVPORTS} -m state --state NEW -j ACCEPT
# DATA PORT (Passive Mode)
iptables -A INPUT -i ${EXT_INT} -p tcp --source-port ${UNPRIVPORTS} --destination-port ${UNPRIVPORTS} -m state --state NEW -j LOG --log-prefix "FTP P-DATA -> "
iptables -A INPUT -i ${EXT_INT} -p tcp --source-port ${UNPRIVPORTS} --destination-port ${UNPRIVPORTS} -m state --state NEW -j ACCEPT
I can connect to the FTP-Server and login... but then wehen the directory listening should come it hangs. I have no idea, why this is so.
Should i post the output of 'iptables -L -n -v --line-numbers'?
Thanks, Christian Gmeiner
----- Original Message -----
From: Mark E. Donaldson
To: 'Christian Gmeiner' ; netfilter@lists.netfilter.org
Sent: Wednesday, January 21, 2004 6:32 AM
Subject: RE: Problem with connection-tracking and FTP
It would appear you are assuming the FTP server will choose port 1024 for passive mode ftp. This is not correct, as it may choose any unprivileged port up to 65535. That is one problem you are having. Also, check your syntax for "passive mode". You have made an error with some not needed colons (:).
Here is a good rule set that will permit all ftp operations - active and passive:
######################
# FTP SERVICES
######################
UNPRIVPORTS="1024:65535"
# CONTROL PORT (Active & Passive Mode)
$IPT -t filter -A TCP_RULES -i $FW_INET_IFACE -p tcp --source-port $UNPRIVPORTS --destination-port 21 -m state --state NEW -j LOG --log-level $LOG_LEVEL --log-prefix "FTP ACCESS -> "
$IPT -t filter -A TCP_RULES -i $FW_INET_IFACE -p tcp --source-port $UNPRIVPORTS --destination-port 21 -m state --state NEW -j ACCEPT
# DATA PORT (Active Mode)
$IPT -t filter -A TCP_RULES -o $FW_INET_IFACE -p tcp --source-port 20 --destination-port $UNPRIVPORTS -m state --state NEW -j LOG --log-level $LOG_LEVEL --log-prefix "FTP A-DATA -> "
$IPT -t filter -A TCP_RULES -o $FW_INET_IFACE -p tcp --source-port 20 --destination-port $UNPRIVPORTS -m state --state NEW -j ACCEPT
# DATA PORT (Passive Mode)
$IPT -t filter -A TCP_RULES -i $FW_INET_IFACE -p tcp --source-port $UNPRIVPORTS --destination-port $UNPRIVPORTS -m state --state NEW -j LOG --log-level $LOG_LEVEL --log-prefix "FTP P-DATA -> "
$IPT -t filter -A TCP_RULES -i $FW_INET_IFACE -p tcp --source-port $UNPRIVPORTS --destination-port $UNPRIVPORTS -m state --state NEW -j ACCEPT
------------------------------------------------------------------------------
From: netfilter-admin@lists.netfilter.org [mailto:netfilter-admin@lists.netfilter.org] On Behalf Of Christian Gmeiner
Sent: Tuesday, January 20, 2004 8:01 AM
To: netfilter@lists.netfilter.org
Subject: Problem with connection-tracking and FTP
Hi everybody.
I am working on a little firewall script. Everything works just fine, but i dont get the ftp protocoll working.
I call this two function to get ftp working:
# ==================================
FTP()
{
ebegin "Seting rules for active/passive FTP"
# Port 21
iptables -A INPUT -p tcp --sport 21 -m state --state ESTABLISHED -j ACCEPT
iptables -A OUTPUT -p tcp --dport 21 -m state --state NEW,ESTABLISHED -j ACCEPT
# aktiv
iptables -A INPUT -p tcp --sport 20 -m state --state ESTABLISHED,RELATED -j ACCEPT
iptables -A OUTPUT -p tcp --dport 20 -m state --state ESTABLISHED -j ACCEPT
# passiv
iptables -A INPUT -p tcp --sport 1024: --dport 1024: -m state --state ESTABLISHED -j ACCEPT
iptables -A OUTPUT -p tcp --sport 1024: --dport 1024: -m state --state ESTABLISHED,RELATED -j ACCEPT
eend $?
}
# ==================================
loadmodules()
{
ebegin "Try to load needed modules"
/sbin/modprobe ip_tables
/sbin/modprobe iptable_filter
/sbin/modprobe ip_conntrack
/sbin/modprobe ip_conntrack_ftp
/sbin/modprobe ipt_ULOG
eend $?
}
An here my start function
# ==================================
start()
{
ebegin "Starting Firewall"
loadmodules
einfo "Setting default rules to drop"
iptables -F
iptables -X
iptables -Z
iptables -F INPUT
iptables -F OUTPUT
iptables -F FORWARD
iptables -P FORWARD DROP
iptables -P INPUT DROP
iptables -P OUTPUT DROP
acceptlocal
portscan
proc
iana
illigalpackages
spoofing
FTP
# set rules
InOutTCP
InTCP
OutTCP
InOutUDP
InUDP
OutUDP
# Erlaube dem Client routen durch NAT (Network Address Translation
iptables -t nat -A POSTROUTING -o ${EXT_INT} -j MASQUERADE
echo "1" > /proc/sys/net/ipv4/ip_forward
eend $? "Failed to start Firewall"
}
And here are the ports i allow with the function InOut*, In*, Out*,...
# TCP in+out
#
TCP_IN_OUT="ssh 10000 smtp pop3 http https"
# TCP out
#
# 5190 = ICQ
#
TCP_OUT="5190 http https irc 25 ftp ftp-data"
# TCP in
#
TCP_IN=""
# UDP in+out
#
UDP_IN_OUT="domain ssh 10000 pop3 ssh"
# UDP out
#
UDP_OUT="https irc"
# UDP in
#
UDP_IN=""
Oh and here some important functions:
# ==================================
InOutTCP()
{
ebegin "Allowing in and outbound TCP-traffic"
for i in ${TCP_IN_OUT}
do
einfo " <-> Seting TCP "in" and "out" rules for ${i}"
iptables -A INPUT -j ACCEPT -i ${EXT_INT} -p tcp --dport ${i} -m state --state NEW,ESTABLISHED,RELATED
iptables -A OUTPUT -j ACCEPT -o ${EXT_INT} -p tcp --sport ${i} --dport 1024: -m state --state ESTABLISHED,RELATED
iptables -A FORWARD -j ACCEPT -i ${EXT_INT} -p tcp --dport ${i} -m state --state NEW,ESTABLISHED,RELATED
iptables -A FORWARD -j ACCEPT -o ${EXT_INT} -p tcp --sport ${i} -m state --state ESTABLISHED,RELATED
iptables -A OUTPUT -j ACCEPT -o ${EXT_INT} -p tcp --sport 1024: --dport ${i} -m state --state NEW,ESTABLISHED,RELATED
iptables -A INPUT -j ACCEPT -i ${EXT_INT} -p tcp --sport ${i} -m state --state ESTABLISHED,RELATED
iptables -A FORWARD -j ACCEPT -o ${EXT_INT} -p tcp -s ${LAN} --sport 1024: --dport ${i} -m state --state NEW,ESTABLISHED,RELATED
iptables -A FORWARD -j ACCEPT -i ${EXT_INT} -p tcp --sport ${i} -d ${LAN} -m state --state ESTABLISHED,RELATED
done
eend $?
}
# ==================================
OutTCP()
{
ebegin "Allowing outbound TCP-traffic"
for i in ${TCP_OUT}
do
einfo " <-> Seting TCP "out" rules for ${i}"
iptables -A OUTPUT -j ACCEPT -o ${EXT_INT} -p tcp --sport 1024: --dport $i -m state --state NEW,ESTABLISHED,RELATED
iptables -A INPUT -j ACCEPT -i ${EXT_INT} -p tcp --sport $i -m state --state ESTABLISHED,RELATED
iptables -A FORWARD -j ACCEPT -o ${EXT_INT} -p tcp -s ${LAN} --sport 1024: --dport $i -m state --state NEW,ESTABLISHED,RELATED
iptables -A FORWARD -j ACCEPT -i ${EXT_INT} -p tcp --sport $i -d ${LAN} -m state --state ESTABLISHED,RELATED
done
eend $?
}
I hope somebody can help me.
Thanks, Christian Gmeiner
[-- Attachment #2: Type: text/html, Size: 14525 bytes --]
^ permalink raw reply [flat|nested] 9+ messages in thread* Re: Problem with connection-tracking and FTP
2004-01-21 11:58 ` Christian Gmeiner
@ 2004-01-21 14:43 ` Caracal - G. Hostettler
2004-01-22 2:12 ` Mark E. Donaldson
1 sibling, 0 replies; 9+ messages in thread
From: Caracal - G. Hostettler @ 2004-01-21 14:43 UTC (permalink / raw)
To: Christian Gmeiner; +Cc: netfilter list
> I can connect to the FTP-Server and login... but then wehen the directory
listening should come it hangs. I have no idea, why this is so.
> Should i post the output of 'iptables -L -n -v --line-numbers'?
>
> Thanks, Christian Gmeiner
Mmmmh.
Just to make you feel less alone:
I have a similar problem. What is happening is that the ftp server (in my
case proftpd) denies access as it thinks that the PORT command comes from a
spoofed address.
I have something like this in the log:
Refused PORT xxx,xxx,xxx,xxx,9,115. The first part of IP address is OK. It
is the good originating one, aka the internal leg of the firewall.
But who in the hell adds those two numbers at the end ???
Of course there is a fast and VERY UNSECURE solution: Just add the statement
"AllowForeignAddress on" to your proftpd.conf cfg file, or any similar
statement to your FTP of choice cfg, if possible. Do it just to test if the
PORT command works, then REMOVE IT! Once again, this is a severe security
risk on spoofed ftp control connection IP addresses.
If anybody has a single idea of who/why/what are these two added bytes at
the end of the IP seen by the PORT command, I will be pretty happy to know
and possibly understand ;-)
GH
----- Original Message -----
From: Christian Gmeiner
To: markee@bandwidthco.com ; netfilter@lists.netfilter.org
Sent: Wednesday, January 21, 2004 12:58 PM
Subject: Re: Problem with connection-tracking and FTP
Thanks... I have now used your rule set:
# CONTROL PORT (Active & Passive Mode)
iptables -A INPUT -i ${EXT_INT} -p tcp --source-port
${UNPRIVPORTS} --destination-port 21 -m state --state NEW -j
LOG --log-prefix "FTP ACCESS -> "
iptables -A INPUT -i ${EXT_INT} -p tcp --source-port
${UNPRIVPORTS} --destination-port 21 -m state --state NEW -j ACCEPT
# DATA PORT (Active Mode)
iptables -A OUTPUT -o ${EXT_INT} -p tcp --source-port
20 --destination-port ${UNPRIVPORTS} -m state --state NEW -j
OG --log-prefix "FTP A-DATA -> "
iptables -A OUTPUT -o ${EXT_INT} -p tcp --source-port
20 --destination-port ${UNPRIVPORTS} -m state --state NEW -j ACCEPT
# DATA PORT (Passive Mode)
iptables -A INPUT -i ${EXT_INT} -p tcp --source-port
${UNPRIVPORTS} --destination-port ${UNPRIVPORTS} -m state --state NEW -j
LOG --log-prefix "FTP P-DATA -> "
iptables -A INPUT -i ${EXT_INT} -p tcp --source-port
${UNPRIVPORTS} --destination-port ${UNPRIVPORTS} -m state --state NEW -j
ACCEPT
I can connect to the FTP-Server and login... but then wehen the directory
listening should come it hangs. I have no idea, why this is so.
Should i post the output of 'iptables -L -n -v --line-numbers'?
Thanks, Christian Gmeiner
< snipped history>
^ permalink raw reply [flat|nested] 9+ messages in thread* RE: Problem with connection-tracking and FTP
2004-01-21 11:58 ` Christian Gmeiner
2004-01-21 14:43 ` Caracal - G. Hostettler
@ 2004-01-22 2:12 ` Mark E. Donaldson
2004-01-22 2:38 ` Recomendations for replacing a Raptor (Symantec Enterprise) firewall Brad Morgan
1 sibling, 1 reply; 9+ messages in thread
From: Mark E. Donaldson @ 2004-01-22 2:12 UTC (permalink / raw)
To: 'Christian Gmeiner', netfilter
[-- Attachment #1: Type: text/plain, Size: 7901 bytes --]
Yes. That would help. Also do an lsmod to make sure all of the needed
modules are loaded.
_____
From: Christian Gmeiner [mailto:christian@visual-page.de]
Sent: Wednesday, January 21, 2004 3:58 AM
To: markee@bandwidthco.com; netfilter@lists.netfilter.org
Subject: Re: Problem with connection-tracking and FTP
Thanks... I have now used your rule set:
# CONTROL PORT (Active & Passive Mode)
iptables -A INPUT -i ${EXT_INT} -p tcp --source-port ${UNPRIVPORTS}
--destination-port 21 -m state --state NEW -j LOG --log-prefix "FTP ACCESS
-> "
iptables -A INPUT -i ${EXT_INT} -p tcp --source-port ${UNPRIVPORTS}
--destination-port 21 -m state --state NEW -j ACCEPT
# DATA PORT (Active Mode)
iptables -A OUTPUT -o ${EXT_INT} -p tcp --source-port 20
--destination-port ${UNPRIVPORTS} -m state --state NEW -j LOG --log-prefix
"FTP A-DATA -> "
iptables -A OUTPUT -o ${EXT_INT} -p tcp --source-port 20
--destination-port ${UNPRIVPORTS} -m state --state NEW -j ACCEPT
# DATA PORT (Passive Mode)
iptables -A INPUT -i ${EXT_INT} -p tcp --source-port ${UNPRIVPORTS}
--destination-port ${UNPRIVPORTS} -m state --state NEW -j LOG --log-prefix
"FTP P-DATA -> "
iptables -A INPUT -i ${EXT_INT} -p tcp --source-port ${UNPRIVPORTS}
--destination-port ${UNPRIVPORTS} -m state --state NEW -j ACCEPT
I can connect to the FTP-Server and login... but then wehen the directory
listening should come it hangs. I have no idea, why this is so.
Should i post the output of 'iptables -L -n -v --line-numbers'?
Thanks, Christian Gmeiner
----- Original Message -----
From: Mark E. <mailto:markee@bandwidthco.com> Donaldson
To: 'Christian Gmeiner' <mailto:christian@visual-page.de> ;
netfilter@lists.netfilter.org
Sent: Wednesday, January 21, 2004 6:32 AM
Subject: RE: Problem with connection-tracking and FTP
It would appear you are assuming the FTP server will choose port 1024 for
passive mode ftp. This is not correct, as it may choose any unprivileged
port up to 65535. That is one problem you are having. Also, check your
syntax for "passive mode". You have made an error with some not needed
colons (:).
Here is a good rule set that will permit all ftp operations - active and
passive:
######################
# FTP SERVICES
######################
UNPRIVPORTS="1024:65535"
# CONTROL PORT (Active & Passive Mode)
$IPT -t filter -A TCP_RULES -i $FW_INET_IFACE -p tcp --source-port
$UNPRIVPORTS --destination-port 21 -m state --state NEW -j LOG --log-level
$LOG_LEVEL --log-prefix "FTP ACCESS -> "
$IPT -t filter -A TCP_RULES -i $FW_INET_IFACE -p tcp --source-port
$UNPRIVPORTS --destination-port 21 -m state --state NEW -j ACCEPT
# DATA PORT (Active Mode)
$IPT -t filter -A TCP_RULES -o $FW_INET_IFACE -p tcp --source-port 20
--destination-port $UNPRIVPORTS -m state --state NEW -j LOG --log-level
$LOG_LEVEL --log-prefix "FTP A-DATA -> "
$IPT -t filter -A TCP_RULES -o $FW_INET_IFACE -p tcp --source-port 20
--destination-port $UNPRIVPORTS -m state --state NEW -j ACCEPT
# DATA PORT (Passive Mode)
$IPT -t filter -A TCP_RULES -i $FW_INET_IFACE -p tcp --source-port
$UNPRIVPORTS --destination-port $UNPRIVPORTS -m state --state NEW -j LOG
--log-level $LOG_LEVEL --log-prefix "FTP P-DATA -> "
$IPT -t filter -A TCP_RULES -i $FW_INET_IFACE -p tcp --source-port
$UNPRIVPORTS --destination-port $UNPRIVPORTS -m state --state NEW -j ACCEPT
_____
From: netfilter-admin@lists.netfilter.org
[mailto:netfilter-admin@lists.netfilter.org] On Behalf Of Christian Gmeiner
Sent: Tuesday, January 20, 2004 8:01 AM
To: netfilter@lists.netfilter.org
Subject: Problem with connection-tracking and FTP
Hi everybody.
I am working on a little firewall script. Everything works just fine, but i
dont get the ftp protocoll working.
I call this two function to get ftp working:
# ==================================
FTP()
{
ebegin "Seting rules for active/passive FTP"
# Port 21
iptables -A INPUT -p tcp --sport 21 -m state --state ESTABLISHED -j
ACCEPT
iptables -A OUTPUT -p tcp --dport 21 -m state --state NEW,ESTABLISHED -j
ACCEPT
# aktiv
iptables -A INPUT -p tcp --sport 20 -m state --state
ESTABLISHED,RELATED -j ACCEPT
iptables -A OUTPUT -p tcp --dport 20 -m state --state ESTABLISHED -j
ACCEPT
# passiv
iptables -A INPUT -p tcp --sport 1024: --dport 1024: -m state
--state ESTABLISHED -j ACCEPT
iptables -A OUTPUT -p tcp --sport 1024: --dport 1024: -m state --state
ESTABLISHED,RELATED -j ACCEPT
eend $?
}
# ==================================
loadmodules()
{
ebegin "Try to load needed modules"
/sbin/modprobe ip_tables
/sbin/modprobe iptable_filter
/sbin/modprobe ip_conntrack
/sbin/modprobe ip_conntrack_ftp
/sbin/modprobe ipt_ULOG
eend $?
}
An here my start function
# ==================================
start()
{
ebegin "Starting Firewall"
loadmodules
einfo "Setting default rules to drop"
iptables -F
iptables -X
iptables -Z
iptables -F INPUT
iptables -F OUTPUT
iptables -F FORWARD
iptables -P FORWARD DROP
iptables -P INPUT DROP
iptables -P OUTPUT DROP
acceptlocal
portscan
proc
iana
illigalpackages
spoofing
FTP
# set rules
InOutTCP
InTCP
OutTCP
InOutUDP
InUDP
OutUDP
# Erlaube dem Client routen durch NAT (Network Address Translation
iptables -t nat -A POSTROUTING -o ${EXT_INT} -j MASQUERADE
echo "1" > /proc/sys/net/ipv4/ip_forward
eend $? "Failed to start Firewall"
}
And here are the ports i allow with the function InOut*, In*, Out*,...
# TCP in+out
#
TCP_IN_OUT="ssh 10000 smtp pop3 http https"
# TCP out
#
# 5190 = ICQ
#
TCP_OUT="5190 http https irc 25 ftp ftp-data"
# TCP in
#
TCP_IN=""
# UDP in+out
#
UDP_IN_OUT="domain ssh 10000 pop3 ssh"
# UDP out
#
UDP_OUT="https irc"
# UDP in
#
UDP_IN=""
Oh and here some important functions:
# ==================================
InOutTCP()
{
ebegin "Allowing in and outbound TCP-traffic"
for i in ${TCP_IN_OUT}
do
einfo " <-> Seting TCP "in" and "out" rules for ${i}"
iptables -A INPUT -j ACCEPT -i ${EXT_INT} -p tcp --dport ${i} -m
state --state NEW,ESTABLISHED,RELATED
iptables -A OUTPUT -j ACCEPT -o ${EXT_INT} -p tcp --sport ${i}
--dport 1024: -m state --state ESTABLISHED,RELATED
iptables -A FORWARD -j ACCEPT -i ${EXT_INT} -p tcp --dport ${i} -m
state --state NEW,ESTABLISHED,RELATED
iptables -A FORWARD -j ACCEPT -o ${EXT_INT} -p tcp --sport ${i} -m
state --state ESTABLISHED,RELATED
iptables -A OUTPUT -j ACCEPT -o ${EXT_INT} -p tcp --sport 1024:
--dport ${i} -m state --state NEW,ESTABLISHED,RELATED
iptables -A INPUT -j ACCEPT -i ${EXT_INT} -p tcp --sport ${i} -m
state --state ESTABLISHED,RELATED
iptables -A FORWARD -j ACCEPT -o ${EXT_INT} -p tcp -s ${LAN} --sport
1024: --dport ${i} -m state --state NEW,ESTABLISHED,RELATED
iptables -A FORWARD -j ACCEPT -i ${EXT_INT} -p tcp --sport ${i} -d
${LAN} -m state --state ESTABLISHED,RELATED
done
eend $?
}
# ==================================
OutTCP()
{
ebegin "Allowing outbound TCP-traffic"
for i in ${TCP_OUT}
do
einfo " <-> Seting TCP "out" rules for ${i}"
iptables -A OUTPUT -j ACCEPT -o ${EXT_INT} -p tcp --sport 1024:
--dport $i -m state --state NEW,ESTABLISHED,RELATED
iptables -A INPUT -j ACCEPT -i ${EXT_INT} -p tcp --sport $i -m
state --state ESTABLISHED,RELATED
iptables -A FORWARD -j ACCEPT -o ${EXT_INT} -p tcp -s ${LAN} --sport
1024: --dport $i -m state --state NEW,ESTABLISHED,RELATED
iptables -A FORWARD -j ACCEPT -i ${EXT_INT} -p tcp --sport $i -d
${LAN} -m state --state ESTABLISHED,RELATED
done
eend $?
}
I hope somebody can help me.
Thanks, Christian Gmeiner
[-- Attachment #2: Type: text/html, Size: 15147 bytes --]
^ permalink raw reply [flat|nested] 9+ messages in thread* Recomendations for replacing a Raptor (Symantec Enterprise) firewall
2004-01-22 2:12 ` Mark E. Donaldson
@ 2004-01-22 2:38 ` Brad Morgan
2004-01-22 10:56 ` bino-psn
0 siblings, 1 reply; 9+ messages in thread
From: Brad Morgan @ 2004-01-22 2:38 UTC (permalink / raw)
To: netfilter
I have a Raptor (version 6.5) firewall running on Windows NT 4.0. We have a
/27 netblock with multiple FTP and Web servers at different public addresses
within this block.
I'd like to replace this firewall with something like Smoothwall but need to
be able to redirect multiple public IP addresses to the proper internal
machines. I'd like to use a Netfilter / iptables based solution.
Can you suggest some possible alternatives? I guess I could just use a
general purpose Linux distribution, but I was hoping for something a bit
more focused.
Thanks,
Brad Morgan
^ permalink raw reply [flat|nested] 9+ messages in thread
* Re: Recomendations for replacing a Raptor (Symantec Enterprise) firewall
2004-01-22 2:38 ` Recomendations for replacing a Raptor (Symantec Enterprise) firewall Brad Morgan
@ 2004-01-22 10:56 ` bino-psn
0 siblings, 0 replies; 9+ messages in thread
From: bino-psn @ 2004-01-22 10:56 UTC (permalink / raw)
To: netfilter
Brad ..
You can take a look at http://leaf.sourceforge.net
LEAF = Linux Embeded Aplication Firewall
By default .. it's only a floppy in size.
Sincerely
-bino-
----- Original Message -----
From: "Brad Morgan" <B-Morgan@concentric.net>
To: <netfilter@lists.netfilter.org>
Sent: Thursday, January 22, 2004 9:38 AM
Subject: Recomendations for replacing a Raptor (Symantec Enterprise)
firewall
I have a Raptor (version 6.5) firewall running on Windows NT 4.0. We have a
/27 netblock with multiple FTP and Web servers at different public addresses
within this block.
I'd like to replace this firewall with something like Smoothwall but need to
be able to redirect multiple public IP addresses to the proper internal
machines. I'd like to use a Netfilter / iptables based solution.
Can you suggest some possible alternatives? I guess I could just use a
general purpose Linux distribution, but I was hoping for something a bit
more focused.
Thanks,
Brad Morgan
^ permalink raw reply [flat|nested] 9+ messages in thread
* Re: Problem with connection-tracking and FTP
2004-01-20 16:01 Problem with connection-tracking and FTP Christian Gmeiner
2004-01-21 5:32 ` Mark E. Donaldson
@ 2004-01-22 6:45 ` Arnt Karlsen
2004-01-22 8:14 ` Christian Gmeiner
1 sibling, 1 reply; 9+ messages in thread
From: Arnt Karlsen @ 2004-01-22 6:45 UTC (permalink / raw)
To: netfilter
On Tue, 20 Jan 2004 17:01:26 +0100,
"Christian Gmeiner" <christian@visual-page.de> wrote in message
<002001c3df6e$a97416e0$0600a8c0@blackbox>:
> Hi everybody.
>
> I am working on a little firewall script. Everything works just fine,
> but i dont get the ftp protocoll working.
>
> I call this two function to get ftp working:
>
> # ==================================
> FTP()
> {
> ebegin "Seting rules for active/passive FTP"
..<snip>
> eend $?
> }
..does whatever which is supposed to parse this,
understand "ebegin" and "eend" ???
--
..med vennlig hilsen = with Kind Regards from Arnt... ;-)
...with a number of polar bear hunters in his ancestry...
Scenarios always come in sets of three:
best case, worst case, and just in case.
^ permalink raw reply [flat|nested] 9+ messages in thread* Re: Problem with connection-tracking and FTP
2004-01-22 6:45 ` Problem with connection-tracking and FTP Arnt Karlsen
@ 2004-01-22 8:14 ` Christian Gmeiner
0 siblings, 0 replies; 9+ messages in thread
From: Christian Gmeiner @ 2004-01-22 8:14 UTC (permalink / raw)
To: Arnt Karlsen, Iptables Netlist
ebegin, eend, einfo,... are all functions form the Gentoo-Linux.
So it looks like this:
* Setting /proc options... [
ok ]
* Takeing care of IANA... [
ok ]
The * is green, [] are blue and the ok is also green. If it fails the ok is
repleaced with an red !!
So this is only for good looking: :)
Greets, Christian
----- Original Message -----
From: "Arnt Karlsen" <arnt@c2i.net>
To: <netfilter@lists.netfilter.org>
Sent: Thursday, January 22, 2004 7:45 AM
Subject: Re: Problem with connection-tracking and FTP
> On Tue, 20 Jan 2004 17:01:26 +0100,
> "Christian Gmeiner" <christian@visual-page.de> wrote in message
> <002001c3df6e$a97416e0$0600a8c0@blackbox>:
>
> > Hi everybody.
> >
> > I am working on a little firewall script. Everything works just fine,
> > but i dont get the ftp protocoll working.
> >
> > I call this two function to get ftp working:
> >
> > # ==================================
> > FTP()
> > {
> > ebegin "Seting rules for active/passive FTP"
>
> ..<snip>
>
> > eend $?
> > }
>
> ..does whatever which is supposed to parse this,
> understand "ebegin" and "eend" ???
>
> --
> ..med vennlig hilsen = with Kind Regards from Arnt... ;-)
> ...with a number of polar bear hunters in his ancestry...
> Scenarios always come in sets of three:
> best case, worst case, and just in case.
>
>
>
^ permalink raw reply [flat|nested] 9+ messages in thread
end of thread, other threads:[~2004-01-22 10:56 UTC | newest]
Thread overview: 9+ messages (download: mbox.gz follow: Atom feed
-- links below jump to the message on this page --
2004-01-20 16:01 Problem with connection-tracking and FTP Christian Gmeiner
2004-01-21 5:32 ` Mark E. Donaldson
2004-01-21 11:58 ` Christian Gmeiner
2004-01-21 14:43 ` Caracal - G. Hostettler
2004-01-22 2:12 ` Mark E. Donaldson
2004-01-22 2:38 ` Recomendations for replacing a Raptor (Symantec Enterprise) firewall Brad Morgan
2004-01-22 10:56 ` bino-psn
2004-01-22 6:45 ` Problem with connection-tracking and FTP Arnt Karlsen
2004-01-22 8:14 ` Christian Gmeiner
This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.