* Allow active and passive FTP connections
@ 2004-06-17 11:03 Sagara Wijetunga
2004-06-17 12:07 ` Chris Brenton
2004-06-17 12:16 ` Rob Sterenborg
0 siblings, 2 replies; 28+ messages in thread
From: Sagara Wijetunga @ 2004-06-17 11:03 UTC (permalink / raw)
To: netfilter
Hi all
I need to allow active as well as passive FTP
connections to my FTP server.
My firewall configuration is as follows:
/sbin/iptables -P INPUT DROP
/sbin/iptables -P FORWARD DROP
/sbin/iptables -P OUTPUT DROP
:
/sbin/iptables -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
:
/sbin/iptables -A INPUT -p tcp --dport 21 --syn -j ACCEPT
:
/sbin/iptables -A OUTPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
:
I have the following issues relating to the above rules:
1. For active FTP requests by remote clients, it drops the data connection request from the server to the remote client on the OUTPUT chain.
2. For passive FTP requests by remote clients, it drops the data connection request from remote clients to the server on the INPUT chain.
I expected RELATED on both the INPUT and OUTPUT chains would accept active as well as passive FTP connections.
The RELATED is defined on Packet Filtering HOWTO by
Rusty Russell as follows:
<quote>
RELATED
A packet which is related to, but not part of, an
existing connection, such as an ICMP error, or (with
the FTP module inserted), a packet establishing an ftp
data connection.
</quote>
What is this FTP module and how do I insert it?
I have already enabled the FTP support as part of the
Linux kernel.
Your comment in this regard is very much appreciated.
Kind regards
Sagara
* Re: Allow active and passive FTP connections
2004-06-17 11:03 Allow active and passive FTP connections Sagara Wijetunga
@ 2004-06-17 12:07 ` Chris Brenton
2004-06-17 12:16 ` Rob Sterenborg
1 sibling, 0 replies; 28+ messages in thread
From: Chris Brenton @ 2004-06-17 12:07 UTC (permalink / raw)
To: Sagara Wijetunga; +Cc: netfilter
On Thu, 2004-06-17 at 07:03, Sagara Wijetunga wrote:
>
> I have following issues relating to above rules:
> 1. For active FTP requests by remote clients, it drops
> the data connection request to the remote client from
> the server on the OUTPUT chain.
>
> 2. For passive FTP requests by remote clients, it
> drops the data connection request to the server from
> remote clients on the INPUT chain.
Try:
insmod ip_conntrack_ftp
HTH,
C
* RE: Allow active and passive FTP connections
@ 2004-06-17 12:13 Piszcz, Justin Michael
2004-06-17 12:23 ` Antony Stone
0 siblings, 1 reply; 28+ messages in thread
From: Piszcz, Justin Michael @ 2004-06-17 12:13 UTC (permalink / raw)
To: Chris Brenton, Sagara Wijetunga; +Cc: netfilter
I think he meant modprobe ip_conntrack_ftp, and if you are behind NAT there is a module for that as well.
* Re: Allow active and passive FTP connections
2004-06-17 11:03 Allow active and passive FTP connections Sagara Wijetunga
2004-06-17 12:07 ` Chris Brenton
@ 2004-06-17 12:16 ` Rob Sterenborg
1 sibling, 0 replies; 28+ messages in thread
From: Rob Sterenborg @ 2004-06-17 12:16 UTC (permalink / raw)
To: netfilter
> What is this FTP module and how to insert it?
ip_conntrack_ftp
ip_nat_ftp
# modprobe ip_<conntrack|nat>_ftp
Gr,
Rob
* Re: Allow active and passive FTP connections
2004-06-17 12:13 Piszcz, Justin Michael
@ 2004-06-17 12:23 ` Antony Stone
2004-06-17 15:13 ` Sagara Wijetunga
0 siblings, 1 reply; 28+ messages in thread
From: Antony Stone @ 2004-06-17 12:23 UTC (permalink / raw)
To: netfilter
On Thursday 17 June 2004 1:13 pm, Piszcz, Justin Michael wrote:
> I think he meant, modprobe ip_conntrack_ftp and if you are behind nat
> there is a module for that as well.
insmod should do the job perfectly well.
NAT is very unlikely when the rules are running on the FTP server itself
(they're in the INPUT & OUTPUT chains).
Regards,
Antony.
--
A: Because it messes up the order in which people normally read text.
Q: Why is top-posting such a bad thing?
A: Top-posting.
Q: What is the most annoying thing on usenet and in e-mail?
Please reply to the list;
please don't CC me.
* RE: Allow active and passive FTP connections
@ 2004-06-17 13:06 Piszcz, Justin Michael
2004-06-17 13:24 ` Antony Stone
0 siblings, 1 reply; 28+ messages in thread
From: Piszcz, Justin Michael @ 2004-06-17 13:06 UTC (permalink / raw)
To: netfilter
root@p500:~# insmod ip_conntrack_ftp
insmod: can't read 'ip_conntrack_ftp': No such file or directory
root@p500:~#
- insmod is for loading a module file directly, so that would not work unless you were in the _same_ directory as ip_conntrack_ftp and had renamed ip_conntrack_ftp.{ko,o} to ip_conntrack_ftp; then it would work.
Otherwise, I do not see how you come to that conclusion.
* Re: Allow active and passive FTP connections
2004-06-17 13:06 Piszcz, Justin Michael
@ 2004-06-17 13:24 ` Antony Stone
0 siblings, 0 replies; 28+ messages in thread
From: Antony Stone @ 2004-06-17 13:24 UTC (permalink / raw)
To: netfilter
On Thursday 17 June 2004 2:06 pm, Piszcz, Justin Michael wrote:
> root@p500:~# insmod ip_conntrack_ftp
> insmod: can't read 'ip_conntrack_ftp': No such file or directory
> root@p500:~#
>
> - Insmod is when you load the module directly, there it would not work
> unless you were in the _same_ directory as the ip_conntrack_ftp and you
> renamed the ip_conntrack_ftp.{ko,o} ip_conntrack_ftp, then it would
> work.
Fair comment about the absolute path, but I'm not sure why you think you need
a rename. From "insmod --help" on my system (insmod version 2.4.6):
root@onyx:~# insmod --help
Usage:
insmod [-fhkLmnpqrsSvVxXyY] [-e persist_name] [-o module_name] [-O blob_name]
[-P prefix] module [ symbol=value ... ]
module Name of a loadable kernel module ('.o' can be omitted)
However, I'm sure the original poster has worked out how to solve the problem
by now, so this is probably getting OT...
Regards,
Antony.
--
"When you talk about Linux versus Windows, you're talking about which
operating system is the best value for money and fit for purpose. That's a
very basic decision customers can make if they have the information available
to them. Quite frankly if we lose to Linux because our customers say it's
better value for money, tough luck for us."
- Steve Vamos, MD of Microsoft Australia
Please reply to the list;
please don't CC me.
* Re: Allow active and passive FTP connections
2004-06-17 12:23 ` Antony Stone
@ 2004-06-17 15:13 ` Sagara Wijetunga
2004-06-17 15:27 ` Antony Stone
0 siblings, 1 reply; 28+ messages in thread
From: Sagara Wijetunga @ 2004-06-17 15:13 UTC (permalink / raw)
To: netfilter
--- Antony Stone <Antony@Soft-Solutions.co.uk> wrote:
> On Thursday 17 June 2004 1:13 pm, Piszcz, Justin
> Michael wrote:
>
> > I think he meant, modprobe ip_conntrack_ftp and if
> you are behind nat
> > there is a module for that as well.
>
> insmod should do the job perfectly well.
>
> NAT is very unlikely when the rules are running on
> the FTP server itself
> (they're in the INPUT & OUTPUT chains).
>
Thanks very much for everybody's comments on this.
In my Linux kernel, the “FTP protocol support” under “IP: Netfilter Configuration” is built into the kernel. Therefore, there is no ip_conntrack_ftp module to load.
I use Linux kernel 2.6.5, I don't use NAT and I use iptables v1.2.10.
I noticed “IP: kernel level autoconfiguration” was not set. I built that into the kernel as well, recompiled and reinstalled the Linux kernel, rebuilt all modules, rebooted the server and retried the FTP connection. But my problem is still the same.
For active FTP connections it drops the following packet:
Jun 17 22:51:04 svr1 kernel: OUTPUT PKT DROPPED: IN= OUT=eth0 SRC=[server IP addr] DST=[client IP addr] LEN=60 TOS=0x00 PREC=0x00 TTL=64 ID=33736 DF PROTO=TCP SPT=20 DPT=32914 WINDOW=5840 RES=0x00 SYN URGP=0
For passive FTP connections it drops the following packet:
Jun 17 22:54:12 svr1 kernel: INPUT PKT DROPPED: IN=eth0 OUT= MAC=00:e0:29:34:b3:58:00:e0:29:34:bb:36:08:00 SRC=[client IP addr] DST=[server IP addr] LEN=60 TOS=0x00 PREC=0x00 TTL=64 ID=40886 DF PROTO=TCP SPT=32916 DPT=32769 WINDOW=5840 RES=0x00 SYN URGP=0
Is it necessary to build ip_conntrack_ftp as a module?
Sagara
* RE: Allow active and passive FTP connections
@ 2004-06-17 15:22 Piszcz, Justin Michael
2004-06-17 16:41 ` Sagara Wijetunga
0 siblings, 1 reply; 28+ messages in thread
From: Piszcz, Justin Michael @ 2004-06-17 15:22 UTC (permalink / raw)
To: Sagara Wijetunga, netfilter
> Is it necessary to build ip_conntrack_ftp as a module?
If you want to do ports other than 21: on 2.4, yes; on 2.6, no, you can use the append="" option in LILO.
* Re: Allow active and passive FTP connections
2004-06-17 15:13 ` Sagara Wijetunga
@ 2004-06-17 15:27 ` Antony Stone
2004-06-17 16:29 ` Sagara Wijetunga
0 siblings, 1 reply; 28+ messages in thread
From: Antony Stone @ 2004-06-17 15:27 UTC (permalink / raw)
To: netfilter
On Thursday 17 June 2004 4:13 pm, Sagara Wijetunga wrote:
> Thanks very much for everybody's comments on this.
>
> In my Linux kernel, the “FTP protocol support” under
> “IP: Netfilter Configuration” is build into the
> kernel. Therefore, there is no ip_conntrack_ftp module
> to load.
>
> I use Linux kernel 2.6.5, I don't use NAT and I use
> iptables v1.2.10.
>
>
> Is it necessary to build ip_conntrack_ftp as a module?
Certainly not. I always build firewall kernels as monolithic (everything I
need compiled-in, no module support, so nothing can be loaded or unloaded
afterwards).
There must be some reason why the conntrack table isn't recognising the
reverse connection (I assume you *do* have connection tracking support
compiled in as well? I can't recall if you have to have this before you
even see the FTP question when building the kernel...)
What do you see in /proc/net/ip_conntrack when the connection is half-open
(ie: about the same time as the log entry you posted appears)?
This seems strange.
Regards,
Antony.
--
There are only 10 types of people in the world:
those who understand binary notation,
and those who don't.
Please reply to the list;
please don't CC me.
* Re: Allow active and passive FTP connections
2004-06-17 15:27 ` Antony Stone
@ 2004-06-17 16:29 ` Sagara Wijetunga
0 siblings, 0 replies; 28+ messages in thread
From: Sagara Wijetunga @ 2004-06-17 16:29 UTC (permalink / raw)
To: netfilter
--- Antony Stone <Antony@Soft-Solutions.co.uk> wrote:
> On Thursday 17 June 2004 4:13 pm, Sagara Wijetunga
> wrote:
> > Is it necessary to build ip_conntrack_ftp as a
> module?
>
> Certainly not. I always build firewall kernels as
> monolithic (everything I
> need compiled-in, no module support, so nothing can
> be loaded or unloaded
> afterwards).
>
> There must be some reason why the conntrack table
> isn't recognising the
> reverse connection (I assume you *do* have
> connection tracking support
> compiled in as well? I can't recall if you have to
> have this before you
> even see the FTP question when building the
> kernel...)
>
Yes, everything under 'IP: Netfilter Configuration', including 'Connection tracking (required for masq/NAT)', is compiled in. The only item not selected is 'NAT of local connections'.
> What do you see in /proc/net/ip_conntrack when the
> connection is half-open
> (ie: about the same time as the log entry you posted
> appears)?
>
cat /proc/net/ip_conntrack shows:
tcp 6 431999 ESTABLISHED src=[client IP addr] dst=[server IP addr] sport=32983 dport=22 src=[server IP addr] dst=[client IP addr] sport=22 dport=32983 [ASSURED] use=2
tcp 6 431996 ESTABLISHED src=[client IP addr] dst=[server IP addr] sport=32987 dport=21 src=[server IP addr] dst=[client IP addr] sport=21 dport=32987 [ASSURED] use=1
By this time the following packets are dropped:
Jun 18 00:21:10 svr1 kernel: OUTPUT PKT DROPPED: IN= OUT=eth0 SRC=[server IP addr] DST=[client IP addr] LEN=60 TOS=0x00 PREC=0x00 TTL=64 ID=21776 DF PROTO=TCP SPT=20 DPT=32988 WINDOW=5840 RES=0x00 SYN URGP=0
Jun 18 00:24:19 svr1 kernel: OUTPUT PKT DROPPED: IN= OUT=eth0 SRC=[server IP addr] DST=[client IP addr] LEN=137 TOS=0x10 PREC=0x00 TTL=64 ID=65463 DF PROTO=TCP SPT=21 DPT=32987 WINDOW=6432 RES=0x00 ACK PSH URGP=0
Jun 18 00:24:20 svr1 kernel: OUTPUT PKT DROPPED: IN= OUT=eth0 SRC=[server IP addr] DST=[client IP addr] LEN=174 TOS=0x10 PREC=0x00 TTL=64 ID=65466 DF PROTO=TCP SPT=21 DPT=32987 WINDOW=6432 RES=0x00 ACK PSH FIN URGP=0
What else can I check?
Sagara
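The conntrack table and the drop logs in the message above invite a quick triage: is a dropped SYN an FTP data connection whose control channel is in the table (so the helper never produced a RELATED expectation for it), or is a packet of an already ESTABLISHED connection being dropped, which the later SPT=21 ACK PSH drops show and which points at the state match itself rather than the helper? The script below is an added example, not something posted in the thread. The table and log lines are constructed after the ones quoted above, with RFC 5737 documentation addresses standing in for [client IP addr] and [server IP addr].

```shell
#!/bin/sh
# Added example, not posted in the thread: classify iptables LOG drops against
# the conntrack table, to separate "FTP data SYN whose control channel is
# tracked but got no RELATED expectation" from "packet of an already tracked
# connection dropped" and from unrelated noise. Addresses are constructed
# RFC 5737 values standing in for the thread's [client IP addr] / [server IP addr].
set -eu

# Constructed /proc/net/ip_conntrack content modelled on the lines quoted above.
CT_TABLE='tcp 6 431999 ESTABLISHED src=203.0.113.10 dst=192.0.2.5 sport=32983 dport=22 src=192.0.2.5 dst=203.0.113.10 sport=22 dport=32983 [ASSURED] use=2
tcp 6 431996 ESTABLISHED src=203.0.113.10 dst=192.0.2.5 sport=32987 dport=21 src=192.0.2.5 dst=203.0.113.10 sport=21 dport=32987 [ASSURED] use=1'

# Constructed kernel LOG lines in the same shape as the thread's drops.
ACTIVE_DROP='Jun 18 00:21:10 svr1 kernel: OUTPUT PKT DROPPED: IN= OUT=eth0 SRC=192.0.2.5 DST=203.0.113.10 LEN=60 TOS=0x00 PREC=0x00 TTL=64 ID=21776 DF PROTO=TCP SPT=20 DPT=32988 WINDOW=5840 RES=0x00 SYN URGP=0'
PASSIVE_DROP='Jun 17 22:54:12 svr1 kernel: INPUT PKT DROPPED: IN=eth0 OUT= SRC=203.0.113.10 DST=192.0.2.5 LEN=60 TOS=0x00 PREC=0x00 TTL=64 ID=40886 DF PROTO=TCP SPT=32916 DPT=32769 WINDOW=5840 RES=0x00 SYN URGP=0'
CONTROL_DROP='Jun 18 00:24:19 svr1 kernel: OUTPUT PKT DROPPED: IN= OUT=eth0 SRC=192.0.2.5 DST=203.0.113.10 LEN=137 TOS=0x10 PREC=0x00 TTL=64 ID=65463 DF PROTO=TCP SPT=21 DPT=32987 WINDOW=6432 RES=0x00 ACK PSH URGP=0'
OTHER_DROP='Jun 18 00:30:00 svr1 kernel: INPUT PKT DROPPED: IN=eth0 OUT= SRC=198.51.100.7 DST=192.0.2.5 LEN=60 TOS=0x00 PREC=0x00 TTL=64 ID=7 DF PROTO=TCP SPT=44444 DPT=8080 WINDOW=5840 RES=0x00 SYN URGP=0'

# log_field LINE KEY: print the value of KEY=... from a LOG line (empty if absent).
log_field() {
    printf '%s\n' "$1" | sed -n "s/.*[[:space:]]$2=\([^[:space:]]*\).*/\1/p"
}

# has_ftp_control CLIENT SERVER TABLE: is a CLIENT->SERVER:21 control connection tracked?
has_ftp_control() {
    printf '%s\n' "$3" | grep -q "src=$1 dst=$2 sport=[0-9]* dport=21 "
}

# is_tracked SRC DST SPT DPT TABLE: does either tuple direction of a tracked
# connection match this packet?
is_tracked() {
    printf '%s\n' "$5" | grep -q "src=$1 dst=$2 sport=$3 dport=$4"
}

# classify_drop LINE TABLE: print one word naming what kind of drop this is.
classify_drop() {
    line=$1
    table=$2
    src=$(log_field "$line" SRC); dst=$(log_field "$line" DST)
    spt=$(log_field "$line" SPT); dpt=$(log_field "$line" DPT)

    case " $line " in
    *" SYN "*) ;;
    *)
        # Not a connection attempt: if conntrack knows this flow, the
        # ESTABLISHED match itself is not doing its job.
        if is_tracked "$src" "$dst" "$spt" "$dpt" "$table"; then
            echo "tracked-connection-packet-dropped"
        else
            echo "untracked-non-syn"
        fi
        return 0 ;;
    esac

    case "$line" in
    *"OUTPUT PKT DROPPED"*)
        # Server-originated SYN from port 20 to a client with a live control channel.
        if [ "$spt" = 20 ] && has_ftp_control "$dst" "$src" "$table"; then
            echo "active-ftp-data-missing-RELATED"; return 0
        fi ;;
    *"INPUT PKT DROPPED"*)
        # Client SYN to an unprivileged port while its control channel is tracked.
        if [ "${dpt:-0}" -gt 1023 ] && has_ftp_control "$src" "$dst" "$table"; then
            echo "passive-ftp-data-missing-RELATED"; return 0
        fi ;;
    esac
    echo "unrelated-new-connection"
}

# Usage: run over the constructed samples.
for l in "$ACTIVE_DROP" "$PASSIVE_DROP" "$CONTROL_DROP" "$OTHER_DROP"; do
    printf '%-36s %s\n' "$(classify_drop "$l" "$CT_TABLE")" "$(printf '%s' "$l" | cut -c30-48)"
done
```

On a live host, feed the kernel log lines and the contents of /proc/net/ip_conntrack (nf_conntrack on current kernels) to classify_drop. An "active-ftp-data-missing-RELATED" or "passive-ftp-data-missing-RELATED" result with no matching entry in /proc/net/ip_conntrack_expect (nf_conntrack_expect on current kernels) means the helper is not attached to the control connection; a "tracked-connection-packet-dropped" result means the state match is failing on a flow conntrack already knows, which no helper setting will fix.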
* RE: Allow active and passive FTP connections
2004-06-17 15:22 Piszcz, Justin Michael
@ 2004-06-17 16:41 ` Sagara Wijetunga
2004-06-17 16:52 ` Antony Stone
0 siblings, 1 reply; 28+ messages in thread
From: Sagara Wijetunga @ 2004-06-17 16:41 UTC (permalink / raw)
To: netfilter
<justin.piszcz@mitretek.org> wrote:
> Is it necessary to build ip_conntrack_ftp as a
> module?
> If you want to do ports other than 21 on 2.4, yes,
> on 2.6, no, you can
> use the append="" option in LILO.
>
Could you elaborate on this a bit? I use Linux kernel 2.6.5 and ip_conntrack_ftp is compiled into the kernel. Do I still have to pass an append="" option to the kernel at LILO?
Sagara
* Re: Allow active and passive FTP connections
2004-06-17 16:41 ` Sagara Wijetunga
@ 2004-06-17 16:52 ` Antony Stone
0 siblings, 0 replies; 28+ messages in thread
From: Antony Stone @ 2004-06-17 16:52 UTC (permalink / raw)
To: netfilter
On Thursday 17 June 2004 5:41 pm, Sagara Wijetunga wrote:
> <justin.piszcz@mitretek.org> wrote:
> > Is it necessary to build ip_conntrack_ftp as a
> > module?
> > If you want to do ports other than 21 on 2.4, yes,
> > on 2.6, no, you can
> > use the append="" option in LILO.
>
> Could you elaborate this a bit? I use Linux kernel
> 2.6.5 and ip_conntrack_ftp is compiled into the
> kernel. Do I still have to pass a append="" option to
> kernel at LILO?
Only if you want to connect to a non-standard port number (ie: other than 21)
Regards,
Antony.
--
This email is intended for the use of the individual addressee(s) named above
and may contain information that is confidential, privileged or unsuitable
for overly sensitive persons with low self-esteem, no sense of humour, or
irrational religious beliefs.
If you have received this email in error, you are required to shred it
immediately, add some nutmeg, three egg whites and a dessertspoonful of
caster sugar. Whisk until soft peaks form, then place in a warm oven for 40
minutes. Remove promptly and let stand for 2 hours before adding some
decorative kiwi fruit and cream. Then notify me immediately by return email
and eat the original message.
Please reply to the list;
please don't CC me.
* RE: Allow active and passive FTP connections
@ 2004-06-17 17:04 Piszcz, Justin Michael
0 siblings, 0 replies; 28+ messages in thread
From: Piszcz, Justin Michael @ 2004-06-17 17:04 UTC (permalink / raw)
To: netfilter
Yup.
* RE: Allow active and passive FTP connections
@ 2004-06-18 17:14 Sagara Wijetunga
2004-06-18 19:16 ` Jozsef Kadlecsik
0 siblings, 1 reply; 28+ messages in thread
From: Sagara Wijetunga @ 2004-06-18 17:14 UTC (permalink / raw)
To: netfilter
Hi all
Today I upgraded the Linux kernel to 2.6.7.
Applied following patches of the
patch-o-matic-ng-20040302:
init_conntrack-optimize NETMAP SAME TTL connlimit
fuzzy iprange ipv4options mport raw CLASSIFY addrtype
childlevel owner-socketlookup
Compiled all netfilter options into the kernel.
After the server was booted with the new kernel, I recompiled and reinstalled iptables.
But my problem is still the same. The “-m state
--state ESTABLISHED” works well, but the “-m state
--state RELATED” does not work at all for FTP data
connections. What have I missed?
Is there an alternative method to know that a particular --syn connection is part of an existing FTP connection without using RELATED?
Any ideas please?
Sagara
* RE: Allow active and passive FTP connections
2004-06-18 17:14 Sagara Wijetunga
@ 2004-06-18 19:16 ` Jozsef Kadlecsik
2004-06-19 4:26 ` Sagara Wijetunga
0 siblings, 1 reply; 28+ messages in thread
From: Jozsef Kadlecsik @ 2004-06-18 19:16 UTC (permalink / raw)
To: Sagara Wijetunga; +Cc: netfilter
On Fri, 18 Jun 2004, Sagara Wijetunga wrote:
> Today I upgraded the Linux kernel to 2.6.7.
>
> Applied following patches of the
> patch-o-matic-ng-20040302:
> init_conntrack-optimize NETMAP SAME TTL connlimit
> fuzzy iprange ipv4options mport raw CLASSIFY addrtype
> childlevel owner-socketlookup
>
> Compiled in all netfilter options to the kernel.
Could you post the output of
grep IP_NF_ .config
running it in the source tree of linux-2.6.7?
> After the server is booted with the new kernel, I
> recompiled and reinstalled the iptables.
>
> But my problem is still the same. The “-m state
> --state ESTABLISHED” works well, but the “-m state
> --state RELATED” does not work at all for FTP data
> connections. What have I missed?
You should post the complete list of your rules in all of the tables.
There is something definitely wrong in your configuration.
Best regards,
Jozsef
-
E-mail : kadlec@blackhole.kfki.hu, kadlec@sunserv.kfki.hu
PGP key : http://www.kfki.hu/~kadlec/pgp_public_key.txt
Address : KFKI Research Institute for Particle and Nuclear Physics
H-1525 Budapest 114, POB. 49, Hungary
* RE: Allow active and passive FTP connections
2004-06-18 19:16 ` Jozsef Kadlecsik
@ 2004-06-19 4:26 ` Sagara Wijetunga
2004-06-21 9:47 ` Jozsef Kadlecsik
0 siblings, 1 reply; 28+ messages in thread
From: Sagara Wijetunga @ 2004-06-19 4:26 UTC (permalink / raw)
To: netfilter
--- Jozsef Kadlecsik <kadlec@blackhole.kfki.hu> wrote:
> On Fri, 18 Jun 2004, Sagara Wijetunga wrote:
>
> > Today I upgraded the Linux kernel to 2.6.7.
> >
> > Applied following patches of the
> > patch-o-matic-ng-20040302:
> > init_conntrack-optimize NETMAP SAME TTL connlimit
> > fuzzy iprange ipv4options mport raw CLASSIFY
> addrtype
> > childlevel owner-socketlookup
> >
> > Compiled in all netfilter options to the kernel.
>
> Could you post the output of
>
> grep IP_NF_ .config
>
cd /usr/src/linux-2.6.7
grep IP_NF_ .config
CONFIG_IP_NF_CONNTRACK=y
CONFIG_IP_NF_FTP=y
CONFIG_IP_NF_IRC=y
CONFIG_IP_NF_TFTP=y
# CONFIG_IP_NF_AMANDA is not set
CONFIG_IP_NF_QUEUE=y
CONFIG_IP_NF_IPTABLES=y
CONFIG_IP_NF_MATCH_LIMIT=y
CONFIG_IP_NF_MATCH_IPRANGE=y
CONFIG_IP_NF_MATCH_MAC=y
CONFIG_IP_NF_MATCH_PKTTYPE=y
CONFIG_IP_NF_MATCH_MARK=y
CONFIG_IP_NF_MATCH_MULTIPORT=y
CONFIG_IP_NF_MATCH_TOS=y
CONFIG_IP_NF_MATCH_RECENT=y
CONFIG_IP_NF_MATCH_ECN=y
CONFIG_IP_NF_MATCH_DSCP=y
CONFIG_IP_NF_MATCH_AH_ESP=y
CONFIG_IP_NF_MATCH_LENGTH=y
CONFIG_IP_NF_MATCH_TTL=y
CONFIG_IP_NF_MATCH_TCPMSS=y
CONFIG_IP_NF_MATCH_HELPER=y
CONFIG_IP_NF_MATCH_STATE=y
CONFIG_IP_NF_MATCH_CONNTRACK=y
CONFIG_IP_NF_MATCH_OWNER=y
CONFIG_IP_NF_FILTER=y
CONFIG_IP_NF_TARGET_REJECT=y
CONFIG_IP_NF_NAT=y
CONFIG_IP_NF_NAT_NEEDED=y
CONFIG_IP_NF_TARGET_MASQUERADE=y
CONFIG_IP_NF_TARGET_REDIRECT=y
CONFIG_IP_NF_TARGET_NETMAP=y
CONFIG_IP_NF_TARGET_SAME=y
# CONFIG_IP_NF_NAT_LOCAL is not set
# CONFIG_IP_NF_NAT_SNMP_BASIC is not set
CONFIG_IP_NF_NAT_IRC=y
CONFIG_IP_NF_NAT_FTP=y
CONFIG_IP_NF_NAT_TFTP=y
CONFIG_IP_NF_MANGLE=y
CONFIG_IP_NF_TARGET_TOS=y
CONFIG_IP_NF_TARGET_ECN=y
CONFIG_IP_NF_TARGET_DSCP=y
CONFIG_IP_NF_TARGET_MARK=y
CONFIG_IP_NF_TARGET_CLASSIFY=y
CONFIG_IP_NF_TARGET_LOG=y
CONFIG_IP_NF_TARGET_ULOG=y
CONFIG_IP_NF_TARGET_TCPMSS=y
CONFIG_IP_NF_ARPTABLES=y
CONFIG_IP_NF_ARPFILTER=y
CONFIG_IP_NF_ARP_MANGLE=y
CONFIG_IP_NF_TARGET_NOTRACK=y
CONFIG_IP_NF_RAW=y
CONFIG_IP_NF_TARGET_TTL=y
CONFIG_IP_NF_MATCH_CONNLIMIT=y
CONFIG_IP_NF_MATCH_FUZZY=y
CONFIG_IP_NF_MATCH_IPV4OPTIONS=y
CONFIG_IP_NF_MATCH_MPORT=y
CONFIG_IP_NF_MATCH_ADDRTYPE=y
The iptables-1.2.10 was compiled and installed as follows:
CC="gcc -D__user= "
export CC
make BINDIR=/sbin LIBDIR=/lib \
  MANDIR=/usr/share/man KERNEL_DIR=/usr/src/linux-2.6.7 >& iptables-make.log
make BINDIR=/sbin LIBDIR=/lib \
  MANDIR=/usr/share/man install KERNEL_DIR=/usr/src/linux-2.6.7 >& iptables-install.log
/sbin/ldconfig
> > After the server is booted with the new kernel, I
> > recompiled and reinstalled the iptables.
> >
> > But my problem is still the same. The “-m state
> > --state ESTABLISHED” works well, but the “-m state
> > --state RELATED” does not work at all for FTP data
> > connections. What have I missed?
>
> You should post the complete list of your rules in
> all of the tables.
>
/sbin/iptables -P INPUT DROP
/sbin/iptables -P FORWARD DROP
/sbin/iptables -P OUTPUT DROP
/sbin/iptables -A INPUT -m state --state INVALID -j DROP
/sbin/iptables -A INPUT -p tcp --tcp-flags SYN,FIN SYN,FIN -j DROP
/sbin/iptables -A INPUT -p tcp --tcp-flags ALL FIN -j DROP
/sbin/iptables -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
/sbin/iptables -A INPUT -p tcp --dport 21 --tcp-flags ACK,PSH,URG ACK,PSH -j DROP
/sbin/iptables -A INPUT -p tcp --tcp-flags FIN,ACK FIN,ACK -j DROP
/sbin/iptables -A INPUT -p tcp --tcp-flags RST,ACK RST,ACK -j DROP
/sbin/iptables -A INPUT -p tcp --dport 21 --syn -j ACCEPT
/sbin/iptables -A INPUT -p tcp --dport 22 --syn -j ACCEPT
/sbin/iptables -A INPUT -p tcp --dport 25 --syn -j ACCEPT
/sbin/iptables -A INPUT -p tcp --dport 53 --syn -j ACCEPT
/sbin/iptables -A INPUT -p udp --dport 53 -j ACCEPT
/sbin/iptables -A INPUT -p tcp --dport 80 --syn -j ACCEPT
/sbin/iptables -A INPUT -p tcp --dport 110 --syn -j ACCEPT
/sbin/iptables -A INPUT -p tcp --dport 143 --syn -j ACCEPT
/sbin/iptables -A INPUT -p tcp --dport 443 --syn -j ACCEPT
/sbin/iptables -A INPUT -p tcp --dport 465 --syn -j ACCEPT
/sbin/iptables -A INPUT -p tcp --dport 993 --syn -j ACCEPT
/sbin/iptables -A INPUT -p tcp --dport 995 --syn -j ACCEPT
/sbin/iptables -A INPUT -m limit --limit 1/s -j LOG --log-prefix 'INPUT PKT DROPPED: '
/sbin/iptables -A OUTPUT -m state --state INVALID -j DROP
/sbin/iptables -A OUTPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
/sbin/iptables -A OUTPUT -p tcp --dport 53 --syn -j ACCEPT
/sbin/iptables -A OUTPUT -p udp --dport 53 -j ACCEPT
/sbin/iptables -A OUTPUT -p tcp --dport 25 --syn -j ACCEPT
/sbin/iptables -A OUTPUT -m limit --limit 1/s -j LOG --log-prefix 'OUTPUT PKT DROPPED: '
Please let me know if you require any further info in
this regard.
Sagara
* RE: Allow active and passive FTP connections
2004-06-19 4:26 ` Sagara Wijetunga
@ 2004-06-21 9:47 ` Jozsef Kadlecsik
2004-06-21 10:57 ` Sagara Wijetunga
0 siblings, 1 reply; 28+ messages in thread
From: Jozsef Kadlecsik @ 2004-06-21 9:47 UTC (permalink / raw)
To: Sagara Wijetunga; +Cc: netfilter
On Fri, 18 Jun 2004, Sagara Wijetunga wrote:
> > > Today I upgraded the Linux kernel to 2.6.7.
> > >
> > > Applied following patches of the
> > > patch-o-matic-ng-20040302:
> > > init_conntrack-optimize NETMAP SAME TTL connlimit
> > > fuzzy iprange ipv4options mport raw CLASSIFY
> > addrtype
> > > childlevel owner-socketlookup
> > >
> > > Compiled in all netfilter options to the kernel.
> >
> > Could you post the output of
> >
> > grep IP_NF_ .config
> >
> cd /usr/src/linux-2.6.7
> grep IP_NF_ .config
>
> CONFIG_IP_NF_CONNTRACK=y
> CONFIG_IP_NF_FTP=y
OK.
> The iptables-1.2.10 was compiled and installed as
Are you sure you are running the kernel indicated?
How did you compile iptables-1.2.10? There was a bug introduced in linux-2.6.7 which prevented anyone from compiling the iptables source using linux-2.6.7.
> > You should post the complete list of your rules in
> > all of the tables.
> >
> /sbin/iptables -P INPUT DROP
> /sbin/iptables -P FORWARD DROP
> /sbin/iptables -P OUTPUT DROP
What about the nat/mangle/raw tables?
Best regards,
Jozsef
-
E-mail : kadlec@blackhole.kfki.hu, kadlec@sunserv.kfki.hu
PGP key : http://www.kfki.hu/~kadlec/pgp_public_key.txt
Address : KFKI Research Institute for Particle and Nuclear Physics
H-1525 Budapest 114, POB. 49, Hungary
* RE: Allow active and passive FTP connections
2004-06-21 9:47 ` Jozsef Kadlecsik
@ 2004-06-21 10:57 ` Sagara Wijetunga
0 siblings, 0 replies; 28+ messages in thread
From: Sagara Wijetunga @ 2004-06-21 10:57 UTC (permalink / raw)
To: netfilter
--- Jozsef Kadlecsik <kadlec@blackhole.kfki.hu> wrote:
> Are you sure, you run the kernel indicated?
>
uname -a
Linux svr1.myDomain 2.6.7 ...
> How did you compile iptables-1.2.10? There was a bug
> introduced in
> linux-2.6.7, which prevented anyone to compile the
> iptables source
> using linux-2.6.7.
>
I exported the variable CC before compiling iptables
as follows:
CC="gcc -D__user= "
export CC
make BINDIR=/sbin LIBDIR=/lib \
  MANDIR=/usr/share/man KERNEL_DIR=/usr/src/linux-2.6.7 >& iptables-make.log
make BINDIR=/sbin LIBDIR=/lib \
  MANDIR=/usr/share/man install KERNEL_DIR=/usr/src/linux-2.6.7 >& iptables-install.log
Anyway, my problem has nothing to do with Linux kernel
2.6.7. The RELATED state did not work on kernel 2.6.5 and
iptables 1.2.9; that's why I upgraded the kernel and
iptables.
> > > You should post the complete list of your rules
> in
> > > all of the tables.
> > >
> > /sbin/iptables -P INPUT DROP
> > /sbin/iptables -P FORWARD DROP
> > /sbin/iptables -P OUTPUT DROP
>
> What about the nat/mangle/raw tables?
>
I do not use NAT. It does not operate as a router.
Therefore, no IP forwarding. It's not connected to any
office LAN. Access is only through eth0.
I'm not sure about mangle and raw tables. My intention
is to allow access only to the services I offer.
Do I have to use mangle and raw tables?
Could you kindly write for me a complete iptables
firewall allowing access ONLY to the FTP and ssh? I
know this is a crazy request. But I can implement it
on my server and test. So our test firewall should be
able to accept active as well as passive FTP client
connections for file upload and download and ssh
access for me to manipulate the server.
Kind regards
Sagara
* RE: Allow active and passive FTP connections
@ 2004-06-21 11:10 Piszcz, Justin Michael
2004-06-21 14:56 ` Sagara Wijetunga
0 siblings, 1 reply; 28+ messages in thread
From: Piszcz, Justin Michael @ 2004-06-21 11:10 UTC (permalink / raw)
To: Sagara Wijetunga, netfilter
This is one of the first iptables firewalls I made (2-3 years ago) and
it does exactly that.
Let me know if it works for you, thanks.
#!/bin/sh
fw_start() {
#######################################
# STEP 1 - SET VARIABLES
#######################################
# YOUR LOCAL LOOPBACK DEVICE
LB="lo"
# YOUR PRIVATE INTERFACE
LAN="eth0"
# YOUR PRIVATE LAN IP
LIP="192.168.0.253"
# YOUR LOCAL AREA NETWORK
LSAT="192.168.0.0/24"
# YOUR INTERNET INTERFACE
INET="eth1"
# THE PATH TO IPTABLES
IPTABLES="/usr/sbin/iptables"
#######################################
# STEP 2 - TURN ON IP FORWARDING
#######################################
echo "1" > /proc/sys/net/ipv4/ip_forward
#######################################
# STEP 3 - FLUSH EXISTING RULES
#######################################
$IPTABLES --flush INPUT
$IPTABLES --flush OUTPUT
$IPTABLES --flush FORWARD
#######################################
# STEP 4 - SET DEFAULT POLICIES
#######################################
$IPTABLES -P INPUT DROP
$IPTABLES -P OUTPUT ACCEPT
$IPTABLES -P FORWARD ACCEPT
#######################################
# STEP 5 - CREATE DEFAULT BLOCK CHAIN
#######################################
$IPTABLES -N BLOCK
$IPTABLES -A BLOCK -j LOG --log-level 3 --log-prefix "BLOCK: "
$IPTABLES -A BLOCK -j DROP
#######################################
# STEP 6 - SETUP MASQUERADING
#######################################
$IPTABLES -t nat -A POSTROUTING -o $INET -j MASQUERADE
#######################################
# STEP 7 - ALLOW LOCAL ENTITIES
#######################################
# ALLOW LOOPBACK
$IPTABLES -A INPUT -i $LB -j ACCEPT
# ALLOW LOCAL AREA NETWORK
$IPTABLES -A INPUT -i $LAN -s $LSAT -j ACCEPT
#######################################
# STEP 8 - ALLOW SPECIFIC TRAFFIC
#######################################
# EXAMPLE OF WHERE AND HOW TO ALLOW INBOUND TRAFFIC.
$IPTABLES -A INPUT -i $INET -p tcp --dport 21 -j ACCEPT
$IPTABLES -A INPUT -i $INET -p tcp --dport 22 -j ACCEPT
#######################################
# STEP 9 - ALLOW IN WHAT WE SEND OUT
#######################################
$IPTABLES -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
#######################################
# STEP 10 - DENY EVERYTHING NOT ALLOWED
#######################################
$IPTABLES -A INPUT -j BLOCK
#######################################
}
fw_stop() {
IPTABLES="/usr/sbin/iptables"
# RESET POLICIES TO ACCEPT FIRST: FLUSHING WITH INPUT STILL AT DROP WOULD
# LEAVE THE HOST UNREACHABLE (INCLUDING SSH) UNTIL THE NEXT START
$IPTABLES -P INPUT ACCEPT
$IPTABLES -P OUTPUT ACCEPT
$IPTABLES -P FORWARD ACCEPT
$IPTABLES --flush INPUT
$IPTABLES --flush OUTPUT
$IPTABLES --flush FORWARD
$IPTABLES --flush BLOCK
$IPTABLES --delete-chain BLOCK
}
fw_restart() {
fw_stop
fw_start
}
case "$1" in
'start')
fw_start
;;
'stop')
fw_stop
;;
'restart')
fw_restart
;;
*)
echo "usage $0 start|stop|restart"
esac
* RE: Allow active and passive FTP connections
2004-06-21 11:10 Piszcz, Justin Michael
@ 2004-06-21 14:56 ` Sagara Wijetunga
0 siblings, 0 replies; 28+ messages in thread
From: Sagara Wijetunga @ 2004-06-21 14:56 UTC (permalink / raw)
To: netfilter
--- "Piszcz, Justin Michael"
<justin.piszcz@mitretek.org> wrote:
> This is one of the first iptables firewalls I made
> (2-3 years ago) and
> it does exactly that.
> Let me know if it works for you, thanks.
>
Thanks for your sample firewall.
My server is not connected to a LAN. Therefore, I have
disabled your LAN related rules. All modifications are
highlighted with "<<== Sagara".
This is what I have tried:
#!/bin/sh
fw_start() {
#######################################
# STEP 1 - SET VARIABLES
#######################################
# YOUR LOCAL LOOPBACK DEVICE
LB="lo"
# YOUR PRIVATE INTERFACE
#LAN="eth0" <<== Sagara
# YOUR PRIVATE LAN IP
#LIP="192.168.0.253" <<== Sagara
# YOUR LOCAL AREA NETWORK
#LSAT="192.168.0.0/24" <<== Sagara
# YOUR INTERNET INTERFACE
#INET="eth1" <<== Sagara
INET="eth0"
# THE PATH TO IPTABLES
#IPTABLES="/usr/sbin/iptables" <<== Sagara
IPTABLES="/sbin/iptables"
#######################################
# STEP 2 - TURN ON IP FORWARDING
#######################################
#echo "1" > /proc/sys/net/ipv4/ip_forward <<== Sagara
#######################################
# STEP 3 - FLUSH EXISTING RULES
#######################################
$IPTABLES --flush INPUT
$IPTABLES --flush OUTPUT
$IPTABLES --flush FORWARD
#######################################
# STEP 4 - SET DEFAULT POLICIES
#######################################
$IPTABLES -P INPUT DROP
$IPTABLES -P OUTPUT ACCEPT
$IPTABLES -P FORWARD ACCEPT
#######################################
# STEP 5 - CREATE DEFAULT BLOCK CHAIN
#######################################
$IPTABLES -N BLOCK
$IPTABLES -A BLOCK -j LOG --log-level 3 --log-prefix "BLOCK: "
$IPTABLES -A BLOCK -j DROP
#######################################
# STEP 6 - SETUP MASQUERADING
#######################################
#$IPTABLES -t nat -A POSTROUTING -o $INET -j MASQUERADE <<== Sagara
#######################################
# STEP 7 - ALLOW LOCAL ENTITIES
#######################################
# ALLOW LOOPBACK
$IPTABLES -A INPUT -i $LB -j ACCEPT
# ALLOW LOCAL AREA NETWORK
#$IPTABLES -A INPUT -i $LAN -s $LSAT -j ACCEPT <<== Sagara
#######################################
# STEP 8 - ALLOW SPECIFIC TRAFFIC
#######################################
# EXAMPLE OF WHERE AND HOW TO ALLOW INBOUND TRAFFIC.
$IPTABLES -A INPUT -i $INET -p tcp --dport 21 -j ACCEPT
$IPTABLES -A INPUT -i $INET -p tcp --dport 22 -j ACCEPT
#######################################
# STEP 9 - ALLOW IN WHAT WE SEND OUT
#######################################
$IPTABLES -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
#######################################
# STEP 10 - DENY EVERYTHING NOT ALLOWED
#######################################
$IPTABLES -A INPUT -j BLOCK
#######################################
}
fw_stop() {
#IPTABLES="/usr/sbin/iptables" <<== Sagara
IPTABLES="/sbin/iptables"
# RESET POLICIES TO ACCEPT FIRST: FLUSHING WITH INPUT STILL AT DROP WOULD
# LEAVE THE HOST UNREACHABLE (INCLUDING SSH) UNTIL THE NEXT START
$IPTABLES -P INPUT ACCEPT
$IPTABLES -P OUTPUT ACCEPT
$IPTABLES -P FORWARD ACCEPT
$IPTABLES --flush INPUT
$IPTABLES --flush OUTPUT
$IPTABLES --flush FORWARD
$IPTABLES --flush BLOCK
$IPTABLES --delete-chain BLOCK
}
fw_restart() {
fw_stop
fw_start
}
case "$1" in
'start')
fw_start
;;
'stop')
fw_stop
;;
'restart')
fw_restart
;;
*)
echo "usage $0 start|stop|restart"
esac
This is the result of a passive FTP connection attempt:
Jun 21 22:56:07 svr1 kernel: BLOCK: IN=eth0 OUT= MAC=00:e0:29:34:b3:58:00:e0:29:34:bb:36:08:00 SRC=[client IP addr] DST=[server IP addr] LEN=60 TOS=0x00 PREC=0x00 TTL=64 ID=61616 DF PROTO=TCP SPT=32936 DPT=64638 WINDOW=5840 RES=0x00 SYN URGP=0
Please let me know whether I have made a mistake.
Kind regards
Sagara
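The BLOCK: line above is the kind of evidence a firewall admin has to read to tell "my rule order is wrong" apart from "conntrack never saw this connection coming". As an added example (not code from the thread), here is a small Python triage script for such netfilter LOG lines: it splits the --log-prefix and the KEY=value fields, then flags a dropped inbound SYN to a high port as the signature of a passive FTP data connection that was not matched as RELATED. The sample lines and their addresses are constructed (the post redacts the real ones; documentation addresses stand in), and the port thresholds are assumptions you would tune to your own service list.

```python
import re

# Constructed sample lines (not from the thread): the first mirrors the BLOCK:
# line above with documentation addresses substituted for the redacted ones,
# the second is a dropped SYN to a port the firewall never intended to offer.
SAMPLE_LOGS = [
    "Jun 21 22:56:07 svr1 kernel: BLOCK: IN=eth0 OUT= "
    "MAC=00:e0:29:34:b3:58:00:e0:29:34:bb:36:08:00 "
    "SRC=203.0.113.10 DST=198.51.100.5 LEN=60 TOS=0x00 PREC=0x00 TTL=64 "
    "ID=61616 DF PROTO=TCP SPT=32936 DPT=64638 WINDOW=5840 RES=0x00 SYN URGP=0",
    "Jun 21 22:58:41 svr1 kernel: BLOCK: IN=eth0 OUT= "
    "MAC=00:e0:29:34:b3:58:00:e0:29:34:bb:36:08:00 "
    "SRC=203.0.113.10 DST=198.51.100.5 LEN=60 TOS=0x00 PREC=0x00 TTL=64 "
    "ID=61700 DF PROTO=TCP SPT=32940 DPT=25 WINDOW=5840 RES=0x00 SYN URGP=0",
]

# Everything after "kernel: " is "<prefix>: IN=... OUT=... <fields>"
LOG_RE = re.compile(r"kernel: (?P<prefix>.*?): (?P<fields>IN=.*)$")


def parse_nf_log(line):
    """Split a netfilter LOG line into its --log-prefix and a dict of fields.
    'KEY=value' tokens become strings (OUT= gives an empty string); bare
    tokens such as DF or SYN become True. Returns None for non-LOG lines."""
    m = LOG_RE.search(line)
    if not m:
        return None
    fields = {}
    for tok in m.group("fields").split():
        key, sep, value = tok.partition("=")
        fields[key] = value if sep else True
    return {"prefix": m.group("prefix"), "fields": fields}


def classify_drop(entry, service_ports=(21, 22), ephemeral_min=1024):
    """Heuristic triage of one dropped packet (thresholds are assumptions).

    'blocked-service-port'     : SYN to a port we meant to allow; look at rule
                                 order or the interface match in INPUT.
    'unsolicited-high-port-syn': SYN to an ephemeral port with no RELATED
                                 expectation behind it; on an FTP server this
                                 is what a passive data connection looks like
                                 when the conntrack helper could not read the
                                 PASV reply (encrypted command channel, or
                                 helper not active).
    'other'                    : anything else, which the DROP policy was
                                 meant to catch in the first place.
    """
    f = entry["fields"]
    if f.get("PROTO") != "TCP" or f.get("SYN") is not True:
        return "not-a-tcp-syn"
    dport = int(f.get("DPT", 0))
    if dport in service_ports:
        return "blocked-service-port"
    if dport >= ephemeral_min:
        return "unsolicited-high-port-syn"
    return "other"


def triage(lines, prefix="BLOCK"):
    """Parse and classify a batch of log lines carrying the given prefix.
    Returns (verdict, src, dport) tuples for counting by category or source."""
    results = []
    for line in lines:
        entry = parse_nf_log(line)
        if entry is None or entry["prefix"] != prefix:
            continue
        f = entry["fields"]
        results.append((classify_drop(entry), f.get("SRC"), int(f.get("DPT", 0))))
    return results


if __name__ == "__main__":
    for verdict, src, dport in triage(SAMPLE_LOGS):
        print(f"{verdict:26} src={src} dport={dport}")
```

Run over the two constructed lines, the first is reported as an unsolicited high-port SYN (the passive data connection from the post), the second as an ordinary blocked port; the log prefix filter lets the same parser run over a full syslog file that mixes several LOG rules.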
* RE: Allow active and passive FTP connections
@ 2004-06-21 15:03 Piszcz, Justin Michael
2004-06-21 15:21 ` Sagara Wijetunga
2004-06-21 15:43 ` Sagara Wijetunga
0 siblings, 2 replies; 28+ messages in thread
From: Piszcz, Justin Michael @ 2004-06-21 15:03 UTC (permalink / raw)
To: Sagara Wijetunga, netfilter
I see..
Some questions for you:
You are running the IP connection tracker for FTP in the KERNEL or
MODULE?
You are running the FTP daemon on port 21?
You are *NOT* running an (SSL) FTP daemon, correct? (The current
conntrack module for FTP does _NOT_ support this).
* RE: Allow active and passive FTP connections
2004-06-21 15:03 Piszcz, Justin Michael
@ 2004-06-21 15:21 ` Sagara Wijetunga
2004-06-21 15:43 ` Sagara Wijetunga
1 sibling, 0 replies; 28+ messages in thread
From: Sagara Wijetunga @ 2004-06-21 15:21 UTC (permalink / raw)
To: netfilter
--- "Piszcz, Justin Michael"
<justin.piszcz@mitretek.org> wrote:
> I see..
>
> Some questions for you:
>
> You are running the IP connection tracker for FTP in
> the KERNEL or
> MODULE?
IP connection tracker for FTP in kernel, not as a
module.
> You are running the FTP daemon on port 21?
Yep, on port 21.
> You are *NOT* running an (SSL) FTP daemon, correct?
> (The current
> conntrack module for FTP does _NOT_ support this).
>
Really? I run an SSL-based FTP daemon.
Let me disable SSL, try and see.
But I *really* need to use an SSL/TLS-based FTP server.
Is there any workaround?
Sagara
* RE: Allow active and passive FTP connections
2004-06-21 15:03 Piszcz, Justin Michael
2004-06-21 15:21 ` Sagara Wijetunga
@ 2004-06-21 15:43 ` Sagara Wijetunga
1 sibling, 0 replies; 28+ messages in thread
From: Sagara Wijetunga @ 2004-06-21 15:43 UTC (permalink / raw)
To: netfilter
--- "Piszcz, Justin Michael"
<justin.piszcz@mitretek.org> wrote:
> You are *NOT* running an (SSL) FTP daemon, correct?
> (The current
> conntrack module for FTP does _NOT_ support this).
>
You are right! I disabled SSL from the FTP server. Now
the RELATED rule *works* as I expected for both active
and passive FTP connections.
Thank you very much for highlighting it to me. Is there a
workaround for this?
kind regards
Sagara
* RE: Allow active and passive FTP connections
@ 2004-06-21 16:18 Piszcz, Justin Michael
2004-06-22 3:10 ` Sagara Wijetunga
0 siblings, 1 reply; 28+ messages in thread
From: Piszcz, Justin Michael @ 2004-06-21 16:18 UTC (permalink / raw)
To: Sagara Wijetunga, netfilter
If you find one (that works with TLS/SSL), please let me know :)
Sorry I have not seen one as of yet.
Justin.
* RE: Allow active and passive FTP connections
2004-06-21 16:18 Piszcz, Justin Michael
@ 2004-06-22 3:10 ` Sagara Wijetunga
2004-06-22 8:16 ` Jozsef Kadlecsik
0 siblings, 1 reply; 28+ messages in thread
From: Sagara Wijetunga @ 2004-06-22 3:10 UTC (permalink / raw)
To: netfilter; +Cc: kadlec
--- "Piszcz, Justin Michael"
<justin.piszcz@mitretek.org> wrote:
> If you find one (that works with TLS/SSL), please
> let me know :)
> Sorry I have not seen one as of yet.
>
I wonder whether it is an issue with the conntrack module or
the FTP server. Maybe Jozsef Kadlecsik could shed
some light on this.
If the FTP server side has to be fixed, I could take
it up with the FTP server folks.
kind regards
Sagara
* RE: Allow active and passive FTP connections
2004-06-22 3:10 ` Sagara Wijetunga
@ 2004-06-22 8:16 ` Jozsef Kadlecsik
2004-06-22 15:38 ` Sagara Wijetunga
0 siblings, 1 reply; 28+ messages in thread
From: Jozsef Kadlecsik @ 2004-06-22 8:16 UTC (permalink / raw)
To: Sagara Wijetunga; +Cc: netfilter
On Mon, 21 Jun 2004, Sagara Wijetunga wrote:
> --- "Piszcz, Justin Michael"
> <justin.piszcz@mitretek.org> wrote:
> > If you find one (that works with TLS/SSL), please
> > let me know :)
> > Sorry I have not seen one as of yet.
> >
> I wonder is it an issue with the conntrack module or
> the FTP server. May be Jozsef Kadlecsik could shed
> some light on this.
The FTP server encrypts the command channel, so the kernel cannot figure
out on which port the server (passive) or the client (active) will listen for
the data channel.
> If the FTP server side has to be fixed, I could take
> it up with the FTP server folks.
Currently there is no solution. When nfnetlink-ctnetlink is completed,
the FTP server could be patched to notify the kernel on the data ports it
wants to open or connect to, which would solve the problem.
As an alternative, you could use sftp instead.
Best regards,
Jozsef
-
E-mail : kadlec@blackhole.kfki.hu, kadlec@sunserv.kfki.hu
PGP key : http://www.kfki.hu/~kadlec/pgp_public_key.txt
Address : KFKI Research Institute for Particle and Nuclear Physics
H-1525 Budapest 114, POB. 49, Hungary
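To make the explanation above concrete, here is an added Python example (not code from the thread or from netfilter) that emulates the part of the FTP conntrack helper at issue: it reads a command-channel transcript, extracts cleartext PORT commands and 227 replies, and produces the data-connection expectations that the RELATED state would match. Against a constructed cleartext session it yields the passive port 64638 and the active port 32936 (the two ports visible in the BLOCK line earlier in the thread); against a constructed AUTH TLS session it yields nothing, because after the 234 reply the helper only ever sees TLS records. The addresses are documentation placeholders, and the check that ignores announcements naming a third-party host mirrors the helper's default (non-loose) behaviour.

```python
import re
from dataclasses import dataclass

# Constructed addresses for the example; the original post redacted both.
CLIENT = "203.0.113.10"
SERVER = "198.51.100.5"


@dataclass(frozen=True)
class Expectation:
    """A data connection conntrack would accept as RELATED once announced
    on the command channel: who connects to whom, and on which port."""
    src: str
    dst: str
    dport: int
    mode: str  # "active" (server connects back to client) or "passive"


PORT_RE = re.compile(r"^PORT (\d+),(\d+),(\d+),(\d+),(\d+),(\d+)\s*$")
PASV_RE = re.compile(r"^227 .*?\((\d+),(\d+),(\d+),(\d+),(\d+),(\d+)\)")


def decode_hostport(groups):
    """Turn the six comma-separated numbers of PORT / 227 into (ip, port)."""
    a, b, c, d, p1, p2 = (int(n) for n in groups)
    return f"{a}.{b}.{c}.{d}", p1 * 256 + p2


def expectations_from_control_channel(client_ip, server_ip, session):
    """Emulate what the FTP conntrack helper can learn from the command
    channel. `session` is a list of (direction, text) pairs, direction "C"
    for client to server and "S" for server to client. Only cleartext PORT
    commands and 227 replies yield an expectation; anything else, including
    TLS records once AUTH TLS has been negotiated, is opaque to the helper.
    As in the kernel helper's default (non-loose) mode, an announcement that
    names a third-party address is ignored rather than trusted, so neither
    side can use the helper to open a hole towards some other host."""
    found = []
    for direction, text in session:
        if direction == "C":
            m = PORT_RE.match(text)
            if m:
                ip, port = decode_hostport(m.groups())
                if ip == client_ip:  # active: server connects back to the client
                    found.append(Expectation(server_ip, ip, port, "active"))
        else:
            m = PASV_RE.match(text)
            if m:
                ip, port = decode_hostport(m.groups())
                if ip == server_ip:  # passive: client connects to the server
                    found.append(Expectation(client_ip, ip, port, "passive"))
    return found


def is_related(expectations, src, dst, dport):
    """Would a SYN from src to dst:dport be accepted by --state RELATED?"""
    return any(e.src == src and e.dst == dst and e.dport == dport
               for e in expectations)


# Constructed cleartext session: one passive and one active transfer, plus a
# 227 reply that names an unrelated host and must not create an expectation.
CLEARTEXT_SESSION = [
    ("S", "220 svr1 FTP server ready"),
    ("C", "USER alice"),
    ("S", "331 Password required"),
    ("C", "PASS not-shown"),
    ("S", "230 Logged in"),
    ("C", "PASV"),
    ("S", "227 Entering Passive Mode (198,51,100,5,252,126)"),  # port 64638
    ("C", "RETR report.txt"),
    ("S", "226 Transfer complete"),
    ("C", "PORT 203,0,113,10,128,168"),                          # port 32936
    ("S", "200 PORT command successful"),
    ("C", "STOR upload.bin"),
    ("S", "227 Entering Passive Mode (192,0,2,9,1,1)"),           # third party
]

# Constructed TLS session: after the 234 reply every byte is a TLS record,
# so the helper never sees the PASV reply that travels inside the tunnel.
TLS_SESSION = [
    ("S", "220 svr1 FTP server ready"),
    ("C", "AUTH TLS"),
    ("S", "234 AUTH TLS successful"),
    ("C", "\x16\x03\x01 <ClientHello>"),
    ("S", "\x16\x03\x01 <ServerHello, Certificate, ...>"),
    ("C", "\x17\x03\x01 <encrypted: PASV>"),
    ("S", "\x17\x03\x01 <encrypted: 227 Entering Passive Mode (...)>"),
]


if __name__ == "__main__":
    clear = expectations_from_control_channel(CLIENT, SERVER, CLEARTEXT_SESSION)
    print("cleartext expectations:", clear)
    print("SYN client->server:64638 RELATED?", is_related(clear, CLIENT, SERVER, 64638))
    tls = expectations_from_control_channel(CLIENT, SERVER, TLS_SESSION)
    print("TLS expectations:", tls, "-> the data SYN falls through to BLOCK")
```

The asymmetry is the whole story of the thread: with the cleartext transcript the SYN to 64638 is RELATED and the firewall's existing rule accepts it, while with the TLS transcript the same SYN has no expectation to match and lands in the BLOCK chain, exactly as the logged line showed.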
* RE: Allow active and passive FTP connections
2004-06-22 8:16 ` Jozsef Kadlecsik
@ 2004-06-22 15:38 ` Sagara Wijetunga
0 siblings, 0 replies; 28+ messages in thread
From: Sagara Wijetunga @ 2004-06-22 15:38 UTC (permalink / raw)
To: netfilter
--- Jozsef Kadlecsik <kadlec@blackhole.kfki.hu> wrote:
> Currently there is no solution. When
> nfnetlink-ctnetlink is completed,
> the FTP server could be patched to notify the kernel
> on the data ports it
> wants to open or connect to, which would solve the
> problem.
>
> As an alternative, you could use sftp instead.
>
Now I know what caused the FTP data channel connection
packets to be dropped, and that currently there is no solution.
Thanks to all those who commented on this issue.
Kind regards
Sagara