* iptables / FTP masquerading: Port command illega
From: amateurguy @ 2005-03-23 15:12 UTC (permalink / raw)
To: netfilter
Hi Everyone,
I finally got my FTP server working on my Red Hat 9 Linux firewall box. For
some reason, I could only get it to work on a port other than 21. I elected for
port 29 and changed the /etc/services ftp entry and my firewall rules accordingly.
For some reason, if I change back to 21, no response is sent by the ftp server to the SYN
packet from the ftp client. If anyone has any ideas why it works on any other port
than 21, please let me know.
Anyway, I got passive mode FTP to work on this box. However, active mode
fails, and it complains:
ftp> dir
500 Illegal PORT command.
ftp: bind: Address already in use
When I look at the packets, I see the client sending a PORT command using its non-
routable IP. This then passes through a firewall, and the source IP gets
translated to a public IP. It then hits my Linux firewall, where vsftpd processes it
and sends back that Illegal PORT response.
My firewall is using DHCP over my DSL connection. Hence I am using MASQUERADING
in iptables:
-A POSTROUTING -o eth1 -j MASQUERADE
modules in memory are:
ip_conntrack_ftp 5296 1 (autoclean)
ip_nat_ftp 4112 0 (unused)
iptable_mangle 2776 0 (autoclean) (unused)
ipt_MASQUERADE 2200 1 (autoclean)
iptable_nat 21720 2 (autoclean) [ip_nat_ftp ipt_MASQUERADE]
ipt_state 1048 10 (autoclean)
ip_conntrack 26976 3 (autoclean) [ip_conntrack_ftp ip_nat_ftp ipt_MASQUERADE iptable_nat ipt_state]
iptable_filter 2412 1 (autoclean)
ip_tables 15096 7 [iptable_mangle ipt_MASQUERADE iptable_nat ipt_state iptable_filter]
Anybody know what's going on?
My actual firewall rules are:
filter table:
-A INPUT -p tcp -m tcp -i eth1 --sport 1024: --dport 20:21 -j ACCEPT
-A OUTPUT -p tcp -m tcp -o eth1 --sport 20:21 --dport 1024: -j ACCEPT
-A INPUT -i eth1 -p tcp --sport 1024: --dport 1024: -m state --state NEW,ESTABLISHED -j ACCEPT
-A OUTPUT -o eth1 -p tcp --sport 1024: --dport 1024: -m state --state ESTABLISHED,RELATED -j ACCEPT
-A INPUT -i eth1 -p tcp --dport 29 -m state --state NEW,ESTABLISHED -j ACCEPT
-A OUTPUT -o eth1 -p tcp --sport 29 -m state --state ESTABLISHED,RELATED -j ACCEPT
-A INPUT -i eth1 -p tcp --dport 20 -m state --state NEW,ESTABLISHED -j ACCEPT
-A OUTPUT -o eth1 -p tcp --sport 20 -m state --state ESTABLISHED,RELATED -j ACCEPT
nat table:
:POSTROUTING ACCEPT [0:0]
-A POSTROUTING -o eth1 -j MASQUERADE
Thanks Gurus!
* Re: iptables / FTP masquerading: Port command illega
From: Toby @ 2005-03-23 17:09 UTC (permalink / raw)
To: netfilter
amateurguy@telus.net wrote:
> When i look at the packets, I see the client sending a Port cmd using
> its non-routable IP. This then passes through a firewall, and the
> source IP gets translated to a public IP.
The source IP does, but probably the IP inside the PORT command doesn't.
You need to load ip_nat_ftp in THAT firewall and tell it to monitor port
29 (you do that on the "modprobe ip_nat_ftp" command line.)
Either that, or more simply configure the client ftp software and tell
it what its real ip address is.
I don't know if you can do anything on the server side.
As for that other problem (port 21 working differently than port 29) I
don't know, it could be anything.
Cheers
Toby
* Re: iptables / FTP masquerading: Port command illega
From: Jason Opperisano @ 2005-03-23 17:35 UTC (permalink / raw)
To: netfilter
On Wed, Mar 23, 2005 at 07:12:58AM -0800, amateurguy@telus.net wrote:
> modules in memory are:
>
> ip_conntrack_ftp 5296 1 (autoclean)
> ip_nat_ftp 4112 0 (unused)
> iptable_mangle 2776 0 (autoclean) (unused)
> ipt_MASQUERADE 2200 1 (autoclean)
> iptable_nat 21720 2 (autoclean) [ip_nat_ftp ipt_MASQUERADE]
> ipt_state 1048 10 (autoclean)
> ip_conntrack 26976 3 (autoclean) [ip_conntrack_ftp ip_nat_ftp ipt_MASQUERADE
> iptable_nat ipt_state]
> iptable_filter 2412 1 (autoclean)
> ip_tables 15096 7 [iptable_mangle ipt_MASQUERADE iptable_nat ipt_state
> iptable_filter]
>
> Anybody know whats going on?
did you modprobe with:
modprobe ip_conntrack_ftp ports=21,29
modprobe ip_nat_ftp ports=21,29
-j
--
"Ah! the searing kiss of hot lead; how I missed you! I mean, I think
I'm dying."
--The Simpsons
* Re: iptables / FTP masquerading: Port command illega
From: amateurguy @ 2005-03-23 19:31 UTC (permalink / raw)
To: opie; +Cc: netfilter
Hi There,
Thank you for the reply. Nope, I hadn't tried it, but I just did. I did an rmmod
on each and then a modprobe just as outlined below, and no change was observed. Do
I need to reboot? I even restarted the iptables service.
Looked at the actual packets sent:
The inbound packet from the client is using a PORT command with a non-routable
IP, which I would expect since the client doesn't know it's sitting behind our
corporate firewall. When the packet is received by the Linux f/w box running
vsftpd, naturally the source IP of the packet itself has been translated to a
public IP and, naturally, tcpdump logs the packet on the external interface
before the netfilter NAT subsystem even attempts to translate the inner PORT
command, so the PORT command continues to use the internal, non-routable IP of
the client. The response from the fw to the client ftp station is the
usual "500 Illegal PORT command".
What is interesting is that you mentioned supplying the ip_nat_ftp module with
the port argument as well, and when I do an lsmod, it's still unused. Is it
supposed to be that way? I would expect these two modules to handle the
translation of the PORT command so that vsftpd will issue a connect on the
translated IP (hence the public IP).
Just curious too, with "trace" on in the ftp client, I get the "ftp: bind:
Address already in use" error. Just to confirm, this bind failure is on the
server side, right? Now, if that's the case, does it really have to do with
the PORT IP argument right now ... or is it the two-parameter port number in
the PORT command that it doesn't like? Since this is in active mode (passive
works fine on port 29), vsftpd should be taking the PORT arguments and
connecting back to the ftp client, which should now be listening on the port
it gave in its initial PORT cmd to the server, and I don't see any outbound
connection request (SYN pkts), so it really must be choking on the PORT cmd on
the server. But why?
Thanks everyone!
Quoting Jason Opperisano <opie@817west.com>:
> On Wed, Mar 23, 2005 at 07:12:58AM -0800, amateurguy@telus.net wrote:
> > modules in memory are:
> >
> > ip_conntrack_ftp 5296 1 (autoclean)
> > ip_nat_ftp 4112 0 (unused)
> > iptable_mangle 2776 0 (autoclean) (unused)
> > ipt_MASQUERADE 2200 1 (autoclean)
> > iptable_nat 21720 2 (autoclean) [ip_nat_ftp ipt_MASQUERADE]
> > ipt_state 1048 10 (autoclean)
> > ip_conntrack 26976 3 (autoclean) [ip_conntrack_ftp ip_nat_ftp
> ipt_MASQUERADE
> > iptable_nat ipt_state]
> > iptable_filter 2412 1 (autoclean)
> > ip_tables 15096 7 [iptable_mangle ipt_MASQUERADE iptable_nat ipt_state
> > iptable_filter]
> >
> > Anybody know whats going on?
>
> did you modprobe with:
>
> modprobe ip_conntrack_ftp ports=21,29
> modprobe ip_nat_ftp ports=21,29
>
> -j
>
> --
> "Ah! the searing kiss of hot lead; how I missed you! I mean, I think
> I'm dying."
> --The Simpsons
>
>
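As an added example (not code from this thread, nor from netfilter or vsftpd), the following Python models the two mechanisms the thread turns on. First, the FTP NAT helper's rewrite of the PORT argument, which only happens on control connections whose destination port the helper was told to watch (the default is 21; the modprobe ports=21,29 suggested above adds the non-standard port), together with the expectation it sets up so the server's connect-back is reverse-NATed. Second, the sanity check a server such as vsftpd applies before honouring a PORT (with the default port_promiscuous=NO: the address must match the control connection's peer and the port must be at least 1024), which is what yields "500 Illegal PORT command" when an untranslated private address arrives. The same server-side check is what defeats the classic FTP bounce attack. All addresses and ports are constructed sample values; no sockets or kernel state are involved.

```python
"""Added example, not part of the thread: a pure-Python model of what the
netfilter FTP helpers (ip_conntrack_ftp / ip_nat_ftp) do to an active-mode
PORT command, and of the check the server runs before accepting one.

No sockets or kernel involved; all addresses and ports are constructed."""
import ipaddress
import re

# RFC 959 active mode: the client binds a listening data socket, then sends
#   PORT h1,h2,h3,h4,p1,p2   meaning IPv4 h1.h2.h3.h4, TCP port p1*256 + p2
# and the server connects back to that address from its data port.
PORT_RE = re.compile(r"^PORT\s+(\d+),(\d+),(\d+),(\d+),(\d+),(\d+)\s*$", re.IGNORECASE)

ILLEGAL_PORT = "500 Illegal PORT command."
PORT_OK = "200 PORT command successful. Consider using PASV."


def encode_port(ip, port):
    """Build the PORT line a client sends for a data listener on ip:port."""
    if not 0 <= port <= 65535:
        raise ValueError("port out of range")
    octets = str(ipaddress.IPv4Address(ip)).split(".")
    return "PORT %s,%d,%d" % (",".join(octets), port >> 8, port & 0xFF)


def decode_port(line):
    """Parse a PORT line; return (ip, port) or None if it is malformed."""
    m = PORT_RE.match(line.strip())
    if m is None:
        return None
    nums = [int(g) for g in m.groups()]
    if any(n > 255 for n in nums):
        return None
    return ".".join(str(n) for n in nums[:4]), nums[4] * 256 + nums[5]


def nat_rewrite_port(line, ctrl_dport, inside_ip, outside_ip, helper_ports=(21,)):
    """Model of ip_nat_ftp on a masquerading box.

    The helper only inspects control connections whose destination port is
    in its 'ports=' list (21 by default), which is why a server on port 29
    needs 'modprobe ip_nat_ftp ports=21,29'. When it does inspect, a PORT
    argument naming the masqueraded inside host is rewritten to the public
    address, and an expectation is recorded so the server's connect-back to
    outside_ip:port is reverse-NATed to inside_ip:port.

    Returns (possibly rewritten line, expectation-or-None).
    """
    if ctrl_dport not in helper_ports:
        return line, None          # helper not watching this port: no rewrite
    parsed = decode_port(line)
    if parsed is None or parsed[0] != inside_ip:
        return line, None          # nothing to translate
    data_port = parsed[1]
    expectation = (outside_ip, data_port, inside_ip, data_port)
    return encode_port(outside_ip, data_port), expectation


def server_check_port(line, control_peer_ip):
    """The two conditions vsftpd enforces unless port_promiscuous=YES:
    the PORT address must equal the control connection's peer, and the
    port must be >= 1024. Both also defeat the classic FTP bounce attack."""
    parsed = decode_port(line)
    if parsed is None:
        return ILLEGAL_PORT
    ip, port = parsed
    if ip != control_peer_ip or port < 1024:
        return ILLEGAL_PORT
    return PORT_OK


def simulate(ctrl_dport, helper_ports=(21,), advertised_ip=None):
    """End-to-end: client behind masquerade -> NAT box -> server reply.
    advertised_ip lets the client be told its real public address, the
    client-side workaround when the NAT box has no working helper."""
    inside_ip, outside_ip, data_port = "10.0.0.5", "203.0.113.7", 1030  # constructed
    line = encode_port(advertised_ip or inside_ip, data_port)
    line, _expect = nat_rewrite_port(line, ctrl_dport, inside_ip, outside_ip, helper_ports)
    return server_check_port(line, outside_ip)


if __name__ == "__main__":
    print("port 29, helper on 21 only   :", simulate(29))
    print("port 29, ports=21,29         :", simulate(29, (21, 29)))
    print("port 21, default helper      :", simulate(21))
    print("port 29, client knows real IP:", simulate(29, advertised_ip="203.0.113.7"))
```

Running the block reproduces the thread's symptom (server on 29, helper watching only 21 gives the 500) and both fixes discussed: loading the helpers with ports=21,29, or configuring the client with its real external address. The expectation tuple returned by nat_rewrite_port is the part that lets the server's SYN from port 20 to the public address be mapped back to the inside client; without it, a rewritten PORT alone would still fail once the data connection is attempted.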