From: "Andrew B. Cramer" <andrew.cramer@cramer-ts.com>
To: Glynn Clements <glynn.clements@virgin.net>
Cc: linux-admin <linux-admin@vger.kernel.org>
Subject: Re: AW: IP_TABLES Q - Solved
Date: Mon, 17 Feb 2003 19:30:18 -0600
Message-ID: <3E51384A.32219.E00F7C5@localhost>
In-Reply-To: <15953.34476.373726.105791@cerise.nosuchdomain.co.uk>
Thanks Glynn & Bart!
I did switch to 'passive' ftp and the workstations behave correctly.
I will still try ip_conntrack_ftp when I get a chance. The bottom
line: it's working.
Kind Regards - Andrew Cramer
On 18 Feb 2003 at 1:04, Glynn Clements wrote:
>
> Andrew B. Cramer wrote:
>
> > In the interim, I did add for ports 20 & 21. same thing. Even Windoz
> > FTP gives the same message. Here is a segment from my new script.
> >
> > Thanks - Andrew
> >
> > <snip>
> > $IPTABLES -A INPUT -p TCP -s 0/0 --destination-port 25 -j ACCEPT
> > $IPTABLES -A INPUT -p TCP -s 0/0 --destination-port 110 -j ACCEPT
> >
> > # Try this for FTP (ABC) - Did not work
> > $IPTABLES -A INPUT -p TCP -s 0/0 --destination-port 20 -j ACCEPT
> > $IPTABLES -A INPUT -p TCP -s 0/0 --destination-port 21 -j ACCEPT
> >
> > # Reject telnet sessions from outside (Changed from 21 to 23)(ABC)
> > $IPTABLES -A INPUT -p TCP -i $EXTIF --destination-port 23 -j REJECT </snip>
>
> I believe that you need to use the ip_conntrack_ftp module to track
> the ports which are used. Note: I don't know the specifics of how to
> use it, but I'm pretty sure that this is the right module.
>
> The traditional mechanism for establishing the data channel is to have
> the client create a listening socket on a randomly-numbered port. The
> client sends the IP address and port number to the server, which then
> makes an inbound (server -> client) connection.
>
> To allow this through the firewall, you have to either:
>
> 1. Allow all inbound TCP connections to unprivileged ports (>1024).
> While you could filter with "--source-port 20", this doesn't really
> buy you anything; hack attempts often use port 20 to get through
> firewalls which are [mis]configured in this way.
>
> 2. Have some code which monitors the traffic sent over the control
> channel, looking for the PORT commands (this is what ip_masq_ftp and
> ip_conntrack_ftp do), and enables inbound TCP connections on those
> ports.
>
> However, if at all practical, you should forego the traditional
> ("active") mode of FTP in favour of passive mode. Here, all
> connections are outbound (client -> server).
>
> For the standard "ftp" program, use the "passive" command (either
> interactively, or via ~/.netrc); GUI FTP clients typically have a
> "passive mode" check-box; Web browsers normally use passive mode
> automatically.
>
> Nowadays, the main reason for supporting "active" FTP is if you have
> no choice, e.g. you are answerable to people who simply demand it.
>
> --
> Glynn Clements <glynn.clements@virgin.net>
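As an added illustration (not Glynn's text nor the kernel module's code), the following Python models what an FTP connection-tracking helper such as ip_conntrack_ftp does on the control channel: it reads the PORT command (active mode) and, going beyond the thread, the 227 reply (passive mode), and derives the one data connection the firewall should treat as RELATED instead of opening every port above 1024. The control-connection addresses and the strict "announced address must match the peer" check are assumptions of this model.

```python
"""Model of an FTP conntrack helper: derive the expected data connection
from the control channel rather than trusting --source-port 20 or opening
all unprivileged ports. Added illustration, not ip_conntrack_ftp itself."""
import re
from typing import NamedTuple, Optional, Tuple

# "h1,h2,h3,h4,p1,p2" as used by PORT and by the 227 reply (RFC 959)
_HOSTPORT = re.compile(r"(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3})")


class Expectation(NamedTuple):
    mode: str    # "active" or "passive"
    src: str     # address that will initiate the data connection
    dst: str     # address that will accept it
    dport: int   # port the data connection goes to


def _parse_hostport(text: str) -> Optional[Tuple[str, int]]:
    """Turn h1,h2,h3,h4,p1,p2 into ("h1.h2.h3.h4", p1*256+p2); None if malformed."""
    m = _HOSTPORT.search(text)
    if not m:
        return None
    nums = [int(x) for x in m.groups()]
    if any(n > 255 for n in nums):
        return None
    return ".".join(map(str, nums[:4])), nums[4] * 256 + nums[5]


def expect_data_conn(line: str, client_ip: str, server_ip: str) -> Optional[Expectation]:
    """Return the data connection announced by one control-channel line.

    client_ip / server_ip are the endpoints of the control connection
    (assumed known, as conntrack knows them). Returns None for lines that
    announce nothing, and also when the announced address is not the peer
    that sent it: a strict helper refuses to open a port toward a third
    host on someone else's say-so (the classic FTP bounce pattern).
    """
    line = line.strip()
    if line.upper().startswith("PORT "):       # active: client listens, server connects
        hp = _parse_hostport(line[5:])
        if hp is None or hp[0] != client_ip:
            return None
        return Expectation("active", server_ip, client_ip, hp[1])
    if line.startswith("227 "):                # passive: server listens, client connects
        hp = _parse_hostport(line)
        if hp is None or hp[0] != server_ip:
            return None
        return Expectation("passive", client_ip, server_ip, hp[1])
    return None
```

Only the single (src, dst, dport) tuple returned here would be admitted as RELATED; everything else stays subject to the ordinary INPUT rules.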