Re: FTP Connection problems.

[Aleksandar Milivojevic <amilivojevic@pbl.ca>]

Vincent Blondel wrote:
> Thanks a lot for all the details but I still get some problems. As I
> said it all the netfilter source code is compiled in a custom kernel
> without any modules. 
> 
> Concerning the little iptables script I have written, I updated it with
> your comments and now I get the next script 

[snip]

> if [ "$CONN_TRACK" = "1" ]; then
>         $fw -A INPUT -m state --state ESTABLISHED -j ACCEPT
>         $fw -A OUTPUT -m state --state ESTABLISHE -j ACCEPT
>         $fw -A FORWARD -m state --state ESTABLISHED -j ACCEPT
>         $fw -A INPUT -p icmp -m state --state RELATED -j ACCEPT
> fi

Add these too:

$fw -A OUTPUT -p icmp -m state --state RELATED -j ACCEPT
$fw -A FORWARD -p icmp -m state --state RELATED -j ACCEPT

> ... but the connection takes a long time to terminate. If I disable all
> the rules, ftp connection goes directly but with iptables enabled it
> takes such 8 seconds to accomplish the annonymomus connection ( with
> data port and passive models ).
> 
> What is this all about ???

You could use a bit of logging.  Add these as last rules (at the very 
end of your script):

iptables -A INPUT -j LOG --log-prefix "INPUT "
iptables -A OUTPUT -j LOG --log-prefix "OUTPUT "
iptables -A FORWARD -j LOG --log-prefix "FORWARD "

Logs will go wherever your kernel logs go.  Usually /var/log/messages.

Since these will be at the end of your rules, they will log all packets 
dropped by policy just before they are dropped.  My guess is that you 
will either find TCP SYN packets to port 113 (ident) or UDP packets to 
port 53 (DNS).

To silently disable ident (incoming and outgoing) on FTP server, you 
could do something like this (you can add line for FORWARDED packets, if 
you wish):

iptables -A INPUT -p tcp --sport 1024: --dport 113 \
    -j REJECT --reject-with tcp-reset
iptables -A OUTPUT -p tcp --sport 1024: --dport 113 \
    -j REJECT --reject-with tcp-reset
iptables -A OUTPUT -p tcp --sport 113 --dport 1024: \
    -m state --state RELATED -j ACCEPT

If you want your FTP server to be able to resolve names and reverse 
lookup IP addresses:

iptables -A OUTPUT -p udp --sport 1024: --dport 53 \
    -m state --state NEW -j ACCEPT
iptables -A OUTPUT -p tcp --sport 1024: --dport 53 \
    -m state --state NEW -j ACCEPT

(you can add IP address(es) of your DNS server(s) there)

-- 
Aleksandar Milivojevic <amilivojevic@pbl.ca>    Pollard Banknote Limited
Systems Administrator                           1499 Buffalo Place
Tel: (204) 474-2323 ext 276                     Winnipeg, MB  R3T 1L7