* FTP server
From: Chris Garringer @ 2003-03-24 14:53 UTC (permalink / raw)
To: Netfilter List
I have an ftp server on which I am using iptables as a host-based firewall
(no routing). I set it up with LOG at the end of the rules and a DROP
policy on INPUT. Last week I could contact it from my desktop (RedHat
8.0) via command line or Mozilla with no problem. I came in this
morning and people could not list the directory; no PASV connections were
being accepted. The connection attempts showed in the log. Below is
my rule set, where xxx.xxx.xxx.xxx is the ftp server address and xx.xx.xx.xx is
a subnet/host for various items. What am I doing wrong? Active
connections work, but not passive.
Chain INPUT (policy DROP)
target     prot opt source               destination
ACCEPT     udp  --  <name server>        xxx.xxx.xxx.xxx      udp spt:domain
DROP       udp  --  anywhere             anywhere             udp dpt:netbios-ns
ACCEPT     icmp --  anywhere             xxx.xxx.xxx.xxx      icmp echo-request
ACCEPT     icmp --  anywhere             xxx.xxx.xxx.xxx      state RELATED,ESTABLISHED
ACCEPT     tcp  --  anywhere             xxx.xxx.xxx.xxx      state NEW,ESTABLISHED tcp dpt:ftp
ACCEPT     tcp  --  xx.xx.xx.xx/xx       xxx.xxx.xxx.xxx      tcp dpt:ssh
ACCEPT     tcp  --  xx.xx.xx.xx/xx       xxx.xxx.xxx.xxx      tcp dpt:ssh
ACCEPT     tcp  --  xx.xx.xx.xx          xxx.xxx.xxx.xxx      tcp dpt:ssh
ACCEPT     tcp  --  ftp.tic.toshiba.com  ftp.tic.toshiba.com  tcp spt:smtp
ACCEPT     tcp  --  10.0.112.32          xxx.xxx.xxx.xxx      tcp dpt:ssh
ACCEPT     tcp  --  10.0.112.32          xxx.xxx.xxx.xxx      tcp spt:1984
ACCEPT     tcp  --  anywhere             xxx.xxx.xxx.xxx      state RELATED,ESTABLISHED
ACCEPT     tcp  --  anywhere             xxx.xxx.xxx.xxx      tcp spt:time
LOG        all  --  anywhere             anywhere             LOG level warning

Chain FORWARD (policy ACCEPT)
target     prot opt source               destination

Chain OUTPUT (policy ACCEPT)
target     prot opt source               destination
--
Chris D. Garringer
Toshiba International
LAN/WAN Supervisor
713-466-0277 x3756
Certified Solaris Administrator
Microsoft Certified Engineer (NT)
RedHat Certified Engineer
* RE: FTP server
From: Rob Sterenborg @ 2003-03-24 15:49 UTC (permalink / raw)
To: 'Chris Garringer', 'Netfilter List'
> morning a people could not list the directory , no PASV
> connections were
> being accepted. The connection attempts showed in the log .
Are ip_conntrack_ftp and ip_nat_ftp loaded (if not in the kernel) ?
Rob
* RE: FTP server
From: Chris Garringer @ 2003-03-24 16:24 UTC (permalink / raw)
To: Rob Sterenborg; +Cc: 'Netfilter List'
No. lsmod shows ip_conntrack, ipt_state, iptable_filter, ip_tables,
ipt_LOG. This server is running RedHat 7.3 with a RH kernel; I have
not re-compiled the kernel. I tried loading ip_conntrack_ftp once
(insmod) and lsmod showed it in, but unused.
* RE: FTP server
From: Rob Sterenborg @ 2003-03-24 18:00 UTC (permalink / raw)
To: 'Chris Garringer'; +Cc: 'Netfilter List'
> No. lsmod shows ip_conntrack, ipt_state, iptable_filter, ip_tables,
> ipt_LOG. This server is running RedHat 7.3 with a RH kernel; I have
> not re-compiled the kernel. I tried loading ip_conntrack_ftp once
> (insmod) and lsmod showed it in, but unused.
Unused doesn't mean it doesn't work. It means that *no other* module is
using *that* module.
Here you can see what I mean.
[rob@firewall rob]$ lsmod
<...>
ip_conntrack_ftp 5056 1 (autoclean)
ip_nat_ftp 3936 0 (unused)
iptable_nat 20820 3 (autoclean) [ipt_MASQUERADE ip_nat_ftp]
ip_conntrack 26508 5 (autoclean) [ipt_MASQUERADE ipt_state ip_conntrack_ftp ip_nat_ftp iptable_nat]
<...>
iptable_nat is being used by ipt_MASQUERADE and ip_nat_ftp.
ip_conntrack is being used by ipt_MASQUERADE, ipt_state,
ip_conntrack_ftp and ip_nat_ftp.
Looking in my original modules (RH73 kernel 2.4.18-3), I'm seeing:
ip_conntrack_ftp.o
ip_nat_ftp.o
Which means you should have these too.
You need it for passive ftp.
So, if you load the modules, does it work then?
Gr,
Rob
* RE: FTP server
From: Chris Garringer @ 2003-03-24 18:15 UTC (permalink / raw)
To: Rob Sterenborg; +Cc: 'Netfilter List'
I loaded ip_conntrack_ftp; the nat_ftp received a lot of errors.
However, I am not NATing on the box; the NAT is done by the firewall
ahead of it. With ip_conntrack_ftp loaded, the passive connections are
no longer making the log file, so it appears to be working. Does this
have to be loaded manually, or should it be loading automatically?
* ftp server
From: it clown @ 2005-05-29 8:44 UTC (permalink / raw)
To: netfilter
Hi All,
I have an ftp server running on the box connected to the
internet with iptables. I would like to allow ftp passive
connections. I have done the following and it does not want
to work:
iptables -A INPUT -p tcp --sport 21 -m state --state ESTABLISHED -j ACCEPT
iptables -A OUTPUT -p tcp --dport 21 -m state --state NEW,ESTABLISHED -j ACCEPT
iptables -A INPUT -p tcp --sport 1024: --dport 1024: -m state --state ESTABLISHED -j ACCEPT
iptables -A OUTPUT -p tcp --sport 1024: --dport 1024: -m state --state ESTABLISHED,RELATED -j ACCEPT
I have done the following and it works, but it is not
passive:
iptables -A INPUT -p tcp -m multiport --dport 20 -j ACCEPT
iptables -A INPUT -p tcp -m multiport --dport 21 -j ACCEPT
iptables -A OUTPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
What are the best rules to allow ftp passive connections?
I also did load ip_conntrack_ftp.
Thanks
Regards
* Re: ftp server
From: Jörg Harmuth @ 2005-05-30 10:09 UTC (permalink / raw)
To: netfilter
Hi,
it clown wrote:
>Hi All,
>
>I have a ftp server running on the box connected to the
>internet with iptables. I would like to allow ftp passive
>connections.I have done the following and it does not want
>to work:
>
>
Let me summarize this to be sure I got it. On your internet box run an
ftp server and iptables, and you want to allow passive FTP _to_ your box. Right?
> iptables -A INPUT -p tcp --sport 21 -m state --state ESTABLISHED -j ACCEPT
> iptables -A OUTPUT -p tcp --dport 21 -m state --state NEW,ESTABLISHED -j ACCEPT
> iptables -A INPUT -p tcp --sport 1024: --dport 1024: -m state --state ESTABLISHED -j ACCEPT
> iptables -A OUTPUT -p tcp --sport 1024: --dport 1024: -m state --state ESTABLISHED,RELATED -j ACCEPT
>
If I'm right you should swap --sport and --dport to something like this:
iptables -A INPUT -p tcp -m state --state RELATED,ESTABLISHED -j ACCEPT
iptables -A INPUT -p tcp --dport 21 --syn -j ACCEPT
iptables -A OUTPUT -p tcp -m state --state RELATED,ESTABLISHED -j ACCEPT
This should work.
HTH and have a nice time,
Joerg
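As an added illustration of the answers in both threads (not code from the list or from netfilter): a toy Python model of what the ip_conntrack_ftp helper does. The helper parses the server's 227 reply on the control channel and registers an expectation, so the client's SYN to the announced data port is classified RELATED; without the helper the same SYN is NEW and, under Chris's INPUT chain (the same shape as Joerg's rules), ends up in the LOG rule and the DROP policy. The addresses and the 227 reply are constructed.

```python
import re

# Added example, not code from the list or from netfilter: a toy model of the
# ip_conntrack_ftp helper. Addresses are constructed (RFC 5737 ranges).
PASV_RE = re.compile(r"227 .*?\((\d+),(\d+),(\d+),(\d+),(\d+),(\d+)\)")

def parse_pasv(reply):
    """Return (ip, port) announced by a 227 reply, or None if it is not one."""
    m = PASV_RE.search(reply)
    if not m:
        return None
    h1, h2, h3, h4, p1, p2 = (int(x) for x in m.groups())
    return f"{h1}.{h2}.{h3}.{h4}", p1 * 256 + p2

class Conntrack:
    def __init__(self, ftp_helper):
        self.ftp_helper = ftp_helper
        self.established = set()   # (src, dst, dport) of tracked flows
        self.expected = set()      # (src, dst, dport) the helper expects next
    def server_reply(self, client, reply):
        # Only the helper reads the control channel and registers expectations.
        ep = parse_pasv(reply) if self.ftp_helper else None
        if ep:
            self.expected.add((client, ep[0], ep[1]))
    def state_of(self, src, dst, dport):
        if (src, dst, dport) in self.established:
            return "ESTABLISHED"
        if (src, dst, dport) in self.expected:
            return "RELATED"
        return "NEW"

def input_chain(ct, src, dst, dport):
    """The tcp rules of Chris's INPUT chain that matter here (policy DROP)."""
    state = ct.state_of(src, dst, dport)
    if dport == 21 and state in ("NEW", "ESTABLISHED"):
        return "ACCEPT"                  # state NEW,ESTABLISHED tcp dpt:ftp
    if state in ("RELATED", "ESTABLISHED"):
        return "ACCEPT"                  # state RELATED,ESTABLISHED
    return "LOG+DROP"                    # LOG rule, then the DROP policy

def passive_data_verdict(ftp_helper):
    """Verdict for the client's SYN to the data port announced via PASV."""
    server, client = "192.0.2.10", "198.51.100.7"
    ct = Conntrack(ftp_helper)
    ct.established.add((client, server, 21))          # control connection is up
    ct.server_reply(client, "227 Entering Passive Mode (192,0,2,10,39,168)")
    return input_chain(ct, client, server, 39 * 256 + 168)
```

Running `passive_data_verdict(False)` reproduces the symptom from the first thread (the data SYN is logged and dropped), while `passive_data_verdict(True)` shows the helper turning the same SYN into an accepted RELATED connection.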