common FTP+NAT problem

common FTP+NAT problem

[Ernesto Silva]

Hi,
    I'm having a problem to access internet ftp servers from my internal network. I understand the ftp connection but I 
don't have enough information about ip_conntrack_ftp and ip_nat_ftp modules, so here is my situation.

I'm using iptables 1.3.3-3, I have the mentioned modules loaded and wrote the following rules:

_fwd="iptables -A FORWARD"
_nat="iptables -A POSTROUTING"

$_fwd -i $INT_IF -p tcp -s $INT_NET --sport 1024: -o $INET_IF --dport 21 -m state --state NEW,ESTABLISHED,RELATED -j ACCEPT
$_fwd -i $INET_IF -p tcp --sport 21 -o $INT_IF -d $INT_NET --dport 1024: -m state --state     ESTABLISHED,RELATED -j ACCEPT
$_nat -p tcp -s $INT_NET --sport 1024: -o $INET_IF --dport 21 -m state --state NEW,ESTABLISHED,RELATED -j SNAT --to $INET_NIC


Are those rules enough? or do I need to set some rules for port 20 in both active and passive mode?

What is the ip_conntrack_ftp and ip_nat_ftp modules functionality?

Best regards,
--
Ing. Ernesto Silva.
Coordinador de Desarrollo Web y Sistemas Abiertos
Universidad ORT Uruguay.
E-mail: silva@ort.edu.uy
Tel: (+598-2) 902-1505 ext. 206

Re: common FTP+NAT problem

[former03 | Baltasar Cevc]

Hi Ernesto, hi everybody,

> _fwd="iptables -A FORWARD"
> _nat="iptables -A POSTROUTING"

Postrouting is in the nat table, so you have to add "-t nat" to _nat 
and make it
    _nat="iptables -t nat -A POSTROUTING"

>    I'm having a problem to access internet ftp servers from my 
> internal network. I understand the ftp connection but I don't have 
> enough information about ip_conntrack_ftp and ip_nat_ftp modules, so 
> here is my situation.

Apart from that you will need more rules for FTP, that's the tricky 
part. What worked well for me was using vsftpd with a port 
specifiaction for the data connections and allow these ports in 
INPUT|FORWARD.
It may work using the ftp conntack module, but I don't know anything 
about that. You will have to add some port 20 rule, though.

Baltasar

--
Baltasar Cevc

_____ former 03 gmbh
_____ infanteriestrafle 19 haus 6 eg
_____ D-80797 muenchen

_____ http://www.former03.de

Re: common FTP+NAT problem

[former03 | Baltasar Cevc]

Hi Ernesto,

> Sorry, it was a typo, _nat is defined as "iptables -t nat -A 
> POSTROUTING" so thats not the problem.
>
> I was not clear enough, I don't have an ftp server, I just want to 
> access internet ftp servers from my internal network which is 
> protected by the firewall. The firewall itself don't have any other 
> running service but iptables.

sorry, I probably didn't read your mail well enough.
You need some other rule for the data connection then, I assume it 
should look like this, but it's a long time ago I needed that for the 
last time:

Active mode (server initiates a client connection)
$_fwd -i $INET_IF -o $INT_IF -p tcp --sport 20 --dport ! 0:1023 -m 
state --state NEW,ESTABLISHED,RELATED -j ACCEPT
(which is probably what you've tried, but you used port 21 instead of 
20 whicht is the ftp-data port)
Passive mode (client initiates connection
$_fwd -i $INT_IF -o $INET_IF -p tcp --sport ! 0:1023 --dport 20 -m 
state --state NEW,ESTABLISHED,RELATED -j ACCEPT

(For details about how the connection process for FTP works, just 
google for "ftp active passive mode", for example this looked quite 
clear to me: http://slacksite.com/other/ftp.html)

I assume the ftp conntrack will automatically handle the nat, but I'm 
not 100% sure, so perhaps try to monitor that using tcpdump or wait for 
another answer from the list ;-)

Hope it works,

-- Baltasar

Baltasar Cevc

_____ former 03 gmbh
_____ infanteriestrafle 19 haus 6 eg
_____ D-80797 muenchen

_____ http://www.former03.de

Re: common FTP+NAT problem

[Ernesto Silva]

Hi Baltasar,

Sorry, it was a typo, _nat is defined as "iptables -t nat -A POSTROUTING" so thats not the problem.

I was not clear enough, I don't have an ftp server, I just want to access internet ftp servers from my internal network
which is protected by the firewall. The firewall itself don't have any other running service but iptables.

Regards, and many thanks,
-- 
Ing. Ernesto Silva.
Coordinador de Desarrollo Web y Sistemas Abiertos
Universidad ORT Uruguay.
E-mail: silva@ort.edu.uy
Tel: (+598-2) 902-1505 ext. 206


former03 | Baltasar Cevc wrote:
> Hi Ernesto, hi everybody,
> 
>> _fwd="iptables -A FORWARD"
>> _nat="iptables -A POSTROUTING"
> 
> 
> Postrouting is in the nat table, so you have to add "-t nat" to _nat and 
> make it
>    _nat="iptables -t nat -A POSTROUTING"
> 
>>    I'm having a problem to access internet ftp servers from my 
>> internal network. I understand the ftp connection but I don't have 
>> enough information about ip_conntrack_ftp and ip_nat_ftp modules, so 
>> here is my situation.
> 
> 
> Apart from that you will need more rules for FTP, that's the tricky 
> part. What worked well for me was using vsftpd with a port specifiaction 
> for the data connections and allow these ports in INPUT|FORWARD.
> It may work using the ftp conntack module, but I don't know anything 
> about that. You will have to add some port 20 rule, though.
> 
> Baltasar
> 
> -- 
> Baltasar Cevc
> 
> _____ former 03 gmbh
> _____ infanteriestraße 19 haus 6 eg
> _____ D-80797 muenchen
> 
> _____ http://www.former03.de
> 
> 

Re: common FTP+NAT problem

[Pascal Hambourg]

Hello,

Ernesto Silva a écrit :
>    I'm having a problem to access internet ftp servers from my internal 
> network. I understand the ftp connection but I don't have enough 
> information about ip_conntrack_ftp and ip_nat_ftp modules, so here is my 
> situation.
> 
> I'm using iptables 1.3.3-3, I have the mentioned modules loaded and 
> wrote the following rules:
> 
> _fwd="iptables -A FORWARD"
> _nat="iptables -A POSTROUTING"

Same remark as Baltasar about "-t nat" missing in _nat.
Are you sure you understand the FTP protocol ? When reading your 
ruleset, I doubt it.

> $_fwd -i $INT_IF -p tcp -s $INT_NET --sport 1024: -o $INET_IF --dport 21 
> -m state --state NEW,ESTABLISHED,RELATED -j ACCEPT
> $_fwd -i $INET_IF -p tcp --sport 21 -o $INT_IF -d $INT_NET --dport 1024: 
> -m state --state     ESTABLISHED,RELATED -j ACCEPT

You'll never see an FTP control packet (TCP 21) in the RELATED state.

> $_nat -p tcp -s $INT_NET --sport 1024: -o $INET_IF --dport 21 -m state 
> --state NEW,ESTABLISHED,RELATED -j SNAT --to $INET_NIC

You don't need to care about conntrack states in the nat table : only 
the first packet of a NEW connection goes through the nat chains.

> Are those rules enough?

No. They only allow FTP control connections, not FTP data connections 
used for file transfer and directory listing.

 From your ruleset, I understand you want to allow FTP between internal 
clients and external servers, and nothing else. All right. Be aware that 
blocking the useful RELATED ICMP may break things, though.

First, FTP is made of a classic TCP control connection from the client 
to the server on port 21. It means the first packet is NEW and all 
others are ESTABLISHED, so :

$_fwd -i $INT_IF -s $INT_NET -o $INET_IF -p tcp --sport 1024: \
   --dport 21 -m state --state NEW,ESTABLISHED -j ACCEPT
$_fwd -i $INET_IF -o $INT_IF -d $INT_NET -p tcp --sport 21 \
   --dport 1024: -m state --state ESTABLISHED -j ACCEPT

$_nat -o $INET_IF -s $INT_NET -p tcp --sport 1024: --dport 21 \
   -j SNAT --to $INET_NIC

Second, a TCP active or passive FTP data connection is established 
whenever a file transfer or directory listing is needed. Passive data 
connections are established from the client to the server with random 
unprivileged ports on both sides. Active data connections are 
established from the port 20 of the server to an unprivileged random 
port of the client. When the ip_conntrack_ftp module is loaded, the 
first packet is RELATED (instead of NEW without the module), and all the 
others are ESTABLISHED as usual. So :

# passive mode
$_fwd -i $INT_IF -s $INT_NET -o $INET_IF -p tcp --sport 1024: \
   --dport 1024: -m state --state ESTABLISHED,RELATED -j ACCEPT
$_fwd -i $INET_IF -o $INT_IF -d $INT_NET -p tcp --sport 1024: \
   --dport 1024: -m state --state ESTABLISHED -j ACCEPT

# active mode
$_fwd -i $INET_IF -o $INT_IF -d $INT_NET -p tcp --sport 20 \
   --dport 1024: -m state --state ESTABLISHED,RELATED -j ACCEPT
$_fwd -i $INT_IF -s $INT_NET -o $INET_IF -p tcp --sport 1024: \
   --dport 20 -m state --state ESTABLISHED -j ACCEPT

No need for any NAT rule, the ip_nat_ftp module will smartly take care 
of everything automatically.

But IMHO this is a bit overkill. Here's what I'd use :

# that's for any ESTABLISHED and RELATED traffic, not only FTP
$_fwd -i $INT_IF -s $INT_NET -o $INET_IF -m state --state \
   ESTABLISHED,RELATED -j ACCEPT
$_fwd -i $INET_IF -o $INT_IF -d $INT_NET -m state --state \
   ESTABLISHED,RELATED -j ACCEPT

# that's for the first packet of a control connection
$_fwd -i $INT_IF -s $INT_NET -o $INET_IF -p tcp --sport 1024: \
   --dport 21 -m state --state NEW,ESTABLISHED -j ACCEPT
$_nat -o $INET_IF -s $INT_NET -p tcp --sport 1024: --dport 21 \
   -j SNAT --to $INET_NIC


Notes about ip_conntrack_ftp and ip_nat_ftp :
1) They only work on plain unencrypted FTP. They don't work on FTPS (FTP 
encrypted with TLS/SSL).

2) When using FTP control connections on non standard ports (i.e. other 
than 21), you must specify theses ports (as well as port 21 if used too) 
in the "ports" parameter of both modules when loading them.

Re: common FTP+NAT problem

[Pascal Hambourg]

Pascal Hambourg a écrit :
> 
> # that's for the first packet of a control connection
> $_fwd -i $INT_IF -s $INT_NET -o $INET_IF -p tcp --sport 1024: \
>   --dport 21 -m state --state NEW,ESTABLISHED -j ACCEPT

Copy/paste error : ESTABLISHED is unnecessary - but won't harm.

Re: common FTP+NAT problem

[Ernesto Silva]

Hi Pascal,
	the "-t nat" was a typo in the email.
I wrote the "RELATED" specification because I thought port 20 and the rest of the connections (in passive and active mode) 
may be handled by ip_conntrack_ftp and ip_nat_ftp in an "automagically" way. Thats why I was asking about the modules 
functionallity.

Anyway, I used your suggestion (which I already knew) and wrote the extra rules for port 20, 1024:, etc.

you wrote:
 > You don't need to care about conntrack states in the nat table : only
 > the first packet of a NEW connection goes through the nat chains.
I didn't know that, thanks.

Many thanks, problem solved.
-- 
Ing. Ernesto Silva.
Coordinador de Desarrollo Web y Sistemas Abiertos
Universidad ORT Uruguay.
E-mail: silva@ort.edu.uy
Tel: (+598-2) 902-1505 ext. 206


Pascal Hambourg wrote:
> Hello,
> 
> Ernesto Silva a écrit :
> 
>>    I'm having a problem to access internet ftp servers from my 
>> internal network. I understand the ftp connection but I don't have 
>> enough information about ip_conntrack_ftp and ip_nat_ftp modules, so 
>> here is my situation.
>>
>> I'm using iptables 1.3.3-3, I have the mentioned modules loaded and 
>> wrote the following rules:
>>
>> _fwd="iptables -A FORWARD"
>> _nat="iptables -A POSTROUTING"
> 
> 
> Same remark as Baltasar about "-t nat" missing in _nat.
> Are you sure you understand the FTP protocol ? When reading your 
> ruleset, I doubt it.
> 
>> $_fwd -i $INT_IF -p tcp -s $INT_NET --sport 1024: -o $INET_IF --dport 
>> 21 -m state --state NEW,ESTABLISHED,RELATED -j ACCEPT
>> $_fwd -i $INET_IF -p tcp --sport 21 -o $INT_IF -d $INT_NET --dport 
>> 1024: -m state --state     ESTABLISHED,RELATED -j ACCEPT
> 
> 
> You'll never see an FTP control packet (TCP 21) in the RELATED state.
> 
>> $_nat -p tcp -s $INT_NET --sport 1024: -o $INET_IF --dport 21 -m state 
>> --state NEW,ESTABLISHED,RELATED -j SNAT --to $INET_NIC
> 
> 
> You don't need to care about conntrack states in the nat table : only 
> the first packet of a NEW connection goes through the nat chains.
> 
>> Are those rules enough?
> 
> 
> No. They only allow FTP control connections, not FTP data connections 
> used for file transfer and directory listing.
> 
>  From your ruleset, I understand you want to allow FTP between internal 
> clients and external servers, and nothing else. All right. Be aware that 
> blocking the useful RELATED ICMP may break things, though.
> 
> First, FTP is made of a classic TCP control connection from the client 
> to the server on port 21. It means the first packet is NEW and all 
> others are ESTABLISHED, so :
> 
> $_fwd -i $INT_IF -s $INT_NET -o $INET_IF -p tcp --sport 1024: \
>   --dport 21 -m state --state NEW,ESTABLISHED -j ACCEPT
> $_fwd -i $INET_IF -o $INT_IF -d $INT_NET -p tcp --sport 21 \
>   --dport 1024: -m state --state ESTABLISHED -j ACCEPT
> 
> $_nat -o $INET_IF -s $INT_NET -p tcp --sport 1024: --dport 21 \
>   -j SNAT --to $INET_NIC
> 
> Second, a TCP active or passive FTP data connection is established 
> whenever a file transfer or directory listing is needed. Passive data 
> connections are established from the client to the server with random 
> unprivileged ports on both sides. Active data connections are 
> established from the port 20 of the server to an unprivileged random 
> port of the client. When the ip_conntrack_ftp module is loaded, the 
> first packet is RELATED (instead of NEW without the module), and all the 
> others are ESTABLISHED as usual. So :
> 
> # passive mode
> $_fwd -i $INT_IF -s $INT_NET -o $INET_IF -p tcp --sport 1024: \
>   --dport 1024: -m state --state ESTABLISHED,RELATED -j ACCEPT
> $_fwd -i $INET_IF -o $INT_IF -d $INT_NET -p tcp --sport 1024: \
>   --dport 1024: -m state --state ESTABLISHED -j ACCEPT
> 
> # active mode
> $_fwd -i $INET_IF -o $INT_IF -d $INT_NET -p tcp --sport 20 \
>   --dport 1024: -m state --state ESTABLISHED,RELATED -j ACCEPT
> $_fwd -i $INT_IF -s $INT_NET -o $INET_IF -p tcp --sport 1024: \
>   --dport 20 -m state --state ESTABLISHED -j ACCEPT
> 
> No need for any NAT rule, the ip_nat_ftp module will smartly take care 
> of everything automatically.
> 
> But IMHO this is a bit overkill. Here's what I'd use :
> 
> # that's for any ESTABLISHED and RELATED traffic, not only FTP
> $_fwd -i $INT_IF -s $INT_NET -o $INET_IF -m state --state \
>   ESTABLISHED,RELATED -j ACCEPT
> $_fwd -i $INET_IF -o $INT_IF -d $INT_NET -m state --state \
>   ESTABLISHED,RELATED -j ACCEPT
> 
> # that's for the first packet of a control connection
> $_fwd -i $INT_IF -s $INT_NET -o $INET_IF -p tcp --sport 1024: \
>   --dport 21 -m state --state NEW,ESTABLISHED -j ACCEPT
> $_nat -o $INET_IF -s $INT_NET -p tcp --sport 1024: --dport 21 \
>   -j SNAT --to $INET_NIC
> 
> 
> Notes about ip_conntrack_ftp and ip_nat_ftp :
> 1) They only work on plain unencrypted FTP. They don't work on FTPS (FTP 
> encrypted with TLS/SSL).
> 
> 2) When using FTP control connections on non standard ports (i.e. other 
> than 21), you must specify theses ports (as well as port 21 if used too) 
> in the "ports" parameter of both modules when loading them.
> 
> 

Re: common FTP+NAT problem

[Pascal Hambourg]

Ernesto Silva a écrit :
> I wrote the "RELATED" specification because I thought port 20 and the 
> rest of the connections (in passive and active mode) may be handled by 
> ip_conntrack_ftp and ip_nat_ftp in an "automagically" way.

This is what happens, at least partly :
- ip_conntrack_ftp, by monitoring the FTP control connections, 
identifies the first packet of an FTP data connection as RELATED ;
- ip_nat_ftp, with the help of ip_conntrack_ftp, does the necessary NAT 
on FTP data connections.

But you still have the job of writing rules to decide their fate, 
whether they must be accepted or dropped.

> Anyway, I used your suggestion (which I already knew)

Ok, sorry for doubting.