FTP Problem

FTP Problem

[Vincent Elderkamp]

Hi,

I'm a new user for netfilter en doesn't have experience with it...

I have written a simple firewall script in the past it works perfect,
but know the FTP section doesn't work at all....

Maybe can somebody help me.

Here is my code :

iptables -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
iptables -A INPUT -p tcp -i eth0 -s any/0 -d any/0 --dport 21 -j ACCEPT
iptables -A OUTPUT -p tcp -o eth0 -s any/0 --sport 21 -d any/0 ! --syn
-j ACCEPT
iptables -A INPUT -p tcp -i eth0 -s any/0 -d any/0 --dport 20 -j ACCEPT
iptables -A OUTPUT -p tcp -o eth0 -s any/0 --sport 20 -d any/0 ! --syn
-j ACCEPT


I have found some code on the internet but that doesn't work at all :

## FTP
# Allow ftp outbound.
iptables -A INPUT  -i eth0 -p tcp --sport 21 -m state --state
ESTABLISHED -j ACCEPT
iptables -A OUTPUT -o eth0 -p tcp --dport 21 -m state --state
NEW,ESTABLISHED -j ACCEPT
# Now for the connection tracking part of ftp. This is discussed more
completely in my section
# on connection tracking to be found here.
# 1) Active ftp.
# This involves a connection INbound from port 20 on the remote machine,
to a local port
# passed over the ftp channel via a PORT command. The ip_conntrack_ftp
module recognizes
# the connection as RELATED to the original outgoing connection to port
21 so we don't
# need NEW as a state match.
iptables -A INPUT  -i eth0 -p tcp --sport 20 -m state --state
ESTABLISHED,RELATED -j ACCEPT
iptables -A OUTPUT -o eth0 -p tcp --dport 20 -m state --state
ESTABLISHED -j ACCEPT
# 2) Passive ftp.
# This involves a connection outbound from a port >1023 on the local
machine, to a port >1023
# on the remote machine previously passed over the ftp channel via a
PORT command. The
# ip_conntrack_ftp module recognizes the connection as RELATED to the
original outgoing
# connection to port 21 so we don't need NEW as a state match.
iptables -A INPUT  -i eth0 -p tcp --sport 1024:65535 --dport 1024:65535 \
  -m state --state ESTABLISHED -j ACCEPT
iptables -A OUTPUT -o eth0 -p tcp --sport 1024:65535 --dport 1024:65535 \
  -m state --state ESTABLISHED,RELATED -j ACCEPT


Hope someone can help me,

Thank you very much

Vincent

RE: FTP Problem

[Rob Sterenborg]

> Hi,
> 
> I'm a new user for netfilter en doesn't have experience with it...
> 
> I have written a simple firewall script in the past it works perfect,
> but know the FTP section doesn't work at all....
> 
> Maybe can somebody help me.
> 
> Here is my code :
> 
> iptables -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
> iptables -A INPUT -p tcp -i eth0 -s any/0 -d any/0 --dport 21 -j
> ACCEPT iptables -A OUTPUT -p tcp -o eth0 -s any/0 --sport 21 -d any/0
> ! --syn -j ACCEPT iptables -A INPUT -p tcp -i eth0 -s any/0 -d any/0
> --dport 20 -j ACCEPT iptables -A OUTPUT -p tcp -o eth0 -s any/0
> --sport 20 -d any/0 ! --syn -j ACCEPT 

Did you "modprobe ip_conntrack_ftp" and "modprobe ip_nat_ftp" ?


Grts,
Rob

Re: FTP Problem

[Vincent Elderkamp]

Rob Sterenborg schreef:
>> Hi,
>>
>> I'm a new user for netfilter en doesn't have experience with it...
>>
>> I have written a simple firewall script in the past it works perfect,
>> but know the FTP section doesn't work at all....
>>
>> Maybe can somebody help me.
>>
>> Here is my code :
>>
>> iptables -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
>> iptables -A INPUT -p tcp -i eth0 -s any/0 -d any/0 --dport 21 -j
>> ACCEPT iptables -A OUTPUT -p tcp -o eth0 -s any/0 --sport 21 -d any/0
>> ! --syn -j ACCEPT iptables -A INPUT -p tcp -i eth0 -s any/0 -d any/0
>> --dport 20 -j ACCEPT iptables -A OUTPUT -p tcp -o eth0 -s any/0
>> --sport 20 -d any/0 ! --syn -j ACCEPT 
> 
> Did you "modprobe ip_conntrack_ftp" and "modprobe ip_nat_ftp" ?
> 
> 
> Grts,
> Rob
> 
> 
> 
> 
> 

My machine is a Cobalt Raq 4

AMD K6 III 450 mHz

I think I have all the nessesary modules loaded...



--------------------------------------
Module                  Size  Used by
ipt_TOS                 6272  34
ipt_LOG                10496  17
iptable_nat            11652  0
xt_state                6272  4
xt_tcpudp               7168  185
xt_limit                6784  25
ip_nat_ftp              7424  0
ip_nat                 21420  2 iptable_nat,ip_nat_ftp
iptable_mangle          6912  1
iptable_filter          7168  1
ip_conntrack_ftp       11280  1 ip_nat_ftp
ip_conntrack           50356  5
iptable_nat,xt_state,ip_nat_ftp,ip_nat,ip_conntrack_ftp
ip_tables              18628  3 iptable_nat,iptable_mangle,iptable_filter
x_tables               19204  7
ipt_TOS,ipt_LOG,iptable_nat,xt_state,xt_tcpudp,xt_limit,ip_tables
ipv6                  251552  23
--------------------------------------

FTP problem....

[Tom Troonbeeckx]

Hi friends,

recently I installed the ftp-server proftpd-1.2.8.  Before I started the
daemon I stopped the previous FTP-server wu-ftpd.

Currently I have no FTP-daemon started, however.  When i telnet to mine
server(Redhat 7.1) I still got a fingerprint from the wu-ftpd.

Initial I thought there must be running still a wu-daemon.
I listed all processes and grepped for an ftp string (ps -waux | grep ftp).
Still nothing to see.
After that I utilised lsof(lsof-4.67) and grabbed for any ftp matches.
Still empty results.

In a nutshell, in the procestable is no entry which indicates there is an
ftp-daemon is running, on the otherhand telnetting shows me a differten
result.

Any ideas how this is possible or how I can stop the 'hidden' daemon for
listening on port 21.

Thanks in advance...

 Ideaxis nv
-facing the internet-

Flanders Multimedia Valley
Wetenschapspark 1
B-3590 DIEPENBEEK

Tel : +32 11 26 89 20
Fax : +32 11 23 22 17
Mobile: +32 479 13 14 81

E-Mail: tom.troonbeeckx@ideaxis.com
URL: http://www.ideaxis.com/

Ideaxis nv legal disclaimer
The information contained in this e-mail is confidential and may be
privileged. It may be read, copied and used only by the intended recipient.
If you have received it in error, please contact the sender immediately by
returning this e-mail. Please delete this e-mail and do not disclose its
contents to any person. Ideaxis nv does not accept liability for any
errors, omissions, delays of receipt or viruses in the contents of this
message which arise as a result of e-mail transmission.

Re: FTP problem....

[Jamie Harris]

Are you sure its not inetd that is responding to the request?  Have a look
at /etc/inetd.conf or your equivilent.

cheers

Jamie...

> Hi friends,
>
> recently I installed the ftp-server proftpd-1.2.8.  Before I started the
> daemon I stopped the previous FTP-server wu-ftpd.
>
> Currently I have no FTP-daemon started, however.  When i telnet to mine
> server(Redhat 7.1) I still got a fingerprint from the wu-ftpd.
>
> Initial I thought there must be running still a wu-daemon.
> I listed all processes and grepped for an ftp string (ps -waux | grep
> ftp). Still nothing to see.
> After that I utilised lsof(lsof-4.67) and grabbed for any ftp matches.
> Still empty results.
>
> In a nutshell, in the procestable is no entry which indicates there is
> an ftp-daemon is running, on the otherhand telnetting shows me a
> differten result.
>
> Any ideas how this is possible or how I can stop the 'hidden' daemon for
> listening on port 21.
>
> Thanks in advance...
>
>  Ideaxis nv
> -facing the internet-
>
> Flanders Multimedia Valley
> Wetenschapspark 1
> B-3590 DIEPENBEEK
>
> Tel : +32 11 26 89 20
> Fax : +32 11 23 22 17
> Mobile: +32 479 13 14 81
>
> E-Mail: tom.troonbeeckx@ideaxis.com
> URL: http://www.ideaxis.com/
>
> Ideaxis nv legal disclaimer
> The information contained in this e-mail is confidential and may be
> privileged. It may be read, copied and used only by the intended
> recipient. If you have received it in error, please contact the sender
> immediately by returning this e-mail. Please delete this e-mail and do
> not disclose its contents to any person. Ideaxis nv does not accept
> liability for any errors, omissions, delays of receipt or viruses in the
> contents of this message which arise as a result of e-mail transmission.
>
>
> -
> To unsubscribe from this list: send the line "unsubscribe linux-admin"
> in the body of a message to majordomo@vger.kernel.org
> More majordomo info at  http://vger.kernel.org/majordomo-info.html


-- 
**  This message was transmitted on 100% recycled electrons **

RE: FTP problem....

[Tom Troonbeeckx]

Yep,  you are correct the wu-ftpd was still configured in /etc/xinetd.conf.

After I removed this entry and restarted xinetd, port 21 was released.

Thanks for the advice.


-----Original Message-----
From: Jamie Harris [mailto:jamie@jharris.homeip.net]
Sent: woensdag 2 april 2003 16:44
To: tom.troonbeeckx@ideaxis.com
Cc: linux-admin@vger.kernel.org
Subject: Re: FTP problem....


Are you sure its not inetd that is responding to the request?  Have a look
at /etc/inetd.conf or your equivilent.

cheers

Jamie...

> Hi friends,
>
> recently I installed the ftp-server proftpd-1.2.8.  Before I started the
> daemon I stopped the previous FTP-server wu-ftpd.
>
> Currently I have no FTP-daemon started, however.  When i telnet to mine
> server(Redhat 7.1) I still got a fingerprint from the wu-ftpd.
>
> Initial I thought there must be running still a wu-daemon.
> I listed all processes and grepped for an ftp string (ps -waux | grep
> ftp). Still nothing to see.
> After that I utilised lsof(lsof-4.67) and grabbed for any ftp matches.
> Still empty results.
>
> In a nutshell, in the procestable is no entry which indicates there is
> an ftp-daemon is running, on the otherhand telnetting shows me a
> differten result.
>
> Any ideas how this is possible or how I can stop the 'hidden' daemon for
> listening on port 21.
>
> Thanks in advance...
>
>  Ideaxis nv
> -facing the internet-
>
> Flanders Multimedia Valley
> Wetenschapspark 1
> B-3590 DIEPENBEEK
>
> Tel : +32 11 26 89 20
> Fax : +32 11 23 22 17
> Mobile: +32 479 13 14 81
>
> E-Mail: tom.troonbeeckx@ideaxis.com
> URL: http://www.ideaxis.com/
>
> Ideaxis nv legal disclaimer
> The information contained in this e-mail is confidential and may be
> privileged. It may be read, copied and used only by the intended
> recipient. If you have received it in error, please contact the sender
> immediately by returning this e-mail. Please delete this e-mail and do
> not disclose its contents to any person. Ideaxis nv does not accept
> liability for any errors, omissions, delays of receipt or viruses in the
> contents of this message which arise as a result of e-mail transmission.
>
>
> -
> To unsubscribe from this list: send the line "unsubscribe linux-admin"
> in the body of a message to majordomo@vger.kernel.org
> More majordomo info at  http://vger.kernel.org/majordomo-info.html


--
**  This message was transmitted on 100% recycled electrons **

Re: FTP problem....

[César Soler]

On Wed, Apr 02, 2003 at 03:44:25PM +0100, Jamie Harris wrote:
> Are you sure its not inetd that is responding to the request?  Have a look
> at /etc/inetd.conf or your equivilent.
> 
> cheers
> 
> Jamie...
> 
> > Hi friends,
> >
> > recently I installed the ftp-server proftpd-1.2.8.  Before I started the
> > daemon I stopped the previous FTP-server wu-ftpd.
> >
> > Currently I have no FTP-daemon started, however.  When i telnet to mine
> > server(Redhat 7.1) I still got a fingerprint from the wu-ftpd.

I think that in the RH7.1 by default these services deal with xinetd, so
you must look in /etc/xinetd.d directory (if you haven't changed....)

Regards,
-- 
César Soler <csoler@euskalnet.net>		PGP KeyID: 0x179DAD53

Colo-cao! El alimento de la juventu....
-
To unsubscribe from this list: send the line "unsubscribe linux-admin" in
the body of a message to majordomo@vger.kernel.org
More majordomo info at  http://vger.kernel.org/majordomo-info.html