FTP port mode, client and server behind iptables

FTP port mode, client and server behind iptables

[Gary Smith]

As per the subject, I have a proftp server running behind iptables.  I'm NAT'ing in the entire IP to the ftp server.  

I have the following rules in place on the server (where eth0 is internal, eth1 is external):
*nat
-A PREROUTING -d x.x.x.x -p tcp -m tcp -j DNAT --to-destination 10.20.0.12
*filter
-A FORWARD -d 10.20.0.12 -i eth1 -p tcp -m tcp --dport 1025:65535 -j ACCEPT 
-A FORWARD -d 10.20.0.12 -i eth1 -p tcp -m tcp -m multiport --dports 80,443,21,20,22 -j ACCEPT
-A FORWARD -j LOG --log-prefix "FW-F: " 
-A FORWARD -i eth1 -j REJECT --reject-with icmp-port-unreachable
ip_conntrack_ftp and ip_nat_ftp are loaded

On the client side (where eth0 is internal, eth1 is external), 
-A FORWARD -I eth0 -j ACCEPT 
-A FORWARD -m conntrack --ctstate ESTABLISHED -j ACCEPT
-A FORWARD -j LOG --log-prefix "FW-F: " 
-A FORWARD -i eth1 -j REJECT --reject-with icmp-port-unreachable
ip_conntrack_ftp and ip_nat_ftp are loaded

I'm not seeing any hits in the log file (which logs on each chain before reject).

Anyway, what am I missing for PORT mode for FTP.  The windows command line users seem to be the only ones affected by this (as pretty much everything else allows passive).

Any ideas?

Re: FTP port mode, client and server behind iptables

[Mart Frauenlob]

Gary Smith wrote:
> As per the subject, I have a proftp server running behind iptables.  I'm NAT'ing in the entire IP to the ftp server.  
>
> I have the following rules in place on the server (where eth0 is internal, eth1 is external):
> *nat
> -A PREROUTING -d x.x.x.x -p tcp -m tcp -j DNAT --to-destination 10.20.0.12
> *filter
> -A FORWARD -d 10.20.0.12 -i eth1 -p tcp -m tcp --dport 1025:65535 -j ACCEPT 
>   

> -A FORWARD -d 10.20.0.12 -i eth1 -p tcp -m tcp -m multiport --dports 80,443,21,20,22 -j ACCEPT
> -A FORWARD -j LOG --log-prefix "FW-F: " 
> -A FORWARD -i eth1 -j REJECT --reject-with icmp-port-unreachable
> ip_conntrack_ftp and ip_nat_ftp are loaded
>
> On the client side (where eth0 is internal, eth1 is external), 
> -A FORWARD -I eth0 -j ACCEPT 
> -A FORWARD -m conntrack --ctstate ESTABLISHED -j ACCEPT
> -A FORWARD -j LOG --log-prefix "FW-F: " 
> -A FORWARD -i eth1 -j REJECT --reject-with icmp-port-unreachable
> ip_conntrack_ftp and ip_nat_ftp are loaded
>
> I'm not seeing any hits in the log file (which logs on each chain before reject).
>
> Anyway, what am I missing for PORT mode for FTP.  The windows command line users seem to be the only ones affected by this (as pretty much everything else allows passive).
>
>   

Port mode does not exist, there are passive and active mode in FTP, both 
use ports, but different ones....

> Any ideas?
>   

Umm, quite some... my proposal:

# allow all established and related (most expected hits -> rule placed first)
-A FORWARD -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT

# allow ftp: only for host or globally
-A FORWARD -i eth0 -d 10.20.0.12 -m helper --helper "ftp" -j ACCEPT
-A FORWARD -i eth1 -s 10.20.0.12 -m helper --helper "ftp" -j ACCEPT
--or more global: -A FORWARD -m helper --helper "ftp" -j ACCEPT


# allow connection openings (last rule as not more than a few packets per connection are state NEW)
-A FORWARD -d 10.20.0.12 -i eth1 -p tcp -m tcp -m multiport --dports 80,443,21,22 -m conntrack --ctstate NEW -j ACCEPT
-A FORWARD -i eth1 -j REJECT....... 

regards

Mart

Re: FTP port mode, client and server behind iptables

[Mart Frauenlob]

Mart Frauenlob wrote:
> Gary Smith wrote:
>> As per the subject, I have a proftp server running behind iptables.  
>> I'm NAT'ing in the entire IP to the ftp server. 
>> I have the following rules in place on the server (where eth0 is 
>> internal, eth1 is external):
>> *nat
>> -A PREROUTING -d x.x.x.x -p tcp -m tcp -j DNAT --to-destination 
>> 10.20.0.12
>> *filter
>> -A FORWARD -d 10.20.0.12 -i eth1 -p tcp -m tcp --dport 1025:65535 -j 
>> ACCEPT   
>
>> -A FORWARD -d 10.20.0.12 -i eth1 -p tcp -m tcp -m multiport --dports 
>> 80,443,21,20,22 -j ACCEPT
>> -A FORWARD -j LOG --log-prefix "FW-F: " -A FORWARD -i eth1 -j REJECT 
>> --reject-with icmp-port-unreachable
>> ip_conntrack_ftp and ip_nat_ftp are loaded
>>
>> On the client side (where eth0 is internal, eth1 is external), -A 
>> FORWARD -I eth0 -j ACCEPT -A FORWARD -m conntrack --ctstate 
>> ESTABLISHED -j ACCEPT
>> -A FORWARD -j LOG --log-prefix "FW-F: " -A FORWARD -i eth1 -j REJECT 
>> --reject-with icmp-port-unreachable
>> ip_conntrack_ftp and ip_nat_ftp are loaded
>>
>> I'm not seeing any hits in the log file (which logs on each chain 
>> before reject).
>>
>> Anyway, what am I missing for PORT mode for FTP.  The windows command 
>> line users seem to be the only ones affected by this (as pretty much 
>> everything else allows passive).
>>
>>   
>
> Port mode does not exist, there are passive and active mode in FTP, 
> both use ports, but different ones....
>
>> Any ideas?
>>   
>
> Umm, quite some... my proposal:
>
> # allow all established and related (most expected hits -> rule placed 
> first)
> -A FORWARD -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
>
> # allow ftp: only for host or globally
> -A FORWARD -i eth0 -d 10.20.0.12 -m helper --helper "ftp" -j ACCEPT
> -A FORWARD -i eth1 -s 10.20.0.12 -m helper --helper "ftp" -j ACCEPT
> --or more global: -A FORWARD -m helper --helper "ftp" -j ACCEPT
>
sorry, i mixed up internal and external interface.
-A FORWARD -i eth1 -d 10.20.0.12 -m helper --helper "ftp" -j ACCEPT
-A FORWARD -i eth0 -s 10.20.0.12 -m helper --helper "ftp" -j ACCEPT
>
> # allow connection openings (last rule as not more than a few packets 
> per connection are state NEW)
> -A FORWARD -d 10.20.0.12 -i eth1 -p tcp -m tcp -m multiport --dports 
> 80,443,21,22 -m conntrack --ctstate NEW -j ACCEPT
> -A FORWARD -i eth1 -j REJECT.......

RE: FTP port mode, client and server behind iptables

[Gary Smith]

> 
> Port mode does not exist, there are passive and active mode in FTP, both
> use ports, but different ones....

I guess, years ago I had head it referred to as Port or Passive.  Anyway, non-passive (or active is what I'm looking for.

Either way, I was able to verify that clients that are not behind a firewall are able to connect fine with either mode.  It appears to be a client side issue.

Even with the change that you provided, the client still had the same issue.  Anyway, I verified that the client firewall has the FTP nat/conntrack modules loaded but that didn't seem to help.  No packets on the firewall are being dropped (as we log everything before drop).  I'm going to look into a few more possible NAT issues on the client side to see if there are any other problems.

<lines added to top of forward chain>
-A FORWARD -i eth1 -d 10.20.0.12 -m helper --helper "ftp" -j ACCEPT
-A FORWARD -i eth0 -s 10.20.0.12 -m helper --helper "ftp" -j ACCEPT

If M$ just added a passive mode to their FTP client this would probably resolve a lot of small client complaints (with those incapable of downloading a real FTP client).