From: Alexandros Papadopoulos <apapadop@cmu.edu>
To: netfilter@lists.netfilter.org
Subject: non-standard FTP ports and connection tracking
Date: Mon, 9 Dec 2002 16:46:22 -0500
Message-ID: <200212091646.22615.apapadop@cmu.edu>
Hi. I have a small problem with the ftp_conntrack module (I guess).
Scenario:
======
I run iptables 1.2.6a and an ftp server (publicfile) on a machine
directly connected to the Internet. Connection tracking works fine when
the ftp server listens on the standard port (21), but seems to break
when I set the ftp server to listen to a non-standard high port (say,
2121).
I set both incoming and outgoing default action to DROP, load the
connection tracking modules in my firewall script:
/sbin/modprobe ip_conntrack
/sbin/modprobe ip_conntrack_ftp
and try to allow traffic for my ftp server only.
What happens:
=========
If the ftp server uses port 21 (standard setup), it works fine:
[] ftpd listening on port 21
[] client connects -> connection from high port to my 21 is established
[] client requests directory listing -> connection from my high port to
another high port of the client is established
Rules: (all defaults are DROP)
=================
## Allow connections to our ftp server
/sbin/iptables -A INPUT -p tcp --dport 21 -j ACCEPT
## Allow data for incoming FTP to return back to sender
/sbin/iptables -A OUTPUT -p tcp --sport 21 --dport 1024: -m state --state ESTABLISHED,RELATED -j ACCEPT
## Allow outgoing FTP (data) + HTTP replies
/sbin/iptables -A OUTPUT -p tcp --sport 1024: --dport 1024: -m state --state ESTABLISHED,RELATED -j ACCEPT
The problem:
========
But, when I set the server to listen to port 2121...:
[] ftpd listens on 2121
[] client connects -> connection from high port to my 2121 established
[] client requests directory listing -> netfilter drops packets for the
new (but related) connection that tries to be established, and the user
never sees the directory listing. The last packet that gets through is the
one that carries the "150 Making transfer connection..." message.
The rules in this case have only the port number changed, but here they
are in case I'm doing something wrong:
## Allow connections to our ftp server
/sbin/iptables -A INPUT -p tcp --dport 2121 -j ACCEPT
## Allow outgoing FTP (data) + HTTP replies!
/sbin/iptables -A OUTPUT -p tcp --sport 1024: --dport 1024: -m state --state ESTABLISHED,RELATED -j ACCEPT
## Allow data for incoming FTP to return back to sender
/sbin/iptables -A OUTPUT -p tcp --sport 2121 --dport 1024: -m state --state ESTABLISHED,RELATED -j ACCEPT
Any ideas?
-A
--
http://andrew.cmu.edu/~apapadop/pub_key.asc
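The scenario above, as an added example that is not part of the original message: the ip_conntrack_ftp helper only parses control connections on port 21 unless its `ports=` module parameter lists the extra control ports, so a server on 2121 never gets its data connection marked RELATED. The fragment below is a constructed firewall-script pattern (the `run`, `emit_ftp_rules` and `FW_DRY_RUN` names are assumptions, not the poster's script) that loads the helper for every control port and emits matching rules; with `FW_DRY_RUN=1` it prints the commands instead of executing them.

```shell
#!/bin/sh
# Constructed example: load the FTP conntrack helper for each control port a
# server listens on and emit the rules that let the RELATED data connections
# through. Paths assume a 2.4-era iptables/ip_conntrack setup like the one in
# the message.

IPT=/sbin/iptables
MODPROBE=/sbin/modprobe

# run CMD...: execute the command, or print it when FW_DRY_RUN=1 so the
# generated rule set can be reviewed on a machine without root or iptables.
run() {
    if [ "${FW_DRY_RUN:-0}" = "1" ]; then
        printf '%s\n' "$*"
    else
        "$@"
    fi
}

# emit_ftp_rules PORT...: PORT is every TCP port the FTP daemon listens on
# for the *control* connection (21, 2121, ...).
emit_ftp_rules() {
    [ $# -gt 0 ] || return 1
    ftp_ports=$(printf '%s,' "$@")
    ftp_ports=${ftp_ports%,}

    run "$MODPROBE" ip_conntrack
    # Without "ports=", the helper inspects port 21 only: the PORT/PASV
    # exchange on 2121 is never parsed, no expectation is created, and the
    # data connection falls through to the default DROP policy.
    run "$MODPROBE" ip_conntrack_ftp ports="$ftp_ports"

    # Control connection: only NEW connections to a listed port are accepted.
    for p in "$@"; do
        run "$IPT" -A INPUT -p tcp --dport "$p" -m state --state NEW -j ACCEPT
    done
    # Data connection (active: server to client; passive: client to server)
    # is RELATED to the tracked control connection once the helper sees it,
    # so no port-range based rules are needed in either direction.
    run "$IPT" -A INPUT  -p tcp -m state --state ESTABLISHED,RELATED -j ACCEPT
    run "$IPT" -A OUTPUT -p tcp -m state --state ESTABLISHED,RELATED -j ACCEPT
}

# Stand-alone use: sh ftp-rules.sh 21 2121   (add FW_DRY_RUN=1 to preview)
if [ "$#" -gt 0 ]; then
    emit_ftp_rules "$@"
fi
```

Listing the extra port in `ports=` is the part the rules alone cannot fix; the rest only tightens the posted rule set to state-based matching.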