* RE: RE: ftp issue cont.
@ 2005-08-15 12:05 Derick Anderson
2005-08-15 12:51 ` Jörg Harmuth
0 siblings, 1 reply; 11+ messages in thread
From: Derick Anderson @ 2005-08-15 12:05 UTC (permalink / raw)
To: netfilter
This sounds more like a problem with your Windows FTP server than
iptables. Having never worked with Win2k's FTP server I'm not sure what
to suggest. I'd try it with FileZilla (it's free, and works) and see if
you have the same problems, particularly since you said (in an email to
me) you can connect to other FTP sites just fine.
Derick
-----Original Message-----
From: varun_saa@vsnl.net [mailto:varun_saa@vsnl.net]
Sent: Monday, August 15, 2005 2:15 AM
To: Derick Anderson
Cc: netfilter@lists.netfilter.org
Subject: Re: RE: ftp issue cont.
Thanks a lot Derick,
I learnt a few details.
" -A FORWARD -p tcp -d your.ftp.ip.address --dport 1024: -j ACCEPT "
Did not seem to work.
I have a few more details for you.
WAN -----> eth0 - FC4 server - eth1 -----------> clients ( 192.168.0.0/24 )
The FC4 server is only for sharing internet, mail, etc. for the client systems.
I do not run any ftp server on my FC4 server.
My ftp server is on Windows 2000 Advanced Server, run by our friend in the US.
From my FC4 server I am able to connect to "ftp.sriaurobindoashram.com"
with "passive file transfer" unchecked in gftp.
Using "passive file transfer" checked in gftp, it connects and stops
at receiving file names.
So I guess the Win2k server does not support passive mode. And we need to
concentrate on non-passive mode.
Now on the client systems, with "passive file transfer" unchecked in gftp,
I get the following error:
Looking up ftp.sriaurobindoashram.com
Trying www.sriaurobindoashram.com:21
Connected to ftp.sriaurobindoashram.com:21
220 ns1 Microsoft FTP Service (Version 5.0).
USER xxxxxxxx
331 Password required for xxxxxxxx.
PASS xxxx
230 User xxxxxxxx logged in.
SYST
215 Windows_NT version 5.0
TYPE I
200 Type set to I.
PWD
257 "/xxxxxxxxx" is current directory.
Loading directory listing /xxxxxxxx from server (LC_TIME=en_US)
PORT 192,168,0,253,4,3
500 Invalid PORT Command.
Invalid response '5' received from server.
Disconnecting from site ftp.sriaurobindoashram.com
So what does that suggest?
Varun
----- Original Message -----
From: Derick Anderson <danderson@vikus.com>
Date: Friday, August 12, 2005 11:14 pm
Subject: RE: ftp issue cont.
> FTP passive mode creates an entirely new connection for data transfer.
> It is not 'related' to the original connection and so iptables doesn't
> pick it up as such (nor do any other stateful firewalls that I'm aware
> of). The connection works something like this:
>
> 1. Client connects to FTP server on port 21 and requests PASV mode.
> 2. Server replies with the port that client should use (e.g., 50100).
> 3. Client makes NEW connection on the passive port (50100).
> 4. Server transfers information using the new connection.
>
> This is why (I think...) stateful firewalls don't pick up passive
> connections: they are initiated by the client, not the server.
>
> You know you have to open port 21 and 20 (for non-passive connections)
> inbound to your FTP server. I didn't see that in your rules either but
> since you can log in to the server, etc. I can only assume it works.
> You will have to check your FTP server's documentation on which ports
> it uses in PASV (passive) mode. These ports are always above 1023
> (1024:). I will give you an example:
>
> Suppose your FTP server uses ports 50100 to 50200 for passive
> connections. You will need to add an iptables rule such as
>
> $IPT -A FORWARD -p tcp -d your.ftp.ip.address --dport 50100:50200 -j ACCEPT
>
> into your firewall ruleset, assuming your FTP server is not on the
> firewall and you've taken care of DNATing. If you want to be lazy you
> can always do this:
>
> $IPT -A FORWARD -p tcp -d your.ftp.ip.address --dport 1024: -j ACCEPT
>
> The above rule should work right away, provided the rest of your
> firewall is in order. For anything else I suggest reviewing the HOW-TOs
> on www.netfilter.org. A google search will probably provide you
> with the specific ports for your FTP server, and any server worth the
> download will let you change what those ports are.
>
> Hope that helps.
>
> Derick
>
> -----Original Message-----
> From: netfilter-bounces@lists.netfilter.org
> [netfilter-bounces@lists.netfilter.org] On Behalf Of
> varun_saa@vsnl.net
> Sent: Friday, August 12, 2005 12:52 PM
> To: netfilter@lists.netfilter.org
> Subject: ftp issue cont.
>
> Make sure you've opened up whichever unprivileged passive ports your
> FTP server uses. Passive FTP connections are seen as new by stateful
> firewalls, not related to the original control connection.
>
> Derick Anderson
>
> Thanks Derick,
> But I am not very clear about ftp.
> So I will appreciate details.
>
> Thanks
>
> Varun
* Re: ftp issue cont.
2005-08-15 12:05 RE: ftp issue cont Derick Anderson
@ 2005-08-15 12:51 ` Jörg Harmuth
0 siblings, 0 replies; 11+ messages in thread
From: Jörg Harmuth @ 2005-08-15 12:51 UTC (permalink / raw)
To: netfilter
> I get the following error :
[SNIP]
> 257 "/xxxxxxxxx" is current directory.
> Loading directory listing /xxxxxxxx from server (LC_TIME=en_US)
> PORT 192,168,0,253,4,3
>
> 500 Invalid PORT Command.
> Invalid response '5' received from server.
> Disconnecting from site ftp.sriaurobindoashram.com
You say that this FTP server is located in the US? And you want to connect
to this server via the internet? And this is what you get? If so, you will
never get anything from this server (with this configuration). Watch this:
192,168,0,253,4,3
This means something like "Hey guy, connect to my address of
192.168.0.253 on port 4*256+3". This is an RFC1918 address which is
dropped at the first router on the internet. Ask your friend to do some
SNAT or configure the FTP server correctly (I'm not familiar with MS
server stuff) and try again.
Have a nice time,
Joerg
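An added example (not code from the thread or from netfilter) that decodes the PORT argument Joerg explains above, flags the RFC1918 address, and replays the failure against a hypothetical server-side check; the rewrite function models what the ip_nat_ftp helper, which Varun asks about further down, does to an outgoing PORT command on a masquerading box. The server logic and the 203.0.113.10 public address are constructed assumptions.

```python
"""FTP's h1,h2,h3,h4,p1,p2 address encoding (PORT argument and 227 reply) and a
model of what the ip_nat_ftp helper changes on a masquerading firewall."""
import ipaddress
import re

_HOSTPORT = re.compile(r"(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3})")
_RFC1918 = [ipaddress.ip_network(n)
            for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]


def decode_hostport(text):
    """Turn the six comma-separated bytes into (dotted address, port);
    the port is p1*256 + p2, so '192,168,0,253,4,3' is 192.168.0.253:1027."""
    m = _HOSTPORT.search(text)
    if m is None:
        raise ValueError("no h1,h2,h3,h4,p1,p2 field in %r" % text)
    octets = [int(x) for x in m.groups()]
    if max(octets) > 255:
        raise ValueError("byte out of range in %r" % text)
    h1, h2, h3, h4, p1, p2 = octets
    return "%d.%d.%d.%d" % (h1, h2, h3, h4), p1 * 256 + p2


def encode_hostport(ip, port):
    """Inverse of decode_hostport: ('192.168.0.253', 1027) -> '192,168,0,253,4,3'."""
    if not 0 <= port <= 65535:
        raise ValueError("port out of range: %d" % port)
    return "%s,%d,%d" % (ip.replace(".", ","), port // 256, port % 256)


def is_rfc1918(ip):
    """True for the private ranges that no router on the internet forwards."""
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in _RFC1918)


def server_handle_port(port_line, control_peer_ip):
    """Hypothetical server-side check (a model, not the real IIS logic): the
    address announced in PORT must be the peer the control connection came
    from; a client behind NAT announces its private address instead, and the
    server answers as the one in the thread did."""
    try:
        ip, _port = decode_hostport(port_line)
    except ValueError:
        return "500 Invalid PORT Command."
    if ip != control_peer_ip:
        return "500 Invalid PORT Command."
    return "200 PORT command successful."


def nat_rewrite_port(port_line, public_ip):
    """Model of the ip_nat_ftp helper: the private address in an outgoing PORT
    command is replaced by the firewall's public address (the port is kept in
    this model; the real helper may remap it) and the original client endpoint
    is returned, which is what the firewall needs to translate the server's
    incoming data connection back to the client."""
    ip, port = decode_hostport(port_line)
    return "PORT " + encode_hostport(public_ip, port), (ip, port)


def active_session(nat_helper_loaded, client_ip="192.168.0.253",
                   firewall_public_ip="203.0.113.10"):
    """Replay the failure from the thread: the client announces its private
    address; 203.0.113.10 is a constructed placeholder for the firewall's
    public address. Returns the PORT line the server saw and its reply."""
    port_line = "PORT " + encode_hostport(client_ip, 4 * 256 + 3)
    if nat_helper_loaded:
        port_line, _client = nat_rewrite_port(port_line, firewall_public_ip)
    return port_line, server_handle_port(port_line, firewall_public_ip)
```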
* Re: ftp issue cont.
@ 2005-08-16 10:16 varun_saa
0 siblings, 0 replies; 11+ messages in thread
From: varun_saa @ 2005-08-16 10:16 UTC (permalink / raw)
To: Jörg Harmuth; +Cc: netfilter
Thanks a lot Jorg,
It was rather simple.
I will try shortly and see if my client side works.
While reading there were a few more details:
modprobe iptable_nat
modprobe ip_nat_ftp
In what situation would you enable those two?
Varun
----- Original Message -----
From: Jörg Harmuth <harmuth@mnemon.de>
Date: Tuesday, August 16, 2005 1:26 pm
Subject: Re: ftp issue cont.
> varun_saa@vsnl.net schrieb:
>
> >Thanks Jorg,
> > I get the following for lsmod :
> >
> >[root@squidserver ~]# lsmod | grep conntrack
> >ip_conntrack 41497 3 ipt_state,ipt_MASQUERADE,iptable_nat
> >
> >So how do I add :
> >
> > ip_conntrack_ftp
> > ipt_conntrack
> >
> >And yes it is :
> > -A FORWARD -j DROP
> >
> >
> >
> modprobe ip_conntrack_ftp
>
> If you get an error message, you probably have to reconfigure the
> kernel. May I suggest reading some basic Linux tutorial? You can find
> tuts e.g. on http://debian.org and most likely on the home page of
> your distribution.
>
> Have a nice time and happy reading,
>
> Joerg
* Re: ftp issue cont.
@ 2005-08-16 4:13 varun_saa
2005-08-16 7:56 ` Jörg Harmuth
2005-08-16 22:06 ` R. DuFresne
0 siblings, 2 replies; 11+ messages in thread
From: varun_saa @ 2005-08-16 4:13 UTC (permalink / raw)
To: Jörg Harmuth; +Cc: netfilter
Thanks Jorg,
I get the following for lsmod:
[root@squidserver ~]# lsmod | grep conntrack
ip_conntrack 41497 3 ipt_state,ipt_MASQUERADE,iptable_nat
So how do I add:
ip_conntrack_ftp
ipt_conntrack
And yes it is:
-A FORWARD -j DROP
Thanks again
Varun
----- Original Message -----
From: Jörg Harmuth <harmuth@mnemon.de>
Date: Monday, August 15, 2005 4:29 pm
Subject: Re: ftp issue cont.
> varun_saa@vsnl.net schrieb:
> > Thanks Jorg,
> > How to find out if ftp-module is loaded or
> > not.
>
> e.g.
>
> lsmod | grep conntrack
>
> gives on my box:
>
> ip_conntrack_ftp 3680 0 (unused)
> ipt_conntrack 1120 0 (autoclean)
> ip_conntrack 26484 1 (autoclean) [ip_conntrack_ftp ...
>
> >
> > Thanks
> >
> > Varun
> >
> > ----- Original Message -----
> > From: Jörg Harmuth <harmuth@mnemon.de>
> > Date: Monday, August 15, 2005 2:43 pm
> > Subject: Re: ftp issue cont.
> >
> >
> >>Derick Anderson schrieb:
> >>
> >>>FTP passive mode creates an entirely new connection for data transfer.
> >>>It is not 'related' to the original connection and so iptables doesn't
> >>>pick it up as such (nor do any other stateful firewalls that I'm aware
> >>>of).
> >>
> >>No, not really. Iptables regards FTP data traffic as related stuff. To
> >>be more exact, the respective helper module does so
> >>(ip_conntrack_ftp.[k]o). So, normally all you have to do is load this
> >>module, allow ESTABLISHED,RELATED traffic in and out and allow FTP in.
> >>This looks something like this (assumed that policies are DROP and
> >>OUTPUT is ACCEPT and also assumed that the box is directly connected to
> >>the internet and that the FTP server is on the firewall box):
> >>
> >>modprobe ip_conntrack_ftp.[k]o
> >>
> >>iptables -A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
> >>iptables -A INPUT -p tcp --dport 21 --syn -j ACCEPT
> >>
> >>This will work for active and passive FTP. If the ftp-module isn't on
> >>the system in question, varun_saa has to configure the kernel
> >>correctly and recompile as needed.
> >>
> >>BTW, the original ruleset didn't explain anything. IN|OUTPUT == ACCEPT
> >>and in FORWARD no rule concerning FTP. So, what is this guy doing? If
> >>the FTP server is on the firewall box, there is no iptables problem at
> >>all (on this box). If not, there are no rules that permit FTP and thus
> >>it cannot work. The whole thing looks quite mysterious to me, including
> >>the -P issue Rob mentioned. Maybe a tiny ASCII art network picture
> >>would clarify the situation :)
> >>
> >>Have a nice time,
> >>
> >>Joerg
* Re: ftp issue cont.
2005-08-16 4:13 varun_saa
@ 2005-08-16 7:56 ` Jörg Harmuth
2005-08-16 22:06 ` R. DuFresne
1 sibling, 0 replies; 11+ messages in thread
From: Jörg Harmuth @ 2005-08-16 7:56 UTC (permalink / raw)
To: netfilter
varun_saa@vsnl.net schrieb:
>Thanks Jorg,
> I get the following for lsmod :
>
>[root@squidserver ~]# lsmod | grep conntrack
>ip_conntrack 41497 3 ipt_state,ipt_MASQUERADE,iptable_nat
>
>So how do I add :
>
> ip_conntrack_ftp
> ipt_conntrack
>
>And yes it is :
> -A FORWARD -j DROP
modprobe ip_conntrack_ftp
If you get an error message, you probably have to reconfigure the
kernel. May I suggest reading some basic Linux tutorial? You can find
tuts e.g. on http://debian.org and most likely on the home page of your
distribution.
Have a nice time and happy reading,
Joerg
* Re: ftp issue cont.
2005-08-16 4:13 varun_saa
2005-08-16 7:56 ` Jörg Harmuth
@ 2005-08-16 22:06 ` R. DuFresne
1 sibling, 0 replies; 11+ messages in thread
From: R. DuFresne @ 2005-08-16 22:06 UTC (permalink / raw)
To: varun_saa; +Cc: netfilter
A good place to start might be man lsmod
Thanks,
Ron DuFresne
On Tue, 16 Aug 2005 varun_saa@vsnl.net wrote:
> Thanks Jorg,
> I get the following for lsmod :
>
> [root@squidserver ~]# lsmod | grep conntrack
> ip_conntrack 41497 3 ipt_state,ipt_MASQUERADE,iptable_nat
>
> So how do I add :
>
> ip_conntrack_ftp
> ipt_conntrack
>
> And yes it is :
> -A FORWARD -j DROP
>
> Thanks again
>
> Varun
> ----- Original Message -----
> From: Jörg Harmuth <harmuth@mnemon.de>
> Date: Monday, August 15, 2005 4:29 pm
> Subject: Re: ftp issue cont.
>
>> varun_saa@vsnl.net schrieb:
>>> Thanks Jorg,
>>> How to find out if ftp-module is loaded or
>>> not.
>>
>> e.g.
>>
>> lsmod | grep conntrack
>>
>> gives on my box:
>>
>> ip_conntrack_ftp 3680 0 (unused)
>> ipt_conntrack 1120 0 (autoclean)
>> ip_conntrack 26484 1 (autoclean) [ip_conntrack_ftp ...
>>
>>>
>>> Thanks
>>>
>>> Varun
>>>
>>> ----- Original Message -----
>>> From: Jörg Harmuth <harmuth@mnemon.de>
>>> Date: Monday, August 15, 2005 2:43 pm
>>> Subject: Re: ftp issue cont.
>>>
>>>
>>>> Derick Anderson schrieb:
>>>>
>>>>> FTP passive mode creates an entirely new connection for data transfer.
>>>>> It is not 'related' to the original connection and so iptables doesn't
>>>>> pick it up as such (nor do any other stateful firewalls that I'm aware
>>>>> of).
>>>>
>>>> No, not really. Iptables regards FTP data traffic as related stuff. To
>>>> be more exact, the respective helper module does so
>>>> (ip_conntrack_ftp.[k]o). So, normally all you have to do is load this
>>>> module, allow ESTABLISHED,RELATED traffic in and out and allow FTP in.
>>>> This looks something like this (assumed that policies are DROP and
>>>> OUTPUT is ACCEPT and also assumed that the box is directly connected to
>>>> the internet and that the FTP server is on the firewall box):
>>>>
>>>> modprobe ip_conntrack_ftp.[k]o
>>>>
>>>> iptables -A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
>>>> iptables -A INPUT -p tcp --dport 21 --syn -j ACCEPT
>>>>
>>>> This will work for active and passive FTP. If the ftp-module isn't on
>>>> the system in question, varun_saa has to configure the kernel
>>>> correctly and recompile as needed.
>>>>
>>>> BTW, the original ruleset didn't explain anything. IN|OUTPUT == ACCEPT
>>>> and in FORWARD no rule concerning FTP. So, what is this guy doing? If
>>>> the FTP server is on the firewall box, there is no iptables problem at
>>>> all (on this box). If not, there are no rules that permit FTP and thus
>>>> it cannot work. The whole thing looks quite mysterious to me, including
>>>> the -P issue Rob mentioned. Maybe a tiny ASCII art network picture
>>>> would clarify the situation :)
>>>>
>>>> Have a nice time,
>>>>
>>>> Joerg
--
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
admin & senior security consultant: sysinfo.com
http://sysinfo.com
Key fingerprint = 9401 4B13 B918 164C 647A E838 B2DF AFCC 94B0 6629
...We waste time looking for the perfect lover
instead of creating the perfect love.
-Tom Robbins <Still Life With Woodpecker>
* RE: ftp issue cont.
@ 2005-08-15 11:54 Derick Anderson
0 siblings, 0 replies; 11+ messages in thread
From: Derick Anderson @ 2005-08-15 11:54 UTC (permalink / raw)
To: netfilter
It must be our firewall then: I didn't build it myself and I don't know if conntrack_ftp is loaded in the kernel or not - guess I could always modprobe eh? We have a 24/7 production shop so I'm editing it live until I get around to building another firewall myself. I always thought that passive FTP ports had to be opened specifically because the only indication of a new connection is in the data of the packet itself.
Thanks for the clarification,
Derick
-----Original Message-----
From: netfilter-bounces@lists.netfilter.org [mailto:netfilter-bounces@lists.netfilter.org] On Behalf Of Jörg Harmuth
Sent: Monday, August 15, 2005 5:13 AM
To: netfilter@lists.netfilter.org
Subject: Re: ftp issue cont.
Derick Anderson schrieb:
> FTP passive mode creates an entirely new connection for data transfer.
> It is not 'related' to the original connection and so iptables doesn't
> pick it up as such (nor do any other stateful firewalls that I'm aware
> of).
No, not really. Iptables regards FTP data traffic as related stuff. To be more exact, the respective helper module does so (ip_conntrack_ftp.[k]o). So, normally all you have to do is load this module, allow ESTABLISHED,RELATED traffic in and out and allow FTP in.
This looks something like this (assumed that policies are DROP and OUTPUT is ACCEPT and also assumed that the box is directly connected to the internet and that the FTP server is on the firewall box):
modprobe ip_conntrack_ftp.[k]o
iptables -A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
iptables -A INPUT -p tcp --dport 21 --syn -j ACCEPT
This will work for active and passive FTP. If the ftp-module isn't on the system in question, varun_saa has to configure the kernel correctly and recompile as needed.
BTW, the original ruleset didn't explain anything. IN|OUTPUT == ACCEPT and in FORWARD no rule concerning FTP. So, what is this guy doing? If the FTP server is on the firewall box, there is no iptables problem at all (on this box). If not, there are no rules that permit FTP and thus it cannot work. The whole thing looks quite mysterious to me, including the -P issue Rob mentioned. Maybe a tiny ASCII art network picture would clarify the situation :)
Have a nice time,
Joerg
* Re: ftp issue cont.
@ 2005-08-15 10:33 varun_saa
0 siblings, 0 replies; 11+ messages in thread
From: varun_saa @ 2005-08-15 10:33 UTC (permalink / raw)
To: Jörg Harmuth; +Cc: netfilter
Thanks Jorg,
How do I find out if the ftp module is loaded or not?
Thanks
Varun
----- Original Message -----
From: Jörg Harmuth <harmuth@mnemon.de>
Date: Monday, August 15, 2005 2:43 pm
Subject: Re: ftp issue cont.
> Derick Anderson schrieb:
> > FTP passive mode creates an entirely new connection for data transfer.
> > It is not 'related' to the original connection and so iptables doesn't
> > pick it up as such (nor do any other stateful firewalls that I'm aware
> > of).
>
> No, not really. Iptables regards FTP data traffic as related stuff. To
> be more exact, the respective helper module does so
> (ip_conntrack_ftp.[k]o). So, normally all you have to do is load this
> module, allow ESTABLISHED,RELATED traffic in and out and allow FTP in.
> This looks something like this (assumed that policies are DROP and
> OUTPUT is ACCEPT and also assumed that the box is directly connected to
> the internet and that the FTP server is on the firewall box):
>
> modprobe ip_conntrack_ftp.[k]o
>
> iptables -A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
> iptables -A INPUT -p tcp --dport 21 --syn -j ACCEPT
>
> This will work for active and passive FTP. If the ftp-module isn't on
> the system in question, varun_saa has to configure the kernel
> correctly and recompile as needed.
>
> BTW, the original ruleset didn't explain anything. IN|OUTPUT == ACCEPT
> and in FORWARD no rule concerning FTP. So, what is this guy doing? If
> the FTP server is on the firewall box, there is no iptables problem at
> all (on this box). If not, there are no rules that permit FTP and thus
> it cannot work. The whole thing looks quite mysterious to me, including
> the -P issue Rob mentioned. Maybe a tiny ASCII art network picture
> would clarify the situation :)
>
> Have a nice time,
>
> Joerg
* RE: ftp issue cont.
@ 2005-08-12 17:44 Derick Anderson
2005-08-15 9:13 ` Jörg Harmuth
0 siblings, 1 reply; 11+ messages in thread
From: Derick Anderson @ 2005-08-12 17:44 UTC (permalink / raw)
To: netfilter
FTP passive mode creates an entirely new connection for data transfer.
It is not 'related' to the original connection and so iptables doesn't
pick it up as such (nor do any other stateful firewalls that I'm aware
of). The connection works something like this:
1. Client connects to FTP server on port 21 and requests PASV mode.
2. Server replies with the port that client should use (e.g., 50100).
3. Client makes NEW connection on the passive port (50100).
4. Server transfers information using the new connection.
This is why (I think...) stateful firewalls don't pick up passive
connections: they are initiated by the client, not the server.
You know you have to open port 21 and 20 (for non-passive connections)
inbound to your FTP server. I didn't see that in your rules either but
since you can log in to the server, etc. I can only assume it works. You
will have to check your FTP server's documentation on which ports it
uses in PASV (passive) mode. These ports are always above 1023 (1024:).
I will give you an example:
Suppose your FTP server uses ports 50100 to 50200 for passive
connections. You will need to add an iptables rule such as
$IPT -A FORWARD -p tcp -d your.ftp.ip.address --dport 50100:50200 -j ACCEPT
into your firewall ruleset, assuming your FTP server is not on the
firewall and you've taken care of DNATing. If you want to be lazy you
can always do this:
$IPT -A FORWARD -p tcp -d your.ftp.ip.address --dport 1024: -j ACCEPT
The above rule should work right away, provided the rest of your
firewall is in order. For anything else I suggest reviewing the HOW-TOs
on www.netfilter.org. A google search will probably provide you with the
specific ports for your FTP server, and any server worth the download
will let you change what those ports are.
Hope that helps.
Derick
-----Original Message-----
From: netfilter-bounces@lists.netfilter.org
[mailto:netfilter-bounces@lists.netfilter.org] On Behalf Of
varun_saa@vsnl.net
Sent: Friday, August 12, 2005 12:52 PM
To: netfilter@lists.netfilter.org
Subject: ftp issue cont.
Make sure you've opened up whichever unprivileged passive ports your FTP
server uses. Passive FTP connections are seen as new by stateful
firewalls, not related to the original control connection.
Derick Anderson
Thanks Derick,
But I am not very clear about ftp.
So I will appreciate details.
Thanks
Varun
* Re: ftp issue cont.
2005-08-12 17:44 Derick Anderson
@ 2005-08-15 9:13 ` Jörg Harmuth
0 siblings, 0 replies; 11+ messages in thread
From: Jörg Harmuth @ 2005-08-15 9:13 UTC (permalink / raw)
To: netfilter
Derick Anderson schrieb:
> FTP passive mode creates an entirely new connection for data transfer.
> It is not 'related' to the original connection and so iptables doesn't
> pick it up as such (nor do any other stateful firewalls that I'm aware
> of).
No, not really. Iptables regards FTP data traffic as related stuff. To
be more exact, the respective helper module does so
(ip_conntrack_ftp.[k]o). So, normally all you have to do is load this
module, allow ESTABLISHED,RELATED traffic in and out and allow FTP in.
This looks something like this (assumed that policies are DROP and
OUTPUT is ACCEPT and also assumed that the box is directly connected to
the internet and that the FTP server is on the firewall box):
modprobe ip_conntrack_ftp.[k]o
iptables -A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
iptables -A INPUT -p tcp --dport 21 --syn -j ACCEPT
This will work for active and passive FTP. If the ftp-module isn't on
the system in question, varun_saa has to configure the kernel correctly
and recompile as needed.
BTW, the original ruleset didn't explain anything. IN|OUTPUT == ACCEPT
and in FORWARD no rule concerning FTP. So, what is this guy doing? If
the FTP server is on the firewall box, there is no iptables problem at
all (on this box). If not, there are no rules that permit FTP and thus
it cannot work. The whole thing looks quite mysterious to me, including
the -P issue Rob mentioned. Maybe a tiny ASCII art network picture
would clarify the situation :)
Have a nice time,
Joerg
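A toy model, added here and not netfilter's code or anyone's from the thread, of the point Joerg makes above: with the ip_conntrack_ftp helper loaded, the 227 reply (or PORT command) seen on the control connection creates an expectation, so the data connection in steps 2 and 3 of Derick's walkthrough is classified RELATED and passes the first INPUT rule; without the helper it is NEW and hits the DROP policy. The addresses and the 227 reply are constructed sample values.

```python
"""Toy model (not netfilter code) of how the ip_conntrack_ftp helper turns the
FTP data connection into RELATED traffic for Joerg's INPUT ruleset."""
import re

NEW, ESTABLISHED, RELATED = "NEW", "ESTABLISHED", "RELATED"
_HOSTPORT = re.compile(r"(\d+),(\d+),(\d+),(\d+),(\d+),(\d+)")


def _decode(text):
    """'h1,h2,h3,h4,p1,p2' -> (dotted address, p1*256 + p2)."""
    h1, h2, h3, h4, p1, p2 = (int(x) for x in _HOSTPORT.search(text).groups())
    return "%d.%d.%d.%d" % (h1, h2, h3, h4), p1 * 256 + p2


class Conntrack:
    """Tracks connections by the (src, dst, dport) of their first packet."""

    def __init__(self, ftp_helper_loaded):
        self.helper = ftp_helper_loaded
        self.flows = set()      # connections already seen
        self.expected = set()   # data connections the FTP helper announced

    def classify(self, src, dst, dport):
        """State of a SYN: ESTABLISHED, RELATED (matches an expectation) or NEW."""
        key = (src, dst, dport)
        if key in self.flows:
            return ESTABLISHED
        self.flows.add(key)
        if key in self.expected:
            self.expected.discard(key)
            return RELATED
        return NEW

    def inspect_control(self, client, server, line):
        """The helper's job on the control channel: a 227 reply means the client
        will connect to the announced server port (passive); a PORT command
        means the server will connect to the announced client port (active).
        Without the helper nothing is expected and the data SYN stays NEW."""
        if not self.helper:
            return
        if line.startswith("227"):
            ip, port = _decode(line)
            self.expected.add((client, ip, port))
        elif line.upper().startswith("PORT "):
            ip, port = _decode(line)
            self.expected.add((server, ip, port))


def input_chain(state, dport, syn):
    """Joerg's INPUT chain: DROP policy, RELATED/ESTABLISHED accepted first,
    then a new SYN to port 21."""
    if state in (RELATED, ESTABLISHED):
        return "ACCEPT"
    if dport == 21 and syn:
        return "ACCEPT"
    return "DROP"


def passive_session(ftp_helper_loaded, client="198.51.100.7", server="203.0.113.5"):
    """Derick's four steps with the FTP server on the firewall box. Returns the
    INPUT verdicts for the control SYN and the data SYN; addresses and the 227
    reply are constructed sample values."""
    ct = Conntrack(ftp_helper_loaded)
    verdicts = [input_chain(ct.classify(client, server, 21), 21, True)]   # 1. control
    ct.inspect_control(client, server, "PASV")
    reply = "227 Entering Passive Mode (203,0,113,5,195,212)"             # 2. port 50132
    ct.inspect_control(client, server, reply)
    data_port = _decode(reply)[1]
    verdicts.append(input_chain(ct.classify(client, server, data_port),
                                data_port, True))                        # 3. data SYN
    return verdicts                                                       # 4. transfer
```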
* ftp issue cont.
@ 2005-08-12 16:51 varun_saa
0 siblings, 0 replies; 11+ messages in thread
From: varun_saa @ 2005-08-12 16:51 UTC (permalink / raw)
To: netfilter
Make sure you've opened up whichever unprivileged passive ports your FTP
server uses. Passive FTP connections are seen as new by stateful
firewalls, not related to the original control connection.
Derick Anderson
Thanks Derick,
But I am not very clear about ftp.
So I will appreciate details.
Thanks
Varun