* Ftp (pass mode ) and Iptables
From: ludi @ 2006-01-05 3:51 UTC (permalink / raw)
To: netfilter
I have an ftp server and run an iptables script on the server (not a
NAT gateway). The following is the script:
iptables -F OUTPUT
iptables -F INPUT
iptables -F FORWARD
iptables -A INPUT -p udp -i eth0 -s 0/0 -d $HOME_ADDR --dport 53 -j ACCEPT
iptables -A INPUT -p tcp -i eth0 -s 0/0 -d $HOME_ADDR --dport 22 -j ACCEPT
iptables -A INPUT -p udp -i eth0 -s 0/0 -d $HOME_ADDR --sport 53 -j ACCEPT
iptables -A INPUT -p tcp -i eth0 -s 0/0 -d $HOME_ADDR --dport 80 -j ACCEPT
iptables -A INPUT -p icmp -i eth0 -s 0/0 -d $HOME_ADDR -m limit \
    --limit 6/m --limit-burst 6 -j ACCEPT
iptables -A INPUT -i lo -s 0/0 -d 127.0.0.1/32 -j ACCEPT
iptables -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
iptables -P INPUT DROP
iptables -A OUTPUT -o lo -s 127.0.0.1 -j ACCEPT
iptables -A OUTPUT -o eth0 -s $HOME_ADDR -j ACCEPT
iptables -P OUTPUT DROP
Now, my question is that I cannot connect to the ftp server in passive
mode until I stop iptables. I tried the ip_conntrack_ftp.o
module, but it didn't have any effect.
Could anyone give me some ideas?
* Re: Ftp (pass mode ) and Iptables
From: Boryan Yotov @ 2006-01-05 9:14 UTC (permalink / raw)
To: netfilter
ludi wrote:
> I have an ftp server and run an iptables script on the server (not a
> NAT gateway). The following is the script:
>
> iptables -F OUTPUT
> iptables -F INPUT
> iptables -F FORWARD
>
>
>
> iptables -A INPUT -p udp -i eth0 -s 0/0 -d $HOME_ADDR --dport 53 -j ACCEPT
> iptables -A INPUT -p tcp -i eth0 -s 0/0 -d $HOME_ADDR --dport 22 -j ACCEPT
> iptables -A INPUT -p udp -i eth0 -s 0/0 -d $HOME_ADDR --sport 53 -j ACCEPT
> iptables -A INPUT -p tcp -i eth0 -s 0/0 -d $HOME_ADDR --dport 80 -j ACCEPT
> iptables -A INPUT -p icmp -i eth0 -s 0/0 -d $HOME_ADDR -m limit \
>     --limit 6/m --limit-burst 6 -j ACCEPT
> iptables -A INPUT -i lo -s 0/0 -d 127.0.0.1/32 -j ACCEPT
> iptables -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
> iptables -P INPUT DROP
>
>
> iptables -A OUTPUT -o lo -s 127.0.0.1 -j ACCEPT
> iptables -A OUTPUT -o eth0 -s $HOME_ADDR -j ACCEPT
> iptables -P OUTPUT DROP
> Now, my question is that I cannot connect to the ftp server in passive
> mode until I stop iptables. I tried the ip_conntrack_ftp.o
> module, but it didn't have any effect.
> Could anyone give me some ideas?
Do you have TLS or SSL encryption on the FTP server's command channel?
* Re: Ftp (pass mode ) and Iptables
From: Boryan Yotov @ 2006-01-05 10:18 UTC (permalink / raw)
To: netfilter
Boryan Yotov wrote:
> ludi wrote:
>
>> I have an ftp server and run an iptables script on the server (not a
>> NAT gateway). The following is the script:
>>
>> iptables -F OUTPUT
>> iptables -F INPUT
>> iptables -F FORWARD
>>
>>
>>
>> iptables -A INPUT -p udp -i eth0 -s 0/0 -d $HOME_ADDR --dport 53 -j
>> ACCEPT
>> iptables -A INPUT -p tcp -i eth0 -s 0/0 -d $HOME_ADDR --dport 22 -j
>> ACCEPT
>> iptables -A INPUT -p udp -i eth0 -s 0/0 -d $HOME_ADDR --sport 53 -j
>> ACCEPT
>> iptables -A INPUT -p tcp -i eth0 -s 0/0 -d $HOME_ADDR --dport 80 -j
>> ACCEPT
>> iptables -A INPUT -p icmp -i eth0 -s 0/0 -d $HOME_ADDR -m limit \
>>     --limit 6/m --limit-burst 6 -j ACCEPT
>> iptables -A INPUT -i lo -s 0/0 -d 127.0.0.1/32 -j ACCEPT
>> iptables -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
>> iptables -P INPUT DROP
>>
>>
>> iptables -A OUTPUT -o lo -s 127.0.0.1 -j ACCEPT
>> iptables -A OUTPUT -o eth0 -s $HOME_ADDR -j ACCEPT
>> iptables -P OUTPUT DROP
>> Now, my question is that I cannot connect to the ftp server in passive
>> mode until I stop iptables. I tried the ip_conntrack_ftp.o
>> module, but it didn't have any effect.
>> Could anyone give me some ideas?
>
>
> Do you have TLS or SSL encryption on the FTP server's command channel?
>
>
>
Ok, since you are sure there is no TLS or SSL encryption on the command
channel, then it is probably the firewall setup script which you use.
I suppose the script above is the complete one and it is run on the FTP
server itself. If this is the case, then I see no rule for TCP/UDP
port 21 (where the FTP server's command channel is listening). If
port 21 is closed (and your proftpd is not configured to listen on another
command port), then you won't be able to connect to the FTP server at all.
On the other hand, since you mention that PASV mode is not working, I
guess you already have a command channel connection open between
client and server? Or not?
And please reply to the list (it makes it easier to track).
* RE: Ftp (pass mode ) and Iptables
From: Eric Marty @ 2006-01-05 17:15 UTC (permalink / raw)
To: Boryan Yotov, netfilter
hello all,
Maybe you need to accept ports 20 and 21 (-j ACCEPT) for standard ftp.
Eric
-----Original Message-----
From: netfilter-bounces@lists.netfilter.org
[mailto:netfilter-bounces@lists.netfilter.org]On Behalf Of Boryan Yotov
Sent: Thursday, January 05, 2006 10:15 AM
To: netfilter@lists.netfilter.org
Subject: Re: Ftp (pass mode ) and Iptables
ludi wrote:
> I have an ftp server and run an iptables script on the server (not a
> NAT gateway). The following is the script:
>
> iptables -F OUTPUT
> iptables -F INPUT
> iptables -F FORWARD
>
>
>
> iptables -A INPUT -p udp -i eth0 -s 0/0 -d $HOME_ADDR --dport 53 -j ACCEPT
> iptables -A INPUT -p tcp -i eth0 -s 0/0 -d $HOME_ADDR --dport 22 -j ACCEPT
> iptables -A INPUT -p udp -i eth0 -s 0/0 -d $HOME_ADDR --sport 53 -j ACCEPT
> iptables -A INPUT -p tcp -i eth0 -s 0/0 -d $HOME_ADDR --dport 80 -j ACCEPT
> iptables -A INPUT -p icmp -i eth0 -s 0/0 -d $HOME_ADDR -m limit \
>     --limit 6/m --limit-burst 6 -j ACCEPT
> iptables -A INPUT -i lo -s 0/0 -d 127.0.0.1/32 -j ACCEPT
> iptables -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
> iptables -P INPUT DROP
>
>
> iptables -A OUTPUT -o lo -s 127.0.0.1 -j ACCEPT
> iptables -A OUTPUT -o eth0 -s $HOME_ADDR -j ACCEPT
> iptables -P OUTPUT DROP
> Now, my question is that I cannot connect to the ftp server in passive
> mode until I stop iptables. I tried the ip_conntrack_ftp.o
> module, but it didn't have any effect.
> Could anyone give me some ideas?
Do you have TLS or SSL encryption on the FTP server's command channel?
* Re: Ftp (pass mode ) and Iptables
From: ludi @ 2006-01-06 6:30 UTC (permalink / raw)
To: netfilter
I'm sorry, I left out the ftp rule I inserted when I set up proftpd:
iptables -I INPUT 1 -p tcp -s 0/0 -d $HOME_ADDR --dport 8888 -j ACCEPT
;)
I can connect to the ftp server if I disable iptables. Otherwise, it
times out when cuteftp requests a listing.
I forced it to use the PORT command, and it worked well.
I think the command channel is established; however, the request is
filtered when cuteftp makes a data connection. So I want to know
whether iptables can resolve the problem?
* Re: Ftp (pass mode ) and Iptables
From: Boryan Yotov @ 2006-01-06 9:37 UTC (permalink / raw)
To: netfilter
ludi wrote:
> I'm sorry, I left out the ftp rule I inserted when I set up proftpd:
> iptables -I INPUT 1 -p tcp -s 0/0 -d $HOME_ADDR --dport 8888 -j ACCEPT
> ;)
>
> I can connect to the ftp server if I disable iptables. Otherwise, it
> times out when cuteftp requests a listing.
> I forced it to use the PORT command, and it worked well.
> I think the command channel is established; however, the request is
> filtered when cuteftp makes a data connection. So I want to know
> whether iptables can resolve the problem?
What has tcp port 8888 to do with FTP? Or did you change the FTP server
settings to bind itself on port 8888? Correct?
The ipt_conntrack_ftp module is listening for PORT and PASV on the
command channel running on port 21. If you bind your FTP server to
another port then you need to correct the include file of the module
as well:
From include/linux/netfilter_ipv4/ip_conntrack_ftp.h:
#define FTP_PORT 21
change to
#define FTP_PORT 8888
And then recompile the module.
I'm not sure and had no time to look if the module itself accepts
parameters. If it's true then you don't have to compile anything,
simply find out the ipt_conntrack_ftp insmod options.
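As an added example (not from any poster in this thread), here is a host firewall for an FTP server bound to a non-standard command port, covering both the missing command-channel rule and the helper port discussed above. It assumes HOME_ADDR is the server's own address on eth0, FTP_PORT is the port proftpd listens on (8888 in the thread), that the helper accepts a ports= module parameter (which ip_conntrack_ftp does, so no recompile is needed), and that IPT/MODPROBE can be overridden for a dry run.

```shell
#!/bin/sh
# Added example, not the original poster's script.
# With the default ports=21 the FTP helper never parses the PASV/PORT
# exchange on port 8888, so the data connection is never marked RELATED
# and the INPUT DROP policy silently discards it (the listing "times out").
IPT=${IPT:-iptables}          # set IPT=echo to preview the rules
MODPROBE=${MODPROBE:-modprobe}

ftp_firewall() {
    home_addr=$1              # server's own address on eth0 (assumed)
    ftp_port=${2:-21}         # command-channel port proftpd listens on

    # Tell the conntrack FTP helper which command port to inspect.
    # (Later 2.6 kernels renamed the module nf_conntrack_ftp.)
    "$MODPROBE" ip_conntrack_ftp ports="$ftp_port" || return 1

    "$IPT" -F INPUT
    "$IPT" -F OUTPUT
    "$IPT" -P INPUT DROP
    "$IPT" -P OUTPUT DROP

    "$IPT" -A INPUT -i lo -j ACCEPT
    "$IPT" -A OUTPUT -o lo -j ACCEPT

    # Command channel: the rule the original script was missing.
    "$IPT" -A INPUT -p tcp -i eth0 -d "$home_addr" --dport "$ftp_port" \
        -m state --state NEW -j ACCEPT
    # Data channels (PASV: inbound to a high port; PORT: replies to the
    # outbound port-20 connection) arrive as RELATED once the helper has
    # seen the command channel, so no wide high-port hole is needed.
    "$IPT" -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
    "$IPT" -A OUTPUT -o eth0 -s "$home_addr" -j ACCEPT
}
```

Run `ftp_firewall "$HOME_ADDR" 8888` as root to apply it, or with `IPT=echo MODPROBE=echo` exported first to print the commands without touching the ruleset.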