* IPtables settings to access a backup FTP
From: Richard @ 2007-08-18 19:08 UTC
To: netfilter

Hello, this is my first message so I hope I'm doing this right! :)

I've got iptables set up and running well on my server and up to now
I've not had any problems, however I have just installed a backup
system which needs to connect by FTP to a distant server.

With my firewall deactivated all works fine, however with the
firewall activated when I use the "ls" command of the Debian ftp
command line package (CWD) I get:

200 ok
then a long wait, then:
421 Service not available, remote server has closed connection.

I've tried this on two different FTPs and it only works if the
firewall is deactivated.

One server is a Plesk server but the server I need to connect to I do
not know much about; with FileZilla on my PC I've managed to connect
to it with both FTP active and FTP passive, so I guess it can do both.

On my server I just do:

ftp ftp.server.com
username
password

So I'm not sure if it connects as passive or active.

These are the ports that I have got open:

-A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
-A OUTPUT -m state --state ESTABLISHED,RELATED -j ACCEPT

-A INPUT -p tcp -m tcp --dport 20 -j ACCEPT
-A INPUT -p tcp -m tcp --dport 21 -j ACCEPT

-A OUTPUT -p tcp -m tcp --dport 20 -j ACCEPT
-A OUTPUT -p tcp -m tcp --dport 21 -j ACCEPT

Which ports do you suggest I should open to connect to this FTP server?

Thanks in advance,
Richard
* Re: IPtables settings to access a backup FTP
From: Martijn Lievaart @ 2007-08-18 20:16 UTC
To: Richard; +Cc: netfilter

Richard wrote:
> Hello, this is my first message so I hope I'm doing this right! :)
>
> I've got iptables set up and running well on my server and up to now
> I've not had any problems, however I have just installed a backup
> system which needs to connect by FTP to a distant server.
>
> With my firewall deactivated all works fine, however with the
> firewall activated when I use the "ls" command of the Debian ftp
> command line package (CWD) I get:
>
> 200 ok
> then a long wait, then:
> 421 Service not available, remote server has closed connection.
>
> I've tried this on two different FTPs and it only works if the
> firewall is deactivated.
>
> One server is a Plesk server but the server I need to connect to I do
> not know much about; with FileZilla on my PC I've managed to connect
> to it with both FTP active and FTP passive, so I guess it can do both.
>
> On my server I just do:
>
> ftp ftp.server.com
> username
> password
>
> So I'm not sure if it connects as passive or active.
>
> These are the ports that I have got open:
>
> -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
> -A OUTPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
>
> -A INPUT -p tcp -m tcp --dport 20 -j ACCEPT

You don't need this (see below), but it is wrong anyhow. Active ftp uses
SOURCE port 20, not destination port 20. Most guides on the inuhnet
thingie get this wrong.

> -A INPUT -p tcp -m tcp --dport 21 -j ACCEPT

Do you also want to accept FTP connections? You don't need this to make
outgoing connections.

>
> -A OUTPUT -p tcp -m tcp --dport 20 -j ACCEPT

This is nonsense.

> -A OUTPUT -p tcp -m tcp --dport 21 -j ACCEPT

This is the only rule you need to make outgoing FTP connections.

>
> Which ports do you suggest I should open to connect to this FTP server?
>

It's not only about static ports. FTP uses dynamic ports as well that
must be tracked by a helper. Modprobe nf_conntrack_ftp (ip_conntrack_ftp
on older kernels) and all should be well.

HTH,
M4
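To make the helper's job concrete, here is a small added example (not code from the list or from netfilter) that models what ip_conntrack_ftp / nf_conntrack_ftp has to do: watch the control channel on port 21, decode the host and port advertised in a PORT command or a 227 PASV reply, and register the data connection it expects so that conntrack can classify it RELATED rather than NEW. It also answers the question raised above about the `--dport 20` rules: in active mode the server dials from source port 20 to an ephemeral client port, so a client-side rule keyed on destination port 20 never matches. The addresses, ports and the `strict` peer check are this example's own assumptions.

```python
"""Model of the FTP connection-tracking helper's expectation logic.

Added example, not netfilter's code.  The helper reads the control channel and
creates an "expectation" for the data connection that PORT / PASV announce, so
that the data connection is admitted by a '--state RELATED' rule instead of
needing a static port rule.
"""

import re
from dataclasses import dataclass
from typing import Optional

# 227 Entering Passive Mode (h1,h2,h3,h4,p1,p2)
PASV_RE = re.compile(r"^227\b.*?\((\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3})\)")
# PORT h1,h2,h3,h4,p1,p2
PORT_RE = re.compile(r"^PORT\s+(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3})\s*$")


@dataclass(frozen=True)
class Expectation:
    """A data connection the helper should let through as RELATED."""
    mode: str                # "active" (PORT) or "passive" (PASV)
    src_ip: str              # who opens the data connection
    src_port: Optional[int]  # 20 in active mode (server side); ephemeral, unknown, in passive
    dst_ip: str
    dst_port: int


def decode_hostport(fields):
    """Turn the six comma-separated decimal fields into ('a.b.c.d', port)."""
    host = ".".join(fields[:4])
    p1, p2 = int(fields[4]), int(fields[5])
    if not (0 <= p1 <= 255 and 0 <= p2 <= 255):
        raise ValueError("port bytes out of range")
    return host, p1 * 256 + p2


def expectation_from_control(line, client_ip, server_ip, strict=True):
    """Inspect one control-channel line; return the expected data connection or None.

    With strict=True (this example's own policy) an advertised address that does
    not belong to the peer of the control connection is rejected instead of
    being turned into an expectation for some third-party host.
    """
    m = PORT_RE.match(line)
    if m:  # active: client announces where the server must connect, server dials from port 20
        host, port = decode_hostport(m.groups())
        if strict and host != client_ip:
            raise ValueError(f"PORT advertises {host}, control peer is {client_ip}")
        return Expectation("active", server_ip, 20, host, port)
    m = PASV_RE.match(line)
    if m:  # passive: server announces where the client must connect
        host, port = decode_hostport(m.groups())
        if strict and host != server_ip:
            raise ValueError(f"PASV advertises {host}, control peer is {server_ip}")
        return Expectation("passive", client_ip, None, host, port)
    return None


def static_rule_matches(exp, chain, dport):
    """Would '-A <chain> -p tcp --dport <dport> -j ACCEPT' on the FTP *client*
    match this data connection?  Shows why '--dport 20' rules on a client are dead."""
    if exp.mode == "active":
        # arrives at the client: INPUT chain, destination = the client's ephemeral port
        return chain == "INPUT" and dport == exp.dst_port
    # passive: the client opens it: OUTPUT chain, destination = the server's advertised port
    return chain == "OUTPUT" and dport == exp.dst_port


if __name__ == "__main__":
    # Constructed sample exchange between client 198.51.100.7 and server 203.0.113.10.
    c, s = "198.51.100.7", "203.0.113.10"
    for line in ("PORT 198,51,100,7,4,1", "200 PORT command successful",
                 "227 Entering Passive Mode (203,0,113,10,195,80)"):
        print(line, "->", expectation_from_control(line, c, s))
```

Because both the passive server port (50000 above) and the active client port (1025 above) change per transfer, no fixed `--dport` rule can cover them; the helper's expectation plus the existing `--state RELATED,ESTABLISHED` ACCEPT is what lets the data channel through. On kernels from about 4.7 onward loading the module alone is not enough: automatic helper assignment is off by default (`net.netfilter.nf_conntrack_helper = 0`) and the helper has to be attached to the control connection with a `-t raw ... -p tcp --dport 21 -j CT --helper ftp` rule.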
* Re: IPtables settings to access a backup FTP
From: Richard @ 2007-08-18 20:25 UTC
To: Martijn Lievaart, netfilter

Hi, I've got ip_conntrack running.

My server hosts FTP accounts and I also need outgoing ftp ...

No problems accessing the ftp hosted on this server, but can't do a
CWD (ls) from this server to another external ftp server unless the
firewall is deactivated.

I guess you are going to say most of my settings are useless but here
go my current settings:

-------------------------
Chain INPUT (policy DROP)
target       prot opt source                destination
ACCEPT       all  --  anywhere              anywhere            state RELATED,ESTABLISHED
ACCEPT       tcp  --  anywhere              anywhere            tcp dpt:ftp-data
ACCEPT       tcp  --  anywhere              anywhere            tcp dpt:ftp
LOG_ACCEPT   tcp  --  anywhere              anywhere            tcp dpt:2022
LOG_ACCEPT   tcp  --  anywhere              anywhere            tcp dpt:smtp
ACCEPT       tcp  --  anywhere              anywhere            tcp dpt:whois
ACCEPT       udp  --  anywhere              anywhere            udp dpt:domain
ACCEPT       tcp  --  anywhere              anywhere            tcp dpt:www
ACCEPT       tcp  --  anywhere              anywhere            tcp dpt:pop3
ACCEPT       tcp  --  anywhere              anywhere            tcp dpt:imap2
ACCEPT       tcp  --  anywhere              anywhere            tcp dpt:https
ACCEPT       tcp  --  anywhere              anywhere            tcp dpt:ntp
ACCEPT       tcp  --  anywhere              anywhere            tcp dpt:8443
ACCEPT       tcp  --  anywhere              anywhere            tcp dpt:8880
ACCEPT       tcp  --  anywhere              anywhere            tcp dpt:42630
ACCEPT       udp  --  anywhere              anywhere            udp dpt:42630
ACCEPT       tcp  --  anywhere              anywhere            tcp dpt:imaps
ACCEPT       tcp  --  anywhere              anywhere            tcp dpt:mysql
ACCEPT       all  --  localhost.localdomain anywhere
icmp_packets icmp --  anywhere              anywhere
LOG_DROP     all  --  anywhere              anywhere

Chain FORWARD (policy DROP)
target       prot opt source                destination
ACCEPT       tcp  --  anywhere              anywhere            tcp dpt:ftp flags:SYN,RST,ACK/SYN

Chain OUTPUT (policy DROP)
target       prot opt source                destination
ACCEPT       all  --  anywhere              anywhere            state RELATED,ESTABLISHED
ACCEPT       tcp  --  anywhere              anywhere            tcp dpt:ftp-data
ACCEPT       tcp  --  anywhere              anywhere            tcp dpt:ftp
ACCEPT       tcp  --  anywhere              anywhere            tcp dpt:2022
ACCEPT       tcp  --  anywhere              anywhere            tcp dpt:telnet
ACCEPT       tcp  --  anywhere              anywhere            tcp dpt:smtp
ACCEPT       tcp  --  anywhere              anywhere            tcp dpt:whois
ACCEPT       udp  --  anywhere              anywhere            udp dpt:domain
ACCEPT       tcp  --  anywhere              anywhere            tcp dpt:www
ACCEPT       tcp  --  anywhere              anywhere            tcp dpt:pop3
ACCEPT       tcp  --  anywhere              anywhere            tcp dpt:imap2
ACCEPT       tcp  --  anywhere              anywhere            tcp dpt:https
ACCEPT       udp  --  anywhere              anywhere            udp dpt:ntp
ACCEPT       tcp  --  anywhere              anywhere            tcp dpt:imaps
ACCEPT       tcp  --  anywhere              anywhere            tcp dpt:mysql
ACCEPT       all  --  anywhere              localhost.localdomain
icmp_packets icmp --  anywhere              anywhere
LOG_DROP     all  --  anywhere              anywhere

Chain LOG_ACCEPT (2 references)
target       prot opt source                destination
LOG          all  --  anywhere              anywhere            LOG level warning tcp-options ip-options prefix `[IPTABLES ACCEPT] : '
ACCEPT       all  --  anywhere              anywhere

Chain LOG_DROP (2 references)
target       prot opt source                destination
LOG          all  --  anywhere              anywhere            LOG level warning tcp-options ip-options prefix `[IPTABLES DROP] : '
DROP         all  --  anywhere              anywhere

Chain icmp_packets (2 references)
target       prot opt source                destination
ACCEPT       icmp --  anywhere              anywhere            limit: avg 1/sec burst 1
LOG          icmp --  anywhere              anywhere            limit: avg 1/sec burst 1 LOG level warning prefix `PING-DROP: '
--------------

Thanks for any suggestions!
Richard

Martijn Lievaart wrote:
> Richard wrote:
>> Hello, this is my first message so I hope I'm doing this right! :)
>>
>> I've got iptables set up and running well on my server and up to now
>> I've not had any problems, however I have just installed a backup
>> system which needs to connect by FTP to a distant server.
>>
>> With my firewall deactivated all works fine, however with the
>> firewall activated when I use the "ls" command of the Debian ftp
>> command line package (CWD) I get:
>>
>> 200 ok
>> then a long wait, then:
>> 421 Service not available, remote server has closed connection.
>>
>> I've tried this on two different FTPs and it only works if the
>> firewall is deactivated.
>>
>> One server is a Plesk server but the server I need to connect to I do
>> not know much about; with FileZilla on my PC I've managed to connect
>> to it with both FTP active and FTP passive, so I guess it can do both.
>>
>> On my server I just do:
>>
>> ftp ftp.server.com
>> username
>> password
>>
>> So I'm not sure if it connects as passive or active.
>>
>> These are the ports that I have got open:
>>
>> -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
>> -A OUTPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
>>
>> -A INPUT -p tcp -m tcp --dport 20 -j ACCEPT
>
> You don't need this (see below), but it is wrong anyhow. Active ftp uses
> SOURCE port 20, not destination port 20. Most guides on the inuhnet
> thingie get this wrong.
>
>> -A INPUT -p tcp -m tcp --dport 21 -j ACCEPT
>
> Do you also want to accept FTP connections? You don't need this to make
> outgoing connections.
>
>>
>> -A OUTPUT -p tcp -m tcp --dport 20 -j ACCEPT
>
> This is nonsense.
>
>> -A OUTPUT -p tcp -m tcp --dport 21 -j ACCEPT
>
> This is the only rule you need to make outgoing FTP connections.
>
>>
>> Which ports do you suggest I should open to connect to this FTP server?
>>
>
> It's not only about static ports. FTP uses dynamic ports as well that
> must be tracked by a helper. Modprobe nf_conntrack_ftp (ip_conntrack_ftp
> on older kernels) and all should be well.
>
> HTH,
> M4
>
* Re: IPtables settings to access a backup FTP
From: Martijn Lievaart @ 2007-08-18 20:29 UTC
To: Richard; +Cc: netfilter

Richard wrote:

[ Please don't top-post. Thanks ]

> Hi, I've got ip_conntrack running.

I was talking about ip_conntrack_ftp, not ip_conntrack. You need both.
The difference is between ftp working and not working at the first LS
command.

>
> My server hosts FTP accounts and I also need outgoing ftp ...

Clear, so you need the input rule on port 21 as well.

>
> No problems accessing the ftp hosted on this server, but can't do a
> CWD (ls) from this server to another external ftp server unless the
> firewall is deactivated.

No problems? Impossible with the rules you posted.

>
> I guess you are going to say most of my settings are useless but here
> go my current settings:

Thanks, but that is virtually unreadable. Post the output of
iptables-save instead.

HTH,
M4
* Re: IPtables settings to access a backup FTP
From: Richard @ 2007-08-18 22:36 UTC
To: netfilter

Martijn Lievaart wrote:
> Richard wrote:
>
> [ Please don't top-post. Thanks ]
>
>> Hi, I've got ip_conntrack running.
>
> I was talking about ip_conntrack_ftp, not ip_conntrack. You need both.
> The difference is between ftp working and not working at the first LS
> command.
>
>>
>> My server hosts FTP accounts and I also need outgoing ftp ...
>
> Clear, so you need the input rule on port 21 as well.
>
>>
>> No problems accessing the ftp hosted on this server, but can't do a
>> CWD (ls) from this server to another external ftp server unless the
>> firewall is deactivated.
>
> No problems? Impossible with the rules you posted.
>
>>
>> I guess you are going to say most of my settings are useless but here
>> go my current settings:
>
> Thanks, but that is virtually unreadable. Post the output of
> iptables-save instead.
>
> HTH,
> M4
>

Thank you! That fixed my problem!

I did an lsmod and it was not there, so I did a modprobe ip_conntrack_ftp
and then added ip_conntrack_ftp to /etc/modules.

Now my backup system works well!

Now for my iptables settings, here is my file:

------
#The NAT portion of the ruleset. Used for Network Address Translation.
#Usually not needed on a typical web server, but it's there if you need it.
*nat
:PREROUTING ACCEPT [127173:7033011]
:POSTROUTING ACCEPT [31583:2332178]
:OUTPUT ACCEPT [32021:2375633]
COMMIT

#The Mangle portion of the ruleset. Here is where unwanted packet types get dropped.
#This helps in making port scans against your server a bit more time consuming and difficult, but not impossible.
*mangle
:PREROUTING ACCEPT [444:43563]
:INPUT ACCEPT [444:43563]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [402:144198]
:POSTROUTING ACCEPT [402:144198]
-A PREROUTING -p tcp -m tcp --tcp-flags FIN,SYN,RST,PSH,ACK,URG FIN,PSH,URG -j DROP
-A PREROUTING -p tcp -m tcp --tcp-flags FIN,SYN,RST,PSH,ACK,URG NONE -j DROP
-A PREROUTING -p tcp -m tcp --tcp-flags SYN,RST SYN,RST -j DROP
-A PREROUTING -p tcp -m tcp --tcp-flags FIN,SYN FIN,SYN -j DROP
-A PREROUTING -p tcp -m tcp --tcp-flags FIN,SYN,RST,PSH,ACK,URG FIN,PSH,URG -j DROP
-A PREROUTING -p tcp -m tcp --tcp-flags FIN,SYN,RST,PSH,ACK,URG NONE -j DROP
-A PREROUTING -p tcp -m tcp --tcp-flags SYN,RST SYN,RST -j DROP
-A PREROUTING -p tcp -m tcp --tcp-flags FIN,SYN FIN,SYN -j DROP
-A PREROUTING -p tcp -m tcp --tcp-flags FIN,SYN,RST,PSH,ACK,URG FIN,PSH,URG -j DROP
-A PREROUTING -p tcp -m tcp --tcp-flags FIN,SYN,RST,PSH,ACK,URG NONE -j DROP
-A PREROUTING -p tcp -m tcp --tcp-flags SYN,RST SYN,RST -j DROP
-A PREROUTING -p tcp -m tcp --tcp-flags FIN,SYN FIN,SYN -j DROP
-A PREROUTING -p tcp -m tcp --tcp-flags FIN,SYN,RST,PSH,ACK,URG FIN,PSH,URG -j DROP
-A PREROUTING -p tcp -m tcp --tcp-flags FIN,SYN,RST,PSH,ACK,URG NONE -j DROP
-A PREROUTING -p tcp -m tcp --tcp-flags SYN,RST SYN,RST -j DROP
-A PREROUTING -p tcp -m tcp --tcp-flags FIN,SYN FIN,SYN -j DROP
COMMIT

#The FILTER section of the ruleset is where we initially drop all packets and then selectively open certain ports.
#We will also enable logging of all dropped requests.
*filter
:INPUT DROP [1:242]
:FORWARD DROP [0:0]
:OUTPUT DROP [0:0]
:LOG_DROP - [0:0]
:LOG_ACCEPT - [0:0]
:icmp_packets - [0:0]

#test
-A FORWARD -i eth0 -o eth1 -p tcp --syn --dport 21 -j ACCEPT

#First, we cover the INPUT rules, or the rules for incoming requests.
#Note how at the end we log any incoming packets that are not accepted.
-A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
-A INPUT -p tcp -m tcp --dport 20 -j ACCEPT
-A INPUT -p tcp -m tcp --dport 21 -j ACCEPT
-A INPUT -p tcp -m tcp --dport 2022 -j LOG_ACCEPT
-A INPUT -p tcp -m tcp --dport 25 -j LOG_ACCEPT
-A INPUT -p tcp -m tcp --dport 43 -j ACCEPT
-A INPUT -p udp -m udp --dport 53 -j ACCEPT
-A INPUT -p tcp -m tcp --dport 80 -j ACCEPT
-A INPUT -p tcp -m tcp --dport 110 -j ACCEPT
-A INPUT -p tcp -m tcp --dport 143 -j ACCEPT
-A INPUT -p tcp -m tcp --dport 443 -j ACCEPT
-A INPUT -p tcp -m tcp --dport 123 -j ACCEPT
-A INPUT -p tcp -m tcp --dport 8443 -j ACCEPT
-A INPUT -p tcp -m tcp --dport 8880 -j ACCEPT
#Passive FTP connections
-A INPUT -p tcp -m tcp --dport 32876 -j ACCEPT
-A INPUT -p udp -m udp --dport 32876 -j ACCEPT
#uncomment the next line if you are running Spamassassin on your server
#-A INPUT -p tcp -m tcp --dport 783 -j ACCEPT
-A INPUT -p tcp -m tcp --dport 993 -j ACCEPT
-A INPUT -p tcp -m tcp --dport 3306 -j ACCEPT
-A INPUT -s 127.0.0.1 -j ACCEPT
-A INPUT -p icmp -j icmp_packets
-A INPUT -j LOG_DROP

#Next, we cover the OUTPUT rules, or the rules for all outgoing traffic.
#Note how at the end we log any outbound packets that are not accepted.
-A OUTPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
-A OUTPUT -p tcp -m tcp --dport 20 -j ACCEPT
-A OUTPUT -p tcp -m tcp --dport 21 -j ACCEPT
-A OUTPUT -p tcp -m tcp --dport 2022 -j ACCEPT
-A OUTPUT -p tcp -m tcp --dport 23 -j ACCEPT
-A OUTPUT -p tcp -m tcp --dport 25 -j ACCEPT
-A OUTPUT -p tcp -m tcp --dport 43 -j ACCEPT
-A OUTPUT -p udp -m udp --dport 53 -j ACCEPT
-A OUTPUT -p tcp -m tcp --dport 80 -j ACCEPT
-A OUTPUT -p tcp -m tcp --dport 110 -j ACCEPT
-A OUTPUT -p tcp -m tcp --dport 143 -j ACCEPT
-A OUTPUT -p tcp -m tcp --dport 443 -j ACCEPT
-A OUTPUT -p udp -m udp --dport 123 -j ACCEPT
#uncomment the next line if you are running Spamassassin on your server
#-A OUTPUT -p tcp -m tcp --dport 783 -j ACCEPT
-A OUTPUT -p tcp -m tcp --dport 993 -j ACCEPT
-A OUTPUT -p tcp -m tcp --dport 3306 -j ACCEPT
-A OUTPUT -d 127.0.0.1 -j ACCEPT
-A OUTPUT -p icmp -j icmp_packets
-A OUTPUT -j LOG_DROP

#Here we have 2 sets of logging rules. One for dropped packets to log all dropped requests and one for accepted packets, should we wish to log any accepted requests.
-A LOG_DROP -j LOG --log-prefix "[IPTABLES DROP] : " --log-tcp-options --log-ip-options
-A LOG_DROP -j DROP
-A LOG_ACCEPT -j LOG --log-prefix "[IPTABLES ACCEPT] : " --log-tcp-options --log-ip-options
-A LOG_ACCEPT -j ACCEPT

#And finally, a rule to deal with ICMP requests. We drop all ping requests except from our own server.
# Make sure you replace 1.2.3.4 with the IP address of your server.
#-A icmp_packets -p icmp -m icmp --icmp-type 0 -j ACCEPT
#-A icmp_packets -p icmp -m icmp --icmp-type 8 -j ACCEPT
#-A icmp_packets -p icmp -m icmp --icmp-type 3 -j ACCEPT
#-A icmp_packets -p icmp -m icmp --icmp-type 11 -j ACCEPT
-A icmp_packets -p icmp -m limit --limit 1/s --limit-burst 1 -j ACCEPT
-A icmp_packets -p icmp -m limit --limit 1/s --limit-burst 1 -j LOG --log-prefix "PING-DROP: "
COMMIT
-----

So as far as I understand, I must remove the two following lines:

-A INPUT -p tcp -m tcp --dport 20 -j ACCEPT
-A OUTPUT -p tcp -m tcp --dport 20 -j ACCEPT

Thanks again!
Richard
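The thread ends with the three things that actually mattered: the FTP conntrack helper must be loaded, `--state RELATED,ESTABLISHED` must be accepted so the helper's expectation is honoured, and the `--dport 20` rules are dead weight. The following added checker (this example's own code, not from the list) reads an iptables-save dump plus a /proc/modules listing and reports exactly those points, so a ruleset can be audited before the firewall is reloaded. The dump and module listing embedded below are constructed, abridged versions of the ones in the thread.

```python
"""Audit an iptables-save dump for the outgoing-FTP pitfalls raised in this thread.

Added example, not from the list.  Reads the *filter table of an iptables-save
dump and a /proc/modules listing (both passed in as strings so it runs offline).
"""

import shlex

# Constructed, abridged from the ruleset posted above: filter table only.
SAMPLE_DUMP = """\
*filter
:INPUT DROP [1:242]
:FORWARD DROP [0:0]
:OUTPUT DROP [0:0]
-A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
-A INPUT -p tcp -m tcp --dport 20 -j ACCEPT
-A INPUT -p tcp -m tcp --dport 21 -j ACCEPT
-A OUTPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
-A OUTPUT -p tcp -m tcp --dport 20 -j ACCEPT
-A OUTPUT -p tcp -m tcp --dport 21 -j ACCEPT
COMMIT
"""

# Constructed /proc/modules excerpt: ip_conntrack present, the FTP helper not (the
# situation Richard found with lsmod).
SAMPLE_MODULES = "ip_conntrack 53281 2 iptable_nat,ip_conntrack_irc, Live 0xf8c9a000\n"

FTP_HELPERS = ("nf_conntrack_ftp", "ip_conntrack_ftp")


def parse_filter_rules(dump):
    """Return (policies, rules) for the *filter table.

    policies maps chain -> default policy; rules is a list of dicts holding the
    fields the audit needs (chain, proto, dport, states, target, original text).
    """
    policies, rules, in_filter = {}, [], False
    for raw in dump.splitlines():
        line = raw.strip()
        if line.startswith("*"):                  # table header
            in_filter = line == "*filter"
            continue
        if not in_filter or not line or line.startswith("#") or line == "COMMIT":
            continue
        if line.startswith(":"):                  # ":CHAIN POLICY [pkts:bytes]"
            chain, policy = line[1:].split()[:2]
            policies[chain] = policy
            continue
        toks = shlex.split(line)                  # shlex keeps quoted --log-prefix intact
        if toks[:1] != ["-A"]:
            continue
        rule = {"chain": toks[1], "proto": None, "dport": None, "states": set(),
                "target": None, "text": line}
        i = 2
        while i < len(toks):
            t = toks[i]
            if t == "-p":
                rule["proto"] = toks[i + 1]; i += 2
            elif t == "--dport":
                rule["dport"] = toks[i + 1]; i += 2   # kept as text: may be a range
            elif t == "--state":
                rule["states"] = set(toks[i + 1].split(",")); i += 2
            elif t == "-j":
                rule["target"] = toks[i + 1]; i += 2
            else:
                i += 1
        rules.append(rule)
    return policies, rules


def audit(dump, proc_modules):
    """Return a list of findings (empty means the FTP-related checks all pass)."""
    policies, rules = parse_filter_rules(dump)
    findings = []

    def accepts(chain, **want):
        return policies.get(chain) == "ACCEPT" or any(
            r["chain"] == chain and r["target"] == "ACCEPT"
            and all(r.get(k) == v for k, v in want.items()) for r in rules)

    # 1. Rules keyed on destination port 20 never match active-mode data connections,
    #    which come from the server's SOURCE port 20 to an ephemeral port.
    for r in rules:
        if r["chain"] in ("INPUT", "OUTPUT") and r["proto"] == "tcp" and r["dport"] == "20":
            findings.append(f"dead rule (active FTP uses source port 20, not dport 20): {r['text']}")

    # 2. The one static rule outgoing FTP needs: the control connection to port 21.
    if not accepts("OUTPUT", proto="tcp", dport="21"):
        findings.append("OUTPUT does not allow tcp dport 21; the FTP control connection cannot be opened")

    # 3. RELATED is how the helper's expectation admits the data connection.
    for chain in ("INPUT", "OUTPUT"):
        if policies.get(chain) != "ACCEPT" and not any(
                r["chain"] == chain and r["target"] == "ACCEPT" and "RELATED" in r["states"]
                for r in rules):
            findings.append(f"{chain} has no ACCEPT for --state RELATED; FTP data connections will be dropped")

    # 4. The helper module itself; the first field of each /proc/modules line is the name.
    loaded = {line.split()[0] for line in proc_modules.splitlines() if line.strip()}
    if not loaded & set(FTP_HELPERS):
        findings.append("no FTP conntrack helper loaded (modprobe nf_conntrack_ftp, or ip_conntrack_ftp on older kernels)")
    return findings


if __name__ == "__main__":
    for f in audit(SAMPLE_DUMP, SAMPLE_MODULES):
        print("-", f)
```

Run against a live box with `audit(open("/etc/iptables.rules").read(), open("/proc/modules").read())` or by piping `iptables-save` output in. It flags the two `--dport 20` rules Richard decided to remove and the missing helper; once those rules are dropped and `nf_conntrack_ftp` (or `ip_conntrack_ftp`) appears in /proc/modules it reports nothing.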