From: "jherschel" <jherschel@quarry.com>
To: netfilter@lists.netfilter.org
Subject: PASV rules opening up my high-ports - Whoops - sent the first one in HTML
Date: Mon, 26 May 2003 16:00:50 -0400
Message-ID: <FKEKLDLBAFLHIMEKAJJAIECJCAAA.jherschel@quarry.com>
Howdy,
Thanks in advance for reading this, if this is a common issue, I apologize –
but could you point me to a searchable archive so I don’t bug this list with
previously asked questions?
Anyways – here goes …
I’ve got rules for FTP inbound/outbound for both PORT and PASV connections.
I’m also running MySQL, which defaults to port 3306.
If FTP PASV rules are enabled, either as a server or client, it seems all my
high ports are open to be connected to. I’ve tried enforcing state, but I
end up either breaking the rule so that FTP doesn’t work, or I end up
opening the high-ports again.
Is there a way to fix this by developing a better rule? Or should I limit my
PASV ports to a range that does not overlap with other services?
Here are the related rules … (the PASV rules are commented out)
#
# General rules
#
modprobe ip_tables
modprobe ip_conntrack
modprobe ip_conntrack_ftp
#################################################################
# Kernel configuration section and cleansing of the filter, nat,#
# and mangle tables                                             #
#################################################################
echo -n $"clearing old rules from tables:"
# flush all chains, delete user-defined chains and zero the counters
# (zeroing is needed on restart); keep every step in one && chain so
# success/failure reflects all of them
$IPTABLES -F && \
$IPTABLES -t filter -F INPUT && \
$IPTABLES -t filter -F FORWARD && \
$IPTABLES -X && \
$IPTABLES -t filter -Z && \
success $"clearing old rules from tables" || \
failure $"clearing old rules from tables"
echo
# set all filtering to DROP as default
echo -n $"setting default rules to DROP: "
# used to be IPTABLES -t filter -P ...
$IPTABLES -P INPUT DROP && \
$IPTABLES -P FORWARD DROP && \
$IPTABLES -P OUTPUT DROP && \
success $"setting default rules to DROP" || \
failure $"setting default rules to DROP"
echo
#
# FTP RULES
#
if [[ $FTP_client == 1 ]] ; then
echo -n $"adding FTP client rules: "
# Outgoing Request
$IPTABLES -A INPUT -i $IFACE -p tcp \
-s any/0 --sport 21 \
-d $LOCAL_IP --dport 1024: \
-m state --state ESTABLISHED \
-j ACCEPT &&\
$IPTABLES -A OUTPUT -o $IFACE -p tcp \
-s $LOCAL_IP --sport 1024: \
-d any/0 --dport 21 \
-m state --state NEW,ESTABLISHED \
-j ACCEPT &&\
# PORT FTP Connections
$IPTABLES -A INPUT -i $IFACE -p tcp \
-s any/0 --sport 20 \
-d $LOCAL_IP --dport 1024: \
-m state --state ESTABLISHED,RELATED \
-j ACCEPT &&\
$IPTABLES -A OUTPUT -o $IFACE -p tcp \
-s $LOCAL_IP --sport 1024: \
-d any/0 --dport 20 \
-m state --state ESTABLISHED \
-j ACCEPT &&\
# PASV FTP Connections
# $IPTABLES -A INPUT -i $IFACE -p tcp \
# -s any/0 --sport 1024: \
# -d $LOCAL_IP --dport 1024: \
# -m state --state ESTABLISHED \
# -j ACCEPT &&\
# $IPTABLES -A OUTPUT -o $IFACE -p tcp \
# -s $LOCAL_IP --sport 1024: \
# -d any/0 --dport 1024: \
# -m state --state ESTABLISHED,RELATED \
# -j ACCEPT &&\
success $"adding FTP client rules" || \
failure $"adding FTP client rules"
echo
fi
Thanks again,
James
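Added example, not code from the original post: the commented-out PASV rules rewritten to rely on the ip_conntrack_ftp helper's RELATED classification instead of naming a high-port range, placed beside the range-based form, with a dry-run wrapper so both rule sets can be reviewed before they touch the kernel. Assumed: the poster's IFACE and LOCAL_IP variables (the address below is a constructed placeholder), the iptables "state" match, and ip_conntrack_ftp loaded.

```shell
#!/bin/sh
# Added example, not code from the original post. Assumes the same shell
# variables as the poster's script (IFACE, LOCAL_IP), iptables with the
# "state" match, and ip_conntrack_ftp loaded. DRY_RUN=1 (the default here)
# prints the rules instead of applying them, so they can be reviewed first.
IFACE="${IFACE:-eth0}"
LOCAL_IP="${LOCAL_IP:-192.0.2.10}"   # constructed placeholder address

ipt() {
    if [ "${DRY_RUN:-1}" = 1 ]; then echo "iptables $*"; else iptables "$@"; fi
}

# The poster's commented-out PASV rules: the data connection is admitted by
# naming a high-port range on both ends. Every rule keyed on "1024:" has to
# be reasoned about for each listener in that range (here MySQL on 3306).
ftp_client_rules_port_range() {
    ipt -A INPUT -i "$IFACE" -p tcp --sport 1024: -d "$LOCAL_IP" --dport 1024: \
        -m state --state ESTABLISHED -j ACCEPT
    ipt -A OUTPUT -o "$IFACE" -p tcp -s "$LOCAL_IP" --sport 1024: --dport 1024: \
        -m state --state ESTABLISHED,RELATED -j ACCEPT
}

# Helper-driven alternative: ip_conntrack_ftp parses the PASV reply on the
# control connection and registers an expectation, so the client's SYN to the
# server's data port is classified RELATED and every later packet ESTABLISHED.
# No rule names a high port; an unsolicited inbound SYN to e.g. 3306 is NEW,
# matches nothing here and falls through to the DROP policy.
ftp_client_rules_helper() {
    # replies and helper-expected data connections (also covers PORT mode,
    # where the server connects from port 20 to the client's advertised port)
    ipt -A INPUT -i "$IFACE" -p tcp -d "$LOCAL_IP" \
        -m state --state ESTABLISHED,RELATED -j ACCEPT
    # the only NEW connection this host may open: the control channel
    ipt -A OUTPUT -o "$IFACE" -p tcp -s "$LOCAL_IP" --dport 21 \
        -m state --state NEW -j ACCEPT
    # RELATED admits the PASV data SYN, ESTABLISHED the rest of both streams
    ipt -A OUTPUT -o "$IFACE" -p tcp -s "$LOCAL_IP" \
        -m state --state ESTABLISHED,RELATED -j ACCEPT
}

# Review check: prints "yes" if a rule set admits packets by naming a high
# port range, "no" otherwise. Usage: names_high_port_range ftp_client_rules_helper
names_high_port_range() {
    if "$1" | grep -q -- '--dport 1024:'; then echo yes; else echo no; fi
}
```

Run with DRY_RUN=1 to print the rules, or DRY_RUN=0 as root to install them; the echoed lines are what `iptables -L -v` should then show.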