* Yet another FTP connection problem
From: Erik Pagel @ 2002-06-06 15:41 UTC (permalink / raw)
To: netfilter
Hi,
there seems to be a problem within my FTP rules. I'm not able to make any
ftp connection.
I'm able to send but not to receive any packet.
Maybe someone can point me to my mistake.
iptables -N ftp
# No incoming connections, only outgoing and only in PASV mode.
iptables -A ftp -p tcp --dport 20:21 -o $I_EXTERN -j ACCEPT
iptables -A ftp -p tcp --sport 20:21 -i $I_EXTERN -m state --state ESTABLISHED,RELATED -j ACCEPT
iptables -A ftp -p tcp --dport 20:21 -i $I_EXTERN -m state --state NEW,INVALID -j LOG --log-level warning --log-prefix "DROP:FTP Incomming"
iptables -A ftp -p tcp --dport 20:21 -i $I_EXTERN -m state --state NEW,INVALID -j DROP
iptables -A INPUT -j ftp
iptables -A OUTPUT -j ftp
iptables -A FORWARD -j ftp
All I get after several tries to establish a connection from my firewall to
ftp.funet.fi is:
iptables -v -L ftp
 pkts bytes target prot opt in   out  source   destination
   20  1200 ACCEPT tcp  --  any  ppp+ anywhere anywhere    tcp dpts:ftp-data:ftp
    0     0 ACCEPT tcp  --  ppp+ any  anywhere anywhere    tcp spts:ftp-data:ftp state RELATED,ESTABLISHED
    0     0 ACCEPT tcp  --  ppp+ any  anywhere anywhere    tcp dpts:ftp-data:ftp state RELATED,ESTABLISHED
    0     0 LOG    tcp  --  ppp+ any  anywhere anywhere    tcp dpts:ftp-data:ftp state INVALID,NEW LOG level warning prefix `DROP:FTP Incomming'
    0     0 DROP   tcp  --  ppp+ any  anywhere anywhere    tcp dpts:ftp-data:ftp state INVALID,NEW
--------------------------
Thanks in advance
Erik Pagel
* Re: Yet another FTP connection problem
From: Antony Stone @ 2002-06-06 15:55 UTC (permalink / raw)
To: netfilter
On Thursday 06 June 2002 4:41 pm, Erik Pagel wrote:
> Hi,
>
> there seems to be a problem within my FTP rules. I'm not able to make any
> ftp connection.
> I'm able to send but not to recevie any package.
Please be more specific. If you are "unable to make any ftp connection"
then how are you able to send files ?
You say you can send but not receive - do you mean that the PUT command works
and the GET command doesn't ?
If that is what you mean, then it's not a netfilter problem.....
Antony.
* Re: Yet another FTP connection problem
From: Antony Stone @ 2002-06-06 16:06 UTC (permalink / raw)
To: netfilter
On Thursday 06 June 2002 4:41 pm, Erik Pagel wrote:
> iptables -N ftp
> iptables -A ftp -p tcp --dport 20:21 -o $I_EXTERN -j ACCEPT
> iptables -A ftp -p tcp --sport 20:21 -i $I_EXTERN -m state --state ESTABLISHED,RELATED -j ACCEPT
> iptables -A ftp -p tcp --dport 20:21 -i $I_EXTERN -m state --state NEW,INVALID -j LOG --log-level warning --log-prefix "DROP:FTP Incomming"
> iptables -A ftp -p tcp --dport 20:21 -i $I_EXTERN -m state --state NEW,INVALID -j DROP
> iptables -A INPUT -j ftp
> iptables -A OUTPUT -j ftp
> iptables -A FORWARD -j ftp
That is a very strange set of rules to try applying to all three of INPUT,
FORWARD and OUTPUT chains !
Please can you tell us whether you are trying to ftp from this machine with
the netfilter rules on, or is the netfilter machine acting as a router
between the ftp client and server ?
Antony.
* Re: Yet another FTP connection problem
From: Erik Pagel @ 2002-06-06 16:27 UTC (permalink / raw)
To: Antony Stone, netfilter
Hi again,
sorry for not being specific enough.
>> there seems to be a problem within my FTP rules. I'm not able to make any
>> ftp connection.
>> I'm able to send but not to recevie any package.
>
> Please be more specific. If you are "unable to make any ftp connection"
> then how are you able to send files ?
No, I'm not able to send any files. I'm not even able to make any connection.
All attempts end with a connection timeout. Iptraf shows that the response from
the ftp server to my first TCP packet (SYN) made it to my external
interface but didn't get through the rules.
Maybe my internet box didn't recognise it as a related connection.
The ip_nat_ftp and ip_conntrack_ftp modules are loaded.
> You say you can send but not receive - do you mean that the PUT command
> works and the GET command doesn't ?
>
> If that is what you mean, then it's not a netfilter problem.....
see above.
>
> Antony.
>
bye Erik
* Re: Yet another FTP connection problem
From: Erik Pagel @ 2002-06-06 16:30 UTC (permalink / raw)
To: Antony Stone, netfilter
Hi,
--On Thursday, 6 June 2002 17:06 +0100 Antony Stone
<Antony@Soft-Solutions.co.uk> wrote:
> On Thursday 06 June 2002 4:41 pm, Erik Pagel wrote:
>
>> iptables -N ftp
>> iptables -A ftp -p tcp --dport 20:21 -o $I_EXTERN -j ACCEPT
>> iptables -A ftp -p tcp --sport 20:21 -i $I_EXTERN -m state --state ESTABLISHED,RELATED -j ACCEPT
>> iptables -A ftp -p tcp --dport 20:21 -i $I_EXTERN -m state --state NEW,INVALID -j LOG --log-level warning --log-prefix "DROP:FTP Incomming"
>> iptables -A ftp -p tcp --dport 20:21 -i $I_EXTERN -m state --state NEW,INVALID -j DROP
>
>> iptables -A INPUT -j ftp
>> iptables -A OUTPUT -j ftp
>> iptables -A FORWARD -j ftp
>
> That is a very strange set of rules to try applying to all three of
> INPUT, FORWARD and OUTPUT chains !
>
> Please can you tell us whether you are trying to ftp from this machine
> with the netfilter rules on, or is the netfilter machine acting as a
> router between the ftp client and server ?
Both, I want to send files from this machine, and this machine also acts as a
router for my internal network.
That's the reason why I apply the rules to all three chains.
>
> Antony.
>
bye Erik
* Re: Yet another FTP connection problem
From: Antony Stone @ 2002-06-06 16:50 UTC (permalink / raw)
To: netfilter
On Thursday 06 June 2002 5:30 pm, Erik Pagel wrote:
> > Please can you tell us whether you are trying to ftp from this machine
> > with the netfilter rules on, or is the netfilter machine acting as a
> > router between the ftp client and server ?
>
> Both, I want to send files from this machine, and this machine also acts as a
> router for my internal network.
> That's the reason why I apply the rules to all three chains.
Okay. Let's deal with those two requirements one at a time.
First, to use this machine as an ftp client to a machine on the Internet:
# standard policy on all chains
iptables -P INPUT DROP
iptables -P OUTPUT DROP
iptables -P FORWARD DROP
# allow ftp control connections outbound
iptables -A OUTPUT -p tcp --dport 21 -j ACCEPT
# allow replies back from ftp servers
iptables -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
# if you want to use names your firewall must be able to do DNS lookups
iptables -A OUTPUT -p tcp --dport 53 -j ACCEPT
iptables -A OUTPUT -p udp --dport 53 -j ACCEPT
With those rules you should be able to contact external ftp servers from the
firewall and send / receive files.
You need to have loaded as modules, or compiled into your kernel, state
matching, ftp connection tracking and general connection tracking.
Next, allow this machine to route internal ftp clients to external servers:
iptables -A FORWARD -o $EXT_IF -p tcp --dport 21 -j ACCEPT
iptables -A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT
iptables -A FORWARD -o $EXT_IF -p tcp --dport 53 -j ACCEPT
iptables -A FORWARD -o $EXT_IF -p udp --dport 53 -j ACCEPT
if you need to masquerade internal clients behind your firewall's external
address (which wasn't in your original ruleset, so maybe you don't need to ?):
iptables -A POSTROUTING -t nat -o $EXT_IF -j SNAT --to $EXT_IP
Let us know how you get on with those.
Antony.
* Re: Yet another FTP connection problem
From: Tom Eastep @ 2002-06-06 16:56 UTC (permalink / raw)
To: Antony Stone; +Cc: netfilter@lists.samba.org
On Thu, 6 Jun 2002, Antony Stone wrote:
> On Thursday 06 June 2002 5:30 pm, Erik Pagel wrote:
>
> > > Please can you tell us whether you are trying to ftp from this machine
> > > with the netfilter rules on, or is the netfilter machine acting as a
> > > router between the ftp client and server ?
> >
> > Both, I want to send files from this machine, and this machine also acts as a
> > router for my internal network.
> > That's the reason why I apply the rules to all three chains.
>
> Okay. Let's deal with those two requirements one at a time.
>
> First, to use this machine as an ftp client to a machine on the Internet:
>
> # standard policy on all chains
> iptables -P INPUT DROP
> iptables -P OUTPUT DROP
> iptables -P FORWARD DROP
>
> # allow ftp control connections outbound
> iptables -A OUTPUT -p tcp --dport 21 -j ACCEPT
> # allow replies back from ftp servers
> iptables -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
> # if you want to use names your firewall must be able to do DNS lookups
> iptables -A OUTPUT -p tcp --dport 53 -j ACCEPT
> iptables -A OUTPUT -p udp --dport 53 -j ACCEPT
>
Some FTP sites use auth which can cause connection timeouts with that
ruleset. For safety, I recommend adding
iptables -A INPUT -p tcp --dport 113 -j REJECT
-Tom
--
Tom Eastep \ Shorewall - iptables made easy
AIM: tmeastep \ http://www.shorewall.net
ICQ: #60745924 \ teastep@shorewall.net
* Re: Yet another FTP connection problem
From: Antony Stone @ 2002-06-06 17:01 UTC (permalink / raw)
To: netfilter@lists.samba.org
On Thursday 06 June 2002 5:56 pm, Tom Eastep wrote:
> Some FTP sites use auth which can cause connection timeouts with that
> ruleset. For safety, I recommend adding
>
> iptables -A INPUT -p tcp --dport 113 -j REJECT
Yes, good point.
I'm thinking of a way to get IDENT requests classified as RELATED, so you can
either do this without leaving port 113 visible by the RSTs it sends, or even
get the IDENTs sent through to the original client for it to deal with....
Antony.
* Re: Yet another FTP connection problem
From: Tom Eastep @ 2002-06-06 17:27 UTC (permalink / raw)
To: Antony Stone; +Cc: netfilter@lists.samba.org
On Thu, 6 Jun 2002, Antony Stone wrote:
> On Thursday 06 June 2002 5:56 pm, Tom Eastep wrote:
>
> > Some FTP sites use auth which can cause connection timeouts with that
> > ruleset. For safety, I recommend adding
> >
> > iptables -A INPUT -p tcp --dport 113 -j REJECT
>
> Yes, good point.
>
> I'm thinking of a way to get IDENT requests classified as RELATED, so you can
> either do this without leaving port 113 visible by the RSTs it sends, or even
> get the IDENTs sent through to the original client for it to deal with....
>
Nod -- the whole identd/auth thing should just go away as it is based on
assumptions that haven't been true for years. Nevertheless, it seems to
hang on from sheer inertia and there's no current mechanism for dealing
with it in a stealthy way.
-Tom
--
Tom Eastep \ Shorewall - iptables made easy
AIM: tmeastep \ http://www.shorewall.net
ICQ: #60745924 \ teastep@shorewall.net
* Re: Yet another FTP connection problem
From: Erik Pagel @ 2002-06-06 17:47 UTC (permalink / raw)
To: Antony Stone, netfilter
Hi Antony,
sorry, I must apologise again, but I didn't send all my rules, just the ftp
part.
Of course my standard policy is deny, and I also manage my own DNS server.
NAT is also installed and working. The only part not working is the ftp
ruleset.
># allow ftp control connections outbound
> iptables -A OUTPUT -p tcp --dport 21 -j ACCEPT
Why only port 21 and not also port 20 (data channel)?
># allow replies back from ftp servers
> iptables -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
Ok, but I want to restrict the port range to source ports 20 and 21.
Anyway, my last ruleset had a line like this, but I want to get rid of it.
[...] I deleted some lines just to keep the reply short.
> iptables -A POSTROUTING -t nat -o $EXT_IF -j SNAT --to $EXT_IP
I use this rule
iptables -t nat -A POSTROUTING -o $I_EXTERN -j MASQUERADE
> Let us know how you get on with those.
sorry, not until now.
>
> Antony.
>
bye Erik
* Re: Yet another FTP connection problem
From: Erik Pagel @ 2002-06-06 17:51 UTC (permalink / raw)
To: Tom Eastep; +Cc: netfilter@lists.samba.org
Hi Tom,
> Some FTP sites use auth which can cause connection timeouts with that
> ruleset. For safety, I recommend adding
>
> iptables -A INPUT -p tcp --dport 113 -j REJECT
Possible but I traced the connection with tcpdump and didn't see any
connection to port 113.
* Re: Yet another FTP connection problem
From: Tom Eastep @ 2002-06-06 18:32 UTC (permalink / raw)
To: Erik Pagel; +Cc: netfilter@lists.samba.org
On Thu, 6 Jun 2002, Erik Pagel wrote:
> Hi Tom,
>
> > Some FTP sites use auth which can cause connection timeouts with that
> > ruleset. For safety, I recommend adding
> >
> > iptables -A INPUT -p tcp --dport 113 -j REJECT
>
> Possible but I traced the connection with tcpdump and didn't see any
> connection to port 113.
>
My point was that if you use FTP long enough, you will see such connection
requests from certain servers. Best to have the rule in place ahead of
time than to wonder why you can't connect to ftp.anachronisms.com.
-Tom
--
Tom Eastep \ Shorewall - iptables made easy
AIM: tmeastep \ http://www.shorewall.net
ICQ: #60745924 \ teastep@shorewall.net
* Re: Yet another FTP connection problem
From: Antony Stone @ 2002-06-06 18:51 UTC (permalink / raw)
To: netfilter
On Thursday 06 June 2002 6:47 pm, Erik Pagel wrote:
> Hi Antony,
>
> sorry I must apologise again, but I didn't send all my rules, just the ftp
> part.
It's always good to post your complete ruleset, just in case you've got
something in a rule you don't think is important, which is causing all the
troubles...
> Of course my standard policy is deny,
Good :-)
> also I manage my own DNS Server.
Okay - you still need to make sure your firewall can talk to it, and I guess
you already have the rules to allow port 53 through the firewall for external
lookups.
> NAT is also installed and working.
Okay. I saw you didn't have it and wasn't sure if that was because you
didn't need it (internal clients on routable addresses) or because you
already had it working, or because you'd forgotten it (we get all sorts of
questions on this mailing list).
> The only part not working is the ftp
> ruleset.
>
> ># allow ftp control connections outbound
> > iptables -A OUTPUT -p tcp --dport 21 -j ACCEPT
>
> Why only port 21 and not also port 20 (DATA Channel).
Because the first outbound connection from the client to the server will
always be a control connection, and then replies for both control and data
will be handled as in the ESTABLISHED,RELATED state match.
> ># allow replies back from ftp servers
> > iptables -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
>
> Ok, but I want to restrict the portrange to source port 20 and 21.
Why ? Where else are you going to get ESTABLISHED or RELATED packets from
except in reply to something you've decided to allow out in the first place ?
> Anyway my last ruleset has a line like this but I want to get ride of it.
Maybe you should post the complete ruleset and see if someone can see why ftp
wouldn't work if everything else does.
> > iptables -A POSTROUTING -t nat -o $EXT_IF -j SNAT --to $EXT_IP
>
> I use this rule
> iptables -t nat -A POSTROUTING -o $I_EXTERN -j MASQUERADE
If you have a dynamic address on your external interface, your rule is
correct. It will still work even if you have a static address, but is
considered slightly less efficient for netfilter than specifying SNAT and
the address. Either way, I don't think you'll notice a difference.
> > Let us know how you get on with those.
>
> sorry, not until now.
So did you try them ? Do they work ?
Antony.
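Added example, not part of the thread and not code from any of its participants: a small Python model of what the FTP connection-tracking helper does with the control channel, written to show why Erik's inbound rule restricted to `--sport 20:21` cannot match passive-mode data connections while Antony's state-only `ESTABLISHED,RELATED` rule does. The addresses, ports and FTP lines are constructed, and the helper behaviour is simplified as noted in the comments (the advertised address is used as-is, and active-mode servers are assumed to connect from port 20).

```python
"""Model of the FTP conntrack helper's data-channel expectations (added example).

Constructed sample data only; the helper's behaviour is simplified, see comments.
"""
import re
from dataclasses import dataclass

# Control-channel messages that announce a data connection, RFC 959 h1,h2,h3,h4,p1,p2 form.
_PASV_RE = re.compile(r"^227\b.*?(\d+),(\d+),(\d+),(\d+),(\d+),(\d+)")
_PORT_RE = re.compile(r"^PORT\s+(\d+),(\d+),(\d+),(\d+),(\d+),(\d+)\s*$")


@dataclass(frozen=True)
class Expectation:
    """The data connection the helper will classify as RELATED: who opens it, and to where."""
    opener_ip: str
    dst_ip: str
    dst_port: int


@dataclass(frozen=True)
class Packet:
    """First packet of the data connection arriving on the external interface."""
    src_ip: str
    src_port: int
    dst_ip: str
    dst_port: int
    state: str  # conntrack state that '-m state' sees for this packet


def decode_hostport(fields):
    """Turn the six decimal fields of PASV/PORT into (ip, port); port = p1*256 + p2."""
    nums = [int(f) for f in fields]
    if any(n < 0 or n > 255 for n in nums):
        raise ValueError("each h/p field must fit in one byte")
    h1, h2, h3, h4, p1, p2 = nums
    return f"{h1}.{h2}.{h3}.{h4}", p1 * 256 + p2


def expectation_from_control(line, direction, client_ip, server_ip):
    """Parse one control-channel line; return an Expectation, or None if no data channel is announced.

    direction is "s2c" for server replies (227 after PASV) or "c2s" for client commands (PORT).
    Simplification: the advertised address is used as-is; the real helper can refuse addresses
    that differ from the control connection's endpoints.
    """
    if direction == "s2c":
        m = _PASV_RE.match(line)
        if m is None:
            return None
        ip, port = decode_hostport(m.groups())
        return Expectation(opener_ip=client_ip, dst_ip=ip, dst_port=port)  # passive: client opens
    if direction == "c2s":
        m = _PORT_RE.match(line)
        if m is None:
            return None
        ip, port = decode_hostport(m.groups())
        return Expectation(opener_ip=server_ip, dst_ip=ip, dst_port=port)  # active: server opens
    raise ValueError("direction must be 's2c' or 'c2s'")


def first_inbound_packet(exp, client_ip, server_ip, client_port=40001, active_sport=20):
    """The first packet of the data connection that comes *in* on the external interface."""
    if exp.opener_ip == client_ip:
        # Passive: the client's SYN went out as RELATED; the server's SYN/ACK comes back from the
        # advertised high port as the reply half of that connection, i.e. ESTABLISHED.
        return Packet(exp.dst_ip, exp.dst_port, client_ip, client_port, "ESTABLISHED")
    # Active: the server opens the connection to the advertised client port. Classic servers use
    # source port 20; that is an assumption of this model, the helper does not require it.
    return Packet(server_ip, active_sport, exp.dst_ip, exp.dst_port, "RELATED")


def sport_20_21_rule(pkt):
    """Erik's inbound rule: -p tcp --sport 20:21 -m state --state ESTABLISHED,RELATED -j ACCEPT"""
    return pkt.state in ("ESTABLISHED", "RELATED") and 20 <= pkt.src_port <= 21


def state_only_rule(pkt):
    """Antony's inbound rule: -m state --state ESTABLISHED,RELATED -j ACCEPT"""
    return pkt.state in ("ESTABLISHED", "RELATED")


def analyse(line, direction, client_ip, server_ip):
    """Run one control line through the model; None means the line announces no data channel."""
    exp = expectation_from_control(line, direction, client_ip, server_ip)
    if exp is None:
        return None
    pkt = first_inbound_packet(exp, client_ip, server_ip)
    return {
        "mode": "passive" if exp.opener_ip == client_ip else "active",
        "data_port": exp.dst_port,
        "inbound": pkt,
        "sport_20_21_rule": sport_20_21_rule(pkt),
        "state_only_rule": state_only_rule(pkt),
    }


if __name__ == "__main__":
    CLIENT, SERVER = "192.0.2.10", "198.51.100.7"  # constructed, documentation address ranges
    transcript = [  # constructed control-channel lines
        ("s2c", "220 sample FTP server ready"),
        ("c2s", "PORT 192,0,2,10,156,65"),                           # active, client data port 40001
        ("s2c", "227 Entering Passive Mode (198,51,100,7,195,80)"),  # passive, server data port 50000
    ]
    for direction, line in transcript:
        result = analyse(line, direction, CLIENT, SERVER)
        print(f"{line!r}: {'no data channel' if result is None else result}")
```

In the passive case the server's SYN/ACK arrives from port 50000, so the `--sport 20:21` rule drops the very packet the state match was supposed to let in; only active-mode transfers from a server that happens to use port 20 survive the restriction, which is the point behind Antony's "where else are you going to get ESTABLISHED or RELATED packets from" remark.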