FTP: can connect but cannot transfer data
This may be quite basic for some of you. I'm using my own firewall script on a Suse 8.2P box. See below. Clients can connect and login but when a command like LS or GET is given, nothing happens. It seems data transfer is not possible. It doesn't make a difference whether passive mode is used or not. When I add a line to the script like this:

    iptables -A INPUT -p tcp -s A.B.C.D -j ACCEPT

then the client with IP = A.B.C.D can transfer data. Of course this is not what I want because it is a potential risk. Any help will be appreciated.

Regards,
Jeroen Taalman
Anywise

This is the script I use:

    #!/bin/sh
    iptables -F
    #
    iptables -A INPUT -i lo -j ACCEPT
    iptables -A OUTPUT -o lo -j ACCEPT
    #
    # set defaults (policies)
    #
    iptables -P INPUT DROP
    iptables -P FORWARD DROP
    iptables -P OUTPUT DROP
    #
    # use connection state to bypass rule checking
    iptables -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
    iptables -A OUTPUT -m state --state NEW,ESTABLISHED,RELATED -j ACCEPT
    #
    # allow these ports
    iptables -A INPUT -p tcp -s 0/0 --dport 22 -j ACCEPT     # SSH
    iptables -A INPUT -p tcp -s 0/0 --dport 20 -j ACCEPT     # FTP
    iptables -A INPUT -p tcp -s 0/0 --dport 21 -j ACCEPT     # FTP
    iptables -A INPUT -p tcp -s 0/0 --dport 25 -j ACCEPT     # SMTP
    iptables -A INPUT -p tcp -s 0/0 --dport 80 -j ACCEPT     # HTTP
    iptables -A INPUT -p tcp -s 0/0 --dport 443 -j ACCEPT    # HTTPS
    iptables -A INPUT -p tcp -s 0/0 --dport 1984 -j ACCEPT   # BB c2s
    iptables -A INPUT -p tcp -s 0/0 --dport 3306 -j ACCEPT   # MySQL
    iptables -A INPUT -p tcp -s 0/0 --dport 3310 -j ACCEPT   # MySQL
    iptables -A INPUT -p tcp -s 0/0 --dport 5222 -j ACCEPT   # Jabber c2s
    iptables -A INPUT -p tcp -s 0/0 --dport 5269 -j ACCEPT   # Jabber s2s
    iptables -A INPUT -p tcp -s 0/0 --dport 10000 -j ACCEPT  # Webmin
    #
    # syn flood protection
    iptables -A FORWARD -p tcp --syn -m limit --limit 1/s -j ACCEPT
    #
    # furtive port scanner
    iptables -A FORWARD -p tcp --tcp-flags SYN,ACK,FIN,RST RST -m limit --limit 1/s -j ACCEPT
    #
    # ping of death
    iptables -A INPUT -p icmp --icmp-type echo-request -m limit --limit 1/s -j ACCEPT
    iptables -A INPUT -p icmp --icmp-type echo-request -j DROP
> This may be quite basic for some of you.

(Note: I am not an expert with this but I'll try to help.)

> I'm using my own firewall script on a Suse 8.2P box. See below.

Why not use SuSE8.2 firewall? (I had to ask)

> Clients can connect and login but when a command like LS or GET is given, nothing happens. It seems data transfer is not possible. It doesn't make a difference whether passive mode is used or not.

I won't go as far as to analyze your firewall script. I guess what you need is to have the connection tracking module for ftp included in the modules and then (probably) adjust your rules so that they can follow (ftp) connections. I think the ftp_conntrack(?) module is able to follow how the ftp data connections are opened. Besides, ftp just might need the ftp-data/udp channel too, did you take care of that?

I would go with SuSEfirewall - it is pretty damn good, once you learn it. In any case putting logging rules in will help you find out what gets closed, i.e. what happens during the ftp data connect initialization and why/in which rule it does not get through.

regards,
timo
Hi!

> This may be quite basic for some of you. I'm using my own firewall script on a Suse 8.2P box. See below. Clients can connect and login but when a command like LS or GET is given, nothing happens. It seems data transfer is not possible. It doesn't make a difference whether passive mode is used or not.

--> Maybe http://slacksite.com/other/ftp.html helps to understand the FTP protocol. When using passive ftp, you have to allow connections to all high ports on the server. For active FTP, it's ports 20 and 21 on the server but many ports on the client. Neither solution is really nice. Have you thought about using scp/sftp (there are nice clients for Linux and Windows), which is much easier for firewalling (you only need port 22)?

HTH,
Armin

-- 
Am Hasenberg 26                  office: Institut für Atmosphärenphysik
D-18209 Bad Doberan                      Schloss-Straße 6
Tel. ++49-(0)38203/42137                 D-18225 Kühlungsborn / GERMANY
Email: schoech@iap-kborn.de              Tel. +49-(0)38293-68-102
WWW: http://armins.cjb.net/              Fax. +49-(0)38293-68-50
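Putting timo's connection-tracking hint and Armin's point about high ports together: the script below is an added example, not any poster's own firewall script. It assumes a 2.4-era kernel as on SuSE 8.2, where the FTP helper module is ip_conntrack_ftp (nf_conntrack_ftp on 2.6 and later), and an IPT variable that can be pointed at echo for a dry run.

```shell
#!/bin/sh
# Added example: FTP-aware rules for the firewall discussed in the thread.
# Assumption: IPT can be overridden (IPT=echo) to print the rules instead of loading them.
IPT=${IPT:-iptables}

# The helper follows the control channel (port 21). Every PASV reply or PORT command
# it sees registers an "expectation" for the announced data connection, so that
# connection's first packet matches --state RELATED instead of NEW. No range of
# high ports has to be opened, and no per-client "-s A.B.C.D" rule is needed.
load_ftp_helper() {
    modprobe ip_conntrack_ftp 2>/dev/null || modprobe nf_conntrack_ftp
}

# Data port announced in a "227 Entering Passive Mode (h1,h2,h3,h4,p1,p2)" reply:
# port = p1*256 + p2. This is the port the helper expects the client to connect to.
pasv_data_port() {
    set -- $(printf '%s\n' "$1" | sed -n 's/.*(\([0-9]*\),\([0-9]*\),\([0-9]*\),\([0-9]*\),\([0-9]*\),\([0-9]*\)).*/\5 \6/p')
    [ $# -eq 2 ] || return 1
    echo $(( $1 * 256 + $2 ))
}

ftp_rules() {
    # Replies and helper-expected data connections are accepted before anything else.
    "$IPT" -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
    # Control channel: the only FTP port that must accept NEW connections.
    "$IPT" -A INPUT -p tcp --dport 21 -m state --state NEW -j ACCEPT
    # Active mode: the server dials the client from port 20, which OUTPUT NEW covers;
    # the "--dport 20" INPUT rule from the original script is therefore not needed.
    "$IPT" -A OUTPUT -m state --state NEW,ESTABLISHED,RELATED -j ACCEPT
}
```

With the helper loaded, the client's SYN to the PASV-announced port arrives as RELATED and is accepted by the state rule; without it, the same SYN is NEW on an unlisted port and hits the DROP policy, which is exactly the symptom in the first message.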
> --> Maybe http://slacksite.com/other/ftp.html helps to understand the FTP protocol. When using passive ftp, you have to allow connections to all high ports on the server. For active FTP, it's ports 20 and 21 on the server but many ports on the client. Neither solution is really nice.

Yes I know. Most clients are behind firewalls, so neither active nor passive FTP works with the current settings.

> Have you thought about using scp/sftp (there are nice clients for Linux and Windows), which is much easier for firewalling (you only need port 22)?

Bingo! Never thought of that. Will try that immediately and report my findings here. Thanks (also Timo) for your help.

Jeroen