Hello,
Sorry, my English is not so good!
I have written my firewall with iptables. I can connect to an FTP server but
cannot do an ls or dir.
linux:~ # ftp ftp.suse.com
Connected to ftp.suse.com (217.9.113.66).
220 "Welcome to the SuSE ftp server: Please login as user 'ftp'"
Name (ftp.suse.com:root): ftp
331 Please send your email address as a password.
Password:
230-+----------------------------------------------------------------+
230-| Welcome to the SuSE Linux FTP archives in Nürnberg Germany |
230-+----------------------------------------------------------------+
230-+------------------------------+ +------------------------------+
230-| SuSE Inc. | | SuSE GmbH |
230-| 318 Harrison St. | | Deutschherrnstr. 15-19 |
230-| Oakland, CA 94607 | | 90429 Nuernberg |
230-| USA | | Germany |
230-+------------------------------+ +------------------------------+
230-| Tel: +1-510-628-3380 | | Tel: +49-911-740530 |
230-| FAX: +1-510-628-3381 | | FAX: +49-911-7417755 |
230-+------------------------------+ +------------------------------+
230-| http://www.suse.com/ | | http://www.suse.de/ |
230-+------------------------------+ +------------------------------+
230-Please make sure to read pub/INDEX before sending mail to
230-ftpadmin@suse.com
230-
230-User limit: 600 - consider using a mirror-site:
230-http://www.suse.de/en/support/download/ftp/int_mirrors.html (Int.)
230-http://www.suse.de/en/support/download/ftp/germ_mirrors.html (DE)
230-
230-Users from Europe (in particular German universities):
230-ftp://ftp.gwdg.de/pub/linux/suse/
230-ftp://ftp.leo.org/pub/comp/os/unix/linux/suse/suse/
230-ftp://ftp.uni-kl.de/pub/linux/suse/
230-
230-If you are experiencing any problems with this server, please email
230-ftpadmin@suse.com.
230-
230 Login successful. Have a lot of fun.
Remote system type is UNIX.
Using binary mode to transfer files.
ftp> dir
200 PORT command successful. Consider using PASV.
--------------------------------------------------
--------------------------------------------------
-----snip------
#My Firewall config for FTP
# FTP OUT Control-Connection
iptables -A OUTPUT -p TCP --sport $p_high --dport ftp -j ACCEPT
iptables -A INPUT -p TCP --dport $p_high --sport ftp ! --syn -j ACCEPT
# FTP OUT Passive Data-Connection
iptables -A OUTPUT -p TCP --sport $p_high --dport $p_high -j ACCEPT
iptables -A INPUT -p TCP --dport $p_high --sport $p_high ! --syn -j ACCEPT
# MASQUERADING
iptables -t nat -A POSTROUTING -o $EXT -j MASQUERADE
echo "1" > /proc/sys/net/ipv4/ip_forward
echo "1" > /proc/sys/net/ipv4/ip_dynaddr
iptables -A OUTPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
iptables -A FORWARD -i $INT -o $EXT -m state --state ESTABLISHED,RELATED -j ACCEPT
iptables -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
iptables -A FORWARD -i $EXT -o $INT -m state --state ESTABLISHED,RELATED -j ACCEPT
iptables -A OUTPUT -p ICMP --icmp-type echo-request -j ACCEPT
iptables -A FORWARD -o $EXT -p ICMP --icmp-type echo-request -j ACCEPT
iptables -A FORWARD -o $EXT -m state --state NEW -p TCP --sport $p_high --dport ftp -j ACCEPT
iptables -A FORWARD -o $EXT -m state --state NEW -p TCP --sport $p_high --dport $p_high -j ACCEPT
-----snap-----
----------------------------------------------------------------------
----------------------------------------------------------------------
tcpdump -i ippp0
19:59:13.290242 217.4.250.8.filenet-tms > 213.95.15.193.domain: 2909 A? ftp.suse.com. (30) (DF)
19:59:13.345807 213.95.15.193.domain > 217.4.250.8.filenet-tms: 2909* 1/2/2 A 217.9.113.66 (132) [tos 0x10]
19:59:13.347190 217.4.250.8.35608 > 217.9.113.66.ftp: S 926670463:926670463(0) win 5840
217.4.250.8.35608: S 840322402:840322402(0) ack 926670464 win 32120
217.9.113.66.ftp: . ack 1 win 5840 (DF)
19:59:13.518270 217.9.113.66.ftp > 217.4.250.8.35608: P 1:249(248) ack 1 win 32120 (DF
19:59:13.518367 217.4.250.8.35608 > 217.9.113.66.ftp: . ack 249 win 6432 (DF) [tos 0x1
19:59:13.518817 217.4.250.8.35608 > 217.9.113.66.ftp: F 1:1(0) ack 249 win 6432 (DF) [
19:59:13.525785 217.9.113.66.ftp > 217.4.250.8.35608: F 249:249(0) ack 1 win 32120 (DF
19:59:13.526164 217.4.250.8.35608 > 217.9.113.66.ftp: . ack 250 win 6432 (DF) [tos 0x1
19:59:13.572175 217.9.113.66.ftp > 217.4.250.8.35608: . ack 2 win 32120 (DF)
19:59:20.501533 217.4.250.8.35609 > 217.9.113.66.ftp: S 933158888:933158888(0) win 5840
217.4.250.8.35609: S 856735184:856735184(0) ack 933158889 win 32120
217.9.113.66.ftp: . ack 1 win 5840 (DF)
19:59:20.650476 217.9.113.66.ftp > 217.4.250.8.35609: P 1:67(66) ack 1 win 32120 (DF)
19:59:20.650579 217.4.250.8.35609 > 217.9.113.66.ftp: . ack 67 win 5840 (DF) [tos 0x10
19:59:24.856106 217.4.250.8.35609 > 217.9.113.66.ftp: P 1:11(10) ack 67 win 5840 (DF)
19:59:24.896293 217.9.113.66.ftp > 217.4.250.8.35609: . ack 11 win 32120 (DF)
19:59:24.910156 217.9.113.66.ftp > 217.4.250.8.35609: P 67:118(51) ack 11 win 32120 (D
19:59:24.910224 217.4.250.8.35609 > 217.9.113.66.ftp: . ack 118 win 5840 (DF) [tos 0x1
19:59:26.198941 217.4.250.8.35609 > 217.9.113.66.ftp: P 11:25(14) ack 118 win 5840 (DF
19:59:26.261343 217.9.113.66.ftp > 217.4.250.8.35609: P 118:190(72) ack 25 win 32120 (
19:59:26.261425 217.4.250.8.35609 > 217.9.113.66.ftp: . ack 190 win 5840 (DF) [tos 0x1
19:59:26.277847 217.9.113.66.ftp > 217.4.250.8.35609: P 190:262(72) ack 25 win 32120 (
19:59:26.277920 217.4.250.8.35609 > 217.9.113.66.ftp: . ack 262 win 5840 (DF) [tos 0x1
19:59:26.294356 217.9.113.66.ftp > 217.4.250.8.35609: P 262:334(72) ack 25 win 32120 (
19:59:26.294424 217.4.250.8.35609 > 217.9.113.66.ftp: . ack 334 win 5840 (DF) [tos 0x1
19:59:26.310864 217.9.113.66.ftp > 217.4.250.8.35609: P 334:406(72) ack 25 win 32120 (
19:59:26.310932 217.4.250.8.35609 > 217.9.113.66.ftp: . ack 406 win 5840 (DF) [tos 0x1
19:59:26.521730 217.9.113.66.ftp > 217.4.250.8.35609: P 406:1771(1365) ack 25 win 32120
217.9.113.66.ftp: . ack 1771 win 8190 (DF) [tos 0x
19:59:26.523495 217.4.250.8.35609 > 217.9.113.66.ftp: P 25:31(6) ack 1771 win 8190 (DF
19:59:26.599132 217.9.113.66.ftp > 217.4.250.8.35609: P 1771:1790(19) ack 31 win 32120
19:59:26.638231 217.4.250.8.35609 > 217.9.113.66.ftp: . ack 1790 win 8190 (DF) [tos 0x
19:59:29.151684 217.4.250.8.35609 > 217.9.113.66.ftp: P 31:56(25) ack 1790 win 8190 (D
19:59:29.208498 217.9.113.66.ftp > 217.4.250.8.35609: P 1790:1841(51) ack 56 win 32120
19:59:29.208584 217.4.250.8.35609 > 217.9.113.66.ftp: . ack 1841 win 8190 (DF) [tos 0x
19:59:29.208840 217.4.250.8.35609 > 217.9.113.66.ftp: P 56:62(6) ack 1841 win 8190 (DF
19:59:29.257378 217.9.113.66.ftp-data > 217.4.250.8.35610: S 870057160:870057160(0) win 32120
217.4.250.8.35609: . ack 62 win 32120 (DF)
19:59:32.304569 217.9.113.66.ftp-data > 217.4.250.8.35610: S 870057160:870057160(0) win 32120

Which ports must I open?
Thanks for your config or help,
Roland

-- 
Check the headers for your unsubscription address
For additional commands, e-mail: suse-security-help@suse.com
Security-related bug reports go to security@suse.de, not here

My English is not good either... :)

Look. The FTP server needs a PASSIVE connection. This is done by the FTP-DATA
port (port 20). Try to free this port in iptables too, and everything will work
fine (I hope so)!

The other option is to work in FTP with passive mode disabled.

Good luck,

Wagner Sartori Junior
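Added example, not code from anyone in the thread. In Roland's transcript the client sent PORT, so the server opens the data connection from its own port 20 (ftp-data) to a high port on the client; with PASV the client opens it instead. The two SYNs from 217.9.113.66.ftp-data to 217.4.250.8.35610 three seconds apart, with no SYN-ACK in the capture, are that inbound data connection going unanswered. The script below derives the data-connection SYN from a PORT command or a 227 reply (the same text the ip_conntrack_ftp helper parses) and scans tcpdump output for SYNs that were never answered. The addresses are those of the capture; the PORT/227 arguments and the SYN-ACK line in the sample are constructed.

```shell
#!/bin/sh
# Added example, not part of the thread. Two helpers:
#  ftp_data_syn    derives the data-connection SYN from a PORT command or a
#                  227 reply, the same text the ip_conntrack_ftp helper parses;
#  unanswered_syns scans classic tcpdump output for SYNs with no SYN-ACK.
# Addresses are those of the capture; the PORT/227 arguments and the SYN-ACK
# line in the sample are constructed.

# ftp_data_syn "<control line>" "<client ip>" "<server ip>"
# Prints "<mode> <SYN source> <SYN destination>".
ftp_data_syn() {
    line=$1; client=$2; server=$3
    # Both PORT and the 227 reply carry h1,h2,h3,h4,p1,p2; port = p1*256+p2.
    tuple=$(printf '%s\n' "$line" |
        sed -n 's/.*[^0-9]\([0-9]\{1,3\}\(,[0-9]\{1,3\}\)\{5\}\).*/\1/p')
    if [ -z "$tuple" ]; then
        echo "no h1,h2,h3,h4,p1,p2 tuple in: $line" >&2
        return 1
    fi
    set -- $(printf '%s\n' "$tuple" | tr , ' ')
    host=$1.$2.$3.$4
    port=$(( $5 * 256 + $6 ))
    case $line in
        PORT*) echo "active $server:20 $host:$port" ;;     # server dials the client
        227*)  echo "passive $client:high $host:$port" ;;  # client dials the server
        *)     echo "not a PORT command or 227 reply: $line" >&2; return 1 ;;
    esac
}

# unanswered_syns: read tcpdump lines ("time A.port > B.port: S seq:seq(0) ...")
# on stdin; print each "A > B" SYN that no "B > A: S ...(0) ack ..." answered,
# with the number of times it was (re)sent.
unanswered_syns() {
    awk '
        $5 == "S" {
            src = $2; dst = $4; sub(/:$/, "", dst)
            if ($0 ~ /\(0\) ack /)            # SYN-ACK: answers dst -> src
                answered[dst " > " src] = 1
            else                              # plain SYN: count (re)transmissions
                syn[src " > " dst]++
        }
        END {
            for (k in syn) if (!(k in answered)) print k, "syn_count=" syn[k]
        }'
}

# Constructed sample modelled on Roland's capture: the control SYN and its
# SYN-ACK (the SYN-ACK line is made up), then the server's data-connection SYN
# from port 20 to the port announced in PORT, retransmitted three seconds later.
SAMPLE_TCPDUMP='19:59:13.347190 217.4.250.8.35608 > 217.9.113.66.ftp: S 926670463:926670463(0) win 5840
19:59:13.400000 217.9.113.66.ftp > 217.4.250.8.35608: S 840322402:840322402(0) ack 926670464 win 32120
19:59:29.257378 217.9.113.66.ftp-data > 217.4.250.8.35610: S 870057160:870057160(0) win 32120
19:59:32.304569 217.9.113.66.ftp-data > 217.4.250.8.35610: S 870057160:870057160(0) win 32120'

# Constructed PORT argument: 139*256+26 = 35610, the port seen in the capture.
ftp_data_syn 'PORT 217,4,250,8,139,26' 217.4.250.8 217.9.113.66
ftp_data_syn '227 Entering Passive Mode (217,9,113,66,12,34)' 217.4.250.8 217.9.113.66
printf '%s\n' "$SAMPLE_TCPDUMP" | unanswered_syns
```

An `active` result is an inbound SYN from port 20 to a high port. The INPUT rules in the posted script match only `--sport ftp ! --syn`, `--sport $p_high ! --syn` or an ESTABLISHED/RELATED state; a SYN from port 20 matches none of these, and unless ip_conntrack_ftp is loaded conntrack cannot classify it as RELATED, so it is never answered. A `passive` result is an outbound SYN from a high port to a high port, which the posted OUTPUT rule does admit and whose reply is ESTABLISHED.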
Hello Roland,

* Roland Türk wrote on 25 Jan 2003:
> Hello,
> Sorry, my English is not so good! I have written my firewall with iptables.
> I can connect to an FTP server but cannot do an ls or dir.

Have a look at http://www.sns.ias.edu/~jns/security/iptables/iptables_conntrack.html

Short digest: Filtering FTP with iptables is quite simple. You just have to load the module "ip_conntrack_ftp".

To allow general access, do this:

iptables -A INPUT -p tcp --sport 21 -m state --state ESTABLISHED -j ACCEPT
iptables -A OUTPUT -p tcp --dport 21 -m state --state NEW,ESTABLISHED -j ACCEPT

Have a look at --state, that's important.

Active FTP:

iptables -A INPUT -p tcp --sport 20 -m state --state ESTABLISHED,RELATED -j ACCEPT
iptables -A OUTPUT -p tcp --dport 20 -m state --state ESTABLISHED -j ACCEPT

Passive FTP:

iptables -A INPUT -p tcp --sport 1024: --dport 1024: -m state --state ESTABLISHED -j ACCEPT
iptables -A OUTPUT -p tcp --sport 1024: --dport 1024: -m state --state ESTABLISHED,RELATED -j ACCEPT

Filtering FTP without stateful packet filtering is really bad.

(I think if you generally do an iptables -A OUTPUT --state ESTABLISHED,RELATED -j ACCEPT, FTP filtering would be just a few rules :-) )

Greetz,
Tom

-- 
Preissler Thomas
Registered Linux User #265745
GPG-Key: 1024D/C21DAB7F
http://counter.li.org/

Some people, when confronted with a problem, think 'I know, I'll use regular expressions.' Now they have two problems.
-- Jamie Zawinski, alt.religion.emacs (08/12/1997)
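A stateful version of the ruleset for a masquerading router like the one in the thread, added here as an example and not Thomas's or Roland's script. With the ftp connection-tracking helper loaded, the data connection is RELATED to the control connection whichever side opens it, so neither the `! --syn` high-port rules nor a separate port-20 rule are needed (the `! --syn` rules also admit any unsolicited non-SYN packet, which stateful rules do not). The external interface is the one in the capture; the LAN interface, the LAN subnet and the DNS rule are assumptions. ip_nat_ftp is included because masqueraded LAN clients using PORT need the address inside the command rewritten. By default the script only prints the commands; as root, DRY_RUN=0 executes them.

```shell
#!/bin/sh
# Added example, not the script of anyone in the thread: stateful FTP filtering
# for a masquerading router. EXT is the interface in the capture; INT and LAN
# are assumptions. DRY_RUN=1 (default) only prints the commands; as root,
# DRY_RUN=0 executes them.
EXT=${EXT:-ippp0}
INT=${INT:-eth0}
LAN=${LAN:-192.168.0.0/24}
DRY_RUN=${DRY_RUN:-1}

# The rule set, one command per line. Comment lines explain and are skipped
# when applying.
ftp_rules() {
    cat <<EOF
# Connection-tracking helper: it reads PORT/PASV (and EPRT/EPSV) on the
# control channel and registers the announced data connection as RELATED,
# whichever side opens it. ip_nat_ftp rewrites the address inside PORT for
# masqueraded clients. On 2.6.2x and later kernels the modules are called
# nf_conntrack_ftp and nf_nat_ftp, and "-m conntrack --ctstate" replaces
# "-m state --state".
modprobe ip_conntrack_ftp
modprobe ip_nat_ftp
echo 1 > /proc/sys/net/ipv4/ip_forward
echo 1 > /proc/sys/net/ipv4/ip_dynaddr
iptables -F
iptables -t nat -F
iptables -P INPUT DROP
iptables -P OUTPUT DROP
iptables -P FORWARD DROP
iptables -A INPUT -i lo -j ACCEPT
iptables -A OUTPUT -o lo -j ACCEPT
# Everything conntrack already knows, including the data connection the ftp
# helper marks RELATED. This replaces the "! --syn" high-port rules, which
# would also let any unsolicited non-SYN packet in.
iptables -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
iptables -A OUTPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
iptables -A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT
# Only new connections that we initiate: FTP control channel, DNS, ping.
iptables -A OUTPUT -o $EXT -p tcp --dport 21 -m state --state NEW -j ACCEPT
iptables -A FORWARD -i $INT -o $EXT -s $LAN -p tcp --dport 21 -m state --state NEW -j ACCEPT
iptables -A OUTPUT -o $EXT -p udp --dport 53 -m state --state NEW -j ACCEPT
iptables -A FORWARD -i $INT -o $EXT -s $LAN -p udp --dport 53 -m state --state NEW -j ACCEPT
iptables -A OUTPUT -o $EXT -p icmp --icmp-type echo-request -j ACCEPT
iptables -A FORWARD -i $INT -o $EXT -s $LAN -p icmp --icmp-type echo-request -j ACCEPT
# Masquerade the LAN behind the dial-up address.
iptables -t nat -A POSTROUTING -o $EXT -j MASQUERADE
EOF
}

# Print (DRY_RUN=1) or execute (DRY_RUN=0) the rule set, skipping comments.
apply_rules() {
    ftp_rules | grep -v '^[[:space:]]*#' | grep -v '^[[:space:]]*$' |
    while IFS= read -r cmd; do
        if [ "$DRY_RUN" = 1 ]; then printf '%s\n' "$cmd"; else eval "$cmd"; fi
    done
}

apply_rules
```

The helper only works when it can read the control channel: it must see plain FTP on port 21 (other ports need the module's `ports=` parameter), and it cannot follow an encrypted control connection, so FTP over TLS still needs explicit rules for the data ports.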
* Roland Türk wrote on Sat, Jan 25, 2003 at 20:03 +0100:
> I have written my firewall with iptables. I can connect to an FTP server
> but cannot do an ls or dir.
> ftp> dir
> 200 PORT command successful. Consider using PASV.

And, did you consider using PASV?

oki,

Steffen

-- 
This message was generated by machine, so it carries neither signature nor seal.
participants (4)
- Roland Türk
- Steffen Dettmer
- Thomas Preissler
- Wagner Sartori Junior