my English is not good too... :) look. The FTP server, need a PASSIVE connection. This is done by a FTP-DATA port(port 20). Try to free this port in IPTables too, and everything works fine(I hope so)! the other option is to work in FTP with passive mode disable. good luck Wagner Sartori Junior ----- Original Message ----- From: "Roland Türk" To: Sent: Saturday, January 25, 2003 5:03 PM Subject: [suse-security] Firewall with Iptables

Hello,

Sorry, my English is not so good! I have write my Firewall with Iptables.I can connect an FTP Server but not make a ls or dir.

linux:~ # ftp ftp.suse.com Connected to ftp.suse.com (217.9.113.66). 220 "Welcome to the SuSE ftp server: Please login as user 'ftp'" Name (ftp.suse.com:root): ftp 331 Please send your email address as a password. Password: 230-+----------------------------------------------------------------+ 230-| Welcome to the SuSE Linux FTP archives in Nürnberg Germany | 230-+----------------------------------------------------------------+ 230-+------------------------------+ +------------------------------+ 230-| SuSE Inc. | | SuSE GmbH | 230-| 318 Harrison St. | | Deutschherrnstr. 15-19 | 230-| Oakland, CA 94607 | | 90429 Nuernberg | 230-| USA | | Germany | 230-+------------------------------+ +------------------------------+ 230-| Tel: +1-510-628-3380 | | Tel: +49-911-740530 | 230-| FAX: +1-510-628-3381 | | FAX: +49-911-7417755 | 230-+------------------------------+ +------------------------------+ 230-| http://www.suse.com/ | | http://www.suse.de/ | 230-+------------------------------+ +------------------------------+ 230-Please make sure to read pub/INDEX before sending mail to 230-ftpadmin@suse.com 230- 230-User limit: 600 - consider using a mirror-site: 230-http://www.suse.de/en/support/download/ftp/int_mirrors.html (Int.) 230-http://www.suse.de/en/support/download/ftp/germ_mirrors.html (DE) 230- 230-Users from Europe (in particular German universities): 230-ftp://ftp.gwdg.de/pub/linux/suse/ 230-ftp://ftp.leo.org/pub/comp/os/unix/linux/suse/suse/ 230-ftp://ftp.uni-kl.de/pub/linux/suse/ 230- 230-If you are experiencing any problems with this server, please email 230-ftpadmin@suse.com. 230- 230 Login successful. Have a lot of fun. Remote system type is UNIX. Using binary mode to transfer files. ftp> dir 200 PORT command successful. Consider using PASV.

-------------------------------------------------- -------------------------------------------------- -----snip------ #My Firewall config for FTP

# FTP OUT Control-Connection

iptables -A OUTPUT -p TCP --sport $p_high --dport ftp -j ACCEPT iptables -A INPUT -p TCP --dport $p_high --sport ftp ! --syn -j ACCEPT

# FTP OUT Passive Data-Connection

iptables -A OUTPUT -p TCP --sport $p_high --dport $p_high -j ACCEPT iptables -A INPUT -p TCP --dport $p_high --sport $p_high ! --syn -j ACCEPT

# MASQUERADING

iptables -t nat -A POSTROUTING -o $EXT -j MASQUERADE

echo "1" > /proc/sys/net/ipv4/ip_forward echo "1" > /proc/sys/net/ipv4/ip_dynaddr

iptables -A OUTPUT -m state --state ESTABLISHED,RELATED -j ACCEPT iptables -A FORWARD -i $INT -o $EXT -m state --state ESTABLISHED,RELATED -j ACCEPT

iptables -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT

iptables -A FORWARD -i $EXT -o $INT -m state --state ESTABLISHED,RELATED -j ACCEPT

iptables -A OUTPUT -p ICMP --icmp-type echo-request -j ACCEPT iptables -A FORWARD -o $EXT -p ICMP --icmp-type echo-request -j ACCEPT

iptables -A FORWARD -o $EXT -m state --state NEW -p TCP --sport $p_high --dport ftp -j ACCEPT iptables -A FORWARD -o $EXT -m state --state NEW -p TCP --sport $p_high --dport $p_high -j ACCEPT

-----snap----- ---------------------------------------------------------------------- ----------------------------------------------------------------------

tcpdump -i ippp0

19:59:13.290242 217.4.250.8.filenet-tms > 213.95.15.193.domain: 2909 A? ftp.suse.com. (30) (DF) 19:59:13.345807 213.95.15.193.domain > 217.4.250.8.filenet-tms: 2909* 1/2/2 A 217.9.113.66 (132) [tos 0x10] 19:59:13.347190 217.4.250.8.35608 > 217.9.113.66.ftp: S 926670463:926670463(0) win 5840 217.4.250.8.35608: S 840322402:840322402(0) ack 926670464 win 32120 217.9.113.66.ftp: . ack 1 win 5840 (DF) 19:59:13.518270 217.9.113.66.ftp > 217.4.250.8.35608: P 1:249(248) ack 1 win 32120 (DF 19:59:13.518367 217.4.250.8.35608 > 217.9.113.66.ftp: . ack 249 win 6432 (DF) [tos 0x1 19:59:13.518817 217.4.250.8.35608 > 217.9.113.66.ftp: F 1:1(0) ack 249 win 6432 (DF) [ 19:59:13.525785 217.9.113.66.ftp > 217.4.250.8.35608: F 249:249(0) ack 1 win 32120 (DF 19:59:13.526164 217.4.250.8.35608 > 217.9.113.66.ftp: . ack 250 win 6432 (DF) [tos 0x1 19:59:13.572175 217.9.113.66.ftp > 217.4.250.8.35608: . ack 2 win 32120 (DF) 19:59:20.501533 217.4.250.8.35609 > 217.9.113.66.ftp: S 933158888:933158888(0) win 5840 217.4.250.8.35609: S 856735184:856735184(0) ack 933158889 win 32120 217.9.113.66.ftp: . ack 1 win 5840 (DF) 19:59:20.650476 217.9.113.66.ftp > 217.4.250.8.35609: P 1:67(66) ack 1 win 32120 (DF) 19:59:20.650579 217.4.250.8.35609 > 217.9.113.66.ftp: . ack 67 win 5840 (DF) [tos 0x10 19:59:24.856106 217.4.250.8.35609 > 217.9.113.66.ftp: P 1:11(10) ack 67 win 5840 (DF) 19:59:24.896293 217.9.113.66.ftp > 217.4.250.8.35609: . ack 11 win 32120 (DF) 19:59:24.910156 217.9.113.66.ftp > 217.4.250.8.35609: P 67:118(51) ack 11 win 32120 (D 19:59:24.910224 217.4.250.8.35609 > 217.9.113.66.ftp: . ack 118 win 5840 (DF) [tos 0x1 19:59:26.198941 217.4.250.8.35609 > 217.9.113.66.ftp: P 11:25(14) ack 118 win 5840 (DF 19:59:26.261343 217.9.113.66.ftp > 217.4.250.8.35609: P 118:190(72) ack 25 win 32120 ( 19:59:26.261425 217.4.250.8.35609 > 217.9.113.66.ftp: . ack 190 win 5840 (DF) [tos 0x1 19:59:26.277847 217.9.113.66.ftp > 217.4.250.8.35609: P 190:262(72) ack 25 win 32120 ( 19:59:26.277920 217.4.250.8.35609 > 217.9.113.66.ftp: . ack 262 win 5840 (DF) [tos 0x1 19:59:26.294356 217.9.113.66.ftp > 217.4.250.8.35609: P 262:334(72) ack 25 win 32120 ( 19:59:26.294424 217.4.250.8.35609 > 217.9.113.66.ftp: . ack 334 win 5840 (DF) [tos 0x1 19:59:26.310864 217.9.113.66.ftp > 217.4.250.8.35609: P 334:406(72) ack 25 win 32120 ( 19:59:26.310932 217.4.250.8.35609 > 217.9.113.66.ftp: . ack 406 win 5840 (DF) [tos 0x1 19:59:26.521730 217.9.113.66.ftp > 217.4.250.8.35609: P 406:1771(1365) ack 25 win 32120 217.9.113.66.ftp: . ack 1771 win 8190 (DF) [tos 0x 19:59:26.523495 217.4.250.8.35609 > 217.9.113.66.ftp: P 25:31(6) ack 1771 win 8190 (DF 19:59:26.599132 217.9.113.66.ftp > 217.4.250.8.35609: P 1771:1790(19) ack 31 win 32120 19:59:26.638231 217.4.250.8.35609 > 217.9.113.66.ftp: . ack 1790 win 8190 (DF) [tos 0x 19:59:29.151684 217.4.250.8.35609 > 217.9.113.66.ftp: P 31:56(25) ack 1790 win 8190 (D 19:59:29.208498 217.9.113.66.ftp > 217.4.250.8.35609: P 1790:1841(51) ack 56 win 32120 19:59:29.208584 217.4.250.8.35609 > 217.9.113.66.ftp: . ack 1841 win 8190 (DF) [tos 0x 19:59:29.208840 217.4.250.8.35609 > 217.9.113.66.ftp: P 56:62(6) ack 1841 win 8190 (DF 19:59:29.257378 217.9.113.66.ftp-data > 217.4.250.8.35610: S 870057160:870057160(0) win 32120 217.4.250.8.35609: . ack 62 win 32120 (DF) 19:59:32.304569 217.9.113.66.ftp-data > 217.4.250.8.35610: S 870057160:870057160(0) win 32120

Which Ports must I open?

Thanks for Your config or Help

Roland

-- Check the headers for your unsubscription address For additional commands, e-mail: suse-security-help@suse.com Security-related bug reports go to security@suse.de, not here

* Roland Türk wrote on Sat, Jan 25, 2003 at 20:03 +0100:

I have write my Firewall with Iptables.I can connect an FTP Server but not make a ls or dir. ftp> dir 200 PORT command successful. Consider using PASV.

And, did you considered using PASV? oki, Steffen -- Dieses Schreiben wurde maschinell erstellt, es trägt daher weder Unterschrift noch Siegel.