RE: [suse-security] IPTABLES Rule for Passive FTP

Hmm... My script lacked the ip_conntrack_ftp module, and after I added it to my script, it was no longer possible to initiate communication with SPORT >= 1024 and DPORT >= 1024 unless it is related, and that's how it should behave :-) But now, active ftp has become possible again ... :-S My script looks like this:

#!/bin/tcsh
#
# -------------------------------
# Declare Variables
set IPTABLES="/usr/sbin/iptables"
set HighPorts = 1024:65535
set EXT = eth1
set INT = eth0
set IF = ($EXT $INT)
set INTERNAL = 172.19.0.0/16
set EXTERNAL = 192.168.6.0/24
set LOGHOST = 172.19.2.2
# -------------------------------
# Required Configuration - general
echo "0" > /proc/sys/net/ipv4/ip_forward
echo "1" > /proc/sys/net/ipv4/tcp_syncookies
echo "1" > /proc/sys/net/ipv4/icmp_echo_ignore_broadcasts
echo "1" > /proc/sys/net/ipv4/icmp_ignore_bogus_error_responses
/sbin/modprobe ip_conntrack_ftp
# Configure Interfaces
foreach if ($IF)
    echo "1" > /proc/sys/net/ipv4/conf/$if/rp_filter
    echo "0" > /proc/sys/net/ipv4/conf/$if/accept_redirects
    echo "0" > /proc/sys/net/ipv4/conf/$if/accept_source_route
    echo "0" > /proc/sys/net/ipv4/conf/$if/bootp_relay
    echo "1" > /proc/sys/net/ipv4/conf/$if/log_martians
end
# -------------------------------------
# Default Policy and Flushing of chains
$IPTABLES -P INPUT DROP
$IPTABLES -P FORWARD DROP
$IPTABLES -P OUTPUT DROP
$IPTABLES -F
$IPTABLES -t nat -F
$IPTABLES -X
# -------------------------------------
# Allow local processes
$IPTABLES -A OUTPUT -o lo -j ACCEPT
$IPTABLES -A INPUT -i lo -j ACCEPT
# -------------------------------------
# Logging
$IPTABLES -A INPUT -p UDP --dport 137 -j DROP
$IPTABLES -A INPUT -p UDP --dport 138 -j DROP
$IPTABLES -A INPUT -p UDP --dport 139 -j DROP
$IPTABLES -A INPUT -p TCP --dport 137 -j DROP
$IPTABLES -A INPUT -p TCP --dport 138 -j DROP
$IPTABLES -A INPUT -p TCP --dport 139 -j DROP
$IPTABLES -A INPUT -p IP -d 172.19.255.255 -j DROP
$IPTABLES -A INPUT -p IP -d 255.255.255.255 -j DROP
$IPTABLES -N DropList
$IPTABLES -A DropList -p ICMP -j LOG --log-prefix "DROP ICMP: "
$IPTABLES -A DropList -p UDP -j LOG --log-prefix "DROP UDP : "
$IPTABLES -A DropList -p TCP -j LOG --log-prefix "DROP TCP : "
$IPTABLES -A DropList -j DROP
# --------------------------------------
echo "1" > /proc/sys/net/ipv4/ip_forward
# --------------------------------------------------
# Outbound packets, already established connections
$IPTABLES -A OUTPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
$IPTABLES -A FORWARD -i $INT -o $EXT -m state --state ESTABLISHED,RELATED -j ACCEPT
# ----------------------------------------------------------
# Inbound packets, already established outbound connections
$IPTABLES -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
$IPTABLES -A INPUT -m state --state NEW,INVALID -j DropList
$IPTABLES -A FORWARD -i $EXT -o $INT -m state --state ESTABLISHED,RELATED -j ACCEPT
$IPTABLES -A FORWARD -i $EXT -o $INT -m state --state INVALID -j DropList
# ----------
# Syslogging
$IPTABLES -A OUTPUT -o $INT -m state --state NEW -p UDP --sport syslog -d $LOGHOST --dport syslog -j ACCEPT
# ------------------
# Forwarding Packets
# HTTP - both directions are allowed
$IPTABLES -A FORWARD -m state --state NEW -p TCP --dport http -j ACCEPT
# Passive FTP, Outbound Control Connection
$IPTABLES -A FORWARD -o $EXT -m state --state NEW -p TCP --sport $HighPorts --dport ftp -j ACCEPT
# Data Connection
$IPTABLES -A FORWARD -o $EXT -m state --state ESTABLISHED,RELATED -p TCP --sport $HighPorts --dport $HighPorts -j ACCEPT
# ---------------------------------
# What's not explicitly allowed, deny
$IPTABLES -A INPUT -j DropList
$IPTABLES -A FORWARD -j DropList
$IPTABLES -A OUTPUT -j DropList
# End of script

-----Original Message-----
From: Marc Samendinger [mailto:marc.samendinger@sp-online.de]
Sent: Tuesday, July 29, 2003 3:33 PM
To: suse-security@suse.com
Subject: Re: [suse-security] IPTABLES Rule for Passive FTP

... SNIP ...
I need to create a rule with IPTABLES which only allows passive FTP. The following lines accomplish this:
... SNIP ...
My problem is that this opens the firewall from internal with source port >= 1024 and destination port >= 1024, which is typically used only by the passive FTP data connection. According to the recommendations, this behaviour is not wanted.
Is there a way to ensure that the data connection is only allowed when an FTP control connection has taken place beforehand?
Yep, my rules for passive FTP look like this:

$IPTABLES -A FORWARD -p tcp -s $i --sport 1024:65535 -d $j --dport 21 -m state --state NEW,ESTABLISHED -j ACCEPT
$IPTABLES -A FORWARD -p tcp -s $j --sport 21 -d $i --dport 1024:65535 -m state --state RELATED,ESTABLISHED -j ACCEPT
$IPTABLES -A FORWARD -p tcp -s $i --sport 1024:65535 -d $j --dport 1024:65535 -m state --state RELATED,ESTABLISHED -j ACCEPT
$IPTABLES -A FORWARD -p tcp -s $j --sport 1024:65535 -d $i --dport 1024:65535 -m state --state RELATED,ESTABLISHED -j ACCEPT

Where $i is the ftp client and $j the ftp server. For this to work correctly you need to load the ftp conntrack helper module.
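The thread turns on what the ftp conntrack helper actually does: it reads the control channel and registers an "expectation" for the data connection it announces, so that the data connection's first packet is classified RELATED instead of NEW. Because the helper parses the client's PORT command as well as the server's 227 PASV reply, loading it makes server-initiated (active) data connections RELATED too, which is why the poster saw active FTP come back. The following Python model is an added illustration written for this page, not code from either poster or from the netfilter project: it parses a constructed control-channel exchange (client 172.19.5.10 behind the firewall, server 192.168.6.20 outside; addresses, ports and the function names are assumptions), builds the expectations the helper would build, and classifies candidate data connections the way a state-matching rule would see them, with a passive-only verdict on top.

```python
import re
from dataclasses import dataclass

# Constructed FTP control-channel exchange (not a real capture). The client
# sits in the internal net, the server outside. Ports are encoded as p1*256+p2.
CLIENT = "172.19.5.10"
SERVER = "192.168.6.20"
CONTROL_CHANNEL = [
    # active mode: client tells the server to connect back to 172.19.5.10:1025
    ("client", "PORT 172,19,5,10,4,1\r\n"),
    ("server", "200 PORT command successful.\r\n"),
    # passive mode: server announces it is listening on 192.168.6.20:50000
    ("client", "PASV\r\n"),
    ("server", "227 Entering Passive Mode (192,168,6,20,195,80).\r\n"),
]

PORT_RE = re.compile(r"^PORT (\d+),(\d+),(\d+),(\d+),(\d+),(\d+)\s*$")
PASV_RE = re.compile(r"^227 .*?\((\d+),(\d+),(\d+),(\d+),(\d+),(\d+)\)")


@dataclass(frozen=True)
class Expectation:
    """One data-connection expectation, of the kind the ftp helper registers."""
    mode: str      # "active" (from PORT) or "passive" (from PASV)
    src_ip: str    # the side that will open the data connection
    dst_ip: str    # the listening side
    dst_port: int  # the announced listening port


def decode_hostport(fields):
    """Turn the six comma-separated FTP fields into (ip, port)."""
    h1, h2, h3, h4, p1, p2 = (int(f) for f in fields)
    return f"{h1}.{h2}.{h3}.{h4}", p1 * 256 + p2


def expectations_from_control(channel, client_ip, server_ip):
    """Model of the helper: scan the control channel, register expectations.

    PORT => the server will connect to the address the client named (active).
    227  => the client will connect to the address the server named (passive).
    """
    exps = []
    for sender, line in channel:
        line = line.rstrip("\r\n")
        if sender == "client" and (m := PORT_RE.match(line)):
            ip, port = decode_hostport(m.groups())
            exps.append(Expectation("active", src_ip=server_ip, dst_ip=ip, dst_port=port))
        elif sender == "server" and (m := PASV_RE.match(line)):
            ip, port = decode_hostport(m.groups())
            exps.append(Expectation("passive", src_ip=client_ip, dst_ip=ip, dst_port=port))
    return exps


def classify(new_conn, exps):
    """State a '-m state' rule would see for the first SYN of new_conn.

    new_conn is (src_ip, sport, dst_ip, dport). The source port is not part of
    the expectation, matching how the helper leaves it unspecified.
    Returns ("RELATED", mode) when an expectation matches, else ("NEW", None).
    """
    src_ip, _sport, dst_ip, dport = new_conn
    for e in exps:
        if e.src_ip == src_ip and e.dst_ip == dst_ip and e.dst_port == dport:
            return "RELATED", e.mode
    return "NEW", None


def passive_only_verdict(new_conn, exps):
    """The policy the poster asked for: only passive (client-initiated) data
    connections pass; unexpected high-port traffic and active-mode callbacks
    from the server are dropped."""
    state, mode = classify(new_conn, exps)
    if state == "RELATED" and mode == "passive":
        return "ACCEPT"
    return "DROP"


if __name__ == "__main__":
    exps = expectations_from_control(CONTROL_CHANNEL, CLIENT, SERVER)
    for e in exps:
        print(e)
    for conn in [(CLIENT, 40000, SERVER, 50000),   # passive data connection
                 (SERVER, 20, CLIENT, 1025),       # active data connection
                 (CLIENT, 40000, SERVER, 60000)]:  # no PASV/PORT seen for this
        print(conn, classify(conn, exps), passive_only_verdict(conn, exps))
```

The third candidate is the case the original question worried about: a high-port to high-port connection with no preceding control-channel announcement stays NEW, so a FORWARD rule that accepts only ESTABLISHED,RELATED does not let it through. The second candidate shows why active FTP reappears once the helper is loaded: the server's connection into the internal net is RELATED in the EXT to INT direction, and the script above accepts ESTABLISHED,RELATED in that direction without restricting it to non-TCP. Enforcing passive-only in iptables therefore needs the inbound RELATED acceptance to exclude TCP (for example by dropping RELATED TCP from the external interface before the general ESTABLISHED,RELATED rule); that is a suggestion of this edit, not something either poster wrote.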
participants (1)
-
Knut Erik Hauslo