[opensuse] Passive FTP with Netfilter/IPTABLES
Hi all,

I am learning how to use Netfilter/IPTables. I got active FTP going (Ports 20 & 21), but as soon as I logged in on an external FTP server and want to list the directory, I have no response. I have gathered that the problem is with the passive FTP mode it switches to. How do I cater for passive FTP with an IPTABLES command. The active command in a filters.sh script is:

~~~~~~~ START (part of script) ~~~~~~~~~~
#### variables #####
# net all
NET_ALL='0.0.0.0/0'
# external interface
IF_EXT='eth0'
IP_EXT='10.9.8.1'
NET_EXT='10.9.8.0/24'
BCAST_EXT='10.9.8.255'
# internal interface
IF_INT='eth1'
IP_INT='10.8.0.1'
NET_INT='10.8.0.0/24'
BCAST_INT='10.8.0.255'
......
# ports
p_high='1024:65535'
plist_ftp='20 21'
......
# FTP
for p_ftp in $plist_ftp; do
  # use these rules for every port in $plist_ftp
  iptables -A FORWARD -i $IF_INT -o $IF_EXT -p TCP -s $NET_INT -d $NET_ALL --sport $p_high --dport $p_ftp -m state --state NEW,ESTABLISHED -j ACCEPT
  iptables -A FORWARD -i $IF_EXT -o $IF_INT -p TCP -s $NET_ALL -d $NET_INT --sport $p_ftp --dport $p_high -m state --state ESTABLISHED -j ACCEPT
done
~~~~~~ END ~~~~~~

TIA
Al
--
To unsubscribe, e-mail: opensuse+unsubscribe@opensuse.org
For additional commands, e-mail: opensuse+help@opensuse.org
LLLActive@GMX.Net wrote:
Hi all,
Hi,
I am learning how to use Netfilter/IPTables.
I got active FTP going (Ports 20 & 21), but as soon as I logged in on an external FTP server and want to list the directory, I have no response. I have gathered that the problem is with the passive FTP mode it switches to. How do I cater for passive FTP with an IPTABLES command. The active command in a filters.sh script is:
~~~~~~~ START (part of script) ~~~~~~~~~~
#### variables #####
# net all
NET_ALL='0.0.0.0/0'
# external interface
IF_EXT='eth0'
IP_EXT='10.9.8.1'
NET_EXT='10.9.8.0/24'
BCAST_EXT='10.9.8.255'
# internal interface
IF_INT='eth1'
IP_INT='10.8.0.1'
NET_INT='10.8.0.0/24'
BCAST_INT='10.8.0.255'
......
# ports
p_high='1024:65535'
plist_ftp='20 21'
......
# FTP
for p_ftp in $plist_ftp; do
  # use these rules for every port in $plist_ftp
  iptables -A FORWARD -i $IF_INT -o $IF_EXT -p TCP -s $NET_INT -d $NET_ALL --sport $p_high --dport $p_ftp -m state --state NEW,ESTABLISHED -j ACCEPT
  iptables -A FORWARD -i $IF_EXT -o $IF_INT -p TCP -s $NET_ALL -d $NET_INT --sport $p_ftp --dport $p_high -m state --state ESTABLISHED -j ACCEPT
done
~~~~~~ END ~~~~~~
I'm assuming you have a firewall behind your FTP Server and are using SuSEfirewall2. Try to add "ip_conntrack_ftp" to your FW_LOAD_MODULES option on /etc/sysconfig/SuSEfirewall2. You may also need to add "ip_nat_ftp"... restart your firewall afterwards.
TIA
Rui
Al
--
Rui Santos
http://www.ruisantos.com/
Veni, vidi, Linux!
On Thursday, 2008-10-09 at 11:44 +0100, Rui Santos wrote:
I am learning how to use Netfilter/IPTables.
I got active FTP going (Ports 20 & 21), but as soon as I logged in on an external FTP server and want to list the directory, I have no response. I have gathered that the problem is with the passive FTP mode it switches to. How do I cater for passive FTP with an IPTABLES command. The active command in a filters.sh script is:
~~~~~~~ START (part of script) ~~~~~~~~~~
#### variables #####
I'm assuming you have a firewall behind your FTP Server and are using SuSEfirewall2.
No, he is using iptables manually, thus his script >:-)

--
Cheers,
Carlos E. R.
Carlos E. R. wrote:
I'm assuming you have a firewall behind your FTP Server and are using SuSEfirewall2.
No, he is using iptables manually, thus his script >:-)
--
Cheers,
Carlos E. R.
Right Carlos, it is manually installed with 'bash filter-rules.sh'

Rui Santos wrote:
Try to add "ip_conntrack_ftp" to your FW_LOAD_MODULES option on /etc/sysconfig/SuSEfirewall2. You may also need to add "ip_nat_ftp"...
restart your firewall afterwards.
TIA
Rui
But what Rui mentions about ip_conntrack_ftp is something I read elsewhere as well. What does it do, and what does 'ip_nat_ftp' do? When I do a: 'modprobe -v ip_conntrack_ftp' or a 'modprobe -v ip_nat_ftp' I get no response or verbose output.

######## Start ########
S:/etc/firewall # modprobe -v ip_conntrack_ftp
S:/etc/firewall # modprobe -vl ip_*
/lib/modules/2.6.22.17-0.1-default/kernel/net/ipv4/ipvs/ip_vs_wlc.ko
/lib/modules/2.6.22.17-0.1-default/kernel/net/ipv4/ipvs/ip_vs_lblc.ko
/lib/modules/2.6.22.17-0.1-default/kernel/net/ipv4/ipvs/ip_vs_rr.ko
/lib/modules/2.6.22.17-0.1-default/kernel/net/ipv4/ipvs/ip_vs_lblcr.ko
/lib/modules/2.6.22.17-0.1-default/kernel/net/ipv4/ipvs/ip_vs_sed.ko
/lib/modules/2.6.22.17-0.1-default/kernel/net/ipv4/ipvs/ip_vs_dh.ko
/lib/modules/2.6.22.17-0.1-default/kernel/net/ipv4/ipvs/ip_vs_sh.ko
/lib/modules/2.6.22.17-0.1-default/kernel/net/ipv4/ipvs/ip_vs_nq.ko
/lib/modules/2.6.22.17-0.1-default/kernel/net/ipv4/ipvs/ip_vs_wrr.ko
/lib/modules/2.6.22.17-0.1-default/kernel/net/ipv4/ipvs/ip_vs.ko
/lib/modules/2.6.22.17-0.1-default/kernel/net/ipv4/ipvs/ip_vs_ftp.ko
/lib/modules/2.6.22.17-0.1-default/kernel/net/ipv4/ipvs/ip_vs_lc.ko
/lib/modules/2.6.22.17-0.1-default/kernel/net/ipv4/netfilter/ip_queue.ko
/lib/modules/2.6.22.17-0.1-default/kernel/net/ipv4/netfilter/ip_tables.ko
/lib/modules/2.6.22.17-0.1-default/kernel/net/ipv4/ip_gre.ko
S:/etc/firewall # modprobe -v ip_nat_ftp
S:/etc/firewall # modprobe -vl ip_*
/lib/modules/2.6.22.17-0.1-default/kernel/net/ipv4/ipvs/ip_vs_wlc.ko
/lib/modules/2.6.22.17-0.1-default/kernel/net/ipv4/ipvs/ip_vs_lblc.ko
/lib/modules/2.6.22.17-0.1-default/kernel/net/ipv4/ipvs/ip_vs_rr.ko
/lib/modules/2.6.22.17-0.1-default/kernel/net/ipv4/ipvs/ip_vs_lblcr.ko
/lib/modules/2.6.22.17-0.1-default/kernel/net/ipv4/ipvs/ip_vs_sed.ko
/lib/modules/2.6.22.17-0.1-default/kernel/net/ipv4/ipvs/ip_vs_dh.ko
/lib/modules/2.6.22.17-0.1-default/kernel/net/ipv4/ipvs/ip_vs_sh.ko
/lib/modules/2.6.22.17-0.1-default/kernel/net/ipv4/ipvs/ip_vs_nq.ko
/lib/modules/2.6.22.17-0.1-default/kernel/net/ipv4/ipvs/ip_vs_wrr.ko
/lib/modules/2.6.22.17-0.1-default/kernel/net/ipv4/ipvs/ip_vs.ko
/lib/modules/2.6.22.17-0.1-default/kernel/net/ipv4/ipvs/ip_vs_ftp.ko
/lib/modules/2.6.22.17-0.1-default/kernel/net/ipv4/ipvs/ip_vs_lc.ko
/lib/modules/2.6.22.17-0.1-default/kernel/net/ipv4/netfilter/ip_queue.ko
/lib/modules/2.6.22.17-0.1-default/kernel/net/ipv4/netfilter/ip_tables.ko
/lib/modules/2.6.22.17-0.1-default/kernel/net/ipv4/ip_gre.ko
S:/etc/firewall #
######## End ########
On Thursday, 2008-10-09 at 13:48 +0200, LLLActive@GMX.Net wrote:
But what Rui mentions about ip_conntrack_ftp is something I read elsewhere as well. What does it do, and what does 'ip_nat_ftp' do? When I do a:
Why don't you analyze what the suse firewall does and how?

--
Cheers,
Carlos E. R.
On Thu, Oct 9, 2008 at 1:56 PM, Carlos E. R. <robin.listas@telefonica.net> wrote:
But what Rui mentions about ip_conntrack_ftp is something I read elsewhere as well. What does it do, and what does 'ip_nat_ftp' do? When I do a:
Why don't you analyze what the suse firewall does and how?
Yes. I think it could help you a lot, and this feature is contemplated in it.

--
Have a nice day ;-)
TooManySecrets
============================
Confucius said: "Demand much of yourself and expect little from others. That way you will spare yourself disappointments."
============================
LLLActive@GMX.Net wrote:
Rui But what Rui mentions about ip_conntrack_ftp is something I read elsewhere as well. What does it do, and what does 'ip_nat_ftp' do?
Well, ip_conntrack_ftp "knows" that a certain IP is connected to the ftp port. When your ftp client asks for data, the ftp server informs the client that the LISTEN port is xxx, but that xxx port is usually closed by all firewalls, so when the client tries to connect to that xxx port, it gets rejected. This is where ip_conntrack_ftp comes in. It "automatically" allows that IP (client) to connect to the xxx port.

Of course, the previous will only work if your ftp server is on the firewall machine. If it is not, you will need the ip_nat_ftp module to allow that kind of behavior for a private internal IP address (ftp server).

By all means I am not an iptables GURU. Probably a few other participants will enlighten us all about this subject.

PS: ip_conntrack_ftp and ip_nat_ftp are considered an extra security risk. Many ftp servers allow you to use EPSV (Extended PaSsiVe mode). In this mode the server will inform the client that it should connect to a xxx port, which will be in a port range that you provide. This way you can reserve x number of ports just, and only, for FTP passive connections.

--
Rui Santos
http://www.ruisantos.com/
Veni, vidi, Linux!
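The two approaches Rui describes, applied to the original poster's setup (internal clients on eth1 reaching FTP servers beyond eth0), as an added example; this is not code from the thread, from the OP's filter-rules.sh or from SuSEfirewall2. The first function emits the port-21 control-channel rules in the OP's style plus the data-channel rules that the conntrack helper makes possible: the client's first packet towards the port announced in the server's "227 Entering Passive Mode" reply is RELATED, and `-m helper --helper ftp` narrows that opening to connections the FTP helper itself expected. The second function is the helper-free alternative for a single server whose passive port range you know, as in Rui's EPSV remark. The third checks whether the helper module is loaded. The interface and network variables are the OP's; the passive range 50000:50100, the server address 10.9.8.50 and the function names are assumptions for illustration. On current kernels the helper module is called nf_conntrack_ftp, so both names are tried; ip_nat_ftp is additionally needed only when the firewall rewrites addresses that travel inside the control channel, for instance for an internal server behind NAT as Rui notes.

```shell
#!/bin/sh
# Added example (not the thread's script): passive-FTP rules for a router
# that forwards between the OP's internal (eth1) and external (eth0) nets.
# Values taken from the OP's script:
IF_EXT='eth0'
IF_INT='eth1'
NET_ALL='0.0.0.0/0'
NET_INT='10.8.0.0/24'
p_high='1024:65535'
# Assumed for the helper-free variant: the passive port range configured on
# the one FTP server that is allowed; it must match the server's settings.
pasv_range='50000:50100'

# Variant 1: let the kernel helper track PASV replies. The rules are only
# printed, so this runs without root; review them, then pipe them into sh.
passive_ftp_rules_helper() {
    cat <<EOF
modprobe ip_conntrack_ftp 2>/dev/null || modprobe nf_conntrack_ftp
# control channel (port 21 only; port 20 is not used in passive mode)
iptables -A FORWARD -i $IF_INT -o $IF_EXT -p tcp -s $NET_INT -d $NET_ALL --sport $p_high --dport 21 -m state --state NEW,ESTABLISHED -j ACCEPT
iptables -A FORWARD -i $IF_EXT -o $IF_INT -p tcp -s $NET_ALL -d $NET_INT --sport 21 --dport $p_high -m state --state ESTABLISHED -j ACCEPT
# data channel: first packet is RELATED (expectation created by the ftp
# helper from the 227 reply); limit it to the ftp helper and to high ports
iptables -A FORWARD -i $IF_INT -o $IF_EXT -p tcp -s $NET_INT -d $NET_ALL --sport $p_high --dport $p_high -m state --state RELATED -m helper --helper ftp -j ACCEPT
iptables -A FORWARD -i $IF_INT -o $IF_EXT -p tcp -s $NET_INT -d $NET_ALL --sport $p_high --dport $p_high -m state --state ESTABLISHED -j ACCEPT
iptables -A FORWARD -i $IF_EXT -o $IF_INT -p tcp -s $NET_ALL -d $NET_INT --sport $p_high --dport $p_high -m state --state ESTABLISHED -j ACCEPT
EOF
}

# Variant 2: no helper; only a known server ($1) and its fixed passive range
# are opened, which is the narrower hole Rui describes for EPSV setups.
passive_ftp_rules_fixed_range() {
    server="$1"
    cat <<EOF
iptables -A FORWARD -i $IF_INT -o $IF_EXT -p tcp -s $NET_INT -d $server --sport $p_high --dport 21 -m state --state NEW,ESTABLISHED -j ACCEPT
iptables -A FORWARD -i $IF_EXT -o $IF_INT -p tcp -s $server -d $NET_INT --sport 21 --dport $p_high -m state --state ESTABLISHED -j ACCEPT
iptables -A FORWARD -i $IF_INT -o $IF_EXT -p tcp -s $NET_INT -d $server --sport $p_high --dport $pasv_range -m state --state NEW,ESTABLISHED -j ACCEPT
iptables -A FORWARD -i $IF_EXT -o $IF_INT -p tcp -s $server -d $NET_INT --sport $pasv_range --dport $p_high -m state --state ESTABLISHED -j ACCEPT
EOF
}

# Report whether the ftp conntrack helper is loaded (old or new module name).
# Reads /proc/modules, or the file given as $1 so it can be checked offline.
ftp_helper_loaded() {
    grep -Eq '^(ip|nf)_conntrack_ftp ' "${1:-/proc/modules}"
}

# Print the helper-based rule set for review; e.g. "sh passive-ftp.sh | sh"
# on the firewall after checking it.
passive_ftp_rules_helper
```

The fixed-range variant only helps when the server's passive range is known, which for the OP (arbitrary external servers) usually means the helper route; in both variants the opening stays confined to high ports and to the interface direction in which the data connection is expected.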
participants (4)
- Carlos E. R.
- LLLActive@GMX.Net
- Rui Santos
- TooMany Secrets