Mailinglist Archive: opensuse-security (359 mails)

Re: [suse-security] IPTABLES Rule for Passive FTP
  • From: "Marc Samendinger" <marc.samendinger@xxxxxxxxxxxx>
  • Date: Tue, 29 Jul 2003 15:32:51 +0200
  • Message-id: <02631EB8007CF7488B0A7D4B6BF921CE0346D2@xxxxxxxxxxxxxxxxxxxxx>
> -----Original Message-----
> From: Knut Erik Hauslo [mailto:KNUTH@xxxxxxxxxxxx]
> Sent: Tuesday, July 29, 2003 2:57 PM
>
>
> Hi all,

Hi Knut,

> I need to create a rule with IPTABLES which only allows
> passive FTP. The
> following lines accomplish this:
>
> set IPTABLES = "/usr/sbin/iptables"
> # Control Connection
> $IPTABLES -A FORWARD -o eth1 -m state --state NEW -p TCP --sport \
>     1024:65535 --dport ftp -j ACCEPT
> # Data Connection
> $IPTABLES -A FORWARD -o eth1 -m state --state NEW -p TCP --sport \
>     1024:65535 --dport 1024:65535 -j ACCEPT
>
> There are more rules than only the lines above, but they are
> intentionally left out.

No problem, should be enough :)

> My problem is that this opens the firewall from internal with source
> port >= 1024 and destination port >= 1024, which typically is
> used only
> by passive ftp data connections. This behaviour is by
> recommendation not
> wanted.
>
> Is there a way to accomplish that data connections are only allowed when
> an FTP control connection has taken place beforehand?

Yep, my rules for passive FTP look like this:

$IPTABLES -A FORWARD -p tcp -s $i --sport 1024:65535 -d $j --dport 21 \
    -m state --state NEW,ESTABLISHED -j ACCEPT
$IPTABLES -A FORWARD -p tcp -s $j --sport 21 -d $i --dport 1024:65535 \
    -m state --state RELATED,ESTABLISHED -j ACCEPT
$IPTABLES -A FORWARD -p tcp -s $i --sport 1024:65535 -d $j --dport 1024:65535 \
    -m state --state RELATED,ESTABLISHED -j ACCEPT
$IPTABLES -A FORWARD -p tcp -s $j --sport 1024:65535 -d $i --dport 1024:65535 \
    -m state --state RELATED,ESTABLISHED -j ACCEPT

Where $i is the ftp client and $j the ftp server.
For this to work correctly you need to load the ftp conntrack
helper module.

> Cheers
> Knut Erik

HTH

marc
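The script below is an added example, not code from either poster. It wraps Marc's four rules in a function that takes the client and server addresses, and adds the conntrack-helper setup the reply mentions but does not show. Two things in it are assumptions about current kernels rather than anything on the page: the helper module is called nf_conntrack_ftp today (ip_conntrack_ftp on the 2.4 kernels of 2003), and on kernels from 4.7 onward loading the module alone is not enough, because automatic helper assignment is off by default and the helper must be bound to the control connection with a CT rule in the raw table. The `-m conntrack --ctstate` match is the current spelling of `-m state --state`; both work. Setting IPTABLES=echo and MODPROBE=echo prints the commands instead of running them, which is how a practitioner can review the rule set before applying it as root.

```shell
#!/bin/sh
# Added example: stateful passive-FTP forwarding rules with the ftp
# conntrack helper. Only the control connection (port 21) may open a NEW
# flow; data connections on high ports are accepted only once the helper
# has marked them RELATED to an existing control connection.
IPTABLES="${IPTABLES:-/usr/sbin/iptables}"   # set to "echo" for a dry run
MODPROBE="${MODPROBE:-/sbin/modprobe}"       # set to "echo" for a dry run

# Load the helper and bind it to FTP control traffic.
ftp_helper_setup() {
    # Module name assumed for current kernels (ip_conntrack_ftp on 2.4).
    "$MODPROBE" nf_conntrack_ftp
    # Kernels >= 4.7 do not auto-assign helpers (nf_conntrack_helper=0),
    # so attach the ftp helper explicitly in the raw table.
    "$IPTABLES" -t raw -A PREROUTING -p tcp --dport 21 -j CT --helper ftp
}

# Emit the four FORWARD rules for client $1 and server $2 (Marc's $i/$j).
passive_ftp_rules() {
    client="$1"
    server="$2"
    # Control connection: the only rule that accepts a NEW connection,
    # and it is pinned to destination port 21.
    "$IPTABLES" -A FORWARD -p tcp -s "$client" --sport 1024:65535 \
        -d "$server" --dport 21 \
        -m conntrack --ctstate NEW,ESTABLISHED -j ACCEPT
    # Replies on the control connection.
    "$IPTABLES" -A FORWARD -p tcp -s "$server" --sport 21 \
        -d "$client" --dport 1024:65535 \
        -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
    # Passive data connection, client -> server high port. The first
    # packet is RELATED only if the helper saw a matching PASV reply on
    # the control channel; a bare high-port SYN is not RELATED and is
    # left to the chain policy (assumed DROP).
    "$IPTABLES" -A FORWARD -p tcp -s "$client" --sport 1024:65535 \
        -d "$server" --dport 1024:65535 \
        -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
    # Data replies, server -> client.
    "$IPTABLES" -A FORWARD -p tcp -s "$server" --sport 1024:65535 \
        -d "$client" --dport 1024:65535 \
        -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
}

# Usage (addresses below are constructed examples):
#   IPTABLES=echo MODPROBE=echo sh passive_ftp.sh 10.0.0.5 192.0.2.10   # dry run
#   sh passive_ftp.sh 10.0.0.5 192.0.2.10                               # apply, as root
if [ $# -eq 2 ]; then
    ftp_helper_setup
    passive_ftp_rules "$1" "$2"
fi
```

The rule set relies on the FORWARD chain policy being DROP (or an explicit final DROP rule), which the original thread leaves out; without it the RELATED check is moot because unmatched high-port packets would be forwarded anyway. When verifying on a live box, `conntrack -L` (from conntrack-tools) shows the RELATED data flows appearing with the control connection as their parent.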
