non-standard FTP ports and connection tracking


Hi. I have a small problem with the ip_conntrack_ftp module (I guess).

Scenario:
======
I run iptables 1.2.6a and an ftp server (publicfile) on a machine 
directly connected to the Internet. Connection tracking works fine when 
the ftp server listens on the standard port (21), but seems to break 
when I set the ftp server to listen on a non-standard high port (say, 
2121).

I set both incoming and outgoing default action to DROP, load the 
connection tracking modules in my firewall script:

/sbin/modprobe ip_conntrack
/sbin/modprobe ip_conntrack_ftp

and try to allow traffic for my ftp server only.

What happens:
=========

If the ftp server uses port 21 (standard setup), it works fine:

[] ftpd listening on port 21
[] client connects -> connection from high port to my 21 is established
[] client requests directory listing -> connection from my high port to 
another high port of the client is established

Rules: (all defaults are DROP)
=================

## Allow connections to our ftp server
/sbin/iptables -A INPUT -p tcp --dport 21 -j ACCEPT

## Allow data for incoming FTP to return back to sender
/sbin/iptables -A OUTPUT -p tcp --sport 21 --dport 1024: -m state \
    --state ESTABLISHED,RELATED -j ACCEPT

## Allow outgoing FTP (data) + HTTP replies
/sbin/iptables -A OUTPUT -p tcp --sport 1024: --dport 1024: -m state \
    --state ESTABLISHED,RELATED -j ACCEPT


The problem:
========

But when I set the server to listen on port 2121:

[] ftpd listens on 2121
[] client connects -> connection from high port to my 2121 established
[] client requests directory listing -> netfilter drops the packets of the 
new (but related) connection that tries to be established, and the user 
never sees the directory listing. The last packet that gets through is the 
one that carries the "150 Making transfer connection..." message.

The rules in this case have only the port number changed, but here they 
are in case I'm doing something wrong:

## Allow connections to our ftp server
/sbin/iptables -A INPUT -p tcp --dport 2121 -j ACCEPT

## Allow outgoing FTP (data) + HTTP replies!
/sbin/iptables -A OUTPUT -p tcp --sport 1024: --dport 1024: -m state \
    --state ESTABLISHED,RELATED -j ACCEPT

## Allow data for incoming FTP to return back to sender
/sbin/iptables -A OUTPUT -p tcp --sport 2121 --dport 1024: -m state \
    --state ESTABLISHED,RELATED -j ACCEPT


Any ideas?

-A
-- 
http://andrew.cmu.edu/~apapadop/pub_key.asc
3DAD 8435 DB52 F17B 640F  D78C 8260 0CC1 0B75 8265