PASV rules opening up my high-ports!

Howdy,

Thanks in advance for reading this. If this is a common issue, I apologize – but could you point me to a searchable archive so I don’t bug this list with previously asked questions?

Anyways – here goes …

I’ve got rules for FTP inbound/outbound for both PORT and PASV connections. I’m also running MySQL, which defaults to port 3306.

If FTP PASV rules are enabled, either as a server or client, it seems all my high ports are open to be connected to. I’ve tried enforcing state, but I end up either breaking the rule so that FTP doesn’t work, or I end up opening the high-ports again.

Is there a way to fix this by developing a better rule? Or should I limit my PASV ports to a range that does not overlap with other services?

Here are the related rules … (the PASV rules are commented out)

#
# General rules
#
modprobe ip_tables
modprobe ip_conntrack
modprobe ip_conntrack_ftp

#################################################################
# Kernel configuration section and cleansing of the filter, nat,#
# and mangle tables                                             #
#################################################################
echo -n $"clearing old rules from tables:"

$IPTABLES -F && \
$IPTABLES -t filter -F INPUT && \
$IPTABLES -t filter -F FORWARD && \
# commands to zero chain counters - needed on restart
$IPTABLES -X
$IPTABLES -t filter -Z && \

success $"clearing old rules from tables" || \
failure $"clearing old rules from tables"
echo

# set all filtering to DROP as default
echo -n $"setting default rules to DROP: "

# used to be IPTABLES -t filter -P ...

$IPTABLES -P INPUT DROP && \
$IPTABLES -P FORWARD DROP && \
$IPTABLES -P OUTPUT DROP  && \

success $"setting default rules to DROP" || \
failure $"setting default rules to DROP"
echo

#
# FTP RULES
#

if [[ $FTP_client == 1 ]] ; then
        echo -n $"adding FTP client rules: "

        # Outgoing Request

        $IPTABLES -A INPUT -i $IFACE -p tcp \
                        -s any/0 --sport 21 \
                        -d $LOCAL_IP --dport 1024: \
                        -m state --state ESTABLISHED \
                        -j ACCEPT &&\
        $IPTABLES -A OUTPUT -o $IFACE -p tcp \
                        -s $LOCAL_IP --sport 1024: \
                        -d any/0 --dport 21 \
                        -m state --state NEW,ESTABLISHED \
                        -j ACCEPT &&\

        # PORT FTP Connections

        $IPTABLES -A INPUT -i $IFACE -p tcp \
                        -s any/0 --sport 20 \
                        -d $LOCAL_IP --dport 1024: \
                        -m state --state ESTABLISHED,RELATED \
                        -j ACCEPT &&\
        $IPTABLES -A OUTPUT -o $IFACE -p tcp \
                        -s $LOCAL_IP --sport 1024: \
                        -d any/0 --dport 20 \
                        -m state --state ESTABLISHED \
                        -j ACCEPT &&\

        # PASV FTP Connections

#       $IPTABLES -A INPUT -i $IFACE -p tcp \
#                       -s any/0 --sport 1024: \
#                       -d $LOCAL_IP --dport 1024: \
#                       -m state --state ESTABLISHED \
#                       -j ACCEPT &&\
#       $IPTABLES -A OUTPUT -o $IFACE -p tcp \
#                       -s $LOCAL_IP --sport 1024: \
#                       -d any/0 --dport 1024: \
#                       -m state --state ESTABLISHED,RELATED \
#                       -j ACCEPT &&\

        success $"adding FTP client rules" || \
        failure $"adding FTP client rules"
        echo
fi
Thanks again,

James
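Editor's added example, not part of James's post or of any reply on the list: a client-side rule set in which both PORT and PASV data connections are admitted purely through the ftp connection-tracking helper (the RELATED state) rather than through an ACCEPT on a 1024: port range, together with a small audit that flags rules which accept a port range without a state match or with NEW in it. The helper reads the port announced on the control channel and marks the first data packet RELATED, so a NEW connection to an unrelated high port (3306, say) matches nothing and falls through to the DROP policy. The names run, ftp_client_rules and audit_rules are this example's own, the interface and address are constructed placeholders, and DRY_RUN=1 (the default) prints the rules instead of applying them so the script can be read without root. It keeps the post's legacy spelling (-m state, ip_conntrack_ftp); on newer kernels the module is nf_conntrack_ftp and -m conntrack --ctstate is the current match.

```shell
#!/bin/sh
# Added example (not from the original post): FTP client rules that rely on the
# ftp conntrack helper (RELATED state) for PORT and PASV data connections, so no
# rule accepts NEW connections to a high-port range. Assumed names: run,
# ftp_client_rules, audit_rules. IFACE and LOCAL_IP below are constructed
# placeholders; override them from the environment.

IPTABLES="${IPTABLES:-iptables}"
IFACE="${IFACE:-eth0}"
LOCAL_IP="${LOCAL_IP:-192.0.2.10}"   # constructed placeholder address
DRY_RUN="${DRY_RUN:-1}"              # 1 = print the rules, 0 = apply them

# Print the command in dry-run mode, otherwise execute it.
run() {
    if [ "$DRY_RUN" = 1 ]; then printf '%s\n' "$*"; else "$@"; fi
}

ftp_client_rules() {
    # Control channel: we initiate to port 21; replies come back ESTABLISHED.
    run "$IPTABLES" -A OUTPUT -o "$IFACE" -p tcp -s "$LOCAL_IP" --dport 21 \
        -m state --state NEW,ESTABLISHED -j ACCEPT
    run "$IPTABLES" -A INPUT -i "$IFACE" -p tcp --sport 21 -d "$LOCAL_IP" \
        -m state --state ESTABLISHED -j ACCEPT
    # Data channels (PORT and PASV alike): the helper (ip_conntrack_ftp, called
    # nf_conntrack_ftp on newer kernels) sees the port announced on the control
    # channel and marks the first data packet RELATED; later packets are
    # ESTABLISHED. No port range is opened, so a NEW connection to 3306 or any
    # other high port matches neither rule and hits the DROP policy.
    run "$IPTABLES" -A INPUT -i "$IFACE" -p tcp -d "$LOCAL_IP" \
        -m state --state RELATED,ESTABLISHED -j ACCEPT
    run "$IPTABLES" -A OUTPUT -o "$IFACE" -p tcp -s "$LOCAL_IP" \
        -m state --state RELATED,ESTABLISHED -j ACCEPT
}

# Audit: read rule lines on stdin and report every ACCEPT that admits a port
# range (--dport N:) either without a state match or with NEW in it, which is
# the "high ports are open" pattern. Exits 1 if any such rule was found.
audit_rules() {
    awk '
        /-j ACCEPT/ && /--dport [0-9]+:/ && (!/--state/ || /NEW/) {
            print "blanket high-port ACCEPT: " $0; bad = 1
        }
        END { exit bad ? 1 : 0 }
    '
}

# Usage: sh ftp-rules.sh print | apply | audit < rules.txt
case "${1:-}" in
    print) DRY_RUN=1; ftp_client_rules ;;
    apply) DRY_RUN=0; ftp_client_rules ;;
    audit) audit_rules ;;
esac
```

The script prints the four rules with `sh ftp-rules.sh print`, and `sh ftp-rules.sh audit < rules.txt` checks an existing rule listing; note that the helper must be loaded (modprobe ip_conntrack_ftp, as in the post) for the RELATED rules to see any data connection at all, and that for a PASV server the same RELATED logic applies to the server's INPUT chain, which is what lets the passive port range stay closed to everything the control channel did not announce.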

