PASV rules opening up my high-ports - Whoops - sent the first one in HTML

Howdy,

Thanks in advance for reading this. If this is a common issue, I apologize,
but could you point me to a searchable archive so I don't bug this list with
previously asked questions?

Anyways, here goes...

I've got rules for FTP inbound/outbound for both PORT and PASV connections.
I'm also running MySQL, which defaults to port 3306.

If FTP PASV rules are enabled, either as a server or client, it seems all my
high ports are open to be connected to.  I?ve tried enforcing state, but I
end up either breaking the rule so that FTP doesn?t work, or I end up
opening the high-ports again.

Is there a way to fix this by developing a better rule? Or should I limit my
PASV ports to a range that does not overlap with other services?

Here are the related rules (the PASV rules are commented out):

#
# General rules
#
# IPTABLES, IFACE, LOCAL_IP and FTP_client are assumed to be set earlier in
# the script; success/failure are the Red Hat init-script helpers from
# /etc/init.d/functions.
modprobe ip_tables
modprobe ip_conntrack
modprobe ip_conntrack_ftp    # FTP helper: tracks PORT/PASV data connections as RELATED

#################################################################
# Kernel configuration section and cleansing of the filter, nat,#
# and mangle tables                                             #
#################################################################
echo -n $"clearing old rules from tables:"

# -F flushes the rules, -X deletes user-defined chains, -Z zeroes the
# chain counters - all needed on restart
$IPTABLES -F && \
$IPTABLES -t filter -F INPUT && \
$IPTABLES -t filter -F FORWARD && \
$IPTABLES -X && \
$IPTABLES -t filter -Z && \
success $"clearing old rules from tables" || \
failure $"clearing old rules from tables"
echo

# set all filtering to DROP as default
echo -n $"setting default rules to DROP: "

# used to be IPTABLES -t filter -P ...

$IPTABLES -P INPUT DROP && \
$IPTABLES -P FORWARD DROP && \
$IPTABLES -P OUTPUT DROP && \
success $"setting default rules to DROP" || \
failure $"setting default rules to DROP"
echo

#
# FTP RULES
#

if [[ $FTP_client == 1 ]] ; then
        echo -n $"adding FTP client rules: "

        # Control connection: outgoing request to port 21 and its replies
        # (0/0 = any address; iptables does not accept "any/0")

        $IPTABLES -A INPUT -i $IFACE -p tcp \
                        -s 0/0 --sport 21 \
                        -d $LOCAL_IP --dport 1024: \
                        -m state --state ESTABLISHED \
                        -j ACCEPT && \
        $IPTABLES -A OUTPUT -o $IFACE -p tcp \
                        -s $LOCAL_IP --sport 1024: \
                        -d 0/0 --dport 21 \
                        -m state --state NEW,ESTABLISHED \
                        -j ACCEPT && \

        # PORT FTP Connections: the server connects from port 20 to our
        # high port; ip_conntrack_ftp marks that first SYN RELATED

        $IPTABLES -A INPUT -i $IFACE -p tcp \
                        -s 0/0 --sport 20 \
                        -d $LOCAL_IP --dport 1024: \
                        -m state --state ESTABLISHED,RELATED \
                        -j ACCEPT && \
        $IPTABLES -A OUTPUT -o $IFACE -p tcp \
                        -s $LOCAL_IP --sport 1024: \
                        -d 0/0 --dport 20 \
                        -m state --state ESTABLISHED \
                        -j ACCEPT && \

        # PASV FTP Connections: we connect to the server's announced high
        # port, so the first SYN is RELATED on OUTPUT (currently disabled)

#       $IPTABLES -A INPUT -i $IFACE -p tcp \
#                       -s 0/0 --sport 1024: \
#                       -d $LOCAL_IP --dport 1024: \
#                       -m state --state ESTABLISHED \
#                       -j ACCEPT && \
#       $IPTABLES -A OUTPUT -o $IFACE -p tcp \
#                       -s $LOCAL_IP --sport 1024: \
#                       -d 0/0 --dport 1024: \
#                       -m state --state ESTABLISHED,RELATED \
#                       -j ACCEPT && \

        success $"adding FTP client rules" || \
        failure $"adding FTP client rules"
        echo
fi

Thanks again,

James
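The question above turns on one distinction the posted rules cannot show by themselves: a PASV rule that accepts a high-port range without `-m state` lets any SYN through to any port above 1023 (MySQL on 3306 included), while a rule that requires `RELATED,ESTABLISHED` accepts only the data connection that the ip_conntrack_ftp helper has seen announced on the control channel. The script below is an added example, not part of James's post or his script: it writes the weak and the hardened variant side by side and runs a small text audit over the generated rules that flags any ACCEPT of a port range with no state match. `IFACE`, `LOCAL_IP` (a documentation address) and the default dry-run `IPTABLES="echo iptables"` are assumptions; set `IPTABLES=iptables` and run as root to apply the rules for real.

```shell
#!/bin/sh
# Added example: stateless vs. stateful PASV rules plus an audit of the result.
# Defaults only echo the iptables commands; set IPTABLES=iptables to apply.
IPTABLES="${IPTABLES:-echo iptables}"
IFACE="${IFACE:-eth0}"              # placeholder interface
LOCAL_IP="${LOCAL_IP:-192.0.2.10}"  # placeholder, RFC 5737 documentation range

# Weak variant: a "PASV" rule written without -m state. The kernel cannot tell
# an FTP data connection from any other SYN, so every port above 1023 on
# LOCAL_IP (MySQL on 3306 included) becomes reachable from any high source port.
weak_pasv_rules() {
    $IPTABLES -A INPUT  -i "$IFACE" -p tcp --sport 1024: -d "$LOCAL_IP" --dport 1024: -j ACCEPT
    $IPTABLES -A OUTPUT -o "$IFACE" -p tcp -s "$LOCAL_IP" --sport 1024: --dport 1024: -j ACCEPT
}

# Hardened variant: let the ip_conntrack_ftp helper do the work. It parses the
# PORT/PASV exchange on the control connection and marks the first SYN of the
# data connection RELATED; every later packet is ESTABLISHED. No rule here ever
# accepts a NEW connection to a high port.
hardened_ftp_client_rules() {
    # control connection, client -> server port 21, and its replies
    $IPTABLES -A OUTPUT -o "$IFACE" -p tcp -s "$LOCAL_IP" --sport 1024: --dport 21 \
        -m state --state NEW,ESTABLISHED -j ACCEPT
    $IPTABLES -A INPUT  -i "$IFACE" -p tcp --sport 21 -d "$LOCAL_IP" --dport 1024: \
        -m state --state ESTABLISHED -j ACCEPT
    # data connections: PASV opens client -> server (RELATED on OUTPUT),
    # PORT opens server -> client (RELATED on INPUT). ESTABLISHED alone on
    # OUTPUT drops the PASV SYN, which is the "FTP breaks" failure mode.
    $IPTABLES -A OUTPUT -o "$IFACE" -p tcp -s "$LOCAL_IP" --sport 1024: \
        -m state --state RELATED,ESTABLISHED -j ACCEPT
    $IPTABLES -A INPUT  -i "$IFACE" -p tcp -d "$LOCAL_IP" --dport 1024: \
        -m state --state RELATED,ESTABLISHED -j ACCEPT
}

# Heuristic text audit: read generated rules on stdin, print every ACCEPT that
# opens a destination port range (--dport N:) without -m state / -m conntrack,
# and return 1 if any were found.
audit_rules() {
    found=0
    while IFS= read -r rule; do
        case "$rule" in *"-j ACCEPT"*) ;; *) continue ;; esac
        case "$rule" in *"--dport "*:*) ;; *) continue ;; esac
        case "$rule" in *"--state "*|*"-m conntrack"*) continue ;; esac
        printf 'stateless port-range ACCEPT: %s\n' "$rule"
        found=$((found + 1))
    done
    [ "$found" -eq 0 ]
}

printf '%s\n' '== weak rules =='
weak_pasv_rules | audit_rules || echo '-> high ports exposed'
printf '%s\n' '== hardened rules =='
hardened_ftp_client_rules | audit_rules && echo '-> no stateless high-port rule'
```

The audit only inspects the rule text, so after applying the hardened set confirm the behaviour on the box: `iptables -L INPUT -v -n` should show no ACCEPT for `dpts:1024:65535` without `state RELATED,ESTABLISHED`, and a connection attempt to port 3306 from another host should time out while an FTP transfer in passive mode still completes.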
