Fw: Problem with connection-tracking and FTP

----- Original Message -----
Sent: Thursday, January 22, 2004 9:17 AM
Subject: Re: Problem with connection-tracking and FTP

Hmm... this is the output of lsmod:
 
x-factor root # lsmod
Module                  Size  Used by    Not tainted
ipt_MASQUERADE          1496   2  (autoclean)
ipt_state                568 130  (autoclean)
ipt_unclean             7320   2  (autoclean)
ipt_LOG                 3448   6  (autoclean)
ipt_limit                984   6  (autoclean)
ipt_ULOG                3656   1
ip_conntrack_ftp        4016   0  (unused)
iptable_filter          1740   1
ppp_deflate             3288   0  (autoclean)
zlib_inflate           18820   0  (autoclean) [ppp_deflate]
zlib_deflate           18872   0  (autoclean) [ppp_deflate]
bsd_comp                4248   0  (autoclean)
ppp_async               7008   1  (autoclean)
iptable_nat            18648   1  [ipt_MASQUERADE]
ip_conntrack           20776   3  [ipt_MASQUERADE ipt_state ip_conntrack_ftp iptable_nat]
ip_tables              12352  10  [ipt_MASQUERADE ipt_state ipt_unclean ipt_LOG ipt_limit ipt_ULOG iptable_filter iptable_nat]
8139too                15784   1
mii                     2608   0  [8139too]
3c59x                  27792   1
This seems to be ok?!
 
Greets, Christian
 
----- Original Message -----
Sent: Thursday, January 22, 2004 3:12 AM
Subject: RE: Problem with connection-tracking and FTP

Yes.  That would help.  Also do an lsmod to make sure all of the needed modules are loaded.


From: Christian Gmeiner [mailto:christian@xxxxxxxxxxxxxx]
Sent: Wednesday, January 21, 2004 3:58 AM
To: markee@xxxxxxxxxxxxxxx; netfilter@xxxxxxxxxxxxxxxxxxx
Subject: Re: Problem with connection-tracking and FTP

Thanks... I have now used your rule set:
 
    # CONTROL PORT (Active & Passive Mode)
    iptables -A INPUT -i ${EXT_INT} -p tcp --source-port ${UNPRIVPORTS} --destination-port 21 -m state --state NEW -j LOG --log-prefix "FTP ACCESS -> "
    iptables -A INPUT -i ${EXT_INT} -p tcp --source-port ${UNPRIVPORTS} --destination-port 21 -m state --state NEW -j ACCEPT
 
    # DATA PORT (Active Mode)
    iptables -A OUTPUT -o ${EXT_INT} -p tcp --source-port 20 --destination-port ${UNPRIVPORTS} -m state --state NEW -j LOG  --log-prefix "FTP A-DATA -> "
    iptables -A OUTPUT -o ${EXT_INT} -p tcp --source-port 20 --destination-port ${UNPRIVPORTS} -m state --state NEW -j ACCEPT
 
    # DATA PORT (Passive Mode)
    iptables -A INPUT -i ${EXT_INT} -p tcp --source-port ${UNPRIVPORTS} --destination-port ${UNPRIVPORTS} -m state --state NEW -j LOG --log-prefix "FTP P-DATA -> "
    iptables -A INPUT -i ${EXT_INT} -p tcp --source-port ${UNPRIVPORTS} --destination-port ${UNPRIVPORTS} -m state --state NEW -j ACCEPT
 
I can connect to the FTP-Server and login... but then when the directory listing should come it hangs. I have no idea why this is so.
Should I post the output of 'iptables -L -n -v --line-numbers'?
 
Thanks, Christian Gmeiner
 
----- Original Message -----
Sent: Wednesday, January 21, 2004 6:32 AM
Subject: RE: Problem with connection-tracking and FTP

It would appear you are assuming the FTP server will choose port 1024 for passive mode ftp.  This is not correct, as it may choose any unprivileged port up to 65535.  That is one problem you are having.  Also, check your syntax for "passive mode".  You have made an error with some not needed colons (:).
Here is a good rule set that will permit all ftp operations - active and passive:
 
######################
# FTP SERVICES
######################
UNPRIVPORTS="1024:65535"
 
# CONTROL PORT (Active & Passive Mode)
$IPT -t filter -A TCP_RULES -i $FW_INET_IFACE -p tcp --source-port $UNPRIVPORTS --destination-port 21 -m state --state NEW -j LOG --log-level $LOG_LEVEL --log-prefix "FTP ACCESS -> "
$IPT -t filter -A TCP_RULES -i $FW_INET_IFACE -p tcp --source-port $UNPRIVPORTS --destination-port 21 -m state --state NEW -j ACCEPT
 
# DATA PORT (Active Mode)
$IPT -t filter -A TCP_RULES -o $FW_INET_IFACE -p tcp --source-port 20 --destination-port $UNPRIVPORTS -m state --state NEW -j LOG --log-level $LOG_LEVEL --log-prefix "FTP A-DATA -> "
$IPT -t filter -A TCP_RULES -o $FW_INET_IFACE -p tcp --source-port 20 --destination-port $UNPRIVPORTS -m state --state NEW -j ACCEPT
 
# DATA PORT (Passive Mode)
$IPT -t filter -A TCP_RULES -i $FW_INET_IFACE -p tcp --source-port $UNPRIVPORTS --destination-port $UNPRIVPORTS -m state --state NEW -j LOG --log-level $LOG_LEVEL --log-prefix "FTP P-DATA -> "
$IPT -t filter -A TCP_RULES -i $FW_INET_IFACE -p tcp --source-port $UNPRIVPORTS --destination-port $UNPRIVPORTS -m state --state NEW -j ACCEPT


From: netfilter-admin@xxxxxxxxxxxxxxxxxxx [mailto:netfilter-admin@xxxxxxxxxxxxxxxxxxx] On Behalf Of Christian Gmeiner
Sent: Tuesday, January 20, 2004 8:01 AM
To: netfilter@xxxxxxxxxxxxxxxxxxx
Subject: Problem with connection-tracking and FTP

Hi everybody.
 
I am working on a little firewall script. Everything works just fine, but I don't get the FTP protocol working.
 
I call these two functions to get FTP working:
 
# ==================================
FTP()
{
    ebegin "Setting rules for active/passive FTP"
 
    # Port 21
 
    iptables -A INPUT     -p tcp --sport 21 -m state --state ESTABLISHED -j ACCEPT
    iptables -A OUTPUT -p tcp --dport 21 -m state --state NEW,ESTABLISHED -j ACCEPT
 
    # active
    iptables -A INPUT     -p tcp --sport 20 -m state --state ESTABLISHED,RELATED -j ACCEPT
    iptables -A OUTPUT -p tcp --dport 20 -m state --state ESTABLISHED -j ACCEPT
 
    # passive
    iptables -A INPUT     -p tcp --sport 1024: --dport 1024:  -m state --state ESTABLISHED -j ACCEPT
    iptables -A OUTPUT -p tcp --sport 1024: --dport 1024:  -m state --state ESTABLISHED,RELATED -j ACCEPT
 
    eend $?
}
 

# ==================================
loadmodules()
{
    ebegin "Try to load needed modules"
 
    /sbin/modprobe ip_tables
    /sbin/modprobe iptable_filter
    /sbin/modprobe ip_conntrack
    /sbin/modprobe ip_conntrack_ftp
    /sbin/modprobe ipt_ULOG
    eend $?
}
 
And here is my start function:
# ==================================
start()
{
    ebegin "Starting Firewall"
 
    loadmodules
 
    einfo "Setting default rules to drop"
    iptables -F
    iptables -X
    iptables -Z
    iptables -F INPUT
    iptables -F OUTPUT
    iptables -F FORWARD
 
    iptables -P FORWARD DROP
    iptables -P INPUT   DROP
    iptables -P OUTPUT  DROP
 
    acceptlocal
    portscan
    proc
    iana
    illigalpackages
    spoofing
    FTP
 
    # set rules
    InOutTCP
    InTCP
    OutTCP
    InOutUDP
    InUDP
    OutUDP
 
    # Allow the clients to route through NAT (Network Address Translation)
    iptables -t nat -A POSTROUTING -o ${EXT_INT} -j MASQUERADE
    echo "1" > /proc/sys/net/ipv4/ip_forward
 
    eend $? "Failed to start Firewall"
}
 
 
And here are the ports I allow with the functions InOut*, In*, Out*, ...
 
# TCP in+out
#
TCP_IN_OUT="ssh 10000 smtp pop3 http https"
 
# TCP out
#
# 5190 = ICQ
#
TCP_OUT="5190 http https irc 25 ftp ftp-data"
 
# TCP in
#
TCP_IN=""
 
# UDP in+out
#
UDP_IN_OUT="domain ssh 10000 pop3 ssh"
 
# UDP out
#
UDP_OUT="https irc"
 
# UDP in
#
UDP_IN=""
 
 
Oh and here some important functions:
 
# ==================================
InOutTCP()
{
    ebegin "Allowing in and outbound TCP-traffic"
 
    for i in ${TCP_IN_OUT}
    do
        einfo "   <-> Setting TCP \"in\" and \"out\" rules for ${i}"
 
        iptables -A INPUT  -j ACCEPT -i ${EXT_INT} -p tcp --dport ${i} -m state --state NEW,ESTABLISHED,RELATED
        iptables -A OUTPUT -j ACCEPT -o ${EXT_INT} -p tcp --sport ${i} --dport 1024: -m state --state ESTABLISHED,RELATED
        iptables -A FORWARD  -j ACCEPT -i ${EXT_INT} -p tcp --dport ${i} -m state --state NEW,ESTABLISHED,RELATED
        iptables -A FORWARD -j ACCEPT -o ${EXT_INT} -p tcp --sport ${i} -m state --state ESTABLISHED,RELATED
 
        iptables -A OUTPUT -j ACCEPT -o ${EXT_INT} -p tcp --sport 1024: --dport ${i} -m state --state NEW,ESTABLISHED,RELATED
        iptables -A INPUT  -j ACCEPT -i ${EXT_INT} -p tcp --sport ${i} -m state --state ESTABLISHED,RELATED
        iptables -A FORWARD -j ACCEPT -o ${EXT_INT} -p tcp -s ${LAN} --sport 1024: --dport ${i} -m state --state NEW,ESTABLISHED,RELATED
        iptables -A FORWARD  -j ACCEPT -i ${EXT_INT} -p tcp --sport ${i} -d ${LAN} -m state --state ESTABLISHED,RELATED
    done
 
    eend $?
}
 
# ==================================
OutTCP()
{
    ebegin "Allowing outbound TCP-traffic"
 
    for i in ${TCP_OUT}
    do
        einfo "   <-> Setting TCP \"out\" rules for ${i}"
 
        iptables -A OUTPUT -j ACCEPT -o ${EXT_INT} -p tcp --sport 1024: --dport $i -m state --state NEW,ESTABLISHED,RELATED
        iptables -A INPUT  -j ACCEPT -i ${EXT_INT} -p tcp --sport $i -m state --state ESTABLISHED,RELATED
        iptables -A FORWARD -j ACCEPT -o ${EXT_INT} -p tcp -s ${LAN} --sport 1024: --dport $i -m state --state NEW,ESTABLISHED,RELATED
        iptables -A FORWARD  -j ACCEPT -i ${EXT_INT} -p tcp --sport $i -d ${LAN} -m state --state ESTABLISHED,RELATED
    done
 
    eend $?
}
 
I hope somebody can help me.
 
Thanks, Christian Gmeiner
 
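An added example, not code from anyone in this thread, to set beside the rule sets above: once ip_conntrack_ftp is loaded, the data connection of an active or passive transfer is classified RELATED to the tracked control connection, so the firewall can accept RELATED,ESTABLISHED instead of opening 1024:65535 to NEW connections, and a second function does the lsmod check the second reply asks for. It assumes EXT_INT names the Internet-facing interface and defaults IPT to a dry run that only prints the commands.

```shell
#!/bin/sh
# Added example (not from the thread): conntrack-based FTP rules for a local
# FTP server, plus a check of an lsmod listing for the modules they rely on.
# Assumptions: EXT_INT is the external interface; IPT defaults to a dry run.

EXT_INT="${EXT_INT:-eth0}"
IPT="${IPT:-echo iptables}"

# With ip_conntrack_ftp loaded, the data connection of a PORT or PASV
# transfer is RELATED to the control connection, so no rule has to accept
# NEW traffic anywhere in 1024:65535.
ftp_rules() {
    # control connection to the local FTP server
    $IPT -A INPUT  -i "$EXT_INT" -p tcp --dport 21 -m state --state NEW,ESTABLISHED -j ACCEPT
    $IPT -A OUTPUT -o "$EXT_INT" -p tcp --sport 21 -m state --state ESTABLISHED -j ACCEPT
    # data connections, both directions: only what the helper has announced
    $IPT -A INPUT  -i "$EXT_INT" -p tcp -m state --state RELATED,ESTABLISHED -j ACCEPT
    $IPT -A OUTPUT -o "$EXT_INT" -p tcp -m state --state RELATED,ESTABLISHED -j ACCEPT
}

# Reads lsmod output on stdin and reports missing FTP-tracking modules.
# A "(unused)" count on ip_conntrack_ftp is normal: the helper is called by
# ip_conntrack, not referenced by any rule. When iptable_nat is loaded,
# ip_nat_ftp is needed as well for FTP sessions that pass through MASQUERADE.
check_ftp_modules() {
    listing=$(cat)
    wanted="ip_tables ip_conntrack ip_conntrack_ftp"
    if printf '%s\n' "$listing" | grep -q '^iptable_nat[[:space:]]'; then
        wanted="$wanted ip_nat_ftp"
    fi
    missing=""
    for m in $wanted; do
        printf '%s\n' "$listing" | grep -q "^$m[[:space:]]" || missing="$missing $m"
    done
    [ -z "$missing" ] && return 0
    echo "missing modules:$missing" >&2
    return 1
}

# Constructed sample in the lsmod format shown in the thread (NAT loaded,
# helper loaded, but no ip_nat_ftp).
SAMPLE_LSMOD='Module                  Size  Used by    Not tainted
ip_conntrack_ftp        4016   0  (unused)
iptable_nat            18648   1  [ipt_MASQUERADE]
ip_conntrack           20776   3  [ipt_MASQUERADE ip_conntrack_ftp iptable_nat]
ip_tables              12352  10  [iptable_filter iptable_nat]'

ftp_rules
printf '%s\n' "$SAMPLE_LSMOD" | check_ftp_modules || echo "load the missing modules first" >&2
```

Run it as is to see the commands it would issue; set IPT=iptables and feed real `lsmod` output to `check_ftp_modules` to apply the check on a live box.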
 
