Re: stateful filter for inbound to FTP server (passive mode)

Morvan wrote:
To have an FTP server on a DMZ segment (behind the fw) I need to open 21/tcp, syn=1 and all ports above 1024/tcp, syn=1 to the FTP server IP. For me this is very bad, because I have other services running on the FTP server box that must not be reachable from the world.

My question: is there an application filter extension for an FTP server that interacts with iptables/ipfilter to dynamically handle inbound/reverse passive-mode FTP connections, based on an established FTP control channel (21/tcp), to an FTP server on the DMZ? (I.e. stateful filtering based on the first connection established to port 21/tcp.)
For example, I only create the inbound rule in the fw for the FTP server in the DMZ (allow any tcp 21 syn), and this application filter opens the reverse socket for inbound passive connections, which require syn=1 on ports above 1024/tcp. So only sources that have an established FTP session (21/tcp) with the FTP server can see ports above 1024, and only the port negotiated by the control session on port 21/tcp.


PS:
For outbound connections via NAT/iptables there is the "ip_nat_ftp" module to make FTP clients work in passive and port mode, OK! What I want is inbound stateful filtering for an FTP server.

It is done exactly the same way for inbound (server) as you would do for outbound (client) connections. This is just a hint, modify to match your configuration/needs:


-A INPUT -p tcp --sport 1024: --dport 21 -m state --state NEW,ESTABLISHED -j ACCEPT
-A INPUT -p tcp --sport 1024: --dport 1024: -m helper --helper ftp -m state --state RELATED -j ACCEPT
-A OUTPUT -p tcp --sport 20 --dport 1024: -m helper --helper ftp -m state --state RELATED -j ACCEPT


Add additional options to restrict it further (interfaces, IP addresses/ranges, and so on) as you need.

You need to manually load ip_conntrack_ftp and/or ip_nat_ftp (depending on whether you need it to work over NAT) for the above to work.

--
Aleksandar Milivojevic <amilivojevic@xxxxxx>    Pollard Banknote Limited
Systems Administrator                           1499 Buffalo Place
Tel: (204) 474-2323 ext 276                     Winnipeg, MB  R3T 1L7
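The reply above relies on the FTP conntrack helper watching the control channel and creating a one-shot "expectation" for the data port advertised in the server's 227 reply, so that only that source, to that port, matches `--state RELATED`. The following is an added illustration, not code from the thread or from netfilter: a small Python model of that logic, placed beside the "open everything above 1024" policy the original poster wanted to avoid. All addresses, ports and the 227 line are constructed sample values; the model simplifies the real helper (it tracks a single expectation per 227 reply and ignores the sequence-number and timeout handling the kernel does).

```python
import re
from dataclasses import dataclass, field

# 227 Entering Passive Mode (h1,h2,h3,h4,p1,p2): data port = p1*256 + p2
PASV_RE = re.compile(r"^227 .*?\((\d+),(\d+),(\d+),(\d+),(\d+),(\d+)\)")


@dataclass
class FtpHelperState:
    """Simplified model of what ip_conntrack_ftp keeps: which (client, server)
    pairs have a control session on 21/tcp, and the data-connection
    expectations derived from 227 replies seen on those sessions."""
    control: set = field(default_factory=set)       # {(client_ip, server_ip)}
    expectations: set = field(default_factory=set)  # {(client_ip, server_ip, data_port)}

    def control_session(self, client, server):
        """A NEW connection to 21/tcp was accepted and is now tracked."""
        self.control.add((client, server))

    def observe_server_reply(self, client, server, line):
        """Feed one line the server sent on the control channel.
        Returns the expected data port if the line was a usable 227 reply."""
        if (client, server) not in self.control:
            return None  # helper only parses tracked control sessions
        m = PASV_RE.match(line)
        if not m:
            return None
        advertised_ip = ".".join(m.group(i) for i in range(1, 5))
        port = int(m.group(5)) * 256 + int(m.group(6))
        # The real helper refuses an advertised address that is not the
        # server's own (loose mode off); model that check here as well.
        if advertised_ip != server:
            return None
        self.expectations.add((client, server, port))
        return port


def blanket_policy(state, src, dst, dport):
    """The poster's starting point: 21/tcp plus every port above 1024 is
    open to the whole world, so unrelated services on the box are exposed."""
    return dport == 21 or dport > 1024


def helper_policy(state, src, dst, dport):
    """The reply's approach: 21/tcp is NEW,ESTABLISHED for anyone; ports above
    1024 are accepted only as RELATED, i.e. when an expectation created from
    this client's own control session names exactly this port."""
    if dport == 21:
        state.control_session(src, dst)
        return True
    key = (src, dst, dport)
    if dport > 1024 and key in state.expectations:
        state.expectations.discard(key)  # expectation is consumed once
        return True
    return False


def demo():
    """Walks one passive-mode transfer and a few hostile SYNs through both
    policies; returns the decisions so they can be checked."""
    server, client, stranger = "192.0.2.10", "198.51.100.7", "203.0.113.9"
    st = FtpHelperState()
    results = {}
    results["client_control"] = helper_policy(st, client, server, 21)
    # constructed 227 reply: 195*256 + 80 = 50000
    results["pasv_port"] = st.observe_server_reply(
        client, server, "227 Entering Passive Mode (192,0,2,10,195,80)")
    results["client_data"] = helper_policy(st, client, server, 50000)
    results["client_data_replay"] = helper_policy(st, client, server, 50000)
    results["stranger_data"] = helper_policy(st, stranger, server, 50000)
    results["stranger_other_service"] = helper_policy(st, stranger, server, 8080)
    results["blanket_other_service"] = blanket_policy(st, stranger, server, 8080)
    return results


if __name__ == "__main__":
    for name, decision in demo().items():
        print(f"{name:>24}: {decision}")
```

The contrast to look at is `stranger_other_service` versus `blanket_other_service`: with the helper-based rules a SYN to 8080/tcp from a host that never negotiated anything on port 21 is dropped, while the blanket rule set lets it through, which is exactly the exposure the question describes. `client_data_replay` shows the one-shot nature of the expectation: a second SYN to the same data port after the first has been matched is no longer RELATED.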

