Re: FTP Connection problems.

Vincent Blondel wrote:
Thanks a lot for all the details but I still get some problems. As I
said, all the netfilter source code is compiled into a custom kernel
without any modules.


Concerning the little iptables script I have written, I updated it with
your comments and now I have the following script

[snip]

if [ "$CONN_TRACK" = "1" ]; then
        # accept packets belonging to connections the tracker already knows
        $fw -A INPUT -m state --state ESTABLISHED -j ACCEPT
        $fw -A OUTPUT -m state --state ESTABLISHED -j ACCEPT
        $fw -A FORWARD -m state --state ESTABLISHED -j ACCEPT
        # accept ICMP errors related to tracked connections
        $fw -A INPUT -p icmp -m state --state RELATED -j ACCEPT
fi

Add these too:

$fw -A OUTPUT -p icmp -m state --state RELATED -j ACCEPT
$fw -A FORWARD -p icmp -m state --state RELATED -j ACCEPT

... but the connection takes a long time to terminate. If I disable all
the rules, the ftp connection goes directly, but with iptables enabled it
takes some 8 seconds to accomplish the anonymous connection (with
data port and passive modes).

What is this all about ???

You could use a bit of logging. Add these as last rules (at the very end of your script):


iptables -A INPUT -j LOG --log-prefix "INPUT "
iptables -A OUTPUT -j LOG --log-prefix "OUTPUT "
iptables -A FORWARD -j LOG --log-prefix "FORWARD "

Logs will go wherever your kernel logs go.  Usually /var/log/messages.

Since these will be at the end of your rules, they will log all packets dropped by policy just before they are dropped. My guess is that you will either find TCP SYN packets to port 113 (ident) or UDP packets to port 53 (DNS).

To silently disable ident (incoming and outgoing) on the FTP server, you could do something like this (you can add a line for FORWARDED packets, if you wish):

iptables -A INPUT -p tcp --sport 1024: --dport 113 \
   -j REJECT --reject-with tcp-reset
iptables -A OUTPUT -p tcp --sport 1024: --dport 113 \
   -j REJECT --reject-with tcp-reset
iptables -A OUTPUT -p tcp --sport 113 --dport 1024: \
   -m state --state RELATED -j ACCEPT

If you want your FTP server to be able to resolve names and reverse lookup IP addresses:

iptables -A OUTPUT -p udp --sport 1024: --dport 53 \
   -m state --state NEW -j ACCEPT
iptables -A OUTPUT -p tcp --sport 1024: --dport 53 \
   -m state --state NEW -j ACCEPT

(you can add IP address(es) of your DNS server(s) there)

--
Aleksandar Milivojevic <amilivojevic@xxxxxx>    Pollard Banknote Limited
Systems Administrator                           1499 Buffalo Place
Tel: (204) 474-2323 ext 276                     Winnipeg, MB  R3T 1L7
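The reply above suggests catch-all LOG rules and then guesses that the dropped packets will turn out to be ident (TCP/113) or DNS (port 53). The following Python script is an added example, not code from either poster: it parses the lines the LOG target writes to the kernel log, counts the dropped packets per chain, protocol and destination port, and maps what it finds back to the fixes proposed in the reply. The log lines are constructed to match the field layout of netfilter's LOG output (hostname "ftpsrv", interface "eth0" and all addresses are made up, from the RFC 5737 documentation ranges).

```python
import re
from collections import Counter

# Constructed sample of what the three catch-all LOG rules write to the
# kernel log (syslog prefix followed by the netfilter fields). The last
# line is an unrelated sshd entry to show that non-netfilter lines are
# skipped. None of this is real traffic.
SAMPLE_LOG = """\
Jan 12 10:15:32 ftpsrv kernel: INPUT IN=eth0 OUT= SRC=192.0.2.10 DST=198.51.100.5 LEN=60 TOS=0x00 PREC=0x00 TTL=64 ID=4711 DF PROTO=TCP SPT=45821 DPT=113 WINDOW=5840 RES=0x00 SYN URGP=0
Jan 12 10:15:35 ftpsrv kernel: INPUT IN=eth0 OUT= SRC=192.0.2.10 DST=198.51.100.5 LEN=60 TOS=0x00 PREC=0x00 TTL=64 ID=4712 DF PROTO=TCP SPT=45821 DPT=113 WINDOW=5840 RES=0x00 SYN URGP=0
Jan 12 10:15:36 ftpsrv kernel: OUTPUT IN= OUT=eth0 SRC=198.51.100.5 DST=198.51.100.1 LEN=71 TOS=0x00 PREC=0x00 TTL=64 ID=0 DF PROTO=UDP SPT=32901 DPT=53 LEN=51
Jan 12 10:15:40 ftpsrv kernel: INPUT IN=eth0 OUT= SRC=203.0.113.7 DST=198.51.100.5 LEN=84 TOS=0x00 PREC=0x00 TTL=57 ID=2 PROTO=ICMP TYPE=8 CODE=0 ID=1 SEQ=1
Jan 12 10:15:41 ftpsrv sshd[2041]: Accepted publickey for admin from 203.0.113.9 port 51022
"""

# "kernel: <log-prefix> IN=..." -- the prefix is the chain name given to
# --log-prefix in the reply ("INPUT ", "OUTPUT ", "FORWARD ").
LINE_RE = re.compile(r"kernel: (?P<chain>[A-Z]+) (?P<fields>IN=.*)$")
FIELD_RE = re.compile(r"(?P<key>[A-Z]+)=(?P<val>\S*)")
# TCP flags and DF appear as bare words without '=' in LOG output.
FLAG_RE = re.compile(r"(?<=\s)(SYN|ACK|FIN|RST|PSH|URG|DF)(?=\s|$)")

# Remedies taken from the reply, keyed by what the dropped packets are.
HINTS = {
    "ident": "REJECT TCP to port 113 with --reject-with tcp-reset so the "
             "FTP client does not wait for an ident timeout",
    "dns": "ACCEPT NEW UDP and TCP to port 53 so the server can resolve "
           "and reverse-lookup client addresses",
}


def parse_line(line):
    """Return a dict for one netfilter LOG line, or None for other lines."""
    m = LINE_RE.search(line)
    if not m:
        return None
    fields = dict(FIELD_RE.findall(m.group("fields")))
    return {
        "chain": m.group("chain"),
        "proto": fields.get("PROTO"),
        "src": fields.get("SRC"),
        "dst": fields.get("DST"),
        "sport": int(fields["SPT"]) if "SPT" in fields else None,
        "dport": int(fields["DPT"]) if "DPT" in fields else None,
        "flags": set(FLAG_RE.findall(m.group("fields"))),
    }


def classify(pkt):
    """Label a dropped packet by the service the reply expects to see."""
    if pkt["proto"] == "TCP" and pkt["dport"] == 113:
        return "ident"
    if pkt["proto"] in ("TCP", "UDP") and pkt["dport"] == 53:
        return "dns"
    if pkt["proto"] == "ICMP":
        return "icmp"
    return "other"


def summarize(text):
    """Count dropped packets per (chain, proto, dport, label)."""
    counts = Counter()
    for line in text.splitlines():
        pkt = parse_line(line)
        if pkt is None:
            continue
        counts[(pkt["chain"], pkt["proto"], pkt["dport"], classify(pkt))] += 1
    return counts


def suggestions(counts):
    """Return (label, remedy) pairs for the services seen in the counts."""
    seen = {label for (_, _, _, label) in counts}
    return [(label, hint) for label, hint in HINTS.items() if label in seen]


if __name__ == "__main__":
    # Real use: python3 thisscript.py < /var/log/messages
    import sys
    text = sys.stdin.read() if not sys.stdin.isatty() else SAMPLE_LOG
    counts = summarize(text)
    for (chain, proto, dport, label), n in sorted(counts.items(), key=str):
        print(f"{chain:8} {proto:5} dport={dport!s:6} {label:6} x{n}")
    for label, hint in suggestions(counts):
        print(f"-> {label}: {hint}")
```

Run against the sample, the script reports two TCP SYNs to port 113 dropped in INPUT and one UDP query to port 53 dropped in OUTPUT, which is exactly the pair of symptoms the reply predicts; the ICMP echo request is counted but gets no remedy because the reply does not discuss it. Piping a real `/var/log/messages` through it applies the same classification to whatever the catch-all rules actually logged.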

