Hi Pascal,
the "-t nat" was a typo in the email.
I wrote the "RELATED" specification because I thought port 20 and the rest of the connections (in passive and active mode)
may be handled by ip_conntrack_ftp and ip_nat_ftp in an "automagically" way. Thats why I was asking about the modules
functionallity.
Anyway, I used your suggestion (which I already knew) and wrote the extra rules for port 20, 1024:, etc.
you wrote:
> You don't need to care about conntrack states in the nat table : only
> the first packet of a NEW connection goes through the nat chains.
I didn't know that, thanks.
Many thanks, problem solved.
--
Ing. Ernesto Silva.
Coordinador de Desarrollo Web y Sistemas Abiertos
Universidad ORT Uruguay.
E-mail: silva@xxxxxxxxxx
Tel: (+598-2) 902-1505 ext. 206
Pascal Hambourg wrote:
Hello,
Ernesto Silva a écrit :
I'm having a problem to access internet ftp servers from my
internal network. I understand the ftp connection but I don't have
enough information about ip_conntrack_ftp and ip_nat_ftp modules, so
here is my situation.
I'm using iptables 1.3.3-3, I have the mentioned modules loaded and
wrote the following rules:
_fwd="iptables -A FORWARD"
_nat="iptables -A POSTROUTING"
Same remark as Baltasar about "-t nat" missing in _nat.
Are you sure you understand the FTP protocol ? When reading your
ruleset, I doubt it.
$_fwd -i $INT_IF -p tcp -s $INT_NET --sport 1024: -o $INET_IF --dport
21 -m state --state NEW,ESTABLISHED,RELATED -j ACCEPT
$_fwd -i $INET_IF -p tcp --sport 21 -o $INT_IF -d $INT_NET --dport
1024: -m state --state ESTABLISHED,RELATED -j ACCEPT
You'll never see an FTP control packet (TCP 21) in the RELATED state.
$_nat -p tcp -s $INT_NET --sport 1024: -o $INET_IF --dport 21 -m state
--state NEW,ESTABLISHED,RELATED -j SNAT --to $INET_NIC
You don't need to care about conntrack states in the nat table : only
the first packet of a NEW connection goes through the nat chains.
Are those rules enough?
No. They only allow FTP control connections, not FTP data connections
used for file transfer and directory listing.
From your ruleset, I understand you want to allow FTP between internal
clients and external servers, and nothing else. All right. Be aware that
blocking the useful RELATED ICMP may break things, though.
First, FTP is made of a classic TCP control connection from the client
to the server on port 21. It means the first packet is NEW and all
others are ESTABLISHED, so :
$_fwd -i $INT_IF -s $INT_NET -o $INET_IF -p tcp --sport 1024: \
--dport 21 -m state --state NEW,ESTABLISHED -j ACCEPT
$_fwd -i $INET_IF -o $INT_IF -d $INT_NET -p tcp --sport 21 \
--dport 1024: -m state --state ESTABLISHED -j ACCEPT
$_nat -o $INET_IF -s $INT_NET -p tcp --sport 1024: --dport 21 \
-j SNAT --to $INET_NIC
Second, a TCP active or passive FTP data connection is established
whenever a file transfer or directory listing is needed. Passive data
connections are established from the client to the server with random
unprivileged ports on both sides. Active data connections are
established from the port 20 of the server to an unprivileged random
port of the client. When the ip_conntrack_ftp module is loaded, the
first packet is RELATED (instead of NEW without the module), and all the
others are ESTABLISHED as usual. So :
# passive mode
$_fwd -i $INT_IF -s $INT_NET -o $INET_IF -p tcp --sport 1024: \
--dport 1024: -m state --state ESTABLISHED,RELATED -j ACCEPT
$_fwd -i $INET_IF -o $INT_IF -d $INT_NET -p tcp --sport 1024: \
--dport 1024: -m state --state ESTABLISHED -j ACCEPT
# active mode
$_fwd -i $INET_IF -o $INT_IF -d $INT_NET -p tcp --sport 20 \
--dport 1024: -m state --state ESTABLISHED,RELATED -j ACCEPT
$_fwd -i $INT_IF -s $INT_NET -o $INET_IF -p tcp --sport 1024: \
--dport 20 -m state --state ESTABLISHED -j ACCEPT
No need for any NAT rule, the ip_nat_ftp module will smartly take care
of everything automatically.
But IMHO this is a bit overkill. Here's what I'd use :
# that's for any ESTABLISHED and RELATED traffic, not only FTP
$_fwd -i $INT_IF -s $INT_NET -o $INET_IF -m state --state \
ESTABLISHED,RELATED -j ACCEPT
$_fwd -i $INET_IF -o $INT_IF -d $INT_NET -m state --state \
ESTABLISHED,RELATED -j ACCEPT
# that's for the first packet of a control connection
$_fwd -i $INT_IF -s $INT_NET -o $INET_IF -p tcp --sport 1024: \
--dport 21 -m state --state NEW,ESTABLISHED -j ACCEPT
$_nat -o $INET_IF -s $INT_NET -p tcp --sport 1024: --dport 21 \
-j SNAT --to $INET_NIC
Notes about ip_conntrack_ftp and ip_nat_ftp :
1) They only work on plain unencrypted FTP. They don't work on FTPS (FTP
encrypted with TLS/SSL).
2) When using FTP control connections on non standard ports (i.e. other
than 21), you must specify theses ports (as well as port 21 if used too)
in the "ports" parameter of both modules when loading them.
