Re: IPtables settings to access a backup FTP

Hi, I've got ip_conntrack running.

My server hosts FTP accounts and I also need outgoing ftp ...

No problems accessing the FTP hosted on this server, but I can't do a CWD (ls) from this server to another external FTP server unless the firewall is deactivated.

I guess you are going to say most of my settings are useless, but here are my current settings:


-------------------------

Chain INPUT (policy DROP)
target     prot opt source               destination
ACCEPT     all  --  anywhere             anywhere            state RELATED,ESTABLISHED
ACCEPT     tcp  --  anywhere             anywhere            tcp dpt:ftp-data
ACCEPT     tcp  --  anywhere             anywhere            tcp dpt:ftp
LOG_ACCEPT  tcp  --  anywhere             anywhere            tcp dpt:2022
LOG_ACCEPT  tcp  --  anywhere             anywhere            tcp dpt:smtp
ACCEPT     tcp  --  anywhere             anywhere            tcp dpt:whois
ACCEPT     udp  --  anywhere             anywhere            udp dpt:domain
ACCEPT     tcp  --  anywhere             anywhere            tcp dpt:www
ACCEPT     tcp  --  anywhere             anywhere            tcp dpt:pop3
ACCEPT     tcp  --  anywhere             anywhere            tcp dpt:imap2
ACCEPT     tcp  --  anywhere             anywhere            tcp dpt:https
ACCEPT     tcp  --  anywhere             anywhere            tcp dpt:ntp
ACCEPT     tcp  --  anywhere             anywhere            tcp dpt:8443
ACCEPT     tcp  --  anywhere             anywhere            tcp dpt:8880
ACCEPT     tcp  --  anywhere             anywhere            tcp dpt:42630
ACCEPT     udp  --  anywhere             anywhere            udp dpt:42630
ACCEPT     tcp  --  anywhere             anywhere            tcp dpt:imaps
ACCEPT     tcp  --  anywhere             anywhere            tcp dpt:mysql
ACCEPT     all  --  localhost.localdomain  anywhere
icmp_packets  icmp --  anywhere             anywhere
LOG_DROP   all  --  anywhere             anywhere

Chain FORWARD (policy DROP)
target     prot opt source               destination
ACCEPT     tcp  --  anywhere             anywhere            tcp dpt:ftp flags:SYN,RST,ACK/SYN

Chain OUTPUT (policy DROP)
target     prot opt source               destination
ACCEPT     all  --  anywhere             anywhere            state RELATED,ESTABLISHED
ACCEPT     tcp  --  anywhere             anywhere            tcp dpt:ftp-data
ACCEPT     tcp  --  anywhere             anywhere            tcp dpt:ftp
ACCEPT     tcp  --  anywhere             anywhere            tcp dpt:2022
ACCEPT     tcp  --  anywhere             anywhere            tcp dpt:telnet
ACCEPT     tcp  --  anywhere             anywhere            tcp dpt:smtp
ACCEPT     tcp  --  anywhere             anywhere            tcp dpt:whois
ACCEPT     udp  --  anywhere             anywhere            udp dpt:domain
ACCEPT     tcp  --  anywhere             anywhere            tcp dpt:www
ACCEPT     tcp  --  anywhere             anywhere            tcp dpt:pop3
ACCEPT     tcp  --  anywhere             anywhere            tcp dpt:imap2
ACCEPT     tcp  --  anywhere             anywhere            tcp dpt:https
ACCEPT     udp  --  anywhere             anywhere            udp dpt:ntp
ACCEPT     tcp  --  anywhere             anywhere            tcp dpt:imaps
ACCEPT     tcp  --  anywhere             anywhere            tcp dpt:mysql
ACCEPT     all  --  anywhere             localhost.localdomain
icmp_packets  icmp --  anywhere             anywhere
LOG_DROP   all  --  anywhere             anywhere

Chain LOG_ACCEPT (2 references)
target     prot opt source               destination
LOG        all  --  anywhere             anywhere            LOG level warning tcp-options ip-options prefix `[IPTABLES ACCEPT] : '
ACCEPT     all  --  anywhere             anywhere

Chain LOG_DROP (2 references)
target     prot opt source               destination
LOG        all  --  anywhere             anywhere            LOG level warning tcp-options ip-options prefix `[IPTABLES DROP] : '
DROP       all  --  anywhere             anywhere

Chain icmp_packets (2 references)
target     prot opt source               destination
ACCEPT     icmp --  anywhere             anywhere            limit: avg 1/sec burst 1
LOG        icmp --  anywhere             anywhere            limit: avg 1/sec burst 1 LOG level warning prefix `PING-DROP: '

--------------

Thanks for any suggestions!


Richard



Martijn Lievaart wrote:
Richard wrote:
Hello, this is my first message so I hope I'm doing this right! :)

I've got iptables set up and running well on my server and up to now I've not had any problems; however, I have just installed a backup system which needs to connect by FTP to a distant server.

With my firewall deactivated all works fine; however, with the firewall activated, when I use the "ls" command of the Debian ftp command line package (CWD) I get:

200 ok, then a long wait, then:
421 Service not available, remote server has closed connection.

I've tried this on two different FTPs, and it only works if the firewall is deactivated.

One server is a Plesk server, but the server I need to connect to I do not know much about; with FileZilla on my PC I've managed to connect to it with both FTP active and FTP passive, so I guess it can do both.

On my server I just do:

ftp ftp.server.com
username
password

So I'm not sure if it connects as passive or active.

These are the ports that I have got open:

-A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
-A OUTPUT -m state --state ESTABLISHED,RELATED -j ACCEPT

-A INPUT -p tcp -m tcp --dport 20 -j ACCEPT

You don't need this (see below), but it is wrong anyhow. Active ftp uses SOURCE port 20, not destination port 20. Most guides on the inuhnet thingie get this wrong.

-A INPUT -p tcp -m tcp --dport 21 -j ACCEPT

Do you also want to accept FTP connections? You don't need this to make outgoing connections.


-A OUTPUT -p tcp -m tcp --dport 20 -j ACCEPT

This is nonsense.

-A OUTPUT -p tcp -m tcp --dport 21 -j ACCEPT

This is the only rule you need to make outgoing FTP connections.


Which ports do you suggest I should open to connect to this FTP server?


It's not only about static ports. FTP uses dynamic ports as well that must be tracked by a helper. Modprobe nf_conntrack_ftp (ip_conntrack_ftp on older kernels) and all should be well.

HTH,
M4
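The setup the reply describes, as an added example that is not part of the thread: the single OUTPUT rule to port 21 that an FTP client needs, the state rules, and the conntrack FTP helper so that the data connection (active: inbound from the server's source port 20; passive: outbound to a port announced over the control channel) is accepted as RELATED. It also includes a small check, run over a constructed iptables-save-style sample modelled on the rules quoted above, that counts the "--dport 20" rules the reply calls wrong. The explicit `-j CT --helper ftp` rule in the raw table is an addition beyond what the thread shows: kernels since 4.7 no longer attach conntrack helpers automatically, so on a current system the modprobe alone is not enough. The function names and the sample rules are this example's own.

```shell
#!/bin/sh
# Added example, not code from the thread. Minimal client-side netfilter setup
# for outgoing FTP plus a check for useless "--dport 20" rules.
# Assumptions: iptables (legacy or nft backend), GNU or BusyBox grep, and a
# kernel that provides nf_conntrack_ftp.

# Rules are printed rather than applied so they can be reviewed first.
# Apply with:  ftp_client_rules | sh
ftp_client_rules() {
    cat <<'EOF'
modprobe nf_conntrack_ftp
# Since kernel 4.7 helpers are no longer assigned automatically: attach the
# FTP helper to control connections explicitly in the raw table.
iptables -t raw -A OUTPUT -p tcp --dport 21 -j CT --helper ftp
iptables -A INPUT  -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
iptables -A OUTPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
# The only static rule an FTP client needs: the control connection to port 21.
# Data connections (active or passive) are picked up by the helper as RELATED.
iptables -A OUTPUT -p tcp --dport 21 -m conntrack --ctstate NEW -j ACCEPT
EOF
}

# True when the FTP conntrack helper is loaded (module or built in).
ftp_helper_loaded() {
    [ -d /sys/module/nf_conntrack_ftp ] ||
        grep -q '^nf_conntrack_ftp ' /proc/modules 2>/dev/null
}

# Count rules on stdin (iptables-save format) that accept traffic *to* port
# 20 / ftp-data. Active FTP data connections come *from* server port 20 to a
# dynamic client port, so such rules never match a data connection.
# -w keeps "--dport 2022" from being counted as "--dport 20".
count_dport20_rules() {
    grep -c -E -w -- '--dport (20|ftp-data)' || true
}

# Constructed sample modelled on the rules quoted in the thread; exactly the
# two "--dport 20" lines should be counted.
SAMPLE_RULES='-A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
-A OUTPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
-A INPUT -p tcp -m tcp --dport 20 -j ACCEPT
-A INPUT -p tcp -m tcp --dport 21 -j ACCEPT
-A OUTPUT -p tcp -m tcp --dport 20 -j ACCEPT
-A OUTPUT -p tcp -m tcp --dport 21 -j ACCEPT
-A INPUT -p tcp -m tcp --dport 2022 -j ACCEPT'

sample_dport20_count() {
    printf '%s\n' "$SAMPLE_RULES" | count_dport20_rules
}

# Run with --check to report on the sample and on the live helper state;
# on a real host replace the sample with:  iptables-save | count_dport20_rules
if [ "${1:-}" = "--check" ]; then
    echo "useless --dport 20 rules in sample: $(sample_dport20_count)"
    if ftp_helper_loaded; then
        echo "nf_conntrack_ftp is loaded"
    else
        echo "nf_conntrack_ftp is NOT loaded"
    fi
fi
```

The generated rule set deliberately has no rule for port 20 in either direction and no port 21 INPUT rule: those are only needed when the host also serves FTP, which the reply points out is a separate question. If the helper is loaded but `ls` still hangs, the usual cause on a recent kernel is the missing `CT --helper` assignment.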



