Firewall and FTP

tsweatt · 04-21-2004, 06:56 PM

Running a linux firewall (mandrake 9.2) to let us selectively use either our campus LAN or our cable modem. Its working great, but I can't seem to get FTP to work correctly.

Here's what happens when I try to connect to any FTP site (and I've tried more than 5):

C:\>ftp
ftp> open
To ftp.*********.net
Connected to ftp.********.net.
220 *********.net FTP Server v3.0 for WinSock ready...
User (ftp.********.net

none)): notrelevant
331 User name okay, need password.
Password:
230 User logged in, proceed.
ftp> dir
Connection closed by remote host.
ftp>

Here's the firewall script for that interface:

Code:

#!/bin/bash
IPT=/sbin/iptables

$IPT -N OUT_MU
$IPT -A OUT_MU -p tcp -m state --state ESTABLISHED,RELATED -j ACCEPT
$IPT -A OUT_MU -p udp -m state --state ESTABLISHED,RELATED -j ACCEPT

#---TCP---#
$IPT -A OUT_MU -m state --state NEW -p tcp --dport 20:21     -j ACCEPT        #FTP
$IPT -A OUT_MU -m state --state NEW -p tcp --dport 22        -j ACCEPT        #SSH
$IPT -A OUT_MU -m state --state NEW -p tcp --dport 23        -j ACCEPT        #TELNET
$IPT -A OUT_MU -m state --state NEW -p tcp --dport 25        -j ACCEPT        #SMTP
$IPT -A OUT_MU -m state --state NEW -p tcp --dport 80        -j ACCEPT        #HTTP
$IPT -A OUT_MU -m state --state NEW -p tcp --dport 110       -j ACCEPT        #POP3
$IPT -A OUT_MU -m state --state NEW -p tcp --dport 143       -j ACCEPT        #IMAP
$IPT -A OUT_MU -m state --state NEW -p tcp --dport 443       -j ACCEPT        #HTTPS
$IPT -A OUT_MU -m state --state NEW -p tcp --dport 445       -j ACCEPT        #MICROSOFT_DS
$IPT -A OUT_MU -m state --state NEW -p tcp --dport 682       -j ACCEPT        #AWW-2-DSP
$IPT -A OUT_MU -m state --state NEW -p tcp --dport 684       -j ACCEPT        #TERMINAL-TO-SAVANNAH
$IPT -A OUT_MU -m state --state NEW -p tcp --dport 1433      -j ACCEPT        #SQL-SERVER
$IPT -A OUT_MU -m state --state NEW -p tcp --dport 3389      -j ACCEPT        #TERMINAL-SERVICES
$IPT -A OUT_MU -m state --state NEW -p tcp --dport 4000      -j ACCEPT        #REALM GAMES
$IPT -A OUT_MU -m state --state NEW -p tcp --dport 6112:6119 -j ACCEPT        #REALM GAMES
$IPT -A OUT_MU -m state --state NEW -p tcp --dport 6666:6669 -j ACCEPT        #IRC
$IPT -A OUT_MU -m state --state NEW -p tcp --dport 7000      -j ACCEPT        #IRC
$IPT -A OUT_MU -m state --state NEW -p tcp --dport 8008      -j ACCEPT        #WEBDAV-TO-WEBBY
$IPT -A OUT_MU -m state --state NEW -p tcp --dport 51443     -j ACCEPT        #NETSTORAGE

#---UDP---#
$IPT -A OUT_MU -m state --state NEW -p udp --dport 20:21     -j ACCEPT        #FTP
$IPT -A OUT_MU -m state --state NEW -p udp --dport 53        -j ACCEPT        #DNS
$IPT -A OUT_MU -m state --state NEW -p udp --dport 4000      -j ACCEPT        #REALM GAMES
$IPT -A OUT_MU -m state --state NEW -p udp --dport 6112:6119 -j ACCEPT        #REALM GAMES

#---ICMP---#
$IPT -A OUT_MU -p icmp                                       -j OUT_ICMP
$IPT -A OUT_MU                                               -j DROP

echo *********-OUT_MU added

Any help would be appriciated.

AutOPSY · 04-22-2004, 04:05 AM

Connection closed by remote host.

It may be their side.

ugge · 04-22-2004, 07:06 AM

Have you opened up port 20 (ftp-data) for incomming connection? In the INPUT chain.
Unless this port is open you can connect and send commands but not recieve data.
An exception is if you use passive ftp connection, in which case both connections (command and data) are open from within the firewall.