ftp server + iptables
Hi there,
I know this subject is classic and there is a lot of information about it. I would appreciate it if someone could take a look at the following piece of firewall and tell me if it is the best (most secure) solution. I have a feeling that the firewall is too permissive... I want clients to connect to an FTP server both passive and active. Is the following EXACTLY what I need (on the server)? It works without doubt, but is there a more secure solution? Quote:
The policy is DROP. Thanks for your help. |
It would be best to post the whole script so we can see everything that's being loaded
|
You'll need to slightly loosen your passive mode INPUT connection rule, I suspect. The ftp client will initiate a new connection on the passive port. You're allowing only related and established connections.
You should consider restricting the range of ports your ftp server accepts passive mode connections on. Right now, you're using all ephemeral ports. You can restrict it to, say, ports 2000-2099 (thus allowing 100 simultaneous connections) by modifying the relevant options in your ftpd config file, then unblocking ports 2000:2099 in iptables. |
Quote:
Doesn't the server take the port the clients connect to from the PORT command, and consider the new connection as related? |
Anyway, something gets stuck somewhere...
I would need some help on this. Thanks a lot |
When the client issues its passive mode request to server port 21, the server will answer with a port number that the client should use for the passive mode connection. (This is the ftp-data port.) The client will then initiate a new connection to the server using the new ftp-data port as a destination. (The client will, of course, have a source port in the ephemeral range.) I'm pretty sure the server does not consider the client's passive mode connection to be a related connection.
|
Why don't you use the iptables module ftp_conntrack?
This is the only solution for securing (insecure) ftp. It dynamically opens 1 port for 1 address (while you statically open all ports for all addresses). For general ftp understanding look precisely at this: http://slacksite.com/other/ftp.html |
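As an added example (not the poster's script and not taken from the slacksite guide), the rule set the two suggestions above add up to: the conntrack FTP helper (nf_conntrack_ftp on current kernels, ip_conntrack_ftp on old 2.4/2.6 ones) bound to the control channel, the passive data channel limited to a fixed range such as 2000-2099 instead of every ephemeral port, and a log rule so that whatever the DROP policy eats is visible. It assumes an INPUT policy of DROP, no NAT in front of the server, and that the ftpd is configured to the same passive range; the function prints the rules so they can be reviewed before being piped to sh as root.

```shell
#!/bin/sh
# Added example: FTP firewall rules with the conntrack helper and a fixed passive
# range. Assumes INPUT policy DROP, no NAT in front of the server, and that the ftpd
# is configured to use the same passive range (pure-ftpd: PassivePortRange in
# pure-ftpd.conf, or -p first:last on the command line).

# ftp_rules [first_passive_port] [last_passive_port]: print the rules, one per line.
ftp_rules() {
    first=${1:-2000}
    last=${2:-2099}
    cat <<EOF
modprobe nf_conntrack_ftp
# Current kernels do not attach helpers automatically: bind the ftp helper to
# every control-channel connection so PORT/PASV are parsed and the data
# connections they announce become RELATED.
iptables -t raw -A PREROUTING -p tcp --dport 21 -j CT --helper ftp
iptables -P INPUT DROP
iptables -A INPUT -i lo -j ACCEPT
iptables -A INPUT -m conntrack --ctstate INVALID -j DROP
# Covers active-mode replies and helper-tracked passive data connections.
iptables -A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
# Control channel.
iptables -A INPUT -p tcp --dport 21 --syn -m conntrack --ctstate NEW -j ACCEPT
# Passive data channel, limited to the ftpd's own range instead of all ephemeral
# ports. This rule is also what keeps passive transfers working when the control
# channel is encrypted (FTPS): the helper cannot read the PASV reply then and
# cannot mark the data connection RELATED.
iptables -A INPUT -p tcp --dport ${first}:${last} --syn -m conntrack --ctstate NEW -j ACCEPT
# Rate-limited log of everything that falls through to the DROP policy, so a
# client that cannot connect shows up in the kernel log with the port it tried.
iptables -A INPUT -m limit --limit 5/min -j LOG --log-prefix "ftp-fw-drop: "
EOF
}

# Apply the rules (needs root). Review the output of ftp_rules first.
apply_ftp_rules() {
    ftp_rules "$@" | sh
}
```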
Sorry, a little off-topic, but for a secure solution why don't you switch to Chrooted SSH's SecureFTP + Denyhosts!
http://chrootssh.sourceforge.net/index.php + http://denyhosts.sourceforge.net/ You will have no trouble at all with SFTP and iptables since you have to deal with only one port, default "22" :) The client commands in Linux for SSH are scp, sftp and ssh. "man" for help on these commands. FTP is a b@st@r*izing protocol :mad: If you use Windows as clients then you can well use some superb clients like WinSCP winscp.net/eng/index.php or Putty's command line Pftp: http://www.chiark.greenend.org.uk/~s.../download.html |
Hi there,
I used the following guide when I configured my iptables rules: http://xinux.de/docs/sicherheit/fire...conntrack.html As I understood, I am already using ftp_conntrack. That is what the state RELATED means. It is using the ftp_conntrack module for ftp connection tracking. In other words it takes the FTP data port (taken from the PORT command issued by the server) and considers the connections to this port as RELATED to the original control tcp/21 connection. (from the server's point of view, when the client connects to the server) Am I right? If I am not right, there is also still a problem. On the server there are approx. 200 accounts. When the firewall is started only a few of them can't connect. The others connect both passive and active. When the firewall is stopped all clients could connect. If you have any other idea, I would appreciate any help. Thanks |
Quote:
Quote:
The only thing I could suggest, independently of your rules, is to plug in ethereal and ask one of your non-working clients to connect. Ask them to connect with login/pass and issue a dir/ls (with IE or a GUI client, the ls is automatic). It's enough to debug. Tell them to disconnect, then record all their traffic. Could be a NAT/firewall issue on their side. You can post the few lines after having changed the IP address (IP addresses in TCP segments and IP addresses in PORT and PASV FTP commands!!), I'll try to help you. |
Quote:
From the server side here is the sniffed traffic: Quote:
The logs from pure-ftp in debugging mode:
Mar 23 18:09:07 host1 pure-ftpd: (?@X.X.224.58) [INFO] New connection from X.X.224.58
Mar 23 18:09:07 host1 pure-ftpd: (?@X.X.224.58) [DEBUG] 220---------- Welcome to Pure-FTPd [TLS] ----------
Mar 23 18:09:07 host1 pure-ftpd: (?@X.X.224.58) [DEBUG] 220-You are user number 2 of 50 allowed.
Mar 23 18:09:07 host1 pure-ftpd: (?@X.X.224.58) [DEBUG] 220-Local time is now 18:09. Server port: 21.
Mar 23 18:09:07 host1 pure-ftpd: (?@X.X.224.58) [DEBUG] 220-This is a private system - No anonymous login
Mar 23 18:09:07 host1 pure-ftpd: (?@X.X.224.58) [DEBUG] 220-IPv6 connections are also welcome on this server.
Mar 23 18:09:07 host1 pure-ftpd: (?@X.X.224.58) [DEBUG] 220 You will be disconnected after 15 minutes of inactivity.
Mar 23 18:09:07 host1 pure-ftpd: (?@X.X.224.58) [DEBUG] Command [user] [useruser]
Mar 23 18:09:07 host1 pure-ftpd: (?@X.X.224.58) [DEBUG] 331 User useruser OK. Password required
Mar 23 18:09:07 host1 pure-ftpd: (?@X.X.224.58) [DEBUG] Command [pass] [<*>]
Mar 23 18:09:08 host1 pure-ftpd: (?@X.X.224.58) [INFO] useruser is now logged in
Mar 23 18:09:08 host1 pure-ftpd: (useruser@X.X.224.58) [DEBUG] 230-User useruser has group access to: useruser
Mar 23 18:09:08 host1 pure-ftpd: (useruser@X.X.224.58) [DEBUG] 230 OK. Current restricted directory is /
Mar 23 18:09:08 host1 pure-ftpd: (useruser@X.X.224.58) [DEBUG] Command [pwd] []
Mar 23 18:09:08 host1 pure-ftpd: (useruser@X.X.224.58) [DEBUG] 257 "/" is your current location
Mar 23 18:09:08 host1 pure-ftpd: (useruser@X.X.224.58) [DEBUG] Command [type] [A]
Mar 23 18:09:08 host1 pure-ftpd: (useruser@X.X.224.58) [DEBUG] 200 TYPE is now ASCII
Mar 23 18:09:08 host1 pure-ftpd: (useruser@X.X.224.58) [DEBUG] Command [cwd] [/]
Mar 23 18:09:08 host1 pure-ftpd: (useruser@X.X.224.58) [DEBUG] 250 OK. Current directory is /
Mar 23 18:09:08 host1 pure-ftpd: (useruser@X.X.224.58) [DEBUG] Command [pasv] []
Mar 23 18:09:08 host1 pure-ftpd: (useruser@X.X.224.58) [DEBUG] 227 Entering Passive Mode (Y,Y,112,116,22,157)
Mar 23 18:09:08 host1 pure-ftpd: (useruser@X.X.224.58) [DEBUG] Command[list] [-al]
What is annoying me is that when the firewall is stopped all clients can connect. When it is started most of them can connect, but not all. That means that the problem is a server-side problem or a combination. Thanks a lot for your help. I really don't know what else to do... |
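The decoding the conntrack helper performs on that 227 reply, as an added example that is not part of the thread: the six numbers are h1,h2,h3,h4,p1,p2 and the data port is p1*256 + p2, so the reply in the log above advertises port 22*256 + 157 = 5789, an ephemeral port rather than a fixed passive range. The second function runs the same decoding over a pure-ftpd debug log and counts replies whose advertised host is not the server address the firewall sees (a sign of NAT rewriting the reply) or whose port lies outside the range the firewall opens; the log lines it is tested against are constructed, modelled on the ones above.

```shell
#!/bin/sh
# Added example: decode a "227 Entering Passive Mode (h1,h2,h3,h4,p1,p2)" reply the
# way the conntrack ftp helper does (data port = p1*256 + p2) and check the PASV
# replies in a pure-ftpd debug log against the server address and passive range
# the firewall expects. The log lines used for testing are constructed.

# pasv_decode "reply": print "host port", e.g. "(192,0,2,10,22,157)" -> "192.0.2.10 5789".
pasv_decode() {
    printf '%s\n' "$1" | awk '
        match($0, /\([0-9]+,[0-9]+,[0-9]+,[0-9]+,[0-9]+,[0-9]+\)/) {
            split(substr($0, RSTART + 1, RLENGTH - 2), f, ",")
            printf "%s.%s.%s.%s %d\n", f[1], f[2], f[3], f[4], f[5] * 256 + f[6]
        }'
}

# pasv_check_log logfile expected_ip first_port last_port
# Prints the number of 227 replies that advertise a different host (NAT rewriting
# the reply, or the ftpd bound to another address) or a port outside the range the
# firewall opens. Exit status 1 when that number is non-zero.
pasv_check_log() {
    awk -v want="$2" -v lo="$3" -v hi="$4" '
        /227 Entering Passive Mode/ &&
        match($0, /\([0-9]+,[0-9]+,[0-9]+,[0-9]+,[0-9]+,[0-9]+\)/) {
            split(substr($0, RSTART + 1, RLENGTH - 2), f, ",")
            host = f[1] "." f[2] "." f[3] "." f[4]
            port = f[5] * 256 + f[6]
            if (host != want || port < lo || port > hi) bad++
        }
        END { print bad + 0; exit (bad > 0) }' "$1"
}

# Constructed sample in pure-ftpd's debug format: one reply inside 2000-2099,
# one on an ephemeral port (22,157 = 5789, like the reply quoted above), and one
# advertising a private address the client cannot reach.
pasv_sample_log() {
    cat >"$1" <<'EOF'
Mar 23 18:09:08 host1 pure-ftpd: (user1@198.51.100.7) [DEBUG] 227 Entering Passive Mode (192,0,2,10,7,209)
Mar 23 18:10:21 host1 pure-ftpd: (user2@198.51.100.8) [DEBUG] 227 Entering Passive Mode (192,0,2,10,22,157)
Mar 23 18:11:02 host1 pure-ftpd: (user3@198.51.100.9) [DEBUG] 227 Entering Passive Mode (10,0,0,5,7,210)
EOF
}
```

Run it against the real log with `pasv_check_log /var/log/messages SERVER_IP 2000 2099` (path and address are placeholders); a non-zero count means the ftpd is handing out ports or addresses the firewall rules never open.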
I looked at it now; I would have preferred 2 or 3 lines with the contents of the packet. Never mind.
Meanwhile, in iptables you can log which drop/reject rule is hit, so you should be able to see which rule blocks a packet. Do you also load a NAT/masquerade ip_tables module? Which, if wrong, would translate an IP (in TCP headers or in ftp data) to a wrong IP. |
Code:
HANDSHAKE Are there passive transfers working? What client is it? Seems to be Windows, IE? Can you ask the person to use another client to be sure? It seems to me that (in italic) the client is not even waiting for the acknowledgement of the server before trying to connect. So maybe the ftp_conntrack has not yet opened the port. Still, where I've put "this should pass", the server/ftp_conntrack has now opened the port and afaik it should pass (unless you block someone aggressively port scanning a closed port). Not so clear :) |
Thanks for your analysis. It was very clear and documented.
I understand that the firewall is not opening the right port or something like this. So it's a server-side problem... What I don't understand is why some clients can connect and the others can't. The server conditions are the same... The server (iptables & pure-ftp) can't act differently based on the client that tries to connect. This is really weird... Quote:
I really don't find the explanation for this. My next step is to log the dropped packets from iptables. Thanks again |