LinuxQuestions.org
Old 11-12-2008, 03:37 AM   #1
mr51m0n
LQ Newbie
iptables & FTP


Hello

I want to have a firewall on my server, that's why I made an iptables script. It seems that everything runs fine, except FTP. When I want to connect to my server via FTP after applying the iptables rules, this happens:

Status: Resolving address of www.domain.ch
Status: Connecting to 123.123.123.123:21...
Status: Connection established, waiting for welcome message...
Response: 220 FTP Server Ready
Command: USER simon@domain.ch
Response: 331 Password required for simon@domain.ch.
Command: PASS ******
Response: 230 User simon@domain.ch logged in.
Status: Connected
Status: Retrieving directory listing...
Command: PWD
Response: 257 "/" is current directory.
Command: TYPE I
Response: 200 Type set to I
Command: PASV
Response: 227 Entering Passive Mode (123,123,123,123,153,158).
Command: LIST
Error: Connection timed out
Error: Failed to retrieve directory listing

My iptables rules look like this:

[...]

# FTP out (active & passive)
iptables -A OUTPUT -p tcp --dport 21 -m state --state NEW,ESTABLISHED -j ACCEPT
iptables -A INPUT -p tcp --sport 21 -m state --state ESTABLISHED -j ACCEPT
iptables -A INPUT -p tcp --sport 20 -m state --state ESTABLISHED,RELATED -j ACCEPT
iptables -A OUTPUT -p tcp --dport 20 -m state --state ESTABLISHED -j ACCEPT
iptables -A INPUT -p tcp --sport 1024: --dport 1024: -m state --state ESTABLISHED -j ACCEPT
iptables -A OUTPUT -p tcp --sport 1024: --dport 1024: -m state --state ESTABLISHED,RELATED -j ACCEPT

# FTP in (active & passive)
iptables -A INPUT -p tcp --dport 21 -m state --state NEW,ESTABLISHED -j ACCEPT
iptables -A OUTPUT -p tcp --sport 21 -m state --state ESTABLISHED -j ACCEPT
iptables -A OUTPUT -p tcp --sport 20 -m state --state ESTABLISHED,RELATED -j ACCEPT
iptables -A INPUT -p tcp --dport 20 -m state --state ESTABLISHED -j ACCEPT
iptables -A INPUT -p tcp --sport 1024: --dport 1024: -m state --state ESTABLISHED,RELATED -j ACCEPT
iptables -A OUTPUT -p tcp --sport 1024: --dport 1024: -m state --state ESTABLISHED -j ACCEPT

[...]


What else is needed?

Thanks, Simon
 
Old 11-12-2008, 11:21 AM   #2
win32sux
LQ Guru
You have the FTP connection tracking module loaded? Check with:
Code:
lsmod | grep ftp
Load it with:
Code:
modprobe ip_conntrack_ftp

 
Old 11-13-2008, 10:00 AM   #3
mr51m0n
LQ Newbie
Found the problem

Hello, the problem was: the client was not able to change the port, because NEW was missing in two rules:

# FTP out (active & passive)
iptables -A OUTPUT -p tcp --dport 21 -m state --state NEW,ESTABLISHED -j ACCEPT
iptables -A INPUT -p tcp --sport 21 -m state --state ESTABLISHED -j ACCEPT
iptables -A INPUT -p tcp --sport 20 -m state --state ESTABLISHED,RELATED -j ACCEPT
iptables -A OUTPUT -p tcp --dport 20 -m state --state ESTABLISHED -j ACCEPT
iptables -A INPUT -p tcp --sport 1024: --dport 1024: -m state --state ESTABLISHED -j ACCEPT
iptables -A OUTPUT -p tcp --sport 1024: --dport 1024: -m state --state NEW,ESTABLISHED,RELATED -j ACCEPT

# FTP in (active & passive)
iptables -A INPUT -p tcp --dport 21 -m state --state NEW,ESTABLISHED -j ACCEPT
iptables -A OUTPUT -p tcp --sport 21 -m state --state ESTABLISHED -j ACCEPT
iptables -A OUTPUT -p tcp --sport 20 -m state --state ESTABLISHED,RELATED -j ACCEPT
iptables -A INPUT -p tcp --dport 20 -m state --state ESTABLISHED -j ACCEPT
iptables -A INPUT -p tcp --sport 1024: --dport 1024: -m state --state NEW,ESTABLISHED,RELATED -j ACCEPT
iptables -A OUTPUT -p tcp --sport 1024: --dport 1024: -m state --state ESTABLISHED -j ACCEPT


Everything is fine now, thank you.
 
Old 11-13-2008, 01:51 PM   #4
win32sux
LQ Guru
Quote: Originally Posted by mr51m0n
Hello, the problem was: the client was not able to change the port, because NEW was missing in two rules:
[...]
Even though these rules work, they are at best totally unnecessary, and at worst completely insane. Why are you going through all this trouble? For FTP (regardless of whether it is passive or active) you don't need to make rules for packets in state NEW to ports other than 21. Everything else will be picked up by the FTP connection tracking. With the rules you currently have you might as well just disable the firewall completely, as you are allowing all packets to enter and exit, with the only requirement being that they have a high destination port. This kind of stuff should be unheard of today (it was the norm WAY back in the ipchains days). You really should get rid of all those dangerous rules.

This example provides the bare essentials needed to serve FTP (both active and passive):
Code:
iptables -A OUTPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
iptables -A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
iptables -A INPUT -p TCP --dport 21 -m state --state NEW -j ACCEPT
Notice how there is no need to match state NEW in the OUTPUT chain.

 
Old 11-14-2008, 02:55 AM   #5
mr51m0n
LQ Newbie
Heh, looks way better, but it doesn't work for me, same problem as before.

My server says this:

Nov 14 09:36:00 server kernel: IN=eth0 OUT= MAC=00:19:db:f9:74:59:00:02:85:18:ac:a0:08:00 SRC=131.152.195.21 DST=123.123.123.123 LEN=60 TOS=0x00 PREC=0x00 TTL=53 ID=60470 DF PROTO=TCP SPT=46228 DPT=44227 WINDOW=5840 RES=0x00 SYN URGP=0

But I have the RELATED,ESTABLISHED rule!?!
 
Old 11-14-2008, 10:52 AM   #6
win32sux
LQ Guru
Quote: Originally Posted by mr51m0n
Heh, looks way better, but it doesn't work for me, same problem as before.
[...]
See post #2.
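Pulling the thread together as an added example (not code from the thread or from win32sux): the minimal stateful ruleset from post #4 with the helper load from post #2 done first, a parser for the 227 reply in post #1 that computes the passive data port the helper has to learn from the control channel, and a classifier for the kernel LOG line in post #5, whose SYN to a high port is exactly what gets dropped when the helper is missing. It assumes the helper module is called nf_conntrack_ftp on current kernels (the thread's ip_conntrack_ftp is the 2.6-era name) and that a raw-table CT rule is needed on kernels 4.7 and later, where helpers are no longer assigned automatically.

```shell
#!/bin/sh
# Added example, not code from the thread. Run on the FTP *server*.
# Assumption: the helper module is nf_conntrack_ftp on current kernels
# (the thread's ip_conntrack_ftp is the 2.6-era name).

# Parse "227 Entering Passive Mode (h1,h2,h3,h4,p1,p2)" into the data
# port p1*256+p2. This is the port the helper reads off the control
# channel so that the client's SYN to it is matched as RELATED.
pasv_data_port() {
    nums=$(printf '%s\n' "$1" | sed -n 's/.*(\([0-9,]*\)).*/\1/p')
    p1=$(printf '%s\n' "$nums" | cut -d, -f5)
    p2=$(printf '%s\n' "$nums" | cut -d, -f6)
    [ -n "$p1" ] && [ -n "$p2" ] || return 1
    echo $((p1 * 256 + p2))
}

# Print the minimal stateful ruleset instead of applying it, so it can be
# reviewed first; apply as root with: ftp_ruleset | sh
ftp_ruleset() {
    cat <<'EOF'
modprobe nf_conntrack_ftp
# Kernels 4.7+ no longer auto-assign helpers: bind it explicitly (raw table)
iptables -t raw -A PREROUTING -p tcp --dport 21 -j CT --helper ftp
iptables -P INPUT DROP
iptables -P FORWARD DROP
iptables -P OUTPUT ACCEPT
iptables -A INPUT -i lo -j ACCEPT
iptables -A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
iptables -A INPUT -p tcp --dport 21 -m state --state NEW -j ACCEPT
iptables -A INPUT -j LOG --log-prefix "ipt-drop: "
EOF
}

# Classify a kernel LOG line such as the one in post #5: a dropped SYN to
# an unprivileged port right after a 227 reply is the signature of a
# control channel the helper never saw (module not loaded or not bound).
classify_drop() {
    case "$1" in
        *"PROTO=TCP"*" SYN "*)
            dpt=$(printf '%s\n' "$1" | sed -n 's/.*DPT=\([0-9]*\).*/\1/p')
            [ -n "$dpt" ] || { echo other; return 0; }
            if [ "$dpt" -ge 1024 ]; then echo "data-conn-syn:$dpt"
            else echo "new-syn:$dpt"; fi ;;
        *) echo other ;;
    esac
}
```

With the LOG rule in place, running classify_drop over the "ipt-drop:" lines in the kernel log shows at a glance whether drops are unsolicited SYNs or passive data connections the helper failed to relate.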