IPTABLES rules for active FTP

TruckStuff · 05-29-2002, 09:40 PM

After much research and debugging, I finally have my firewall almost up and running. The one thing I am lacking at this point is proper functionality of the FTP service. When I ftp to the server, the connection (eventually) logs in, but it never recieves a proper file list from the server. I am using active FTP because that is what I need to get "around" my router-in-a-box. I have found the following rules from LinuxGuruz that are supposed to allow active ftp:

iptables -A INPUT -i eth0 -p tcp --dport ftp -m state --state NEW,ESTABLISHED -j ACCEPT
iptables -A OUTPUT -o eth0 -p tcp --sport ftp -m state --state ESTABLISHED -j ACCEPT
iptables -A INPUT -i eth0 -p tcp --sport ftp-data -m state --state ESTABLISHED,RELATED -j ACCEPT
#iptables -A OUTPUT -o eth0 -p tcp --dport ftp-data -m state --state ESTABLISHED,RELATED -j ACCEPT

From what I have read, the first rule allows for new connection and data traffic on port 21. The second allows for traffic outbound from port 21. The third and fourth allow for connection related traffic on port 20. Policies for INPUt and OUTPUT chains are DROP. When the policy is changed to ACCEPT, the connections work fine but obviously, that does me little good.

Tips/Thoughts are appreciated.

Noerr · 05-30-2002, 12:34 AM

you have to do
iptables -A INPUT -p tcp --dport ftp -j ACCEPT
iptables -A INPUT -p tcp --dport ftp-data -j ACCEPT
iptables -A INPUT -p ALL -i eth0 -m state --state \ ESTABLISHED,RELATED -j ACCEPT
iptables -A OUTPUT -o eth0 -p tcp --sport ftp -j ACCEPT
iptables -A OUTPUT -o eth0 -p tcp --sport ftp-data -j ACCEPT

i think

heby · 09-10-2004, 02:35 AM

just look at them:

iptables -A OUTPUT -o eth0 -p tcp --sport ftp -j ACCEPT
iptables -A OUTPUT -o eth0 -p tcp --sport ftp-data -j ACCEPT

all connections from source port 20 or 21 are accepted, no matter where they go. obviously, an attacker that has full control over the computer which he uses to attack you could choose to start his attack from one of these ports - your system is totally open to these attacks.

modprobe ip_conntrack_ftp
iptables -A INPUT -m helper --helper ftp -j ACCEPT

is the correct way to deal with active ftp.

heby

win32sux · 09-28-2004, 07:31 PM

Code:

/sbin/modprobe ip_conntrack_ftp

iptables -A INPUT -p TCP -i eth0 --dport 21 -m state --state NEW -j ACCEPT

iptables -A INPUT -p ALL -i eth0 -m state --state ESTABLISHED,RELATED -j ACCEPT

iptables -A OUTPUT -p ALL -o eth0 -m state --state ESTABLISHED,RELATED -j ACCEPT

TruckStuff · 09-29-2004, 09:06 PM

Quote:

Originally posted by heby
just look at them:

iptables -A OUTPUT -o eth0 -p tcp --sport ftp -j ACCEPT
iptables -A OUTPUT -o eth0 -p tcp --sport ftp-data -j ACCEPT

all connections from source port 20 or 21 are accepted, no matter where they go. obviously, an attacker that has full control over the computer which he uses to attack you could choose to start his attack from one of these ports - your system is totally open to these attacks.

modprobe ip_conntrack_ftp
iptables -A INPUT -m helper --helper ftp -j ACCEPT

is the correct way to deal with active ftp.

heby

Sheesh... he registers to respond to a post that is over two years old???

jlinkels · 01-25-2006, 10:08 AM

That's the real Linux spirit!

jlinkels

mbshafer · 04-22-2009, 01:34 PM

[QUOTE=TruckStuff;1205747]Sheesh... he registers to respond to a post that is over two years old???

Why not!

And somebody five years later finds an answer they're searching for!

Cheers!

win32sux · 04-22-2009, 06:21 PM

mbshafer, thread resurrection isn't something we like to see happen here at LQ.

Please don't make a habit out of it. Closed.