LinuxQuestions.org > Forums > Linux Forums > Linux - Security
Old 05-29-2002, 09:40 PM   #1
TruckStuff
Member
 
Registered: Apr 2002
Posts: 498

Rep: Reputation: 30
IPTABLES rules for active FTP


After much research and debugging, I finally have my firewall almost up and running. The one thing I am lacking at this point is proper functionality of the FTP service. When I ftp to the server, the connection (eventually) logs in, but it never receives a proper file list from the server. I am using active FTP because that is what I need to get "around" my router-in-a-box. I have found the following rules from LinuxGuruz that are supposed to allow active ftp:

iptables -A INPUT -i eth0 -p tcp --dport ftp -m state --state NEW,ESTABLISHED -j ACCEPT
iptables -A OUTPUT -o eth0 -p tcp --sport ftp -m state --state ESTABLISHED -j ACCEPT
iptables -A INPUT -i eth0 -p tcp --sport ftp-data -m state --state ESTABLISHED,RELATED -j ACCEPT
#iptables -A OUTPUT -o eth0 -p tcp --dport ftp-data -m state --state ESTABLISHED,RELATED -j ACCEPT

From what I have read, the first rule allows for new connection and data traffic on port 21. The second allows for traffic outbound from port 21. The third and fourth allow for connection related traffic on port 20. Policies for INPUT and OUTPUT chains are DROP. When the policy is changed to ACCEPT, the connections work fine but obviously, that does me little good. Tips/Thoughts are appreciated.
 
Old 05-30-2002, 12:34 AM   #2
Noerr
Member
 
Registered: May 2002
Location: Dalec, HU
Distribution: Redhat 7.3
Posts: 696

Rep: Reputation: 30
you have to do
iptables -A INPUT -p tcp --dport ftp -j ACCEPT
iptables -A INPUT -p tcp --dport ftp-data -j ACCEPT
iptables -A INPUT -p ALL -i eth0 -m state --state ESTABLISHED,RELATED -j ACCEPT
iptables -A OUTPUT -o eth0 -p tcp --sport ftp -j ACCEPT
iptables -A OUTPUT -o eth0 -p tcp --sport ftp-data -j ACCEPT

i think
 
Old 09-10-2004, 02:35 AM   #3
heby
LQ Newbie
 
Registered: Sep 2004
Location: Ottawa, ON, Canada
Distribution: debian
Posts: 12

Rep: Reputation: 1
NEVER use these rules

just look at them:

iptables -A OUTPUT -o eth0 -p tcp --sport ftp -j ACCEPT
iptables -A OUTPUT -o eth0 -p tcp --sport ftp-data -j ACCEPT

all connections from source port 20 or 21 are accepted, no matter where they go. obviously, an attacker that has full control over the computer which he uses to attack you could choose to start his attack from one of these ports - your system is totally open to these attacks.

modprobe ip_conntrack_ftp
iptables -A INPUT -m helper --helper ftp -j ACCEPT

is the correct way to deal with active ftp.

heby
 
Old 09-28-2004, 07:31 PM   #4
win32sux
Guru
 
Registered: Jul 2003
Location: Los Angeles
Distribution: Ubuntu
Posts: 9,870

Rep: Reputation: 371
Code:
/sbin/modprobe ip_conntrack_ftp

iptables -A INPUT -p TCP -i eth0 --dport 21 -m state --state NEW -j ACCEPT

iptables -A INPUT -p ALL -i eth0 -m state --state ESTABLISHED,RELATED -j ACCEPT

iptables -A OUTPUT -p ALL -o eth0 -m state --state ESTABLISHED,RELATED -j ACCEPT
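To make concrete what heby and win32sux are relying on, here is an added Python simulation (written for this page, not code from any poster) of what ip_conntrack_ftp does: it reads the PORT command on the control channel and registers an expectation, so the server's outbound connection from port 20 is classified RELATED instead of NEW. It also contrasts that with a source-port-only rule, which accepts any packet from port 20 or 21 regardless of state. All addresses, ports and the toy policy functions are constructed for the example.

```python
import re
from dataclasses import dataclass, field

# Constructed addresses for the simulation (not from the thread).
SERVER, CLIENT = "198.51.100.10", "203.0.113.5"
PORT_RE = re.compile(r"^PORT (\d+),(\d+),(\d+),(\d+),(\d+),(\d+)\s*$")

def parse_port(line):
    """Decode an FTP PORT command into (ip, port), or None if malformed."""
    m = PORT_RE.match(line)
    if not m:
        return None
    octets = [int(x) for x in m.groups()]
    if max(octets) > 255:
        return None
    return ".".join(map(str, octets[:4])), octets[4] * 256 + octets[5]

@dataclass
class Conntrack:
    """Toy model of the state table plus the ftp helper's expectations."""
    flows: set = field(default_factory=set)   # (src, sport, dst, dport)
    expect: set = field(default_factory=set)

    def state(self, pkt):
        src, sport, dst, dport = pkt
        if pkt in self.flows or (dst, dport, src, sport) in self.flows:
            return "ESTABLISHED"
        return "RELATED" if pkt in self.expect else "NEW"

    def track(self, pkt, payload=""):
        """Record an accepted packet; the helper inspects control-channel data."""
        self.expect.discard(pkt)
        self.flows.add(pkt)
        target = parse_port(payload)
        if pkt[3] == 21 and target:
            # helper: server will connect from port 20 to the announced socket
            self.expect.add((pkt[2], 20) + target)

def state_policy(ct, pkt, payload=""):
    """Post #4 style rules: NEW only to tcp/21, otherwise ESTABLISHED/RELATED."""
    if ct.state(pkt) != "NEW" or (pkt[2] == SERVER and pkt[3] == 21):
        ct.track(pkt, payload)
        return "ACCEPT"
    return "DROP"

def sport_policy(pkt):
    """Post #2 style rule: source port 20 or 21 is enough, state is ignored."""
    return "ACCEPT" if pkt[1] in (20, 21) else "DROP"

def active_ftp_session(ct):
    """Control-channel connect, PORT command, then the server's data connection."""
    ctl, data = (CLIENT, 40001, SERVER, 21), (SERVER, 20, CLIENT, 40002)
    r1 = state_policy(ct, ctl)                              # SYN to port 21
    r2 = state_policy(ct, ctl, "PORT 203,0,113,5,156,66")   # 156*256+66 = 40002
    return r1, r2, ct.state(data), state_policy(ct, data)
```

Run `active_ftp_session(Conntrack())` to see the data connection accepted as RELATED; the same packet against an empty state table is NEW and dropped, while `sport_policy` accepts it from anywhere.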
 
Old 09-29-2004, 09:06 PM   #5
TruckStuff
Member
 
Registered: Apr 2002
Posts: 498

Original Poster
Rep: Reputation: 30
Re: NEVER use these rules

Quote:
Originally posted by heby
just look at them:

iptables -A OUTPUT -o eth0 -p tcp --sport ftp -j ACCEPT
iptables -A OUTPUT -o eth0 -p tcp --sport ftp-data -j ACCEPT

all connections from source port 20 or 21 are accepted, no matter where they go. obviously, an attacker that has full control over the computer which he uses to attack you could choose to start his attack from one of these ports - your system is totally open to these attacks.

modprobe ip_conntrack_ftp
iptables -A INPUT -m helper --helper ftp -j ACCEPT

is the correct way to deal with active ftp.

heby
Sheesh... he registers to respond to a post that is over two years old???
 
Old 01-25-2006, 10:08 AM   #6
jlinkels
Senior Member
 
Registered: Oct 2003
Location: Bonaire
Distribution: Debian Lenny/Squeeze/Wheezy/Sid
Posts: 4,171

Rep: Reputation: 506
That's the real Linux spirit!

jlinkels
 
Old 04-22-2009, 01:34 PM   #7
mbshafer
LQ Newbie
 
Registered: Apr 2009
Posts: 1

Rep: Reputation: 0
Quote:
Originally posted by TruckStuff
Sheesh... he registers to respond to a post that is over two years old???

Why not!

And somebody five years later finds an answer they're searching for!

Cheers!
 
Old 04-22-2009, 06:21 PM   #8
win32sux
Guru
 
Registered: Jul 2003
Location: Los Angeles
Distribution: Ubuntu
Posts: 9,870

Rep: Reputation: 371
mbshafer, thread resurrection isn't something we like to see happen here at LQ.

Please don't make a habit out of it. Closed.
 