Linux - Networking: This forum is for any issue related to networks or networking. Routing, network cards, OSI, etc. Anything is fair game.
07-19-2004, 09:46 AM | #1 | Member | Registered: Jul 2004 | Distribution: RHEL 6.2 | Posts: 35
ip_conntrack_ftp and ip_nat_ftp
Hello everyone,
I'm using Fedora Core 1, and I'm trying to use ip_conntrack_ftp and ip_nat_ftp without success.
Here's an excerpt of the firewall script I'm using:
========== BEGIN
INT=eth0
DMZ=eth1
FTPSERVER=192.168.0.4
/sbin/modprobe ip_conntrack
/sbin/modprobe ip_conntrack_ftp
/sbin/modprobe ip_nat_ftp
iptables -A FORWARD -p tcp -i $DMZ -o $INT --sport 20 -m state --state ESTABLISHED,RELATED -j ACCEPT
iptables -A FORWARD -p tcp -i $INT -o $DMZ --dport 20 -m state --state ESTABLISHED,RELATED -j ACCEPT
iptables -A FORWARD -p tcp -i $INT -o $DMZ -s 0/0 -d $FTPSERVER --syn --dport 21 -j ACCEPT
iptables -t nat -A PREROUTING -p tcp -i $INT -d $VALID_IP --dport 21 -j DNAT --to-destination $FTPSERVER
========== END
When someone tries to connect to the FTP server using active mode, I get:
kernel: FORWARD blocked: IN=eth1 OUT=eth0 SRC=192.168.0.4 DST=(valid ip) (...) PROTO=TCP SPT=20 DPT=50918 WINDOW=65535 RES=0x00 SYN URGP=0
What am I doing wrong?
Thanks,
Carlos Pastorino
07-19-2004, 02:41 PM | #2 | Member | Registered: Sep 2002 | Location: lahore pakistan | Distribution: slackware,redhat, FreeBSD,openbsd | Posts: 219
Modify the first rule and add NEW:
iptables -A FORWARD -p tcp -i $DMZ -o $INT --sport 20 -m state --state NEW,ESTABLISHED,RELATED -j ACCEPT
then tell me if it works or not.
07-19-2004, 05:55 PM | #3 | Member | Registered: Jul 2004 | Distribution: RHEL 6.2 | Posts: 35 | Original Poster
Yes, it does work. But the point is: it should work without the NEW state, as reported in this document:
http://www.sns.ias.edu/~jns/security...conntrack.html
Here's an excerpt:
"Enter the ip_conntrack_ftp module. This module is able to recognize the PORT command and pick-out the port number. As such, the ftp-data connection can be classified as RELATED to the original outgoing connection to port 21 so we don't need NEW as a state match for the connection in the INPUT chain. The following rules will serve our purposes grandly:
iptables -A INPUT -p tcp --sport 20 -m state --state ESTABLISHED,RELATED -j ACCEPT
iptables -A OUTPUT -p tcp --dport 20 -m state --state ESTABLISHED -j ACCEPT "
Thanks,
Carlos Pastorino
07-19-2004, 06:03 PM | #4 | Member | Registered: Sep 2002 | Location: lahore pakistan | Distribution: slackware,redhat, FreeBSD,openbsd | Posts: 219
As far as my little knowledge says, the server first sends the SYN packet (src port 20) to establish the connection, so state NEW is needed.
Maybe I am wrong.
Check through tcpdump and tell.
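To make the disagreement in #3 and #4 concrete, here is an added Python model (not code from this thread or from the kernel) of what the ip_conntrack_ftp helper does: it reads the PORT command off a tracked control connection and registers an expectation, so the server's later SYN from port 20 to the announced port is classified RELATED; if no PORT command was seen (helper not loaded, or the control connection itself never tracked), the very same SYN is NEW and ends up logged like the "FORWARD blocked ... SPT=20 DPT=50918" line in #1. The client address 203.0.113.5, the constructed PORT line and the strict address check (modelled on the helper's non-loose behaviour) are assumptions.

```python
import re
from dataclasses import dataclass, field

# Constructed model of the ip_conntrack_ftp helper for active-mode FTP:
# a PORT command on the control connection registers an expectation, so the
# server's later SYN from port 20 is classified RELATED rather than NEW.
PORT_RE = re.compile(r"^PORT (\d+),(\d+),(\d+),(\d+),(\d+),(\d+)\s*$")

@dataclass
class ConntrackFtp:
    ftp_port: int = 21
    loose: bool = False  # strict (assumed default): PORT address must be the client's
    control: set = field(default_factory=set)       # tracked (client, server)
    expectations: set = field(default_factory=set)  # (server, client, port)

    def control_syn(self, client, server, dport):
        """Client opens the control connection; that one really is NEW."""
        if dport == self.ftp_port:
            self.control.add((client, server))
        return "NEW"

    def control_payload(self, client, server, line):
        """Inspect one command line the client sends on a tracked control conn."""
        m = PORT_RE.match(line)
        if not m or (client, server) not in self.control:
            return False
        h1, h2, h3, h4, p1, p2 = map(int, m.groups())
        addr, port = f"{h1}.{h2}.{h3}.{h4}", (p1 << 8) | p2
        if not self.loose and addr != client:
            return False  # refuse to expect data to a third party (FTP bounce)
        self.expectations.add((server, addr, port))
        return True

    def data_syn(self, server, sport, client, dport):
        """Server's SYN from port 20 back to the port the client announced."""
        key = (server, client, dport)
        if sport == 20 and key in self.expectations:
            self.expectations.discard(key)  # an expectation is consumed once
            return "RELATED"
        return "NEW"

def demo():
    """Constructed exchange: 203.0.113.5 is the client, 192.168.0.4 the server."""
    ct = ConntrackFtp()
    ct.control_syn("203.0.113.5", "192.168.0.4", 21)
    ct.control_payload("203.0.113.5", "192.168.0.4", "PORT 203,0,113,5,198,230")
    with_helper = ct.data_syn("192.168.0.4", 20, "203.0.113.5", 50918)
    # Same SYN when no PORT command was ever seen: plain NEW, hence the log line
    without_helper = ConntrackFtp().data_syn("192.168.0.4", 20, "203.0.113.5", 50918)
    return with_helper, without_helper
```

198*256 + 230 is 50918, the DPT in the blocked packet from #1, so the second result is the case where the helper never saw the PORT command.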
08-15-2004, 11:25 PM | #5 | LQ Newbie | Registered: May 2004 | Posts: 4
I do agree with Pastorino; I tried such a configuration before. Here is the script:
Code:
#!/bin/bash
# IPTABLES Configuration Script
# iptables.conf.sh
#
# Create: March 27th 2004 - by ****
# Modify:
# not yet
#Interfaces
IF0='192.168.0.67'
IF1='192.168.10.67'
#LAN's
LAN0='192.168.0.0/24'
LAN1='192.168.10.0/24'
#Others
INFRA='192.168.0.12'
CONTROLLER='192.168.0.30'
ISA_SERVER='192.168.0.12'
###############################################
#Flush all the tables
service iptables stop
#iptables -F OUTPUT
#iptables -F FORWARD
#iptables -F INPUT
#default policies: drop anything no rule below accepts
iptables -P INPUT DROP
iptables -P OUTPUT DROP
#suite 1 //not enough
#iptables -t filter -A FORWARD -i eth0 -o eth1 -p tcp -m state --state RELATED,ESTABLISHED -j ACCEPT
#iptables -t filter -A FORWARD -i eth1 -o eth0 -p tcp --dport 21 -j ACCEPT
#suite 2 //works for passive and active data connection
#iptables -t filter -A INPUT -i eth0 -p tcp -m state --state RELATED,ESTABLISHED -j ACCEPT
#iptables -t filter -A OUTPUT -o eth0 -p tcp -m state --state RELATED,ESTABLISHED -j ACCEPT
#iptables -t filter -A INPUT -i eth0 -p tcp --dport 21 -j ACCEPT
#suite 3 //incorrect
#iptables -t filter -A INPUT -i eth0 -p tcp -m state --state NEW,RELATED,ESTABLISHED --dport 21 -j ACCEPT
#suite 4 //just works for active data connections
#iptables -t filter -A INPUT -i eth0 -p tcp -m state --state RELATED,ESTABLISHED -j ACCEPT
#iptables -t filter -A OUTPUT -o eth0 -p tcp -m state --state ESTABLISHED -j ACCEPT
#iptables -t filter -A INPUT -i eth0 -p tcp --dport 21 -j ACCEPT
#suite 5 //just works for passive data connections
iptables -t filter -A INPUT -i eth0 -p tcp -m state --state ESTABLISHED -j ACCEPT
iptables -t filter -A OUTPUT -o eth0 -p tcp -m state --state RELATED,ESTABLISHED -j ACCEPT
iptables -t filter -A INPUT -i eth0 -p tcp --dport 21 -j ACCEPT
###############################################################
#finally save everything
#iptables-save
I tested this script with kernel 2.4 (Red Hat Shrike).
But about loading modules, I think some considerations should be applied that I do not know much about.
Last edited by radien; 08-15-2004 at 11:41 PM.
08-24-2004, 10:57 AM | #6 | LQ Newbie | Registered: Aug 2004 | Posts: 1
Just a wild stab in the dark for you.
It looks like you are using modprobe before your first iptables command. Could it be that by this stage you do not have the required "parents" for these modules? My lsmod looks like:
ip_nat_ftp 3056 0 (unused)
ip_conntrack_ftp 3456 0 (unused)
ipt_LOG 3320 1 (autoclean)
ipt_REJECT 2712 1 (autoclean)
ipt_state 568 2 (autoclean)
iptable_filter 1644 1 (autoclean)
ipt_MASQUERADE 1240 1 (autoclean)
iptable_nat 13688 2 (autoclean) [ip_nat_ftp ipt_MASQUERADE]
ip_conntrack 14140 3 (autoclean) [ip_nat_ftp ip_conntrack_ftp ipt_state ipt_MASQUERADE iptable_nat]
ip_tables 11576 8 [ipt_LOG ipt_REJECT ipt_state iptable_filter ipt_MASQUERADE iptable_nat]
If you are using the kernel module autoloader, then running iptables will add most of these automatically.
Then again, modprobe I think is supposed to load all of its children, but I use insmod after I have loaded my rules and mine works... and yes, I use the rule
-A FORWARD -m state --state RELATED,ESTABLISHED -j ACCEPT
It may well allow some insecurities, but it really cuts down the latency of traversing the ruleset, and any clients on the inside can access remote FTP servers with active FTP.
Oh, by the way... you are looking in the right direction, aren't you (I think by your rules and the error message that came back you are)? FTP connection tracking usually needs to be done on the CLIENT's firewall, not the firewall protecting the server (OK, in your case the same thing, I think), as the firewall protecting the server will usually be configured to allow traffic back out with little or no restrictions.