LinuxQuestions.org > Forums > Linux Forums > Linux - Networking
Old 01-27-2007, 11:25 AM   #1
gabsik
iptables and passive ftp


I'm using proftpd and I set in proftpd.conf as passive ports 65520-65535, 15 ports. I could set iptables to just accept connections on those 15 ports, but I wouldn't open a hole of 15 ports on the firewall. My question is: can I consider those 15 ports in a state of ESTABLISHED,RELATED or are they in a state of NEW? Or what would you advise to do? Thanks!
 
Old 01-27-2007, 01:27 PM   #2
chort
Quote:
Originally Posted by gabsik
My question is: can I consider those 15 ports in a state of ESTABLISHED,RELATED or are they in a state of NEW? Or what would you advise to do? Thanks!
No, not unless there's a module for iptables that can inspect FTP traffic at layer 7 and decode PORT/PASV commands to determine which data channels are related to which command channels.

Also, you need a much bigger port range than 15 ports. Most FTP daemons will bind to a new socket for each data transmission, so a single FTP login can easily use multiple ports for passive connections if the client is doing lots of directory listings or downloads. I'd use a minimum of 100 ports for the passive range.
 
Old 01-27-2007, 06:29 PM   #3
TheRealDeal
Hi,

The modules you can use are called ip_conntrack and ip_conntrack_ftp.

If you modprobe these two, iptables will track and allow the ports that your ftp client wants to use.

>Craig
 
Old 01-27-2007, 08:32 PM   #4
chort
Quote:
Originally Posted by TheRealDeal
Hi,

The modules you can use are called ip_conntrack and ip_conntrack_ftp.

If you modprobe these two, iptables will track and allow the ports that your ftp client wants to use.

>Craig
As long as you don't encrypt the command channel.
 
Old 01-27-2007, 11:27 PM   #5
gabsik
I had increased the passive ftp port range in the proftpd configuration file with the directive PassivePorts 65500 65535, and I accept them in iptables just if they are in a state of ESTABLISHED,RELATED .... that's right, isn't it? (all modules are loaded)
 
Old 01-27-2007, 11:33 PM   #6
TheRealDeal
Should be it, this is how I start mine on my ftp server...

modprobe iptables
modprobe ip_conntrack
modprobe ip_conntrack_ftp

then my iptables rule for ftp is basically -m multiport --dport 20,21 for both tcp and udp. Then I have the ESTABLISHED,RELATED rule. Works a treat.

>Craig
 
Old 01-28-2007, 12:51 AM   #7
gabsik
Yeah, that's right, I do accept ESTABLISHED,RELATED in the first place as well .... an ftp connection is not going to start up on those unprivileged ports, so ....
 
Old 01-28-2007, 12:57 AM   #8
TheRealDeal
As long as your server is set up to listen on a certain port and your client attempts to hit that certain port, it should be fine. Obviously allowing the initial ports through the firewall.

For example, my ftp server uses the default ports 20 & 21 to do the initial connect, the ftp server then uses the random high ports as it does. My firewall ACCEPTs ports 20,21, and ESTABLISHED,RELATED is applied. The modules ip_conntrack and ip_conntrack_ftp allow the firewall to track which random high ports are being used, and 'track' it so the firewall doesn't block any traffic that it isn't meant to.

Is this what you mean?

Craig
 
Old 01-28-2007, 04:15 AM   #9
chort
Quote:
Originally Posted by TheRealDeal
For example, my ftp server uses the default ports 20 & 21 to do the initial connect, the ftp server then uses the random high ports as it does.
Sorry, but this is wrong.

Port 21/tcp is the listener on the FTP server that accepts command channel connections. The protocol knows how to multiplex many command sessions on the same port. When a client establishes a connection, they do it solely over the command channel. If the client needs to send or receive data (remember that directory listing output is considered data) then one of two things happens:

1.) FTP client is using Active mode FTP and sends a PORT command to the server. The server then connects back to the client on the client's port 20/tcp and delivers the data. This socket is used for all the other data that is transferred (unless the client requests passive mode).
2.) FTP client is using Passive mode FTP, in which case the server sends a PASV command telling the client what IP and port to connect to. The client then connects to this new IP/port on the server and uses this socket for the current data transfer. Depending on the server implementation this may (not sure if RFCs allow this) reuse the socket, or might send the client a new PASV command for the next input or output.

FTP servers do not need port 20/tcp to be open, and presumably the conntrack_ftp module will detect when a client (on your machine) issues a PORT command and automatically allow the inbound connection from the server.
 
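Added example, not code from any poster in this thread: a small Python walk-through of what the FTP conntrack helper must do on the command channel, as chort describes in #2 and #9: decode PORT commands and 227 passive-mode replies into the data connection it should expect (the one iptables then sees as RELATED), and check an announced passive port against the PassivePorts 65500 65535 range from #5. The control-channel lines and addresses are constructed; a ciphertext line shows why an encrypted command channel (#4) produces no expectation at all.

```python
import re
from ipaddress import IPv4Address

# Constructed sample control-channel exchange (not a real capture).
SAMPLE_CONTROL_CHANNEL = [
    "PORT 192,168,1,10,4,1",                          # active: client listens on 192.168.1.10:1025
    "LIST",
    "PASV",
    "227 Entering Passive Mode (10,0,0,5,255,240).",  # passive: server listens on 10.0.0.5:65520
    "RETR file.txt",
]
# PassivePorts 65500 65535, as set in the thread's proftpd.conf.
PASSIVE_RANGE = range(65500, 65536)
_HOST_PORT = re.compile(r"(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3})")

def decode_host_port(text):
    """Decode the h1,h2,h3,h4,p1,p2 tuple carried by PORT commands and 227 replies."""
    m = _HOST_PORT.search(text)
    if m is None:
        return None
    fields = [int(x) for x in m.groups()]
    if any(f > 255 for f in fields):
        return None                     # malformed tuple: the helper must not trust it
    ip = str(IPv4Address(bytes(fields[:4])))
    return ip, fields[4] * 256 + fields[5]

def expected_data_connections(lines):
    """Walk the control channel as the FTP conntrack helper does and return the
    data connections it would mark RELATED. Ciphertext yields no expectations."""
    expected = []
    for line in lines:
        if line.upper().startswith("PORT "):
            target = decode_host_port(line)
            if target:
                expected.append(("active",) + target)    # server -> client
        elif line.startswith("227 "):
            target = decode_host_port(line)
            if target:
                expected.append(("passive",) + target)   # client -> server
    return expected

def is_related(expected, dst_ip, dst_port):
    """Would a new SYN to dst_ip:dst_port match a helper expectation?"""
    return any(ip == dst_ip and port == dst_port for _, ip, port in expected)

def passive_ports_outside_range(expected, allowed=PASSIVE_RANGE):
    """Announced passive ports outside the configured PassivePorts range."""
    return [port for mode, _, port in expected if mode == "passive" and port not in allowed]
```

Any port the server announces outside PassivePorts would need an extra ACCEPT rule or the transfer fails, which is the quick way to confirm the directive took effect.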