LinuxQuestions.org
Linux - Security: This forum is for all security related questions. Questions, tips, system compromises, firewalls, etc. are all included here.
Old 12-08-2003, 10:09 PM   #16
JordanH
Member
 
Registered: Oct 2003
Location: Toronto, Canada
Distribution: Ubuntu, FC3, RHEL 3-4 AS Retired: SuSE 9.1 Pro, RedHat 6-9, FC1-2
Posts: 360

Rep: Reputation: 30

Starting new threads for new topics is preferred. Just make sure you search the topic first or it frustrates the regulars (me included, sorry, I have no patience). Anyway, good luck with your research and let me/us know if you have more questions.

Cheers,
J.
 
Old 01-09-2004, 01:17 PM   #17
steepcreep
LQ Newbie
 
Registered: Aug 2003
Distribution: Redhat9
Posts: 5

Rep: Reputation: 0
Quote:
Originally posted by JordanH
You are both likely experiencing problems with active mode (standard mode) ftp. Keep in mind that when using active mode transfers the SERVER initiates the data connection while you only initiate the command connection.

Try switching to passive mode.
Let's say that the server will only allow active sessions; is it possible to have the remote connect to a box in the network behind the firewall? I ask this because I have recently connected to a box that will not allow pasv connections, and so I am able to send commands but not accept data.

Thanks for any advice.
 
Old 01-09-2004, 01:30 PM   #18
JordanH
Member
 
Registered: Oct 2003
Location: Toronto, Canada
Distribution: Ubuntu, FC3, RHEL 3-4 AS Retired: SuSE 9.1 Pro, RedHat 6-9, FC1-2
Posts: 360

Rep: Reputation: 30
If you allow established/related connections, then it should work, no?

the ip_conntrack_ftp module rings a bell in my head... what are your results from the command:
/sbin/modprobe ip_conntrack_ftp

The Kludge of a fix is this...
temporarily DNAT external, incoming port 20 connections to your internal client ip address. Kludge kludge kludge but it should work.
 
Old 01-14-2004, 12:01 AM   #19
steepcreep
LQ Newbie
 
Registered: Aug 2003
Distribution: Redhat9
Posts: 5

Rep: Reputation: 0
Thanks for the reply JordanH. I've been a little busy at work, but I'll get back to you with the reply for that conntrack_ftp modprobe on the weekend. Pasv connections work just fine, as would be expected, since I initiate the connections. Actually I'm only using the VERY simple masquerade ruleset that is listed in the masquerading made simple how-to. I'd like to set up a slightly more secure rule set, and I have been looking at the example ruleset for n00bs that you posted some time ago. I'm still having trouble making it stick from reboot to reboot. I'll have to do a little more research (read: search command) regarding this. I don't want to waste your time.

I wonder if I open up 1027? Do all active data transfers come down on 1027? What if one is using a multi-threaded ftp client?

Until next time, thanks a lot.

Last edited by steepcreep; 01-14-2004 at 12:03 AM.
 
Old 01-18-2004, 10:26 PM   #20
JordanH
Member
 
Registered: Oct 2003
Location: Toronto, Canada
Distribution: Ubuntu, FC3, RHEL 3-4 AS Retired: SuSE 9.1 Pro, RedHat 6-9, FC1-2
Posts: 360

Rep: Reputation: 30
Hey. I've been away on a conference but now have a bit more time to respond.

"Making it stick" is as simple as including the firewall script in your startup scripts. I'll give you an example of a simple way to do it in RedHat:
1. Save the script as /etc/init.d/firewall.sh
2. ln -s /etc/init.d/firewall.sh /etc/rc.d/rc3.d/S15firewall
3. ln -s /etc/init.d/firewall.sh /etc/rc.d/rc5.d/S15firewall

Voila, your firewall will start up whenever running in text mode or graphical login mode (run level 3 and 5 respectively).

I'm not sure if I understand your question about port 1024 but I'm pretty sure the answer is no. ;-) Any ports higher than 1024 are allocated dynamically so it is likely a different port every time.

Cheers. J.
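The three steps above amount to a start/stop script plus two symlinks. As an added example that is not a script from any post in this thread, here is what such a /etc/init.d/firewall.sh could look like, combining the earlier advice (load ip_conntrack_ftp and accept ESTABLISHED,RELATED traffic so masqueraded clients can use active-mode FTP) with the start/stop interface the rc.d symlinks expect. The interface names (eth0 external, eth1 LAN), the LAN subnet and the list of allowed ports are assumptions to adjust for your own box; running it with IPT=echo prints the rules instead of loading them.

```shell
#!/bin/sh
# /etc/init.d/firewall.sh -- added example, not a script from the thread.
# Masquerades a LAN and loads the FTP connection-tracking helper so that
# active-mode FTP works for clients behind the box.
# Assumed (hypothetical) layout: eth0 faces the Internet, eth1 faces the LAN.

IPT="${IPT:-/sbin/iptables}"              # IPT=echo prints rules instead of loading them
MODPROBE="${MODPROBE:-/sbin/modprobe}"
IP_FORWARD="${IP_FORWARD:-/proc/sys/net/ipv4/ip_forward}"
EXT_IF="${EXT_IF:-eth0}"
LAN_IF="${LAN_IF:-eth1}"
LAN_NET="${LAN_NET:-192.168.1.0/24}"
OK_EXT_TCP_PORTS="${OK_EXT_TCP_PORTS:-22}"  # services the box itself offers outside

fw_load_modules() {
    # ip_conntrack_ftp watches PORT/PASV on the command channel and marks the
    # resulting data connection RELATED; ip_nat_ftp rewrites the address in
    # PORT commands sent by masqueraded clients. Without them the server's
    # connection from port 20 looks like an unsolicited NEW connection and is dropped.
    $MODPROBE ip_conntrack_ftp
    $MODPROBE ip_nat_ftp
}

fw_flush() {
    $IPT -F
    $IPT -t nat -F
    $IPT -X
}

fw_start() {
    fw_load_modules
    fw_flush
    $IPT -P INPUT DROP
    $IPT -P FORWARD DROP
    $IPT -P OUTPUT ACCEPT
    $IPT -A INPUT -i lo -j ACCEPT
    # Replies and helper-tracked data channels: these are the rules that let
    # active FTP through once the modules above are loaded.
    $IPT -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
    $IPT -A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT
    # New connections from outside only to the listed ports (note --dport)
    for port_ok in $OK_EXT_TCP_PORTS; do
        $IPT -A INPUT -i "$EXT_IF" -p tcp --dport "$port_ok" -m state --state NEW -j ACCEPT
    done
    # The LAN may talk to the box and open new connections through it
    $IPT -A INPUT -i "$LAN_IF" -s "$LAN_NET" -j ACCEPT
    $IPT -A FORWARD -i "$LAN_IF" -s "$LAN_NET" -m state --state NEW -j ACCEPT
    $IPT -t nat -A POSTROUTING -o "$EXT_IF" -s "$LAN_NET" -j MASQUERADE
    echo 1 > "$IP_FORWARD"
}

fw_stop() {
    fw_flush
    $IPT -P INPUT ACCEPT
    $IPT -P FORWARD ACCEPT
    $IPT -P OUTPUT ACCEPT
    echo 0 > "$IP_FORWARD"
}

# init runs "firewall.sh start" through the S15firewall symlinks; with no
# argument the file only defines the functions above.
case "${1:-}" in
    start)   fw_start ;;
    stop)    fw_stop ;;
    restart) fw_stop; fw_start ;;
esac
```

Saved as /etc/init.d/firewall.sh, made executable and symlinked as in steps 2 and 3, init invokes it with "start" at run levels 3 and 5. Check the result with "iptables -L -n -v" and "lsmod | grep ftp" after a reboot.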
 
Old 01-23-2004, 12:11 AM   #21
witeshark
Member
 
Registered: Jan 2004
Location: Miami FL
Distribution: Mac OS X 10.4.11 Ubuntu 12.04 LTS
Posts: 429

Rep: Reputation: 30
OK from here. Isn't it a bit less trying to go Mac?
 
Old 01-23-2004, 07:27 PM   #22
JordanH
Member
 
Registered: Oct 2003
Location: Toronto, Canada
Distribution: Ubuntu, FC3, RHEL 3-4 AS Retired: SuSE 9.1 Pro, RedHat 6-9, FC1-2
Posts: 360

Rep: Reputation: 30
That comment seems out of place. Please > to /dev/null.
 
Old 01-29-2004, 10:12 AM   #23
luxitan
Member
 
Registered: Aug 2003
Location: Portugal
Distribution: Gentoo
Posts: 78

Rep: Reputation: 15
Quote:
Originally posted by JordanH
# Allow new connections to these TCP ports
for port_ok in $ok_ext_tcp_ports
do
$ipt -A IN_FIREWALL -p tcp -m state --state NEW -j ACCEPT
done
# Allow new connections to these UDP ports
for port_ok in $ok_ext_udp_ports
do
$ipt -A IN_FIREWALL -p udp -m state --state NEW -j ACCEPT
done
I'm trying to do my first iptables script and came across this thread; it's been a great help, but is the quoted script right? It's not using port_ok anywhere. Shouldn't it be like:

for port_ok in $ok_ext_tcp_ports
do
$ipt -A IN_FIREWALL -p tcp --dport $port_ok -m state --state NEW -j ACCEPT
done

Sorry if I'm completely wrong, I'm new to this.
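Without --dport the match in the quoted loop has no port at all, so each pass adds an identical rule accepting every new TCP (or UDP) connection to the box. As an added example that is not from any post in this thread, here is the corrected loop next to a small audit that finds such rules in iptables-save output; the dump it is run over is constructed for the example, and the chain name IN_FIREWALL simply follows the quoted script.

```shell
#!/bin/sh
# Added example: per-port ACCEPT loop with --dport, plus an audit that flags
# "accept any NEW connection" rules in iptables-save output. Not from the thread.

IPT="${IPT:-/sbin/iptables}"   # IPT=echo prints the rules instead of loading them

# Add one NEW-state ACCEPT rule per port to the given chain.
# Usage: allow_new_tcp_ports CHAIN PORT...
allow_new_tcp_ports() {
    chain=$1
    shift
    for port_ok in "$@"; do
        # --dport is what the quoted loop left out; without it the rule
        # matches every new TCP connection regardless of port.
        $IPT -A "$chain" -p tcp --dport "$port_ok" -m state --state NEW -j ACCEPT
    done
}

# Print ACCEPT rules that match NEW connections but name no destination port.
# Reads iptables-save style text on stdin.
find_open_new_rules() {
    grep -- '-j ACCEPT' | grep -- '--state NEW' | grep -v -- '--dport'
}

# Count such rules; 0 is what an audit of a finished ruleset should report.
count_open_new_rules() {
    find_open_new_rules | wc -l | tr -d ' '
}

# Constructed sample in iptables-save format: the first two IN_FIREWALL rules
# are what the quoted loop produces, the third is what the corrected loop produces.
SAMPLE_DUMP='*filter
:INPUT DROP [0:0]
:IN_FIREWALL - [0:0]
-A INPUT -j IN_FIREWALL
-A IN_FIREWALL -p tcp -m state --state NEW -j ACCEPT
-A IN_FIREWALL -p udp -m state --state NEW -j ACCEPT
-A IN_FIREWALL -p tcp -m tcp --dport 22 -m state --state NEW -j ACCEPT
-A IN_FIREWALL -m state --state ESTABLISHED,RELATED -j ACCEPT
COMMIT'

# On a live box the audit is simply:  iptables-save | count_open_new_rules
```

Run against the sample dump the audit reports 2 (the two port-less rules); run against the output of allow_new_tcp_ports it reports 0. Note that iptables-save shows the corrected rule as "-p tcp -m tcp --dport 22", since --dport loads the tcp match implicitly.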
 
  

