Linux - Security
This forum is for all security related questions. Questions, tips, system compromises, firewalls, etc. are all included here.
Starting new threads for new topics is preferred. Just make sure you search the topic first, or it frustrates the regulars (me included, sorry, I have no patience). Anyway, good luck with your research and let me/us know if you have more questions.
Originally posted by JordanH:
You are both likely experiencing problems with active mode (standard mode) FTP. Keep in mind that when using active mode transfers the SERVER initiates the data connection while you only initiate the command connection.
Try switching to passive mode.
Let's say that the server will only allow active sessions, is it possible to have the remote connect to a box in the network behind the firewall? I ask this because I have recently connected to a box that will not allow pasv connections and so I am able to send commands but not accept data.
If you allow established/related connections, then it should work, no?
The ip_conntrack_ftp module rings a bell in my head... What are your results from the command:
/sbin/modprobe ip_conntrack_ftp
The kludge of a fix is this:
Temporarily DNAT external, incoming port 20 connections to your internal client IP address. Kludge, kludge, kludge, but it should work.
Thanks for the reply JordanH. I've been a little busy at work, but I'll get back to you with the reply for that conntrack_ftp modprobe on the weekend. PASV connections work just fine, as would be expected, since I initiate the connections. Actually I'm only using the VERY simple masquerade ruleset that is listed in the Masquerading Made Simple HOWTO. I'd like to set up a slightly more secure ruleset, and I have been looking at the example ruleset for n00bs that you posted some time ago. I'm still having trouble making it stick from reboot to reboot. I'll have to do a little more research (read: search command) regarding this. I don't want to waste your time.
I wonder if I open up 1027? Do all active data transfers come down on 1027? What if one is using a multi-threaded ftp client?
Until next time, thanks a lot.
Last edited by steepcreep; 01-14-2004 at 12:03 AM.
Hey. I've been away on a conference but now have a bit more time to respond.
"Making it stick" is as simple as including the firewall script in your startup scripts. I'll give you an example of a simple way to do it in RedHat:
1. Save the script as /etc/init.d/firewall.sh
2. ln -s /etc/init.d/firewall.sh /etc/rc.d/rc3.d/S15firewall
3. ln -s /etc/init.d/firewall.sh /etc/rc.d/rc5.d/S15firewall
Voila, your firewall will start up whenever running in text mode or graphical login mode (run levels 3 and 5 respectively).
I'm not sure if I understand your question about port 1024 but I'm pretty sure the answer is no. ;-) Any ports higher than 1024 are allocated dynamically so it is likely a different port every time.
Originally posted by JordanH:
# Allow new connections to these TCP ports
for port_ok in $ok_ext_tcp_ports
do
$ipt -A IN_FIREWALL -p tcp -m state --state NEW -j ACCEPT
done
# Allow new connections to these UDP ports
for port_ok in $ok_ext_udp_ports
do
$ipt -A IN_FIREWALL -p udp -m state --state NEW -j ACCEPT
done
I'm trying to do my first iptables script and came across this thread. It's been a great help, but is the quoted script right? It's not using port_ok anywhere; shouldn't it be like:
for port_ok in $ok_ext_tcp_ports
do
$ipt -A IN_FIREWALL -p tcp --dport $port_ok -m state --state NEW -j ACCEPT
done
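Pulling the thread together, here is an added example script (mine, not JordanH's or steepcreep's, and not the ruleset from the HOWTO) that does what the posts above describe: loads the FTP connection-tracking helper, accepts ESTABLISHED/RELATED traffic so the active-mode data connection is let through, uses the corrected per-port loop with --dport $port_ok, and carries the port-20 DNAT kludge as an optional fallback. It also includes a small ftp_port_decode function that does what ip_conntrack_ftp does with a PORT command, which shows why the data port is a different ephemeral port each time rather than a fixed 1027. The interface names (eth0/eth1), the LAN 192.168.1.0/24, the client address 192.168.1.10 and the open ports are assumptions for illustration. Run it with no arguments to print the rules for review; run "firewall.sh apply" as root to load them, and install it under /etc/init.d with the rc3.d/rc5.d symlinks described above to make it stick.

```shell
#!/bin/sh
# firewall.sh: added example for this thread, not a script from the original posts.
# Assumptions (mine, not from the thread): eth0 faces the Internet, eth1 the LAN
# 192.168.1.0/24, and 192.168.1.10 is the internal FTP client that needs active mode.

IPT=/sbin/iptables
EXT_IF=eth0
INT_IF=eth1
LAN=192.168.1.0/24
FTP_CLIENT=192.168.1.10          # only used by the port-20 DNAT kludge; leave empty to skip it
ok_ext_tcp_ports="22 80"         # assumed services exposed on the firewall itself
ok_ext_udp_ports=""

# Decode an FTP PORT command the way the conntrack helper does: the client sends
# "PORT h1,h2,h3,h4,p1,p2" and the server then connects from its port 20 to
# h1.h2.h3.h4 port p1*256+p2.  Prints "ip port".  The port is whatever the client
# picked from its ephemeral range, so opening one fixed port such as 1027 does not help.
ftp_port_decode() {
    set -- $(printf '%s\n' "$1" | sed -e 's/^PORT *//' -e 's/,/ /g')
    [ $# -eq 6 ] || return 1
    echo "$1.$2.$3.$4 $(( $5 * 256 + $6 ))"
}

# Emit the rules one per line so they can be reviewed, or piped to sh to apply.
fw_rules() {
    # ip_conntrack_ftp watches the control channel and marks the data connection
    # RELATED; ip_nat_ftp rewrites the private address inside the PORT command when
    # masquerading.  (On 2.6.20+ kernels these are nf_conntrack_ftp and nf_nat_ftp.)
    echo "modprobe ip_conntrack_ftp"
    echo "modprobe ip_nat_ftp"
    echo "echo 1 > /proc/sys/net/ipv4/ip_forward"
    echo "$IPT -F"; echo "$IPT -t nat -F"; echo "$IPT -X"
    echo "$IPT -P INPUT DROP"; echo "$IPT -P FORWARD DROP"; echo "$IPT -P OUTPUT ACCEPT"

    echo "$IPT -N IN_FIREWALL"
    echo "$IPT -A IN_FIREWALL -m state --state ESTABLISHED,RELATED -j ACCEPT"
    for port_ok in $ok_ext_tcp_ports; do
        echo "$IPT -A IN_FIREWALL -p tcp --dport $port_ok -m state --state NEW -j ACCEPT"
    done
    for port_ok in $ok_ext_udp_ports; do
        echo "$IPT -A IN_FIREWALL -p udp --dport $port_ok -m state --state NEW -j ACCEPT"
    done
    echo "$IPT -A IN_FIREWALL -j DROP"
    echo "$IPT -A INPUT -i lo -j ACCEPT"
    echo "$IPT -A INPUT -i $INT_IF -s $LAN -j ACCEPT"
    echo "$IPT -A INPUT -i $EXT_IF -j IN_FIREWALL"

    # Forwarding: the LAN may go out freely; from outside only replies and RELATED
    # connections (the active-mode data channel, once the helper has seen the PORT).
    echo "$IPT -A FORWARD -i $INT_IF -o $EXT_IF -s $LAN -j ACCEPT"
    echo "$IPT -A FORWARD -i $EXT_IF -o $INT_IF -m state --state ESTABLISHED,RELATED -j ACCEPT"
    echo "$IPT -t nat -A POSTROUTING -o $EXT_IF -s $LAN -j MASQUERADE"

    # Kludge from the thread, for when the helper cannot see the control channel
    # (e.g. the server is not on port 21): the server's data connection comes FROM
    # source port 20, so steer every such inbound connection to one client.
    if [ -n "$FTP_CLIENT" ]; then
        echo "$IPT -t nat -A PREROUTING -i $EXT_IF -p tcp --sport 20 -j DNAT --to-destination $FTP_CLIENT"
        echo "$IPT -A FORWARD -i $EXT_IF -o $INT_IF -p tcp --sport 20 -d $FTP_CLIENT -m state --state NEW -j ACCEPT"
    fi
}

case "${1:-}" in
    apply) fw_rules | sh -e ;;
    *)     fw_rules ;;
esac
```

The DNAT kludge is deliberately last and optional: it lets any host on the Internet that connects from source port 20 reach the client, which is exactly the hole the conntrack helper avoids by opening only the single expected data connection. Prefer the helper, and remove FTP_CLIENT once it works.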