#1 | 07-13-2011, 09:29 AM | LQ Newbie, Registered: Jul 2011, Posts: 5
FTP publishing, need help configuring iptables in passive mode in non-standard port
Hi,
I'm using CentOS 5.3 (2.6.18-i686 i386 128.el5) and am trying to publish FTP in passive mode with iptables.
My iptables box is my gateway to the Internet (NAT).
So, here is my scenario:
- The iptables box has 2 network cards (1 internal network and 1 external network)
- The FTP server has 1 network card (1 internal network, and it listens on 2122)
I tried several rules in iptables to make it work, but nothing I did gave the expected result (perhaps I have done something wrong, not sure).
I also tried 2 things:
- Load the modules ip_conntrack_ftp and ip_nat_ftp, but they only work on the default port (21).
- Make a script for iptables and try to load the modules as follows: /sbin/modprobe ip_conntrack_ftp ports=21,2122 and /sbin/modprobe ip_nat_ftp ports=21,2122, but nothing happened.
Thanks in advance!
vdeschamps.
#2 | 07-15-2011, 05:32 AM | Senior Member, Registered: Jul 2007, Distribution: Gentoo, Posts: 2,125
See the following link: http://www.cyberciti.biz/faq/iptable...s-not-working/
According to the article, you will need to open the control ports, 20 and 21. You will also need to use connection tracking. The article is a little dated, written around the time of the 2.4 kernel and talks about adding the conntrack modules. You probably don't need to do this as it should be present in a more modern kernel.
One of the key things is that you will need passive ports, which occur on high port numbers. In the article, the port 1024 was chosen. You will need to configure this in your FTP configuration to match your iptables rules. Normally, a wide port range is chosen and you can either open up a larger port range and / or restrict it to one or a few ports.
#3 | 07-15-2011, 07:45 AM | LQ Newbie (Original Poster), Registered: Jul 2011, Posts: 5
Hi Noway2,
I have already seen this site and inserted these rules in my iptables, but it didn't work.
Maybe I am doing something wrong. Could you help me with this?
Thanks in advance.
Code:
# Generated by iptables-save v1.3.5 on Fri Jul 15 08:42:43 2011
*nat
:PREROUTING ACCEPT [20343:1823451]
:POSTROUTING ACCEPT [0:0]
:OUTPUT ACCEPT [5824:396523]
-A PREROUTING -i eth1 -p tcp -m tcp --dport 80 -j REDIRECT --to-ports 3128
-A PREROUTING -d mypublic.ip -p tcp -m tcp --dport 143 -j DNAT --to-destination 192.168.1.252
-A PREROUTING -d mypublic.ip -p tcp -m tcp --dport 443 -j DNAT --to-destination 192.168.1.252
-A PREROUTING -d mypublic.ip -p tcp -m tcp --dport 25 -j DNAT --to-destination 192.168.1.252
-A PREROUTING -d mypublic.ip -p tcp -m tcp --dport 110 -j DNAT --to-destination 192.168.1.252
-A PREROUTING -d mypublic.ip -p tcp -m tcp --dport 80 -j DNAT --to-destination 192.168.1.248
-A PREROUTING -d mypublic.ip -p tcp -m tcp --dport 20 -j DNAT --to-destination 192.168.1.248
-A PREROUTING -d mypublic.ip -p tcp -m tcp --dport 21 -j DNAT --to-destination 192.168.1.248
-A PREROUTING -d mypublic.ip -p tcp -m tcp --dport 2222 -j DNAT --to-destination 192.168.1.248
-A PREROUTING -d mypublic.ip -p tcp -m tcp --dport 8080 -j DNAT --to-destination 192.168.1.244
-A PREROUTING -d mypublic2.ip -p tcp -m tcp --dport 2122 -j DNAT --to-destination 192.168.1.121
-A PREROUTING -d mypublic2.ip -p tcp -m tcp --dport 3390 -j DNAT --to-destination 192.168.1.121
-A PREROUTING -d mypublic2.ip -p tcp -m tcp --dport 3389 -j DNAT --to-destination 192.168.1.122
-A PREROUTING -d mypublic2.ip -p tcp -m tcp --dport 143 -j DNAT --to-destination 192.168.1.252
-A PREROUTING -d mypublic2.ip -p tcp -m tcp --dport 443 -j DNAT --to-destination 192.168.1.252
-A PREROUTING -d mypublic2.ip -p tcp -m tcp --dport 25 -j DNAT --to-destination 192.168.1.252
-A PREROUTING -d mypublic2.ip -p tcp -m tcp --dport 110 -j DNAT --to-destination 192.168.1.252
-A PREROUTING -d mypublic2.ip -p tcp -m tcp --dport 80 -j DNAT --to-destination 192.168.1.252
-A PREROUTING -d mypublic2.ip -p tcp -m tcp --dport 995 -j DNAT --to-destination 192.168.1.252
-A PREROUTING -d mypublic.ip -p tcp -m tcp --dport 25 -j DNAT --to-destination 192.168.1.252
-A PREROUTING -d mypublic3.ip -p tcp -m tcp --dport 80 -j DNAT --to-destination 192.168.1.248
-A POSTROUTING -j MASQUERADE
COMMIT
# Completed on Fri Jul 15 08:42:43 2011
# Generated by iptables-save v1.3.5 on Fri Jul 15 08:42:43 2011
*mangle
:PREROUTING ACCEPT [554311:391505335]
:INPUT ACCEPT [315298:251104353]
:FORWARD ACCEPT [238130:140199786]
:OUTPUT ACCEPT [360385:230514122]
:POSTROUTING ACCEPT [597144:370612280]
COMMIT
# Completed on Fri Jul 15 08:42:43 2011
# Generated by iptables-save v1.3.5 on Fri Jul 15 08:42:43 2011
*filter
:INPUT DROP [6017:593952]
:FORWARD DROP [492:20997]
:OUTPUT DROP [754:32884]
:SCANNER - [0:0]
:TRINOO - [0:0]
:TROJAN - [0:0]
-A INPUT -i ! eth0 -j ACCEPT
-A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
-A INPUT -i eth0 -p tcp -m tcp --dport 27444 -j TRINOO
-A INPUT -i eth0 -p tcp -m tcp --dport 27665 -j TRINOO
-A INPUT -i eth0 -p tcp -m tcp --dport 31335 -j TRINOO
-A INPUT -i eth0 -p tcp -m tcp --dport 34555 -j TRINOO
-A INPUT -i eth0 -p tcp -m tcp --dport 35555 -j TRINOO
-A INPUT -i eth0 -p tcp -m tcp --dport 666 -j TROJAN
-A INPUT -i eth0 -p tcp -m tcp --dport 666 -j TROJAN
-A INPUT -i eth0 -p tcp -m tcp --dport 4000 -j TROJAN
-A INPUT -i eth0 -p tcp -m tcp --dport 6000 -j TROJAN
-A INPUT -i eth0 -p tcp -m tcp --dport 6006 -j TROJAN
-A INPUT -i eth0 -p tcp -m tcp --dport 16660 -j TROJAN
-A INPUT -i eth0 -p tcp -m tcp --tcp-flags FIN,SYN,RST,PSH,ACK,URG FIN,PSH,URG -j SCANNER
-A INPUT -i eth0 -p tcp -m tcp --tcp-flags FIN,SYN,RST,PSH,ACK,URG NONE -j SCANNER
-A INPUT -i eth0 -p tcp -m tcp --tcp-flags FIN,SYN,RST,PSH,ACK,URG FIN,SYN,RST,PSH,ACK,URG -j SCANNER
-A INPUT -i eth0 -p tcp -m tcp --tcp-flags FIN,SYN,RST,PSH,ACK,URG FIN,SYN -j SCANNER
-A INPUT -i eth0 -p tcp -m tcp --tcp-flags FIN,SYN,RST,PSH,ACK,URG FIN,SYN,RST,ACK,URG -j SCANNER
-A INPUT -i eth0 -p tcp -m tcp --tcp-flags SYN,RST SYN,RST -j SCANNER
-A INPUT -i eth0 -p tcp -m tcp --tcp-flags FIN,SYN FIN,SYN -j SCANNER
-A INPUT -i eth0 -p tcp -m tcp --dport 21 -j LOG --log-prefix "FIREWALL: ftp: "
-A INPUT -i eth0 -p tcp -m tcp --dport 23 -j LOG --log-prefix "FIREWALL: telnet: "
-A INPUT -i eth0 -p tcp -m tcp --dport 25 -j LOG --log-prefix "FIREWALL: smtp: "
-A INPUT -i eth0 -p tcp -m tcp --dport 80 -j LOG --log-prefix "FIREWALL: http: "
-A INPUT -i eth0 -p tcp -m tcp --dport 110 -j LOG --log-prefix "FIREWALL: pop3: "
-A INPUT -i eth0 -p udp -m udp --dport 111 -j LOG --log-prefix "FIREWALL: rpc: "
-A INPUT -i eth0 -p tcp -m tcp --dport 113 -j LOG --log-prefix "FIREWALL: identd: "
-A INPUT -i eth0 -p tcp -m tcp --dport 137:139 -j LOG --log-prefix "FIREWALL: samba: "
-A INPUT -i eth0 -p udp -m udp --dport 137:139 -j LOG --log-prefix "FIREWALL: samba: "
-A INPUT -i eth0 -p tcp -m tcp --dport 161:162 -j LOG --log-prefix "FIREWALL: snmp: "
-A INPUT -i eth0 -p tcp -m tcp --dport 3128 -j LOG --log-prefix "FIREWALL: squid: "
-A INPUT -i eth0 -p tcp -m tcp --dport 8081 -j LOG --log-prefix "FIREWALL: sistema_interno: "
-A INPUT -i eth0 -p tcp -m tcp --dport 3389 -j LOG --log-prefix "FIREWALL: Terminal: "
-A INPUT -i eth0 -p tcp -m tcp --dport 143 -j LOG --log-prefix "FIREWALL: Imap: "
-A INPUT -i eth0 -p tcp -m tcp --dport 443 -j LOG --log-prefix "FIREWALL: https: "
-A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
-A INPUT -i eth0 -p tcp -m tcp --dport 143 -j ACCEPT
-A INPUT -i eth0 -p tcp -m tcp --dport 53 -j ACCEPT
-A INPUT -i eth0 -p udp -m udp --dport 53 -j ACCEPT
-A INPUT -i eth0 -p tcp -m tcp --dport 110 -j ACCEPT
-A INPUT -i eth0 -p tcp -m tcp --dport 25 -j ACCEPT
-A INPUT -i eth0 -p tcp -m tcp --dport 80 -j ACCEPT
-A INPUT -i eth0 -p tcp -m tcp --dport 443 -j ACCEPT
-A INPUT -i eth0 -p tcp -m tcp --dport 20 -j ACCEPT
-A INPUT -i eth0 -p tcp -m tcp --dport 21 -j ACCEPT
-A INPUT -i eth0 -p tcp -m tcp --dport 2122 -j ACCEPT
-A INPUT -i eth0 -p tcp -m tcp --dport 3389 -j ACCEPT
-A INPUT -i eth0 -p tcp -m tcp --dport 3390 -j ACCEPT
-A INPUT -i eth0 -p tcp -m tcp --dport 2200 -j ACCEPT
-A INPUT -i eth0 -p tcp -m tcp --dport 3456 -j ACCEPT
-A INPUT -i eth1 -p tcp -m tcp --dport 3456 -j ACCEPT
-A INPUT -p icmp -j ACCEPT
-A INPUT -i eth0 -p tcp -m tcp --dport 10000 -j ACCEPT
-A FORWARD -p tcp -m tcp ! --tcp-flags FIN,SYN,RST,ACK SYN -m state --state NEW -j LOG --log-prefix "FIREWALL: NEW sem syn: "
-A FORWARD -p tcp -m tcp ! --tcp-flags FIN,SYN,RST,ACK SYN -m state --state NEW -j DROP
-A FORWARD -m state --state NEW,RELATED,ESTABLISHED -j ACCEPT
-A FORWARD -i eth1 -p tcp -m tcp --dport 135 -j REJECT --reject-with icmp-port-unreachable
-A FORWARD -p icmp -m icmp --icmp-type 8 -m limit --limit 1/sec -j ACCEPT
-A FORWARD -d 192.168.1.160 -i eth0 -p tcp -m tcp --dport 8888 -j ACCEPT
-A FORWARD -d 192.168.1.160 -i eth0 -p tcp -m tcp --dport 1337 -j ACCEPT
-A OUTPUT -m state --state NEW,RELATED,ESTABLISHED -j ACCEPT
-A SCANNER -m limit --limit 15/min -j LOG --log-prefix "FIREWALL: port scanner: "
-A SCANNER -j DROP
-A TRINOO -m limit --limit 15/min -j LOG --log-prefix "FIREWALL: trinoo: "
-A TRINOO -j DROP
-A TROJAN -m limit --limit 15/min -j LOG --log-prefix "FIREWALL: trojan: "
-A TROJAN -j DROP
COMMIT
# Completed on Fri Jul 15 08:42:43 2011
#4 | 07-15-2011, 09:10 AM | Senior Member, Registered: Jul 2007, Distribution: Gentoo, Posts: 2,125
Two things:
1 - Did you configure the passive port range in your FTP configuration, and is this reflected in your firewall rules (your 2nd post doesn't answer this)?
2 - Iptables rules work as a waterfall. Once a match is made, the rest of the rules are short circuited and the remaining rules are not even evaluated. You have rules for logging port 21 above rules for accepting connections on port 21. I can't say for certain if this will cause issues, but you should verify whether or not these ports are truly open in your firewall and connections can be made.
#5 | 07-15-2011, 09:51 AM | LQ Newbie (Original Poster), Registered: Jul 2011, Posts: 5
After you told me, I noticed that rules were missing. So I added these rules:
Code:
-A INPUT -p tcp --sport 1024: --dport 1024: -m state --state ESTABLISHED -j ACCEPT
-A OUTPUT -p tcp --sport 1024: --dport 1024: -m state --state ESTABLISHED,RELATED -j ACCEPT
-A INPUT -i eth0 -p tcp -m tcp --dport 2122 -j LOG --log-prefix "FIREWALL: ftp: "
I posted what is displayed after running iptables-save; I don't know if this is the order of my rules, because when I run iptables -L -n the rules don't appear in the same order.
Should I configure it again, in the right order?
Note: When I change my FTP server to listen on port 21, passive mode works fine. But when it listens on port 2122, passive mode stops working.
Thanks in advance.
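The two symptoms in this thread fit together: passive mode works when the server listens on 21 but not on 2122, and "modprobe ip_conntrack_ftp ports=21,2122" appeared to do nothing. The FTP helper only inspects the control ports it was loaded with (21 by default), so a PASV reply on 2122 is never parsed and no data connection is ever marked RELATED; and modprobe does not re-parameterise a module that is already loaded, so running it again with ports= on a box where the iptables service already loaded the helper is a silent no-op. The script below is an added example and not code from the thread. The public address 203.0.113.10, the interface eth0 and the passive range 50000:50100 are assumptions; the module names are the 2.6.18-era ones the original poster used (on later kernels they are nf_conntrack_ftp and nf_nat_ftp).

```shell
#!/bin/sh
# Added example (not from the thread): passive FTP on a non-standard control
# port through an iptables NAT gateway, CentOS 5 / kernel 2.6.18 module names.
#
#   sh ftp-nat.sh apply                          # apply on the gateway as root
#   IPT=echo MODPROBE=echo sh ftp-nat.sh apply   # only print what would run

IPT=${IPT:-/sbin/iptables}
MODPROBE=${MODPROBE:-/sbin/modprobe}

WAN_IF=${WAN_IF:-eth0}                    # assumed: external interface
PUBLIC_IP=${PUBLIC_IP:-203.0.113.10}      # assumed: gateway public address
FTP_SERVER=${FTP_SERVER:-192.168.1.121}   # internal FTP server (from the thread)
FTP_PORT=${FTP_PORT:-2122}                # non-standard control port
PASV_RANGE=${PASV_RANGE:-50000:50100}     # assumed: passive range set on the server

# The helper watches only the ports it was loaded with. Unload first: modprobe
# with new options does nothing if the module is already loaded with defaults.
load_ftp_helpers() {
    $MODPROBE -r ip_nat_ftp 2>/dev/null || true
    $MODPROBE -r ip_conntrack_ftp 2>/dev/null || true
    $MODPROBE ip_conntrack_ftp ports=21,$FTP_PORT
    $MODPROBE ip_nat_ftp ports=21,$FTP_PORT
}

# Check what the loaded helper is actually watching (readable as root on
# kernels that export module parameters under /sys/module).
helper_ports() {
    f=/sys/module/ip_conntrack_ftp/parameters/ports
    [ -r "$f" ] && cat "$f"
}

# Only the control port needs an explicit DNAT. Once the helper parses the
# PASV reply it rewrites the advertised address to the public one and records
# an expectation; the client's data connection then matches RELATED and
# ip_nat_ftp DNATs it to the server without a rule per data port.
add_ftp_rules() {
    $IPT -t nat -A PREROUTING -i "$WAN_IF" -d "$PUBLIC_IP" -p tcp --dport "$FTP_PORT" \
        -j DNAT --to-destination "$FTP_SERVER:$FTP_PORT"
    $IPT -A FORWARD -i "$WAN_IF" -d "$FTP_SERVER" -p tcp --dport "$FTP_PORT" \
        -m state --state NEW -j ACCEPT
    # No NEW here: a connection to the passive range is only forwarded when a
    # PASV reply on the control connection announced it first.
    $IPT -A FORWARD -i "$WAN_IF" -d "$FTP_SERVER" -p tcp --dport "$PASV_RANGE" \
        -m state --state RELATED,ESTABLISHED -j ACCEPT
}

# Nothing runs unless "apply" is given, so the file is safe to source.
if [ "${1:-}" = apply ]; then
    load_ftp_helpers
    add_ftp_rules
    echo "ip_conntrack_ftp is watching ports: $(helper_ports)"
fi
```

To keep this across reboots on CentOS 5, list the helpers in IPTABLES_MODULES="ip_conntrack_ftp ip_nat_ftp" in /etc/sysconfig/iptables-config, put "options ip_conntrack_ftp ports=21,2122" in /etc/modprobe.conf (or a file under /etc/modprobe.d/) so the service loads them with the right ports, and then save the rules with "service iptables save".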
#7 | 07-20-2011, 07:41 AM | LQ Newbie (Original Poster), Registered: Jul 2011, Posts: 5
I don't know about your server, but my /etc/sysconfig/iptables-config only has options for loading modules (such as ip_nat_ftp, ip_conntrack_ftp, etc.) and other options to save after reboot and so on.
When I run iptables-save > firewall.txt, I see the file the way I posted it here, but when I run iptables -L -n it shows the order that you said it should be. The strange thing is that the iptables file is in the same order as iptables -L -n, and I don't know if there is a reason iptables-save shows it the "wrong" way, and also whether this is the sequence it uses to compare the rules.
I've tried many ways and I can't get them in the correct order.
I made some tests in iptables, but nothing happens with passive mode on non-standard ports.
Any suggestions?
Thanks in advance.
vdeschamps
#8 | 07-20-2011, 08:37 PM | LQ Guru, Registered: Aug 2004, Location: Sydney, Distribution: Rocky 9.2, Posts: 18,415
OK; let me expand/clarify a bit.
Section 27.1.16 here http://www.linuxtopia.org/online_boo...onfig-iptables says
Quote:
Rules can also be created manually using the /sbin/iptables command. Once created, add the rule(s) to the /etc/sysconfig/iptables file by typing the following command:
/sbin/service iptables save
Once this file exists, any firewall rules saved in it persists through a system reboot or a service restart.
|
Note that the cmd there is very different to "iptables-save > $random_file.txt".
I would only use the latter to keep a backup in case I screw it up, although usually I just copy /etc/sysconfig/iptables itself.
The /etc/sysconfig/iptables file is the one read at system start or '/sbin/service iptables restart'.
Maybe this explains the differences you are seeing.
The 2nd link I gave then goes into iptables on RHEL/Centos in depth.
HTH
Last edited by chrism01; 07-20-2011 at 08:39 PM.
#9 | 07-29-2011, 03:44 PM | LQ Newbie (Original Poster), Registered: Jul 2011, Posts: 5
Hi,
My FTP server is FileZilla running on Windows Server 2008, so I made changes to its configuration as follows:
- Use the following IP (put my external IP)
- Uncheck the option Don't use external IP for local connections
Then I went to iptables and added the following rules:
iptables -t nat -A PREROUTING -d my.ext.nal.ip -p tcp --dport 2122 -j DNAT --to-destination 192.168.1.121:2122
iptables -t nat -A PREROUTING -d my.ext.nal.ip -p tcp --dport 1024:65535 -j DNAT --to-destination 192.168.1.121:1024-65535
iptables -t nat -A POSTROUTING -p tcp -s 192.168.1.121 --sport 1024:65535 -j SNAT --to my.ext.nal.ip:1024-65535
iptables -t nat -A POSTROUTING -p tcp -s 192.168.1.121 --sport 2122 -j SNAT --to my.ext.nal.ip:2122
And it works!
I'm trying to figure out why it does not work with the default options of FileZilla.
When I try to connect with these active options and the iptables rules (described above), it does not connect and shows me the following text: "Entering Passive Mode (192,168,1,122, number, number)". 192.168.1.122 is the IP of my internal FTP server.
I do not know if it is clear.
Thanks in advance.
vdeschamps
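The "Entering Passive Mode (192,168,1,122, number, number)" line seen in the post above is the symptom to recognise: the server is advertising its private address in the 227 reply, and the client then tries to open the data connection to that address instead of the gateway. When the FTP NAT helper is watching the control connection it rewrites that address before the reply leaves the gateway and records which data connection to expect. The script below is an added example, not code from the thread, that does the same parsing and rewriting in shell so the mechanism can be seen and checked offline; the 227 replies and the public address 203.0.113.10 are constructed samples, and the function names are assumptions.

```shell
#!/bin/sh
# Added example (not from the thread): what the FTP NAT helper must do with a
# 227 reply. Sample replies and addresses below are constructed.

# parse_pasv "227 Entering Passive Mode (h1,h2,h3,h4,p1,p2)" -> "h1.h2.h3.h4 port"
# The data port is p1*256 + p2, which is how FTP encodes it in the reply.
parse_pasv() {
    body=${1#*\(}           # drop everything up to the opening parenthesis
    body=${body%%\)*}       # and everything from the closing one onwards
    oldifs=$IFS; IFS=,
    set -- $body            # split the six comma-separated fields
    IFS=$oldifs
    [ $# -eq 6 ] || return 1
    echo "$1.$2.$3.$4 $(( $5 * 256 + $6 ))"
}

# rewrite_pasv <reply> <public_ip>: the reply as ip_nat_ftp sends it on, with
# the server's private address replaced by the gateway's public one.
rewrite_pasv() {
    parsed=$(parse_pasv "$1") || return 1
    port=${parsed#* }
    hi=$(( port / 256 )); lo=$(( port % 256 ))
    pubc=$(echo "$2" | tr . ,)
    echo "227 Entering Passive Mode ($pubc,$hi,$lo)"
}

# expected_data_connection <reply> <public_ip>: the mapping the helper records
# alongside the rewrite, so the client's connection to the public address is
# DNATed to the address and port the server actually announced.
expected_data_connection() {
    parsed=$(parse_pasv "$1") || return 1
    echo "$2:${parsed#* } -> ${parsed% *}:${parsed#* }"
}

# advertises_private <reply>: succeeds when the reply still carries an
# RFC 1918 address, i.e. the helper did not touch it (or the server is
# configured to announce its LAN address). Returns 2 on a malformed reply.
advertises_private() {
    parsed=$(parse_pasv "$1") || return 2
    case ${parsed% *} in
        10.*|192.168.*) return 0 ;;
        172.1[6-9].*|172.2[0-9].*|172.3[01].*) return 0 ;;
    esac
    return 1
}

# Run directly to see the three steps on the constructed sample.
if [ "${1:-}" = demo ]; then
    r='227 Entering Passive Mode (192,168,1,122,195,80)'
    echo "server said: $r"
    echo "parsed:      $(parse_pasv "$r")"
    echo "rewritten:   $(rewrite_pasv "$r" 203.0.113.10)"
    echo "expectation: $(expected_data_connection "$r" 203.0.113.10)"
    advertises_private "$r" && echo "warning: private address advertised"
fi
```

Seeing a private address in the 227 reply from outside is therefore a quick test of whether the helper is active on that control port. The workaround in the post above, DNATing 1024:65535 wholesale to the Windows host, avoids needing the helper but forwards every listening high port on that host to the Internet, not only the passive range; if that approach is kept, narrow the DNAT to the range configured in FileZilla.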
#10 | 07-30-2011, 04:11 AM | Senior Member, Registered: Jan 2010, Location: SI : 45.9531, 15.4894, Distribution: CentOS, OpenNA/Trustix, testing desktop openSuse 12.1 /Cinnamon/KDE4.8, Posts: 1,144
This needs a closer look at your FTP server configuration. Assuming you're using VSFTPD, you need in your config:
/etc/vsftpd/vsftpd.conf
Vsftpd Server With Passive Mode Port Range
You can also take a look at the configuration options for vsftpd here.
Then, if you can expose your server, stop iptables, try FileZilla to connect and see if passive mode works; after that, configure iptables to work properly.