LinuxQuestions.org > Forums > Linux Forums > Linux - Security
Old 07-13-2011, 09:29 AM   #1
vdeschamps
LQ Newbie
Registered: Jul 2011
Posts: 5

FTP publishing, need help configuring iptables in passive mode on a non-standard port

Hi,

I'm using CentOS 5.3 (2.6.18-i686 i386 128.el5) and am trying to publish FTP in passive mode with iptables.
My iptables is my gateway to access the Internet (NAT).

So, here is my scenario:

- Iptables has 2 networks cards (1 internal network and 1 external network)
- FTP server has 1 network card (on the internal network, listening on port 2122)

I tried several rules in iptables to make it work, but nothing I did gave the expected result (perhaps I have done something wrong, I'm not sure).
I also tried 2 things:
- Loading the modules ip_conntrack_ftp and ip_nat_ftp, but they only work on the default port (21).
- Making a script for iptables that tries to load the modules as follows: /sbin/modprobe ip_conntrack_ftp ports=21,2122 and /sbin/modprobe ip_nat_ftp ports=21,2122, but nothing happened.

Thanks in advance!

vdeschamps.
 
Old 07-15-2011, 05:32 AM   #2
Noway2
Senior Member
 
Registered: Jul 2007
Distribution: Gentoo
Posts: 2,125

See the following link: http://www.cyberciti.biz/faq/iptable...s-not-working/

According to the article, you will need to open the control ports, 20 and 21. You will also need to use connection tracking. The article is a little dated, written around the time of the 2.4 kernel and talks about adding the conntrack modules. You probably don't need to do this as it should be present in a more modern kernel.

One of the key things is that you will need passive ports, which occur on high port numbers. In the article, the port 1024 was chosen. You will need to configure this in your FTP configuration to match your iptables rules. Normally, a wide port range is chosen and you can either open up a larger port range and / or restrict it to one or a few ports.
 
Old 07-15-2011, 07:45 AM   #3
vdeschamps
LQ Newbie
 
Registered: Jul 2011
Posts: 5

Original Poster
Hi Noway2,

I have already seen this site and inserted these rules into my iptables, but it didn't work.
Maybe I am doing something wrong. Could you help me with this?

Thanks in advance.

Code:
# Generated by iptables-save v1.3.5 on Fri Jul 15 08:42:43 2011
*nat
:PREROUTING ACCEPT [20343:1823451]
:POSTROUTING ACCEPT [0:0]
:OUTPUT ACCEPT [5824:396523]
-A PREROUTING -i eth1 -p tcp -m tcp --dport 80 -j REDIRECT --to-ports 3128 
-A PREROUTING -d mypublic.ip -p tcp -m tcp --dport 143 -j DNAT --to-destination 192.168.1.252 
-A PREROUTING -d mypublic.ip -p tcp -m tcp --dport 443 -j DNAT --to-destination 192.168.1.252 
-A PREROUTING -d mypublic.ip -p tcp -m tcp --dport 25 -j DNAT --to-destination 192.168.1.252 
-A PREROUTING -d mypublic.ip -p tcp -m tcp --dport 110 -j DNAT --to-destination 192.168.1.252 
-A PREROUTING -d mypublic.ip -p tcp -m tcp --dport 80 -j DNAT --to-destination 192.168.1.248 
-A PREROUTING -d mypublic.ip -p tcp -m tcp --dport 20 -j DNAT --to-destination 192.168.1.248 
-A PREROUTING -d mypublic.ip -p tcp -m tcp --dport 21 -j DNAT --to-destination 192.168.1.248 
-A PREROUTING -d mypublic.ip -p tcp -m tcp --dport 2222 -j DNAT --to-destination 192.168.1.248 
-A PREROUTING -d mypublic.ip -p tcp -m tcp --dport 8080 -j DNAT --to-destination 192.168.1.244 
-A PREROUTING -d mypublic2.ip -p tcp -m tcp --dport 2122 -j DNAT --to-destination 192.168.1.121 
-A PREROUTING -d mypublic2.ip -p tcp -m tcp --dport 3390 -j DNAT --to-destination 192.168.1.121 
-A PREROUTING -d mypublic2.ip -p tcp -m tcp --dport 3389 -j DNAT --to-destination 192.168.1.122 
-A PREROUTING -d mypublic2.ip -p tcp -m tcp --dport 143 -j DNAT --to-destination 192.168.1.252 
-A PREROUTING -d mypublic2.ip -p tcp -m tcp --dport 443 -j DNAT --to-destination 192.168.1.252 
-A PREROUTING -d mypublic2.ip -p tcp -m tcp --dport 25 -j DNAT --to-destination 192.168.1.252 
-A PREROUTING -d mypublic2.ip -p tcp -m tcp --dport 110 -j DNAT --to-destination 192.168.1.252 
-A PREROUTING -d mypublic2.ip -p tcp -m tcp --dport 80 -j DNAT --to-destination 192.168.1.252 
-A PREROUTING -d mypublic2.ip -p tcp -m tcp --dport 995 -j DNAT --to-destination 192.168.1.252 
-A PREROUTING -d mypublic.ip -p tcp -m tcp --dport 25 -j DNAT --to-destination 192.168.1.252 
-A PREROUTING -d mypublic3.ip -p tcp -m tcp --dport 80 -j DNAT --to-destination 192.168.1.248 
-A POSTROUTING -j MASQUERADE 
COMMIT
# Completed on Fri Jul 15 08:42:43 2011
# Generated by iptables-save v1.3.5 on Fri Jul 15 08:42:43 2011
*mangle
:PREROUTING ACCEPT [554311:391505335]
:INPUT ACCEPT [315298:251104353]
:FORWARD ACCEPT [238130:140199786]
:OUTPUT ACCEPT [360385:230514122]
:POSTROUTING ACCEPT [597144:370612280]
COMMIT
# Completed on Fri Jul 15 08:42:43 2011
# Generated by iptables-save v1.3.5 on Fri Jul 15 08:42:43 2011
*filter
:INPUT DROP [6017:593952]
:FORWARD DROP [492:20997]
:OUTPUT DROP [754:32884]
:SCANNER - [0:0]
:TRINOO - [0:0]
:TROJAN - [0:0]
-A INPUT -i ! eth0 -j ACCEPT 
-A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT 
-A INPUT -i eth0 -p tcp -m tcp --dport 27444 -j TRINOO 
-A INPUT -i eth0 -p tcp -m tcp --dport 27665 -j TRINOO 
-A INPUT -i eth0 -p tcp -m tcp --dport 31335 -j TRINOO 
-A INPUT -i eth0 -p tcp -m tcp --dport 34555 -j TRINOO 
-A INPUT -i eth0 -p tcp -m tcp --dport 35555 -j TRINOO 
-A INPUT -i eth0 -p tcp -m tcp --dport 666 -j TROJAN 
-A INPUT -i eth0 -p tcp -m tcp --dport 666 -j TROJAN 
-A INPUT -i eth0 -p tcp -m tcp --dport 4000 -j TROJAN 
-A INPUT -i eth0 -p tcp -m tcp --dport 6000 -j TROJAN 
-A INPUT -i eth0 -p tcp -m tcp --dport 6006 -j TROJAN 
-A INPUT -i eth0 -p tcp -m tcp --dport 16660 -j TROJAN 
-A INPUT -i eth0 -p tcp -m tcp --tcp-flags FIN,SYN,RST,PSH,ACK,URG FIN,PSH,URG -j SCANNER 
-A INPUT -i eth0 -p tcp -m tcp --tcp-flags FIN,SYN,RST,PSH,ACK,URG NONE -j SCANNER 
-A INPUT -i eth0 -p tcp -m tcp --tcp-flags FIN,SYN,RST,PSH,ACK,URG FIN,SYN,RST,PSH,ACK,URG -j SCANNER 
-A INPUT -i eth0 -p tcp -m tcp --tcp-flags FIN,SYN,RST,PSH,ACK,URG FIN,SYN -j SCANNER 
-A INPUT -i eth0 -p tcp -m tcp --tcp-flags FIN,SYN,RST,PSH,ACK,URG FIN,SYN,RST,ACK,URG -j SCANNER 
-A INPUT -i eth0 -p tcp -m tcp --tcp-flags SYN,RST SYN,RST -j SCANNER 
-A INPUT -i eth0 -p tcp -m tcp --tcp-flags FIN,SYN FIN,SYN -j SCANNER 
-A INPUT -i eth0 -p tcp -m tcp --dport 21 -j LOG --log-prefix "FIREWALL: ftp: " 
-A INPUT -i eth0 -p tcp -m tcp --dport 23 -j LOG --log-prefix "FIREWALL: telnet: " 
-A INPUT -i eth0 -p tcp -m tcp --dport 25 -j LOG --log-prefix "FIREWALL: smtp: " 
-A INPUT -i eth0 -p tcp -m tcp --dport 80 -j LOG --log-prefix "FIREWALL: http: " 
-A INPUT -i eth0 -p tcp -m tcp --dport 110 -j LOG --log-prefix "FIREWALL: pop3: " 
-A INPUT -i eth0 -p udp -m udp --dport 111 -j LOG --log-prefix "FIREWALL: rpc: " 
-A INPUT -i eth0 -p tcp -m tcp --dport 113 -j LOG --log-prefix "FIREWALL: identd: " 
-A INPUT -i eth0 -p tcp -m tcp --dport 137:139 -j LOG --log-prefix "FIREWALL: samba: " 
-A INPUT -i eth0 -p udp -m udp --dport 137:139 -j LOG --log-prefix "FIREWALL: samba: " 
-A INPUT -i eth0 -p tcp -m tcp --dport 161:162 -j LOG --log-prefix "FIREWALL: snmp: " 
-A INPUT -i eth0 -p tcp -m tcp --dport 3128 -j LOG --log-prefix "FIREWALL: squid: " 
-A INPUT -i eth0 -p tcp -m tcp --dport 8081 -j LOG --log-prefix "FIREWALL: sistema_interno: " 
-A INPUT -i eth0 -p tcp -m tcp --dport 3389 -j LOG --log-prefix "FIREWALL: Terminal: " 
-A INPUT -i eth0 -p tcp -m tcp --dport 143 -j LOG --log-prefix "FIREWALL: Imap: " 
-A INPUT -i eth0 -p tcp -m tcp --dport 443 -j LOG --log-prefix "FIREWALL: https: " 
-A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT 
-A INPUT -i eth0 -p tcp -m tcp --dport 143 -j ACCEPT 
-A INPUT -i eth0 -p tcp -m tcp --dport 53 -j ACCEPT 
-A INPUT -i eth0 -p udp -m udp --dport 53 -j ACCEPT 
-A INPUT -i eth0 -p tcp -m tcp --dport 110 -j ACCEPT 
-A INPUT -i eth0 -p tcp -m tcp --dport 25 -j ACCEPT 
-A INPUT -i eth0 -p tcp -m tcp --dport 80 -j ACCEPT 
-A INPUT -i eth0 -p tcp -m tcp --dport 443 -j ACCEPT 
-A INPUT -i eth0 -p tcp -m tcp --dport 20 -j ACCEPT 
-A INPUT -i eth0 -p tcp -m tcp --dport 21 -j ACCEPT 
-A INPUT -i eth0 -p tcp -m tcp --dport 2122 -j ACCEPT 
-A INPUT -i eth0 -p tcp -m tcp --dport 3389 -j ACCEPT 
-A INPUT -i eth0 -p tcp -m tcp --dport 3390 -j ACCEPT 
-A INPUT -i eth0 -p tcp -m tcp --dport 2200 -j ACCEPT 
-A INPUT -i eth0 -p tcp -m tcp --dport 3456 -j ACCEPT 
-A INPUT -i eth1 -p tcp -m tcp --dport 3456 -j ACCEPT 
-A INPUT -p icmp -j ACCEPT 
-A INPUT -i eth0 -p tcp -m tcp --dport 10000 -j ACCEPT 
-A FORWARD -p tcp -m tcp ! --tcp-flags FIN,SYN,RST,ACK SYN -m state --state NEW -j LOG --log-prefix "FIREWALL: NEW sem syn: " 
-A FORWARD -p tcp -m tcp ! --tcp-flags FIN,SYN,RST,ACK SYN -m state --state NEW -j DROP 
-A FORWARD -m state --state NEW,RELATED,ESTABLISHED -j ACCEPT 
-A FORWARD -i eth1 -p tcp -m tcp --dport 135 -j REJECT --reject-with icmp-port-unreachable 
-A FORWARD -p icmp -m icmp --icmp-type 8 -m limit --limit 1/sec -j ACCEPT 
-A FORWARD -d 192.168.1.160 -i eth0 -p tcp -m tcp --dport 8888 -j ACCEPT 
-A FORWARD -d 192.168.1.160 -i eth0 -p tcp -m tcp --dport 1337 -j ACCEPT 
-A OUTPUT -m state --state NEW,RELATED,ESTABLISHED -j ACCEPT 
-A SCANNER -m limit --limit 15/min -j LOG --log-prefix "FIREWALL: port scanner: " 
-A SCANNER -j DROP 
-A TRINOO -m limit --limit 15/min -j LOG --log-prefix "FIREWALL: trinoo: " 
-A TRINOO -j DROP 
-A TROJAN -m limit --limit 15/min -j LOG --log-prefix "FIREWALL: trojan: " 
-A TROJAN -j DROP 
COMMIT
# Completed on Fri Jul 15 08:42:43 2011
 
Old 07-15-2011, 09:10 AM   #4
Noway2
Senior Member
 
Registered: Jul 2007
Distribution: Gentoo
Posts: 2,125

Two things:

1 - Did you configure the passive port range in your FTP configuration, and is this reflected in your firewall rules (your 2nd post doesn't answer this)?

2 - Iptables rules work like a waterfall. Once a match is made, the rest of the rules are short-circuited and the remaining rules are not even evaluated. You have rules for logging port 21 above the rules for accepting connections on port 21. I can't say for certain if this will cause issues, but you should verify whether or not these ports are truly open in your firewall and connections can be made.
 
Old 07-15-2011, 09:51 AM   #5
vdeschamps
LQ Newbie
 
Registered: Jul 2011
Posts: 5

Original Poster
After you told me, I noticed that some rules were missing. So I added these rules:
Code:
-A INPUT -p tcp --sport 1024: --dport 1024:  -m state --state ESTABLISHED -j ACCEPT
-A OUTPUT -p tcp --sport 1024: --dport 1024:  -m state --state ESTABLISHED,RELATED -j ACCEPT
-A INPUT -i eth0 -p tcp -m tcp --dport 2122 -j LOG --log-prefix "FIREWALL: ftp: "
I posted what is displayed after running iptables-save. I don't know if this is the order of my rules, because when I run iptables -L -n the rules don't appear in the same order.
Should I configure it again, in the right order?

Note: When I change my FTP server to listen on port 21, passive mode works fine. But when it listens on port 2122, passive mode stops working.

Thanks in advance.
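The observation just above, that passive mode works with the same rules when the server listens on 21 but not on 2122, points at the conntrack helper rather than at the filter rules. In the dump in post #3 the FORWARD chain already accepts NEW,RELATED,ESTABLISHED for everything, and LOG is a non-terminating target, so a LOG rule listed before an ACCEPT does not stop the ACCEPT from matching. What does matter is whether ip_conntrack_ftp is watching port 2122: a control connection the helper does not track is an ordinary TCP stream, so the server's 227 reply is not rewritten and no RELATED expectation is created for the data connection. One common reason `modprobe ip_conntrack_ftp ports=21,2122` appears to do nothing is that the module was already loaded (for example via IPTABLES_MODULES at service start), in which case modprobe returns 0 without changing the parameter. The script below is an added example, not from the thread: it reloads the helpers with the wanted port list, verifies the parameter the kernel actually took, installs the minimal rules for the control and data connections, and shows the equivalent for a current kernel where the helper has to be attached explicitly. The interface names, the public address 203.0.113.10 and the 192.168.1.121 server address are assumptions chosen for this thread.

```sh
#!/bin/sh
# Added example, not from the thread: FTP conntrack/NAT helper on a CentOS 5
# (2.6.18) NAT gateway for a server listening on 2122. Interface names,
# the public address (203.0.113.10, a documentation address) and the
# internal server address are assumptions; adjust them to your network.
set -eu

EXT_IF=${EXT_IF:-eth0}                 # Internet-facing NIC (assumed)
INT_IF=${INT_IF:-eth1}                 # LAN NIC (assumed)
PUBLIC_IP=${PUBLIC_IP:-203.0.113.10}   # address the FTP port is published on (assumed)
FTP_SRV=${FTP_SRV:-192.168.1.121}      # internal FTP server (assumed)
FTP_PORT=${FTP_PORT:-2122}             # non-standard control port
HELPER_PORTS=${HELPER_PORTS:-21,2122}  # control ports the helper must watch

# run_cmd: print the command when DRY_RUN=1, otherwise execute it.
run_cmd() {
    if [ "${DRY_RUN:-0}" = 1 ]; then
        printf '%s\n' "$*"
    else
        "$@"
    fi
}
rule() { run_cmd iptables "$@"; }

# modprobe returns 0 without touching parameters when a module is already
# loaded, so "modprobe ip_conntrack_ftp ports=21,2122" silently does nothing
# if the module came in earlier. Unload both helpers first; the NAT helper
# depends on the conntrack helper, so it goes out first and comes in last.
load_ftp_helpers() {
    for m in ip_nat_ftp ip_conntrack_ftp; do
        if grep -q "^$m " /proc/modules 2>/dev/null; then
            run_cmd rmmod "$m"
        fi
    done
    # The port list belongs to the conntrack helper; ip_nat_ftp follows the
    # expectations it creates and needs no port list of its own.
    run_cmd modprobe ip_conntrack_ftp ports="$HELPER_PORTS"
    run_cmd modprobe ip_nat_ftp
}

# Show which ports the loaded helper is actually watching.
check_helper_ports() {
    p=/sys/module/ip_conntrack_ftp/parameters/ports
    [ -r "$p" ] || { echo "cannot read $p: helper not loaded?" >&2; return 1; }
    printf 'ip_conntrack_ftp watching ports: %s\n' "$(cat "$p")"
}

install_rules() {
    # Control connection: publish PUBLIC_IP:FTP_PORT and let the new
    # connection cross the FORWARD chain.
    rule -t nat -A PREROUTING -i "$EXT_IF" -d "$PUBLIC_IP" -p tcp --dport "$FTP_PORT" \
        -j DNAT --to-destination "$FTP_SRV:$FTP_PORT"
    rule -A FORWARD -i "$EXT_IF" -o "$INT_IF" -d "$FTP_SRV" -p tcp --dport "$FTP_PORT" \
        -m state --state NEW -j ACCEPT
    # Data connections: once the helper tracks the control port, it rewrites
    # the "227 Entering Passive Mode (a,b,c,d,p1,p2)" reply to PUBLIC_IP and
    # registers an expectation, so the client's data connection arrives as
    # RELATED and is DNATed to FTP_SRV by conntrack. No DNAT of 1024:65535.
    rule -A FORWARD -m state --state RELATED,ESTABLISHED -j ACCEPT
    rule -t nat -A POSTROUTING -o "$EXT_IF" -j MASQUERADE
}

# Same thing on a current kernel (nf_conntrack_ftp): helpers are no longer
# attached automatically (net.netfilter.nf_conntrack_helper defaults to 0
# since 4.7), so bind the ftp helper explicitly in the raw table and accept
# only the RELATED flows that helper created.
install_rules_modern() {
    run_cmd modprobe nf_conntrack_ftp
    run_cmd modprobe nf_nat_ftp
    rule -t raw -A PREROUTING -i "$EXT_IF" -p tcp --dport "$FTP_PORT" -j CT --helper ftp
    rule -t nat -A PREROUTING -i "$EXT_IF" -d "$PUBLIC_IP" -p tcp --dport "$FTP_PORT" \
        -j DNAT --to-destination "$FTP_SRV:$FTP_PORT"
    rule -A FORWARD -i "$EXT_IF" -o "$INT_IF" -d "$FTP_SRV" -p tcp --dport "$FTP_PORT" \
        -m conntrack --ctstate NEW -j ACCEPT
    rule -A FORWARD -m conntrack --ctstate RELATED -m helper --helper ftp -j ACCEPT
    rule -A FORWARD -m conntrack --ctstate ESTABLISHED -j ACCEPT
    rule -t nat -A POSTROUTING -o "$EXT_IF" -j MASQUERADE
}

case "${1:-}" in
    apply)  load_ftp_helpers; check_helper_ports; install_rules ;;
    show)   DRY_RUN=1; load_ftp_helpers; install_rules ;;
    modern) install_rules_modern ;;
    *)      echo "usage: $0 apply|show|modern   (DRY_RUN=1 prints instead of running)" >&2 ;;
esac
```

Run it as `sh ftp-nat.sh show` to see the commands and `apply` to install them. To watch the helper at work, have a client log in and send PASV, then look at /proc/net/ip_conntrack_expect: a pending expectation for the advertised data port should be listed. To survive a reboot on CentOS 5, put `options ip_conntrack_ftp ports=21,2122` in /etc/modprobe.conf, list `ip_conntrack_ftp ip_nat_ftp` in IPTABLES_MODULES in /etc/sysconfig/iptables-config, and save the rules with `service iptables save`. On rule order: both iptables-save and iptables -L -n print each chain in the order the kernel evaluates it; they differ only in layout and in which tables they show, so the dump posted above is the real evaluation order.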
 
Old 07-17-2011, 08:45 PM   #6
chrism01
LQ Guru
 
Registered: Aug 2004
Location: Sydney
Distribution: Rocky 9.2
Posts: 18,415

The actual iptables settings are saved to disk in /etc/sysconfig/iptables-config http://www.linuxtopia.org/online_boo...onfig-iptables http://www.linuxtopia.org/online_boo...-iptables.html.
Try cat'ing that file. As above, the iptables program/service reads the file from the top down and stops on the first match, so order is vitally important.
 
Old 07-20-2011, 07:41 AM   #7
vdeschamps
LQ Newbie
 
Registered: Jul 2011
Posts: 5

Original Poster
Rep: Reputation: Disabled
I don't know about your server, but my /etc/sysconfig/iptables-config only has options for loading modules (such as ip_nat_ftp, ip_conntrack_ftp, etc.) and other options for saving on reboot and so on.
When I run iptables-save > firewall.txt, I see the file the way I posted it here, but when I run iptables -L -n it shows the order that you said it should be. The strange thing is that the iptables file is in the same order as iptables -L -n, and I don't know if there is a reason iptables-save shows it the "wrong" way, or whether this is the sequence it uses to compare the rules.
I've tried many ways and I can't get them into the correct order.

I made some tests in iptables, but nothing happens with passive mode on non-standard ports.

Any suggestions?

Thanks in advance.

vdeschamps
 
Old 07-20-2011, 08:37 PM   #8
chrism01
LQ Guru
 
Registered: Aug 2004
Location: Sydney
Distribution: Rocky 9.2
Posts: 18,415

OK; let me expand/clarify a bit.

Section 27.1.16 here http://www.linuxtopia.org/online_boo...onfig-iptables says
Quote:
Rules can also be created manually using the /sbin/iptables command. Once created, add the rule(s) to the /etc/sysconfig/iptables file by typing the following command:

/sbin/service iptables save

Once this file exists, any firewall rules saved in it persists through a system reboot or a service restart.
Note that the cmd there is very different to "iptables-save > $random_file.txt".
I would only use the latter to keep a backup in case I screw it up, although usually I just copy /etc/sysconfig/iptables itself.

The /etc/sysconfig/iptables file is the one read at system start or '/sbin/service iptables restart'.
Maybe this explains the differences you are seeing.
The 2nd link I gave then goes into iptables on RHEL/Centos in depth.

HTH

Last edited by chrism01; 07-20-2011 at 08:39 PM.
 
Old 07-29-2011, 03:44 PM   #9
vdeschamps
LQ Newbie
 
Registered: Jul 2011
Posts: 5

Original Poster
Hi,

My FTP server is FileZilla running on Windows Server 2008, so I made the following changes to its configuration:
- Use the following IP (I put my external IP)
- Unchecked the option "Don't use external IP for local connections"

Then I went to iptables and added the following rules:
iptables -t nat -A PREROUTING -d my.ext.nal.ip -p tcp --dport 2122 -j DNAT --to-destination 192.168.1.121:2122
iptables -t nat -A PREROUTING -d my.ext.nal.ip -p tcp --dport 1024:65535 -j DNAT --to-destination 192.168.1.121:1024-65535
iptables -t nat -A POSTROUTING -p tcp -s 192.168.1.121 --sport 1024:65535 -j SNAT --to my.ext.nal.ip:1024-65535
iptables -t nat -A POSTROUTING -p tcp -s 192.168.1.121 --sport 2122 -j SNAT --to my.ext.nal.ip:2122

And it works!

I'm trying to figure out why it does not work with the default options of FileZilla.
When I try to connect with those options active and the iptables rules described above, it does not connect and shows me the following text: "Entering Passive Mode (192,168,1,122, number, number)". 192.168.1.122 is the IP of my internal FTP server.

I do not know if it is clear.

Thanks in advance.

vdeschamps
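The two things reported in this post fit how the FTP helper works, and the working rule set deserves a caveat. A "227 Entering Passive Mode (192,168,1,122,...)" reply reaching an external client means the server's LAN address left the gateway unrewritten: ip_nat_ftp only patches that reply on control connections the conntrack helper is tracking, and with the helper loaded for port 21 alone, a control connection on 2122 is just another TCP stream. FileZilla's "use external IP" setting works around that at the application layer instead. The DNAT of 1024:65535, though, forwards every unsolicited connection on every high port (except those matched by earlier PREROUTING rules) to the Windows host, which is far more exposure than the passive range needs; with a working helper no data-port DNAT is needed at all, and without one FileZilla Server's custom passive port range should be set to a small range (say 50000-50100) and only that range forwarded. The script below is an added example, not from the thread: it parses a 227 reply, flags a private or mismatched address and a port outside the forwarded range, and can probe a live server with nc. The sample reply's port bytes, the public address 203.0.113.10 and the range 50000-50100 are constructed assumptions.

```sh
#!/bin/sh
# Added example, not from the thread: check what an FTP server advertises in
# its PASV reply and whether a NAT gateway's firewall will let the data
# connection through. Addresses, the port range and the sample reply are
# constructed assumptions.
set -eu

# parse_pasv LINE: print "host port" from a
# "227 Entering Passive Mode (h1,h2,h3,h4,p1,p2)" line; port = p1*256 + p2.
parse_pasv() {
    nums=$(printf '%s\n' "$1" | tr -d ' ' | sed -n 's/^227[^(]*(\([0-9,]*\)).*/\1/p')
    [ -n "$nums" ] || return 1
    old_ifs=$IFS; IFS=,; set -- $nums; IFS=$old_ifs
    [ $# -eq 6 ] || return 1
    printf '%s.%s.%s.%s %d\n' "$1" "$2" "$3" "$4" $(( $5 * 256 + $6 ))
}

# is_private_ipv4 ADDR: RFC 1918 (or loopback) address?
is_private_ipv4() {
    case $1 in
        10.*|192.168.*|172.1[6-9].*|172.2[0-9].*|172.3[01].*|127.*) return 0 ;;
        *) return 1 ;;
    esac
}

# check_pasv_reply LINE CONTROL_ADDR RANGE_LO RANGE_HI
# CONTROL_ADDR is the address the client connected to (the public one when
# testing from outside). Returns 1 when the data connection cannot work.
check_pasv_reply() {
    reply=$1; ctl=$2; lo=$3; hi=$4; rc=0
    if ! parsed=$(parse_pasv "$reply"); then
        echo "FAIL: not a parseable 227 reply: $reply"
        return 1
    fi
    set -- $parsed
    host=$1; port=$2
    if is_private_ipv4 "$host"; then
        # The LAN address escaped: no NAT helper rewrote the reply on this control port.
        echo "FAIL: server advertises LAN address $host, external clients cannot reach it"
        rc=1
    elif [ "$host" != "$ctl" ]; then
        echo "WARN: advertised $host differs from control address $ctl"
        rc=1
    fi
    if [ "$port" -lt "$lo" ] || [ "$port" -gt "$hi" ]; then
        echo "FAIL: data port $port is outside the forwarded range $lo-$hi"
        rc=1
    fi
    [ "$rc" -eq 0 ] && echo "OK: data connection to $host:$port"
    return "$rc"
}

# probe_pasv HOST PORT [USER PASS]: log in, ask for PASV, print the 227 line.
# Needs nc; run it from outside the NAT to see what external clients see.
probe_pasv() {
    printf 'USER %s\r\nPASS %s\r\nPASV\r\nQUIT\r\n' "${3:-anonymous}" "${4:-probe@example.com}" \
        | nc -w 5 "$1" "$2" | tr -d '\r' | grep '^227'
}

case "${1:-}" in
    probe) probe_pasv "$2" "$3" "${4:-}" "${5:-}" ;;
    *)
        # Constructed sample: the reply quoted in the post, with made-up port
        # bytes (195*256+80 = 50000), checked as an external client would see
        # it when connecting to 203.0.113.10 with 50000-50100 forwarded.
        check_pasv_reply '227 Entering Passive Mode (192,168,1,122,195,80)' 203.0.113.10 50000 50100 || :
        ;;
esac
```

Run `sh pasv-check.sh` for the built-in sample, or `sh pasv-check.sh probe <public-ip> 2122 <user> <pass>` from a host outside the NAT and pass the printed 227 line to check_pasv_reply. A FAIL on the address with the rules from this thread means the helper is not attached to port 2122; a FAIL on the port means the server's passive range and the forwarded range disagree.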
 
Old 07-30-2011, 04:11 AM   #10
lithos
Senior Member
 
Registered: Jan 2010
Location: SI : 45.9531, 15.4894
Distribution: CentOS, OpenNA/Trustix, testing desktop openSuse 12.1 /Cinnamon/KDE4.8
Posts: 1,144

This needs a closer look at your FTP server configuration. Assuming you're using VSFTPD, you need the following in your config:
/etc/vsftpd/vsftpd.conf
Vsftpd Server With Passive Mode Port Range

you can also take a look at the configuration options for vsftpd here

Then, if you can expose your server, stop iptables, try connecting with FileZilla and see if passive mode works; after that, configure iptables to work properly.
 
  

