ip_conntrack_ftp: active ftp doesn't work

Pastorino · 07-21-2004, 09:18 AM

Hello everyone,

I'm using Fedora Core 1. I'm trying to use ip_conntrack_ftp and ip_nat_ftp to make active FTP work, but without success.

Here's an excerpt of the firewall script I'm using:

========== BEGIN

INT=eth0
DMZ=eth1
FTPSERVER=192.168.0.4

/sbin/modprobe ip_conntrack
/sbin/modprobe ip_conntrack_ftp
/sbin/modprobe ip_nat_ftp

iptables -A FORWARD -p tcp -i $DMZ -o $INT --sport 20 -m state --state ESTABLISHED,RELATED -j ACCEPT
iptables -A FORWARD -p tcp -i $INT -o $DMZ --dport 20 -m state --state ESTABLISHED,RELATED -j ACCEPT
iptables -A FORWARD -p tcp -i $INT -o $DMZ -s 0/0 -d $FTPSERVER --syn --dport 21 -j ACCEPT
iptables -t nat -A PREROUTING -p tcp -i $INT -d $VALID_IP --dport 21 -j DNAT --to-destination $FTPSERVER

========== END

When someone tries to connect to the FTP server using active mode, I get:

kernel: FORWARD blocked: IN=eth1 OUT=eth0 SRC=192.168.0.4 DST=(valid ip) (...) PROTO=TCP SPT=20 DPT=50918 WINDOW=65535 RES=0x00 SYN URGP=0

Does anyone know how to make it work right?

Thanks,

Carlos Pastorino

Pastorino · 07-25-2004, 07:31 PM

By the way, I used Mr. Stephens' document as inspiration:

http://www.sns.ias.edu/~jns/security...track.html#FTP

qwijibow · 07-25-2004, 09:06 PM

you have written rules to allow ESTABLISHED and RELATED packets to the FTP server.... but you seem to have forgotten to allow NEW state packets to the server. could this be the problem ?

Pastorino · 08-11-2004, 08:36 AM

That's the point of my questioning. The documentation I read said that I shouldn't need the NEW status, because that's the whole idea about the ip_conntrack_ftp: to make iptables understand that the NEW 20/tcp IN packet is RELATED to the 21/tcp OUT packet.

It seems then that ip_conntrack_ftp doesn't do what it promises to do. Or does it? And if it does, how to make it work?

Carlos Pastorino

qwijibow · 08-11-2004, 04:09 PM

Quote:

That's the point of my questioning. The documentation I read said that I shouldn't need the NEW status, because that's the whole idea about the ip_conntrack_ftp: to make iptables understand that the NEW 20/tcp IN packet is RELATED to the 21/tcp OUT packet.

this is normally true because all output is allowed.
so then an established or related packet in input, is accepted, because the FIRST packet gets out through the OUTPUT chain.

but you seem to be using the linux machine as a router (whch is why u put rules in FORWARD i assume ?)
because both input and output goes through forward, the first packet does not get through.

you dont seem to understand iptables fully... why not try an automatic firewall rule generator like firestarter.
it will ask you simple questions, and generate very secure rule sets for you.

Pastorino · 08-12-2004, 04:26 PM

Because I want to learn.

qwijibow · 08-13-2004, 05:30 AM

well then... read 'man iptables'
its a long read, but by the end of it, all is simple.

reading the manual should have been the first step if you wanted to learn about the application.