LinuxQuestions.org


radix 09-14-2003 01:45 AM

iptables and passive FTP behind the nat
 
After looking for about 3 hours with no solution, I'm asking this question.

I am running G6FTPD on port 5150 on WinXP behind Slack 9 and iptables 1.2.7a. Every time I connect I get this.

Connecting to 220.57.120.55
Connected to 220.57.120.55 -> IP220.57.120.22 PORT=5150
220 32nd Street File Server
USER user
331 Password required for user.
PASS (hidden)
230 User user logged in.
SYST
215 UNIX Type: L8
REST 100
350 REST supported. Ready to resume at byte offset 100.
REST 0
350 REST supported. Ready to resume at byte offset 0.
CWD /
250 CWD command successful. "/" is current directory.
PWD
257 "/" is current directory.
TYPE A
200 Type set to A.
PASV
227 Entering Passive Mode (220,57,120,2219,236).
Data Socket Error: Connection timed out
List Error
QUIT

this is the output of iptables -nvL

Chain INPUT (policy DROP 8 packets, 224 bytes)
pkts bytes target prot opt in out source destination

0 0 DROP icmp -- * * 0.0.0.0/0 0.0.0.0/0
icmp type 18
0 0 DROP icmp -- * * 0.0.0.0/0 0.0.0.0/0
icmp type 17
0 0 DROP icmp -- * * 0.0.0.0/0 0.0.0.0/0
icmp type 10
0 0 DROP icmp -- * * 0.0.0.0/0 0.0.0.0/0
icmp type 9
0 0 DROP icmp -- * * 0.0.0.0/0 0.0.0.0/0
icmp type 5
0 0 DROP all -- eth0 * 127.0.0.0/8 0.0.0.0/0

0 0 DROP all -- eth0 * 192.168.0.0/16 0.0.0.0/0

0 0 DROP all -- eth0 * 172.16.0.0/12 0.0.0.0/0

8 934 ACCEPT all -- eth1 * 0.0.0.0/0 0.0.0.0/0

0 0 ACCEPT all -- lo * 0.0.0.0/0 0.0.0.0/0

332 14109 ACCEPT all -- eth0 * 0.0.0.0/0 0.0.0.0/0
state RELATED,ESTABLISHED
0 0 ACCEPT icmp -- * * 0.0.0.0/0 0.0.0.0/0
state RELATED,ESTABLISHED
77 7084 DROP icmp -- eth0 * 0.0.0.0/0 0.0.0.0/0
icmp type 8
0 0 ACCEPT tcp -- * * 0.0.0.0/0 0.0.0.0/0
tcp dpt:21
0 0 ACCEPT tcp -- * * 0.0.0.0/0 0.0.0.0/0
tcp dpt:23
0 0 ACCEPT tcp -- * * 0.0.0.0/0 0.0.0.0/0
tcp dpt:80
0 0 ACCEPT tcp -- * * 0.0.0.0/0 0.0.0.0/0
tcp dpt:4242
0 0 ACCEPT tcp -- * * 0.0.0.0/0 0.0.0.0/0
tcp dpt:4662
0 0 ACCEPT udp -- * * 0.0.0.0/0 0.0.0.0/0
udp dpt:4665
0 0 ACCEPT udp -- * * 0.0.0.0/0 0.0.0.0/0
udp dpt:4672
0 0 ACCEPT tcp -- * * 0.0.0.0/0 0.0.0.0/0
tcp dpt:5190
0 0 ACCEPT tcp -- * * 0.0.0.0/0 0.0.0.0/0
tcp dpts:1024:5000
0 0 ACCEPT tcp -- * * 0.0.0.0/0 0.0.0.0/0
tcp dpts:27900:27930
0 0 ACCEPT tcp -- * * 0.0.0.0/0 0.0.0.0/0
tcp dpt:5150
0 0 ACCEPT tcp -- * * 0.0.0.0/0 0.0.0.0/0
tcp dpt:5151
0 0 ACCEPT tcp -- * * 0.0.0.0/0 0.0.0.0/0
tcp dpts:65000:65535
0 0 ACCEPT tcp -- * * 0.0.0.0/0 0.0.0.0/0
tcp spt:5151 dpt:5151 state ESTABLISHED
0 0 ACCEPT tcp -- * * 0.0.0.0/0 0.0.0.0/0
tcp spt:20 state RELATED,ESTABLISHED
0 0 LOG tcp -- eth0 * 0.0.0.0/0 0.0.0.0/0
limit: avg 1/sec burst 5 tcp LOG flags 0 level 4 prefix `tcp connection: '
1 576 LOG udp -- eth0 * 0.0.0.0/0 0.0.0.0/0
limit: avg 1/sec burst 5 udp LOG flags 0 level 4 prefix `udp connection: '
0 0 DROP tcp -- eth0 * 0.0.0.0/0 0.0.0.0/0
tcp
1 576 DROP udp -- eth0 * 0.0.0.0/0 0.0.0.0/0
udp

Chain FORWARD (policy DROP 0 packets, 0 bytes)
pkts bytes target prot opt in out source destination

0 0 DROP all -- eth0 * 127.0.0.0/8 0.0.0.0/0

0 0 DROP all -- eth0 * 192.168.0.0/16 0.0.0.0/0

0 0 DROP all -- eth0 * 172.16.0.0/12 0.0.0.0/0

83 4947 ACCEPT all -- eth1 * 0.0.0.0/0 0.0.0.0/0

108 4624 ACCEPT all -- * * 0.0.0.0/0 0.0.0.0/0
state RELATED,ESTABLISHED
0 0 ACCEPT tcp -- eth0 * 0.0.0.0/0 0.0.0.0/0
tcp dpts:65000:65535
0 0 ACCEPT tcp -- eth0 * 0.0.0.0/0 0.0.0.0/0
tcp dpts:1024:4200
8 384 ACCEPT tcp -- eth0 * 0.0.0.0/0 0.0.0.0/0
tcp dpt:4662
0 0 ACCEPT udp -- eth0 * 0.0.0.0/0 0.0.0.0/0
udp dpt:4672
0 0 ACCEPT tcp -- eth0 * 0.0.0.0/0 0.0.0.0/0
tcp dpt:4661
0 0 ACCEPT udp -- eth0 * 0.0.0.0/0 0.0.0.0/0
udp dpt:4665
0 0 ACCEPT tcp -- eth0 * 0.0.0.0/0 0.0.0.0/0
tcp dpt:4711
0 0 ACCEPT tcp -- eth0 * 0.0.0.0/0 0.0.0.0/0
tcp dpt:5151
3 132 ACCEPT tcp -- eth0 * 0.0.0.0/0 0.0.0.0/0
tcp dpt:5150

Chain OUTPUT (policy ACCEPT 220 packets, 17758 bytes)
pkts bytes target prot opt in out source destination

0 0 ACCEPT all -- * eth1 0.0.0.0/0 0.0.0.0/0

0 0 ACCEPT all -- * lo 0.0.0.0/0 0.0.0.0/0

0 0 ACCEPT icmp -- * * 0.0.0.0/0 0.0.0.0/0
state NEW
0 0 ACCEPT tcp -- * * 0.0.0.0/0 0.0.0.0/0
tcp spt:5151 dpt:5151 state RELATED,ESTABLISHED
0 0 ACCEPT tcp -- * * 0.0.0.0/0 0.0.0.0/0
tcp dpt:20 state ESTABLISHED

and this is the actual script

#!/bin/sh
#
# generated by ./quicktables-2.3 on 2003.09.09.19
#

# set a few variables
echo ""
echo " setting global variables"
echo ""
export PATH=/bin:/sbin:/usr/bin:/usr/sbin:/usr/local/bin:/usr/local/sbin
iptables="/usr/sbin/iptables"

# adjust /proc
echo " applying general security settings to /proc filesystem"
echo ""
if [ -e /proc/sys/net/ipv4/tcp_syncookies ]; then echo 1 > /proc/sys/net/ipv4/tcp_syncookies; fi
if [ -e /proc/sys/net/ipv4/conf/all/rp_filter ]; then echo 1 > /proc/sys/net/ipv4/conf/all/rp_filter; fi
if [ -e /proc/sys/net/ipv4/ip_forward ]; then echo 1 > /proc/sys/net/ipv4/ip_forward; fi

# load some modules
if [ -e /lib/modules/`uname -r`/kernel/net/ipv4/netfilter/ip_nat_irc.o ]; then modprobe ip_nat_irc; fi
if [ -e /lib/modules/`uname -r`/kernel/net/ipv4/netfilter/ip_conntrack_irc.o ]; then modprobe ip_conntrack_irc; fi
if [ -e /lib/modules/`uname -r`/kernel/net/ipv4/netfilter/ip_conntrack_ftp.o ]; then modprobe ip_conntrack_ftp; fi
if [ -e /lib/modules/`uname -r`/kernel/net/ipv4/netfilter/ip_nat_ftp.o ]; then modprobe ip_nat_ftp; fi

# flush any existing chains and set default policies
$iptables -F INPUT
$iptables -F OUTPUT
$iptables -P INPUT DROP
$iptables -P OUTPUT ACCEPT

# setup nat
echo " applying nat rules"
echo ""
$iptables -F FORWARD
$iptables -F -t nat
$iptables -P FORWARD DROP
$iptables -A FORWARD -i eth1 -j ACCEPT
$iptables -A INPUT -i eth1 -j ACCEPT
$iptables -A OUTPUT -o eth1 -j ACCEPT
$iptables -A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT
$iptables -t nat -A POSTROUTING -s 10.0.0.0/24 -o eth0 -j SNAT --to-source 220.57.120.22

# allow all packets on the loopback interface
$iptables -A INPUT -i lo -j ACCEPT
$iptables -A OUTPUT -o lo -j ACCEPT

# allow established and related packets back in
$iptables -A INPUT -i eth0 -m state --state ESTABLISHED,RELATED -j ACCEPT

# blocking reserved private networks incoming from the internet
echo " applying incoming internet blocking of reserved private networks"
echo ""
$iptables -I INPUT -i eth0 -s 172.16.0.0/12 -j DROP
$iptables -I INPUT -i eth0 -s 192.168.0.0/16 -j DROP
$iptables -I INPUT -i eth0 -s 127.0.0.0/8 -j DROP
$iptables -I FORWARD -i eth0 -s 172.16.0.0/12 -j DROP
$iptables -I FORWARD -i eth0 -s 192.168.0.0/16 -j DROP
$iptables -I FORWARD -i eth0 -s 127.0.0.0/8 -j DROP

# icmp
echo " applying icmp rules"
echo ""
$iptables -A OUTPUT -p icmp -m state --state NEW -j ACCEPT
$iptables -A INPUT -p icmp -m state --state ESTABLISHED,RELATED -j ACCEPT
$iptables -A INPUT -p icmp --icmp-type echo-request -i eth0 -j DROP

# apply icmp type match blocking
echo " applying icmp type match blocking"
echo ""
$iptables -I INPUT -p icmp --icmp-type redirect -j DROP
$iptables -I INPUT -p icmp --icmp-type router-advertisement -j DROP
$iptables -I INPUT -p icmp --icmp-type router-solicitation -j DROP
$iptables -I INPUT -p icmp --icmp-type address-mask-request -j DROP
$iptables -I INPUT -p icmp --icmp-type address-mask-reply -j DROP

# open ports to the firewall
echo " applying the open port(s) to the firewall rules"
echo ""
$iptables -A INPUT -p tcp --dport 21 -j ACCEPT
$iptables -A INPUT -p tcp --dport 23 -j ACCEPT
$iptables -A INPUT -p tcp --dport 80 -j ACCEPT
$iptables -A INPUT -p tcp --dport 4242 -j ACCEPT
$iptables -A INPUT -p tcp --dport 4662 -j ACCEPT
$iptables -A INPUT -p udp --dport 4665 -j ACCEPT
$iptables -A INPUT -p udp --dport 4672 -j ACCEPT
$iptables -A INPUT -p tcp --dport 5190 -j ACCEPT
$iptables -A INPUT -p tcp --dport 1024:5000 -j ACCEPT
$iptables -A INPUT -p tcp --dport 27900:27930 -j ACCEPT
$iptables -A INPUT -p tcp --dport 5150 -j ACCEPT
$iptables -A INPUT -p tcp --dport 5151 -j ACCEPT
$iptables -A INPUT -p tcp --dport 65000:65535 -j ACCEPT

# enable passive ftp transfers
echo " opening passive FTP ports"
echo ""
$iptables -A INPUT -p tcp --sport 5151 --dport 5151 -m state --state ESTABLISHED -j ACCEPT
$iptables -A OUTPUT -p tcp --sport 5151 --dport 5151 -m state --state ESTABLISHED,RELATED -j ACCEPT

# enable active ftp transfers
echo " opening active FTP ports"
echo ""
$iptables -A INPUT -p tcp --sport 20 -m state --state ESTABLISHED,RELATED -j ACCEPT
$iptables -A OUTPUT -p tcp --dport 20 -m state --state ESTABLISHED -j ACCEPT

# open and forward ports to the internal machine(s)
echo " applying port forwarding rules"
echo ""
$iptables -A FORWARD -i eth0 -p tcp --dport 65000:65535 -j ACCEPT
$iptables -t nat -A PREROUTING -i eth0 -p tcp -d 220.57.120.22 --dport 65000:65535 -j DNAT --to-destination 10.0.0.2:65000:65535
$iptables -A FORWARD -i eth0 -p tcp --dport 1024:4200 -j ACCEPT
$iptables -t nat -A PREROUTING -i eth0 -p tcp -d 220.57.120.22 --dport 1024:4200 -j DNAT --to-destination 10.0.0.2:1024:4200
#$iptables -A FORWARD -i eth0 -p tcp --dport 1024 -j ACCEPT
#$iptables -t nat -A PREROUTING -i eth0 -p tcp -d 220.57.120.22 --dport 1024 -j DNAT --to-destination 10.0.0.2:1024
$iptables -A FORWARD -i eth0 -p tcp --dport 4662 -j ACCEPT
$iptables -t nat -A PREROUTING -i eth0 -p tcp -d 220.57.120.22 --dport 4662 -j DNAT --to-destination 10.0.0.2:4662
$iptables -A FORWARD -i eth0 -p udp --dport 4672 -j ACCEPT
$iptables -t nat -A PREROUTING -i eth0 -p udp -d 220.57.120.22 --dport 4672 -j DNAT --to-destination 10.0.0.2:4672
$iptables -A FORWARD -i eth0 -p tcp --dport 4661 -j ACCEPT
$iptables -t nat -A PREROUTING -i eth0 -p tcp -d 220.57.120.22 --dport 4661 -j DNAT --to-destination 10.0.0.2:4661
$iptables -A FORWARD -i eth0 -p udp --dport 4665 -j ACCEPT
$iptables -t nat -A PREROUTING -i eth0 -p udp -d 220.57.120.22 --dport 4665 -j DNAT --to-destination 10.0.0.2:4665
$iptables -A FORWARD -i eth0 -p tcp --dport 4711 -j ACCEPT
$iptables -t nat -A PREROUTING -i eth0 -p tcp -d 220.57.120.22 --dport 4711 -j DNAT --to-destination 10.0.0.2:4711
$iptables -A FORWARD -i eth0 -p tcp --dport 5151 -j ACCEPT
$iptables -t nat -A PREROUTING -i eth0 -p tcp -d 220.57.120.22 --dport 5150 -j DNAT --to-destination 10.0.0.2:5150
$iptables -A FORWARD -i eth0 -p tcp --dport 5150 -j ACCEPT
$iptables -t nat -A PREROUTING -i eth0 -p tcp -d 220.57.120.22 --dport 5150 -j DNAT --to-destination 10.0.0.2:5150

# logging
echo " applying logging rules"
echo ""
$iptables -A INPUT -i eth0 -p tcp -m limit --limit 1/s --dport 0:65535 -j LOG --log-prefix "tcp connection: "
$iptables -A INPUT -i eth0 -p udp -m limit --limit 1/s --dport 0:65535 -j LOG --log-prefix "udp connection: "

# drop all other packets
echo " applying default drop policies"
echo ""
$iptables -A INPUT -i eth0 -p tcp --dport 0:65535 -j DROP
$iptables -A INPUT -i eth0 -p udp --dport 0:65535 -j DROP

echo "### quicktables is loaded ###"
echo ""

any ideas? thanks for your help.

duelly 09-14-2003 03:51 AM

radix,

AFAIK about passive ftp transactions, the server tells the client what port it has opened for data connections. In your example:

PASV
227 Entering Passive Mode (220,57,120,22,19,236)

(Note the comma I've put in between the last part of the server's IP address and the first number of the port designator. This is usually how the response to the PASV command is displayed.)

This port will be a random port above 1024. The port can be worked out by multiplying the second last number (19) by 256 and adding the last number (236) to that result: 19*256 + 236 = 5100.

Your rules are neither allowing this port in nor forwarding it to your server. A problem with firewalling an FTP server using passive mode is that the ports chosen are random, so you are going to have to do:

iptables -A INPUT -p tcp --dport 1024:65535 -j ACCEPT and
iptables -t nat -A PREROUTING -i eth0 -p tcp --dport 1024:65535 -j DNAT --to-destination 10.0.0.2:1024:65535
iptables -A FORWARD -i eth0 -p tcp --dport 1024:65535 -j ACCEPT

which kind of defeats a few of your INPUT chains. I don't know anything about G6FTPD but maybe there's a way of limiting the ports it uses for passive mode connections. Then you would not need to accept and forward the entire unprivileged port range.

Hope this helps

duelly
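To make the arithmetic and the coverage check above concrete, here is an added shell example (not code from the thread): it parses a 227 reply the way duelly describes and tests the resulting data port against the TCP --dport values from the FORWARD chain in radix's script. The sample replies are constructed from the transcript; the function names are my own.

```shell
#!/bin/sh
# Added example: compute the passive data port from an FTP "227" reply and
# check whether iptables rules (given as --dport style ranges) would pass it.

# pasv_port "227 Entering Passive Mode (h1,h2,h3,h4,p1,p2)" -> prints p1*256+p2.
# Requires exactly six comma-separated numbers inside the parentheses (RFC 959);
# a reply with only five numbers, like the one quoted in the first post, is rejected.
pasv_port() {
    printf '%s\n' "$1" \
        | sed -n 's/.*(\([0-9,]*\)).*/\1/p' \
        | awk -F, 'NF == 6 { print $5 * 256 + $6; found = 1 } END { exit !found }'
}

# port_covered PORT RANGE... -> exit 0 if PORT falls inside any RANGE, where a
# RANGE is written like an iptables --dport argument: "5150" or "1024:4200".
port_covered() {
    p=$1; shift
    for r in "$@"; do
        lo=${r%%:*}; hi=${r##*:}
        [ "$p" -ge "$lo" ] && [ "$p" -le "$hi" ] && return 0
    done
    return 1
}

# TCP --dport values from the FORWARD chain of the quicktables script above.
FORWARD_TCP='65000:65535 1024:4200 4662 4661 4711 5151 5150'

# Constructed sample replies: the corrected one from the post, and the
# five-number one as it appears in the transcript.
GOOD='227 Entering Passive Mode (220,57,120,22,19,236)'
BAD='227 Entering Passive Mode (220,57,120,2219,236).'

if port=$(pasv_port "$GOOD"); then
    if port_covered "$port" $FORWARD_TCP; then
        echo "data port $port is forwarded"
    else
        echo "data port $port is NOT forwarded: the data connection will time out"
    fi
fi
if ! pasv_port "$BAD" >/dev/null; then
    echo "malformed 227 reply rejected: $BAD"
fi
```

With the ranges quoted from the script, port 5100 is reported as not forwarded, which matches the "Data Socket Error: Connection timed out" in the transcript.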

radix 09-14-2003 05:59 AM

Nope. Still times out on the LIST command. G6FTPD is also known as Bullet Proof FTP Server. Kinda seems pointless to even use iptables if everything will be forwarded anyway. I'll post again tomorrow after I get home. Maybe I can specify what ports to use for passive. Thanks for your help. If you come up with anything new please post it.

duelly 09-14-2003 09:02 AM

Actually, I see that you're loading the ip_conntrack_ftp module anyway. I think that this is supposed to work with your 'state, Related,Established' lines, so that my last suggestion may not be needed.

The only other thing that I can think of is that the ip_conntrack_ftp and ip_nat_ftp modules need to be told what port to work with. These modules have a 'ports' option that can be passed to them. For example, in modules.conf add the lines:

options ip_conntrack_ftp ports=5150
options ip_nat_ftp ports=5150

then reload the modules.

Cheers

duelly

ia64processor 09-14-2003 11:20 AM

Similar question:
Would it be the same syntax if I put it in /etc/rc.d/rc.local instead?
e.g.
/sbin/modprobe ip_conntrack_ftp ports=5150?

radix 09-16-2003 07:14 PM

I found a temporary fix. While moving parts of the script around, I found out (and I could be wrong on this) that the order that the tables are written is the order of priority. For example, opening port 1024:65535 first will allow passive connections but port 5150 won't be available to connect to. I settled with port 21 allowing passive connections. This is why I think this.

I am running eMule on my windows computer that requires certain ports to be open for communication with the servers. When I put
$iptables -A FORWARD -i eth0 -p tcp --dport 1024:65535 -j ACCEPT
$iptables -t nat -A PREROUTING -i eth0 -p tcp -d 220.57.120.22 --dport 1024:65535 -j DNAT --to-destination 10.0.0.2:1024:65535

I was unable to connect to the server with a "High ID". So I put the other tables above it and presto, I could connect with a "High ID" and also use the passive mode. So, as long as single ports are forwarded BEFORE a range, then communications are smooth. Is this a bug in iptables 1.2.7a? Possibly a bug in Slackware 9?

