Linux - Security: This forum is for all security related questions. Questions, tips, system compromises, firewalls, etc. are all included here.
09-14-2003, 02:45 AM | #1 | radix | Member | Registered: May 2002 | Location: Okinawa, Japan | Distribution: Slackware 9, FreeBSD 5.1, Gentoo 1.4 | Posts: 38
iptables and passive FTP behind the nat
After looking for about 3 hours with no solution, I'm asking this question.
I am running G6FTPD on port 5150 on WinXP behind Slack 9 and iptables 1.2.7a. Every time I connect I get this:
Connecting to 220.57.120.55
Connected to 220.57.120.55 -> IP220.57.120.22 PORT=5150
220 32nd Street File Server
USER user
331 Password required for user.
PASS (hidden)
230 User user logged in.
SYST
215 UNIX Type: L8
REST 100
350 REST supported. Ready to resume at byte offset 100.
REST 0
350 REST supported. Ready to resume at byte offset 0.
CWD /
250 CWD command successful. "/" is current directory.
PWD
257 "/" is current directory.
TYPE A
200 Type set to A.
PASV
227 Entering Passive Mode (220,57,120,2219,236).
Data Socket Error: Connection timed out
List Error
QUIT
This is the output of iptables -nvL:
Chain INPUT (policy DROP 8 packets, 224 bytes)
pkts bytes target prot opt in out source destination
0 0 DROP icmp -- * * 0.0.0.0/0 0.0.0.0/0
icmp type 18
0 0 DROP icmp -- * * 0.0.0.0/0 0.0.0.0/0
icmp type 17
0 0 DROP icmp -- * * 0.0.0.0/0 0.0.0.0/0
icmp type 10
0 0 DROP icmp -- * * 0.0.0.0/0 0.0.0.0/0
icmp type 9
0 0 DROP icmp -- * * 0.0.0.0/0 0.0.0.0/0
icmp type 5
0 0 DROP all -- eth0 * 127.0.0.0/8 0.0.0.0/0
0 0 DROP all -- eth0 * 192.168.0.0/16 0.0.0.0/0
0 0 DROP all -- eth0 * 172.16.0.0/12 0.0.0.0/0
8 934 ACCEPT all -- eth1 * 0.0.0.0/0 0.0.0.0/0
0 0 ACCEPT all -- lo * 0.0.0.0/0 0.0.0.0/0
332 14109 ACCEPT all -- eth0 * 0.0.0.0/0 0.0.0.0/0
state RELATED,ESTABLISHED
0 0 ACCEPT icmp -- * * 0.0.0.0/0 0.0.0.0/0
state RELATED,ESTABLISHED
77 7084 DROP icmp -- eth0 * 0.0.0.0/0 0.0.0.0/0
icmp type 8
0 0 ACCEPT tcp -- * * 0.0.0.0/0 0.0.0.0/0
tcp dpt:21
0 0 ACCEPT tcp -- * * 0.0.0.0/0 0.0.0.0/0
tcp dpt:23
0 0 ACCEPT tcp -- * * 0.0.0.0/0 0.0.0.0/0
tcp dpt:80
0 0 ACCEPT tcp -- * * 0.0.0.0/0 0.0.0.0/0
tcp dpt:4242
0 0 ACCEPT tcp -- * * 0.0.0.0/0 0.0.0.0/0
tcp dpt:4662
0 0 ACCEPT udp -- * * 0.0.0.0/0 0.0.0.0/0
udp dpt:4665
0 0 ACCEPT udp -- * * 0.0.0.0/0 0.0.0.0/0
udp dpt:4672
0 0 ACCEPT tcp -- * * 0.0.0.0/0 0.0.0.0/0
tcp dpt:5190
0 0 ACCEPT tcp -- * * 0.0.0.0/0 0.0.0.0/0
tcp dpts:1024:5000
0 0 ACCEPT tcp -- * * 0.0.0.0/0 0.0.0.0/0
tcp dpts:27900:27930
0 0 ACCEPT tcp -- * * 0.0.0.0/0 0.0.0.0/0
tcp dpt:5150
0 0 ACCEPT tcp -- * * 0.0.0.0/0 0.0.0.0/0
tcp dpt:5151
0 0 ACCEPT tcp -- * * 0.0.0.0/0 0.0.0.0/0
tcp dpts:65000:65535
0 0 ACCEPT tcp -- * * 0.0.0.0/0 0.0.0.0/0
tcp spt:5151 dpt:5151 state ESTABLISHED
0 0 ACCEPT tcp -- * * 0.0.0.0/0 0.0.0.0/0
tcp spt:20 state RELATED,ESTABLISHED
0 0 LOG tcp -- eth0 * 0.0.0.0/0 0.0.0.0/0
limit: avg 1/sec burst 5 tcp LOG flags 0 level 4 prefix `tcp connection: '
1 576 LOG udp -- eth0 * 0.0.0.0/0 0.0.0.0/0
limit: avg 1/sec burst 5 udp LOG flags 0 level 4 prefix `udp connection: '
0 0 DROP tcp -- eth0 * 0.0.0.0/0 0.0.0.0/0
tcp
1 576 DROP udp -- eth0 * 0.0.0.0/0 0.0.0.0/0
udp
Chain FORWARD (policy DROP 0 packets, 0 bytes)
pkts bytes target prot opt in out source destination
0 0 DROP all -- eth0 * 127.0.0.0/8 0.0.0.0/0
0 0 DROP all -- eth0 * 192.168.0.0/16 0.0.0.0/0
0 0 DROP all -- eth0 * 172.16.0.0/12 0.0.0.0/0
83 4947 ACCEPT all -- eth1 * 0.0.0.0/0 0.0.0.0/0
108 4624 ACCEPT all -- * * 0.0.0.0/0 0.0.0.0/0
state RELATED,ESTABLISHED
0 0 ACCEPT tcp -- eth0 * 0.0.0.0/0 0.0.0.0/0
tcp dpts:65000:65535
0 0 ACCEPT tcp -- eth0 * 0.0.0.0/0 0.0.0.0/0
tcp dpts:1024:4200
8 384 ACCEPT tcp -- eth0 * 0.0.0.0/0 0.0.0.0/0
tcp dpt:4662
0 0 ACCEPT udp -- eth0 * 0.0.0.0/0 0.0.0.0/0
udp dpt:4672
0 0 ACCEPT tcp -- eth0 * 0.0.0.0/0 0.0.0.0/0
tcp dpt:4661
0 0 ACCEPT udp -- eth0 * 0.0.0.0/0 0.0.0.0/0
udp dpt:4665
0 0 ACCEPT tcp -- eth0 * 0.0.0.0/0 0.0.0.0/0
tcp dpt:4711
0 0 ACCEPT tcp -- eth0 * 0.0.0.0/0 0.0.0.0/0
tcp dpt:5151
3 132 ACCEPT tcp -- eth0 * 0.0.0.0/0 0.0.0.0/0
tcp dpt:5150
Chain OUTPUT (policy ACCEPT 220 packets, 17758 bytes)
pkts bytes target prot opt in out source destination
0 0 ACCEPT all -- * eth1 0.0.0.0/0 0.0.0.0/0
0 0 ACCEPT all -- * lo 0.0.0.0/0 0.0.0.0/0
0 0 ACCEPT icmp -- * * 0.0.0.0/0 0.0.0.0/0
state NEW
0 0 ACCEPT tcp -- * * 0.0.0.0/0 0.0.0.0/0
tcp spt:5151 dpt:5151 state RELATED,ESTABLISHED
0 0 ACCEPT tcp -- * * 0.0.0.0/0 0.0.0.0/0
tcp dpt:20 state ESTABLISHED
And this is the actual script:
#!/bin/sh
#
# generated by ./quicktables-2.3 on 2003.09.09.19
#
# set a few variables
echo ""
echo " setting global variables"
echo ""
export PATH=/bin:/sbin:/usr/bin:/usr/sbin:/usr/local/bin:/usr/local/sbin
iptables="/usr/sbin/iptables"
# adjust /proc
echo " applying general security settings to /proc filesystem"
echo ""
if [ -e /proc/sys/net/ipv4/tcp_syncookies ]; then echo 1 > /proc/sys/net/ipv4/tcp_syncookies; fi
if [ -e /proc/sys/net/ipv4/conf/all/rp_filter ]; then echo 1 > /proc/sys/net/ipv4/conf/all/rp_filter; fi
if [ -e /proc/sys/net/ipv4/ip_forward ]; then echo 1 > /proc/sys/net/ipv4/ip_forward; fi
# load some modules
if [ -e /lib/modules/`uname -r`/kernel/net/ipv4/netfilter/ip_nat_irc.o ]; then modprobe ip_nat_irc; fi
if [ -e /lib/modules/`uname -r`/kernel/net/ipv4/netfilter/ip_conntrack_irc.o ]; then modprobe ip_conntrack_irc; fi
if [ -e /lib/modules/`uname -r`/kernel/net/ipv4/netfilter/ip_conntrack_ftp.o ]; then modprobe ip_conntrack_ftp; fi
if [ -e /lib/modules/`uname -r`/kernel/net/ipv4/netfilter/ip_nat_ftp.o ]; then modprobe ip_nat_ftp; fi
# flush any existing chains and set default policies
$iptables -F INPUT
$iptables -F OUTPUT
$iptables -P INPUT DROP
$iptables -P OUTPUT ACCEPT
# setup nat
echo " applying nat rules"
echo ""
$iptables -F FORWARD
$iptables -F -t nat
$iptables -P FORWARD DROP
$iptables -A FORWARD -i eth1 -j ACCEPT
$iptables -A INPUT -i eth1 -j ACCEPT
$iptables -A OUTPUT -o eth1 -j ACCEPT
$iptables -A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT
$iptables -t nat -A POSTROUTING -s 10.0.0.0/24 -o eth0 -j SNAT --to-source 220.57.120.22
# allow all packets on the loopback interface
$iptables -A INPUT -i lo -j ACCEPT
$iptables -A OUTPUT -o lo -j ACCEPT
# allow established and related packets back in
$iptables -A INPUT -i eth0 -m state --state ESTABLISHED,RELATED -j ACCEPT
# blocking reserved private networks incoming from the internet
echo " applying incoming internet blocking of reserved private networks"
echo ""
$iptables -I INPUT -i eth0 -s 172.16.0.0/12 -j DROP
$iptables -I INPUT -i eth0 -s 192.168.0.0/16 -j DROP
$iptables -I INPUT -i eth0 -s 127.0.0.0/8 -j DROP
$iptables -I FORWARD -i eth0 -s 172.16.0.0/12 -j DROP
$iptables -I FORWARD -i eth0 -s 192.168.0.0/16 -j DROP
$iptables -I FORWARD -i eth0 -s 127.0.0.0/8 -j DROP
# icmp
echo " applying icmp rules"
echo ""
$iptables -A OUTPUT -p icmp -m state --state NEW -j ACCEPT
$iptables -A INPUT -p icmp -m state --state ESTABLISHED,RELATED -j ACCEPT
$iptables -A INPUT -p icmp --icmp-type echo-request -i eth0 -j DROP
# apply icmp type match blocking
echo " applying icmp type match blocking"
echo ""
$iptables -I INPUT -p icmp --icmp-type redirect -j DROP
$iptables -I INPUT -p icmp --icmp-type router-advertisement -j DROP
$iptables -I INPUT -p icmp --icmp-type router-solicitation -j DROP
$iptables -I INPUT -p icmp --icmp-type address-mask-request -j DROP
$iptables -I INPUT -p icmp --icmp-type address-mask-reply -j DROP
# open ports to the firewall
echo " applying the open port(s) to the firewall rules"
echo ""
$iptables -A INPUT -p tcp --dport 21 -j ACCEPT
$iptables -A INPUT -p tcp --dport 23 -j ACCEPT
$iptables -A INPUT -p tcp --dport 80 -j ACCEPT
$iptables -A INPUT -p tcp --dport 4242 -j ACCEPT
$iptables -A INPUT -p tcp --dport 4662 -j ACCEPT
$iptables -A INPUT -p udp --dport 4665 -j ACCEPT
$iptables -A INPUT -p udp --dport 4672 -j ACCEPT
$iptables -A INPUT -p tcp --dport 5190 -j ACCEPT
$iptables -A INPUT -p tcp --dport 1024:5000 -j ACCEPT
$iptables -A INPUT -p tcp --dport 27900:27930 -j ACCEPT
$iptables -A INPUT -p tcp --dport 5150 -j ACCEPT
$iptables -A INPUT -p tcp --dport 5151 -j ACCEPT
$iptables -A INPUT -p tcp --dport 65000:65535 -j ACCEPT
# enable passive ftp transfers
echo " opening passive FTP ports"
echo ""
$iptables -A INPUT -p tcp --sport 5151 --dport 5151 -m state --state ESTABLISHED -j ACCEPT
$iptables -A OUTPUT -p tcp --sport 5151 --dport 5151 -m state --state ESTABLISHED,RELATED -j ACCEPT
# enable active ftp transfers
echo " opening active FTP ports"
echo ""
$iptables -A INPUT -p tcp --sport 20 -m state --state ESTABLISHED,RELATED -j ACCEPT
$iptables -A OUTPUT -p tcp --dport 20 -m state --state ESTABLISHED -j ACCEPT
# open and forward ports to the internal machine(s)
echo " applying port forwarding rules"
echo ""
$iptables -A FORWARD -i eth0 -p tcp --dport 65000:65535 -j ACCEPT
$iptables -t nat -A PREROUTING -i eth0 -p tcp -d 220.57.120.22 --dport 65000:65535 -j DNAT --to-destination 10.0.0.2:65000:65535
$iptables -A FORWARD -i eth0 -p tcp --dport 1024:4200 -j ACCEPT
$iptables -t nat -A PREROUTING -i eth0 -p tcp -d 220.57.120.22 --dport 1024:4200 -j DNAT --to-destination 10.0.0.2:1024:4200
#$iptables -A FORWARD -i eth0 -p tcp --dport 1024 -j ACCEPT
#$iptables -t nat -A PREROUTING -i eth0 -p tcp -d 220.57.120.22 --dport 1024 -j DNAT --to-destination 10.0.0.2:1024
$iptables -A FORWARD -i eth0 -p tcp --dport 4662 -j ACCEPT
$iptables -t nat -A PREROUTING -i eth0 -p tcp -d 220.57.120.22 --dport 4662 -j DNAT --to-destination 10.0.0.2:4662
$iptables -A FORWARD -i eth0 -p udp --dport 4672 -j ACCEPT
$iptables -t nat -A PREROUTING -i eth0 -p udp -d 220.57.120.22 --dport 4672 -j DNAT --to-destination 10.0.0.2:4672
$iptables -A FORWARD -i eth0 -p tcp --dport 4661 -j ACCEPT
$iptables -t nat -A PREROUTING -i eth0 -p tcp -d 220.57.120.22 --dport 4661 -j DNAT --to-destination 10.0.0.2:4661
$iptables -A FORWARD -i eth0 -p udp --dport 4665 -j ACCEPT
$iptables -t nat -A PREROUTING -i eth0 -p udp -d 220.57.120.22 --dport 4665 -j DNAT --to-destination 10.0.0.2:4665
$iptables -A FORWARD -i eth0 -p tcp --dport 4711 -j ACCEPT
$iptables -t nat -A PREROUTING -i eth0 -p tcp -d 220.57.120.22 --dport 4711 -j DNAT --to-destination 10.0.0.2:4711
$iptables -A FORWARD -i eth0 -p tcp --dport 5151 -j ACCEPT
$iptables -t nat -A PREROUTING -i eth0 -p tcp -d 220.57.120.22 --dport 5150 -j DNAT --to-destination 10.0.0.2:5150
$iptables -A FORWARD -i eth0 -p tcp --dport 5150 -j ACCEPT
$iptables -t nat -A PREROUTING -i eth0 -p tcp -d 220.57.120.22 --dport 5150 -j DNAT --to-destination 10.0.0.2:5150
# logging
echo " applying logging rules"
echo ""
$iptables -A INPUT -i eth0 -p tcp -m limit --limit 1/s --dport 0:65535 -j LOG --log-prefix "tcp connection: "
$iptables -A INPUT -i eth0 -p udp -m limit --limit 1/s --dport 0:65535 -j LOG --log-prefix "udp connection: "
# drop all other packets
echo " applying default drop policies"
echo ""
$iptables -A INPUT -i eth0 -p tcp --dport 0:65535 -j DROP
$iptables -A INPUT -i eth0 -p udp --dport 0:65535 -j DROP
echo "### quicktables is loaded ###"
echo ""
Any ideas? Thanks for your help.
Last edited by radix; 09-14-2003 at 02:47 AM.
09-14-2003, 04:51 AM | #2 | duelly | LQ Newbie | Registered: Sep 2003 | Distribution: ArchLinux | Posts: 10
radix,
AFAIK about passive ftp transactions, the server tells the client what port it has opened for data connections. In your example:
PASV
227 Entering Passive Mode (220,57,120,22,19,236)
(Note the comma I've put in between the last part of the server's IP address and the first number of the port designator. This is usually how the response to the PASV command is displayed.)
This port will be a random port above 1024. The port can be worked out by multiplying the second last number (19) by 256 and adding the last number (236) to that result: 19*256 + 236 = 5100.
Your rules are neither allowing this port in nor forwarding it to your server. A problem with firewalling an FTP server using passive mode is that the ports chosen are random, so you are going to have to do:
iptables -A INPUT -p tcp --dport 1024:65535 -j ACCEPT and
iptables -t nat -A PREROUTING -i eth0 -p tcp --dport 1024:65535 -j DNAT --to-destination 10.0.0.2:1024:65535
iptables -A FORWARD -i eth0 -p tcp --dport 1024:65535 -j ACCEPT
which kind of defeats a few of your INPUT chains. I don't know anything about G6FTPD but maybe there's a way of limiting the ports it uses for passive mode connections. Then you would not need to accept and forward the entire unprivileged port range.
Hope this helps
duelly
Last edited by duelly; 09-14-2003 at 05:29 AM.
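Added example, not code from the thread or from either poster: a small POSIX shell script that does the PASV arithmetic duelly describes (p1*256 + p2) and then checks the resulting data port against the tcp --dport rules of the FORWARD chain radix posted, walked in chain order the way netfilter evaluates a chain (first match wins, otherwise the chain policy). The sample 227 replies and the rule list are constructed for this example from the transcript and chain above. Port 5100 lies outside both 1024:4200 and 65000:65535, so the walk ends at the chain's DROP policy, and the reply exactly as the transcript prints it (only five numbers) is rejected as malformed rather than mis-parsed.

```shell
#!/bin/sh
# Added example: parse an FTP "227 Entering Passive Mode" reply and check the
# derived data port against an ordered, iptables-style list of port rules.
# Sample replies and the rule list are constructed for this example; the rule
# list copies the tcp --dport rules of the FORWARD chain posted in the thread,
# in the order they appear there.

# pasv_fields LINE
# Prints the six numbers of a 227 reply separated by spaces. RFC 959 packs
# the address and port as (h1,h2,h3,h4,p1,p2). Returns 1 and prints nothing
# when the bracketed part does not hold exactly six numbers, which is what
# the transcript shows ("220,57,120,2219,236" is missing a comma).
pasv_fields() {
    nums=$(printf '%s\n' "$1" | sed -n 's/.*(\([0-9,]*\)).*/\1/p')
    [ -n "$nums" ] || return 1
    set -- $(printf '%s\n' "$nums" | tr ',' ' ')
    [ $# -eq 6 ] || return 1
    echo "$1 $2 $3 $4 $5 $6"
}

# pasv_host LINE: the address the server tells the client to connect to.
# Behind NAT this has to be the public address, not the server's private one.
pasv_host() {
    fields=$(pasv_fields "$1") || return 1
    set -- $fields
    echo "$1.$2.$3.$4"
}

# pasv_port LINE: the data port, p1*256 + p2 (19*256 + 236 = 5100 in the thread).
pasv_port() {
    fields=$(pasv_fields "$1") || return 1
    set -- $fields
    echo $(( $5 * 256 + $6 ))
}

# chain_verdict PORT POLICY RULE...
# Walks the rules in order and prints the target of the first one whose port
# spec matches PORT, or POLICY when none does. Netfilter evaluates a chain the
# same way: first match wins, so rule order matters. Each RULE is
# TARGET:PORTSPEC, PORTSPEC being a single port or LOW:HIGH as iptables -L
# prints it (ACCEPT:5150, ACCEPT:1024:4200). Only --dport is modelled here,
# not interface or state matches.
chain_verdict() {
    port=$1; policy=$2; shift 2
    for rule in "$@"; do
        target=${rule%%:*}
        spec=${rule#*:}
        case $spec in
            *:*) lo=${spec%%:*}; hi=${spec#*:} ;;
            *)   lo=$spec; hi=$spec ;;
        esac
        if [ "$port" -ge "$lo" ] && [ "$port" -le "$hi" ]; then
            echo "$target"
            return 0
        fi
    done
    echo "$policy"
}

# The tcp --dport rules of the posted FORWARD chain, in chain order (policy DROP).
FORWARD_TCP_RULES='ACCEPT:65000:65535 ACCEPT:1024:4200 ACCEPT:4662 ACCEPT:4661 ACCEPT:4711 ACCEPT:5151 ACCEPT:5150'

# Constructed samples: one well-formed reply, one copied from the transcript.
GOOD_REPLY='227 Entering Passive Mode (220,57,120,22,19,236)'
BAD_REPLY='227 Entering Passive Mode (220,57,120,2219,236).'

for reply in "$GOOD_REPLY" "$BAD_REPLY"; do
    if port=$(pasv_port "$reply"); then
        echo "$reply -> $(pasv_host "$reply"):$port, FORWARD verdict: $(chain_verdict "$port" DROP $FORWARD_TCP_RULES)"
    else
        echo "$reply -> malformed 227 reply, no data port can be derived"
    fi
done
```

Run it with sh. chain_verdict answers one question only: whether a given data port is covered by any of the --dport rules before the policy is reached. With the posted chain, 5100 is not, which is consistent with the "Data Socket Error: Connection timed out" in the transcript; it does not model the conntrack helper, which is what the later replies turn to.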
09-14-2003, 06:59 AM | #3 | radix (Original Poster) | Member | Registered: May 2002 | Location: Okinawa, Japan | Distribution: Slackware 9, FreeBSD 5.1, Gentoo 1.4 | Posts: 38
Nope. Still times out on the LIST command. G6FTPD is also known as Bullet Proof FTP Server. Kinda seems pointless to even use iptables if everything will be forwarded anyway. I'll post again tomorrow after I get home. Maybe I can specify what ports to use for passive. Thanks for your help. If you come up with anything new please post it.
09-14-2003, 10:02 AM | #4 | duelly | LQ Newbie | Registered: Sep 2003 | Distribution: ArchLinux | Posts: 10
Actually, I see that you're loading the ip_conntrack_ftp module anyway. I think that this is supposed to work with your 'state RELATED,ESTABLISHED' lines, so my last suggestion may not be needed.
The only other thing that I can think of is that the ip_conntrack_ftp and ip_nat_ftp modules need to be told what port to work with. These modules have a 'ports' option that can be passed to them. For example, in modules.conf add the lines:
options ip_conntrack_ftp ports=5150
options ip_nat_ftp ports=5150
then reload the modules.
Cheers
duelly
09-14-2003, 12:20 PM | #5 | Member | Registered: Sep 2003 | Location: Tokyo | Distribution: Red Hat | Posts: 41
Similar question:
Would it be the same syntax if I put it in /etc/rc.d/rc.local instead?
e.g.
/sbin/modprobe ip_conntrack_ftp ports=5150?
09-16-2003, 08:14 PM | #6 | radix (Original Poster) | Member | Registered: May 2002 | Location: Okinawa, Japan | Distribution: Slackware 9, FreeBSD 5.1, Gentoo 1.4 | Posts: 38
I found a temporary fix. While moving parts of the script around, I found out (and I could be wrong on this) that the order the tables are written in is the order of priority. For example, opening port 1024:65535 first will allow passive connections but port 5150 won't be available to connect to. I settled with port 21 allowing passive connections. This is why I think this:
I am running eMule on my Windows computer, which requires certain ports to be open for communication with the servers. When I put
$iptables -A FORWARD -i eth0 -p tcp --dport 1024:65535 -j ACCEPT
$iptables -t nat -A PREROUTING -i eth0 -p tcp -d 220.57.120.22 --dport 1024:65535 -j DNAT --to-destination 10.0.0.2:1024:65535
I was unable to connect to the server with a "High ID". So I put the other tables above it and presto, I could connect with a "High ID" and also use the passive mode. So, as long as single ports are forwarded BEFORE a range, then communications are smooth. Is this a bug in iptables 1.2.7a? Possibly a bug in Slackware 9?