Iptables help with ftp entries on standalone dialup machine
I recently tried to update my Mandriva-2006 linux software packages via the Mandrake Control Center but discovered that my firewall setup wouldn't permit this operation. Thanks to you good folks at the LQ organization, I had my iptables set up to log dropped packets & noted that my OUTPUT packets to DST port 21 were being dropped. I was dealing with an ftp server & needed to adjust my /etc/sysconfig/iptables file to permit ftp packets.
I did some surfing and after much confusion I came up with a solution, but I am unsure of myself & would appreciate any comments someone has to offer.
Here are the new iptables rules I added & a short summary of how I think file transfers work:
These "3" rules were added to access files on an ftp server:
-A OUTPUT -o ppp0 -p tcp -m state --state NEW,ESTABLISHED -m tcp --dport 21 -j ACCEPT
-A INPUT -i ppp0 -p tcp -m state --state ESTABLISHED -m tcp --dport 21 -j ACCEPT
-A INPUT -i ppp0 -p tcp -m state --state RELATED,ESTABLISHED -m tcp --sport 20 -j ACCEPT
Note: Rule# 2 above may not be necessary if your INPUT chain already has a rule like:
-A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
These "3" ports are needed to transfer files from an ftp server:
port 21 ......data requests from ftp server (--dport 21 for 2-way communication)
port 20 ......data transfers from ftp server (--sport 20 for incoming ftp-data )
port >1023 ......client application's "preferred" destination port (--dport ? for incoming ftp-data )
Note: "Preferred" DST ports differ by client, but incoming ftp-data will always come from the ftp server's port 20 (--sport 20)
ip_conntrack_ftp.ko must be loaded for file transfers to work. It sees to it that the client's preferred destination port (--dport ?) is open when the ftp-data arrives.
Are you having trouble with the packets getting dropped? You are sort of on the right track; the rule:
Code:
-A OUTPUT -o ppp0 -p tcp -m state --state NEW,ESTABLISHED -m tcp --dport 21 -j ACCEPT
You also need to add RELATED to the rules as well. The way the TCP protocol works is what is called the 3-way handshake authentication.
The very first packet of data sent by the tcp protocol is a SYN packet; this will be covered by the NEW part of the rule.
When the host receives this packet and replies to it, this is called a SYN-ACK, and when this packet comes back to you, your machine then replies to it with an ACK-ACK packet; these packets are all RELATED, they are not NEW or ESTABLISHED packets.
Now once the authentication is complete and everything is ok, data will start to be passed between the hosts; these are now known as ESTABLISHED packets, so your rule should look like this:
Code:
-A OUTPUT -o ppp0 -p tcp -m state --state NEW,ESTABLISHED,RELATED -m tcp --dport 21 -j ACCEPT
And yes, if you already have a rule that lets ESTABLISHED and RELATED packets in, you won't need that 2nd rule.
Iptables help with ftp entries on standalone dialup machine
After reading your explanation of the tcp 3-way handshake authentication procedure I changed my rules dealing with ftp servers to look like this:
-A OUTPUT -o ppp0 -p tcp -m state --state NEW,RELATED,ESTABLISHED -m tcp --dport 21 -j ACCEPT
-A INPUT -i ppp0 -p tcp -m state --state RELATED,ESTABLISHED -m tcp --dport 21 -j ACCEPT
-A INPUT -i ppp0 -p tcp -m state --state RELATED,ESTABLISHED -m tcp --sport 20 -j ACCEPT
Here is my understanding of what you said:
Rule# 1 & 2 above deal with the tcp 3-way handshake procedure
1.) syn packet --1st packet sent out to ftp server = "NEW" output packet (--dport 21)
2.) syn-ack packet --2nd packet received from ftp server = "RELATED" input packet (--dport 21)
3.) ack-ack packet --3rd packet sent back to ftp server = "RELATED" output packet (--dport 21)
Rule# 3 above deals with the actual ftp-data being sent to my machine from the ftp server (--sport 20)
That's pretty well it in a nutshell, although the ftp-data port being port 20 is not the original port 21 that ftp runs on. I think this is where you load the ip_conntrack_ftp module, which takes care of both ports, although this I'm not too sure about since I have not had anything to do with ftp; you may need to do some research on this.
# load the ftp connection-tracking helper so the data channel is seen as RELATED
/sbin/modprobe ip_conntrack_ftp
# default to dropping everything in both directions
iptables -P INPUT DROP
iptables -P OUTPUT DROP
# replies and helper-expected connections (the ftp-data channel) are allowed
iptables -A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
iptables -A INPUT -i lo -j ACCEPT
iptables -A OUTPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
iptables -A OUTPUT -o lo -j ACCEPT
# the only NEW connection we open ourselves over the dialup link: the ftp control channel
iptables -A OUTPUT -o ppp0 -p TCP --dport 21 \
-m state --state NEW -j ACCEPT
Agreed. The conntrack_ftp module allows the ftp data channel to be matched by the ESTABLISHED,RELATED rules, so no need to explicitly define the ports or do something ugly like allow packets with dports >1024 and source port 20.
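To make the thread's point about ip_conntrack_ftp concrete, here is an added Python model (not code from the thread or from the Netfilter project) of what the ruleset above does to an active-mode ftp session. It follows the kernel's conntrack semantics: the first packet of an untracked connection is NEW, every further packet in either direction of a tracked connection (including the server's SYN-ACK, which arrives with source port 21) is ESTABLISHED, and RELATED is reserved for the first packet of a connection the ftp helper expected after reading a PORT command on the control channel. The addresses, port numbers and the class and function names are constructed for the example; it also goes a step beyond the thread by running a passive-mode session, where the helper reads the server's 227 reply instead, to show that the same ESTABLISHED,RELATED rules cover that case too.

```python
import re
from dataclasses import dataclass

# Constructed addresses for the example (not from the thread).
CLIENT = "10.0.0.5"      # the dialup machine running the ruleset
SERVER = "192.0.2.10"    # the ftp server

@dataclass(frozen=True)
class Packet:
    src: str
    sport: int
    dst: str
    dport: int
    payload: bytes = b""

# Control-channel text the ftp helper inspects: the client's PORT command
# (active mode) and the server's 227 reply (passive mode).
PORT_RE = re.compile(rb"PORT (\d+),(\d+),(\d+),(\d+),(\d+),(\d+)")
PASV_RE = re.compile(rb"227 [^(]*\((\d+),(\d+),(\d+),(\d+),(\d+),(\d+)\)")

def decode_hostport(match):
    """h1,h2,h3,h4,p1,p2 -> ('h1.h2.h3.h4', p1*256 + p2), the ftp wire encoding."""
    h1, h2, h3, h4, p1, p2 = (int(g) for g in match.groups())
    return f"{h1}.{h2}.{h3}.{h4}", p1 * 256 + p2

class Conntrack:
    """Minimal stand-in for the kernel's connection table plus the ftp helper."""
    def __init__(self):
        self.connections = set()   # original-direction 4-tuples that were accepted
        self.expectations = set()  # (src, dst, dport) of data connections the helper expects

    def classify(self, pkt):
        orig = (pkt.src, pkt.sport, pkt.dst, pkt.dport)
        reply = (pkt.dst, pkt.dport, pkt.src, pkt.sport)
        if orig in self.connections or reply in self.connections:
            return "ESTABLISHED"   # either direction of a tracked connection, SYN-ACK included
        if (pkt.src, pkt.dst, pkt.dport) in self.expectations:
            return "RELATED"       # first packet of a connection the helper announced
        return "NEW"

    def confirm(self, pkt, state):
        """Commit state for an ACCEPTed packet only: a dropped NEW packet leaves no entry."""
        if state != "ESTABLISHED":
            self.expectations.discard((pkt.src, pkt.dst, pkt.dport))
            self.connections.add((pkt.src, pkt.sport, pkt.dst, pkt.dport))
        self.ftp_helper(pkt)

    def ftp_helper(self, pkt):
        """Register the data connection announced on the tcp/21 control channel."""
        if pkt.dport == 21 and (m := PORT_RE.search(pkt.payload)):
            host, port = decode_hostport(m)          # server will connect to client:port
            self.expectations.add((pkt.dst, host, port))
        elif pkt.sport == 21 and (m := PASV_RE.search(pkt.payload)):
            host, port = decode_hostport(m)          # client will connect to server:port
            self.expectations.add((pkt.dst, host, port))

def firewall(ct, pkt, chain):
    """The thread's final ruleset: policy DROP on INPUT and OUTPUT,
    RELATED,ESTABLISHED accepted on both, NEW accepted only on OUTPUT to tcp/21."""
    state = ct.classify(pkt)
    accept = state in ("RELATED", "ESTABLISHED") or (chain == "OUTPUT" and pkt.dport == 21)
    if accept:
        ct.confirm(pkt, state)
    return state, "ACCEPT" if accept else "DROP"

def run(steps):
    """steps: (label, chain, Packet); returns [(label, state, verdict), ...]."""
    ct = Conntrack()
    return [(label, *firewall(ct, pkt, chain)) for label, chain, pkt in steps]

def active_mode_trace():
    return run([
        ("SYN to ftp",        "OUTPUT", Packet(CLIENT, 1024, SERVER, 21)),
        ("SYN-ACK from ftp",  "INPUT",  Packet(SERVER, 21, CLIENT, 1024)),
        ("ACK to ftp",        "OUTPUT", Packet(CLIENT, 1024, SERVER, 21)),
        ("PORT command",      "OUTPUT", Packet(CLIENT, 1024, SERVER, 21, b"PORT 10,0,0,5,4,1\r\n")),
        ("ftp-data SYN",      "INPUT",  Packet(SERVER, 20, CLIENT, 1025)),   # 4*256+1 = 1025
        ("ftp-data SYN-ACK",  "OUTPUT", Packet(CLIENT, 1025, SERVER, 20)),
        ("unsolicited SYN",   "INPUT",  Packet(SERVER, 20, CLIENT, 1026)),   # no PORT named 1026
        ("unsolicited again", "INPUT",  Packet(SERVER, 20, CLIENT, 1026)),   # still no entry
    ])

def passive_mode_trace():
    return run([
        ("SYN to ftp",        "OUTPUT", Packet(CLIENT, 1024, SERVER, 21)),
        ("SYN-ACK from ftp",  "INPUT",  Packet(SERVER, 21, CLIENT, 1024)),
        ("227 reply",         "INPUT",  Packet(SERVER, 21, CLIENT, 1024,
                                               b"227 Entering Passive Mode (192,0,2,10,8,0)\r\n")),
        ("ftp-data SYN",      "OUTPUT", Packet(CLIENT, 1027, SERVER, 2048)),  # 8*256+0 = 2048
    ])

if __name__ == "__main__":
    for label, state, verdict in active_mode_trace() + passive_mode_trace():
        print(f"{label:18} {state:12} {verdict}")
```

Two things the trace makes visible that the rules alone do not: the incoming ftp-data SYN from port 20 is accepted only because the helper saw the PORT command first, so a SYN from port 20 to any other high port stays NEW and is dropped by the INPUT policy, and in passive mode the outbound data connection to the server's announced high port would also be dropped by the OUTPUT policy without the helper, since the only NEW outbound connection the ruleset allows is to port 21.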