LinuxQuestions.org, Linux - Security forum
12-27-2006, 12:02 AM   #1
ssenuta (Member, Mandriva-2006)

Iptables help with ftp entries on standalone dialup machine

I recently tried to update my Mandriva-2006 linux software packages via the Mandrake Control Center but discovered that my firewall setup wouldn't permit this operation. Thanks to you good folks at the LQ organization, I had my iptables set up to log dropped packets & noted that my OUTPUT packets to DST port 21 were being dropped. I was dealing with an ftp server & needed to adjust my /etc/sysconfig/iptables file to permit ftp packets.

I did some surfing and after much confusion I came up with a solution, but I am unsure of myself & would appreciate any comments someone has to offer.

Here are the new iptables rules I added & a short summary of how I think file transfers work:

These "3" rules were added to access files on an ftp server:
Code:
-A OUTPUT -o ppp0 -p tcp -m state --state NEW,ESTABLISHED -m tcp --dport 21 -j ACCEPT
-A INPUT -i ppp0 -p tcp -m state --state ESTABLISHED -m tcp --dport 21 -j ACCEPT
-A INPUT -i ppp0 -p tcp -m state --state RELATED,ESTABLISHED -m tcp --sport 20 -j ACCEPT
Note: Rule# 2 above may not be necessary if your INPUT chain already has a rule like:
Code:
-A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT

These "3" ports are needed to transfer files from an ftp server:
port 21 ...... data requests from ftp server (--dport 21 for 2-way communication)
port 20 ...... data transfers from ftp server (--sport 20 for incoming ftp-data)
port >1023 ...... client application's "preferred" destination port (--dport ? for incoming ftp-data)

Note:
"Preferred" DST ports differ by client, but incoming ftp-data will always come from the ftp server's port 20 (--sport 20)

ip_conntrack_ftp.ko must be loaded for file transfers to work. It sees to it that the client's preferred destination port (--dport ?) is open when the ftp-data arrives.

Thank you for reading my post -----stan

Last edited by ssenuta; 12-27-2006 at 12:40 AM.
 
12-27-2006, 04:33 AM   #2
fotoguy (Senior Member, Custom Debian Live ISO's)
Are you having trouble with the packets getting dropped? You are sort of on the right track; the rule:

Code:
-A OUTPUT -o ppp0 -p tcp -m state --state NEW,ESTABLISHED -m tcp --dport 21 -j ACCEPT
You also need to add RELATED to the rules as well. The way the TCP protocol works is what is called the 3-way handshake authentication.
The very first packet of data sent by the TCP protocol is a SYN packet; this will be covered by the NEW part of the rule.

When the host receives this packet and replies to it, this is called a SYN-ACK, and when this packet comes back to you, your machine then replies to it with an ACK-ACK packet. These packets are all RELATED; they are not NEW or ESTABLISHED packets.

Now once the authentication is complete and everything is ok, data will start to be passed between the hosts; these are now known as ESTABLISHED packets, so your rule should look like this:

Code:
-A OUTPUT -o ppp0 -p tcp -m state --state NEW,ESTABLISHED,RELATED -m tcp --dport 21 -j ACCEPT
And yes, if you already have a rule that lets ESTABLISHED and RELATED packets in, you won't need that 2nd rule.

Last edited by fotoguy; 12-27-2006 at 04:35 AM.
 
12-28-2006, 01:36 AM   #3
ssenuta (Original Poster)

Iptables help with ftp entries on standalone dialup machine

After reading your explanation of the TCP 3-way handshake authentication procedure I changed my rules dealing with ftp servers to look like this:

Code:
-A OUTPUT -o ppp0 -p tcp -m state --state NEW,RELATED,ESTABLISHED -m tcp --dport 21 -j ACCEPT
-A INPUT -i ppp0 -p tcp -m state --state RELATED,ESTABLISHED -m tcp --dport 21 -j ACCEPT
-A INPUT -i ppp0 -p tcp -m state --state RELATED,ESTABLISHED -m tcp --sport 20 -j ACCEPT

Here is my understanding of what you said:

Rules #1 & #2 above deal with the TCP 3-way handshake procedure:

1.) SYN packet -- 1st packet sent out to ftp server = "NEW" output packet (--dport 21)
2.) SYN-ACK packet -- 2nd packet received from ftp server = "RELATED" input packet (--dport 21)
3.) ACK-ACK packet -- 3rd packet sent back to ftp server = "RELATED" output packet (--dport 21)

Rule #3 above deals with the actual ftp-data being sent to my machine from the ftp server (--sport 20)

Thanks for your help --stan

Last edited by ssenuta; 12-28-2006 at 01:39 AM.
 
12-28-2006, 07:28 PM   #4
fotoguy (Senior Member, Custom Debian Live ISO's)
That's pretty well it in a nutshell, although the ftp-data port being on port 20 is not the original port 21 that ftp runs on. I think this is where you load the ip_conntrack_ftp module which takes care of both ports, although this I'm not too sure about since I have not had anything to do with ftp; you may need to do some research on this.

Last edited by fotoguy; 12-28-2006 at 07:52 PM.
 
12-29-2006, 01:10 AM   #5
win32sux (LQ Guru, Ubuntu)
Yeah, it would work like this example:
Code:
/sbin/modprobe ip_conntrack_ftp

iptables -P INPUT DROP
iptables -P OUTPUT DROP

iptables -A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
iptables -A INPUT -i lo -j ACCEPT

iptables -A OUTPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
iptables -A OUTPUT -o lo -j ACCEPT

iptables -A OUTPUT -o ppp0 -p TCP --dport 21 \
-m state --state NEW -j ACCEPT
No need to mess with port 20/tcp...

Just my two cents...
 
12-29-2006, 02:25 PM   #6
Capt_Caveman (Senior Member, Fedora)
Quote:
Originally Posted by win32sux
No need to mess with port 20/tcp...
Just my two cents...
Agreed. The conntrack_ftp module allows the ftp data channel to be matched by the ESTABLISHED,RELATED rules, so there is no need to explicitly define the ports or do something ugly like allow packets with dports >1024 and source port 20.
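To make the connection-tracking behaviour the thread settles on concrete (the ip_conntrack_ftp note in post #1, and posts #5 and #6 relying on RELATED,ESTABLISHED instead of port 20 rules), here is a toy model of the kernel's connection tracker and its FTP helper. This is an added example written for this page, not code from the thread or from netfilter; the client 10.0.0.2, the server 192.0.2.10, the port numbers, the payloads and the `Conntrack`/`filter_packet` names are all constructed for it. `filter_packet` mirrors the post #5 ruleset: DROP policy on both chains, RELATED,ESTABLISHED accepted in both, NEW accepted only outbound to 21/tcp. In the tracker the SYN that opens the control connection is NEW, every later packet of that flow in either direction (the SYN-ACK and ACK included) is ESTABLISHED, and only a connection the helper was told to expect from a PORT command (active mode) or a 227 reply (passive mode) is RELATED. With the helper loaded both data connections pass, whether they arrive from the server's port 20 or go out to a high port on the server; with it unloaded both are NEW and hit the DROP policy, and an unannounced SYN from 20/tcp is dropped in either case.

```python
"""Toy model of netfilter connection tracking with the FTP helper.

Added example for this page, not code from the thread or from netfilter.
Hosts, ports and payloads are constructed; the kernel's real table and
expectation handling are far richer than this.
"""
import re
from dataclasses import dataclass, field

CLIENT = "10.0.0.2"    # constructed: the dialup client
SERVER = "192.0.2.10"  # constructed: the FTP server (TEST-NET-1 address)

PORT_CMD = re.compile(r"PORT (\d+),(\d+),(\d+),(\d+),(\d+),(\d+)")
PASV_REPLY = re.compile(r"227 .*\((\d+),(\d+),(\d+),(\d+),(\d+),(\d+)\)")


@dataclass(frozen=True)
class Packet:
    src: str
    sport: int
    dst: str
    dport: int
    flags: str = "ACK"
    payload: str = ""


@dataclass
class Conntrack:
    helper: bool = True                         # is the FTP helper loaded?
    table: set = field(default_factory=set)     # connections already seen
    expected: set = field(default_factory=set)  # (src, dst, dport) announced on a control channel

    @staticmethod
    def key(p):
        # Direction-independent key, so the reply to a tracked flow hits the same entry.
        return frozenset([(p.src, p.sport), (p.dst, p.dport)])

    def state(self, p):
        if self.key(p) in self.table:
            return "ESTABLISHED"   # covers the SYN-ACK and ACK of the handshake too
        if (p.src, p.dst, p.dport) in self.expected:
            return "RELATED"       # the source port is a wildcard in the expectation
        return "NEW"

    def track(self, p):
        """Run for accepted packets: confirm the entry, then let the helper look."""
        self.table.add(self.key(p))
        self.expected.discard((p.src, p.dst, p.dport))
        if self.helper and 21 in (p.sport, p.dport):
            m = PORT_CMD.match(p.payload) or PASV_REPLY.match(p.payload)
            if m:
                host = ".".join(m.group(1, 2, 3, 4))
                port = int(m.group(5)) * 256 + int(m.group(6))
                # PORT comes from the client and the server connects back to it;
                # 227 comes from the server and the client connects to it. Either
                # way the expected flow runs from this packet's receiver to host:port.
                self.expected.add((p.dst, host, port))


def filter_packet(ct, p, chain):
    """Mirror of the post #5 rules: policy DROP on INPUT and OUTPUT, accept
    RELATED,ESTABLISHED in both chains, accept NEW outbound to 21/tcp only."""
    st = ct.state(p)
    if st in ("RELATED", "ESTABLISHED") or (chain == "OUTPUT" and p.dport == 21):
        verdict = "ACCEPT"
        ct.track(p)
    else:
        verdict = "DROP"
    return st, verdict


def control_handshake(ct):
    """Three-way handshake on the control channel; returns (state, verdict) per packet."""
    return [
        filter_packet(ct, Packet(CLIENT, 40001, SERVER, 21, "SYN"), "OUTPUT"),
        filter_packet(ct, Packet(SERVER, 21, CLIENT, 40001, "SYN-ACK"), "INPUT"),
        filter_packet(ct, Packet(CLIENT, 40001, SERVER, 21, "ACK"), "OUTPUT"),
    ]


def active_data_connection(ct):
    """Client announces 10.0.0.2:40002 (156*256+66); the server connects from port 20."""
    filter_packet(ct, Packet(CLIENT, 40001, SERVER, 21,
                             payload="PORT 10,0,0,2,156,66\r\n"), "OUTPUT")
    return filter_packet(ct, Packet(SERVER, 20, CLIENT, 40002, "SYN"), "INPUT")


def passive_data_connection(ct):
    """Server announces 192.0.2.10:50009 (195*256+89); the client connects to it."""
    filter_packet(ct, Packet(SERVER, 21, CLIENT, 40001,
                             payload="227 Entering Passive Mode (192,0,2,10,195,89)\r\n"), "INPUT")
    return filter_packet(ct, Packet(CLIENT, 40003, SERVER, 50009, "SYN"), "OUTPUT")


def unsolicited_from_port_20(ct):
    """A SYN from 20/tcp that no control channel announced: the 'ugly' case from post #6."""
    return filter_packet(ct, Packet(SERVER, 20, CLIENT, 40004, "SYN"), "INPUT")
```

Run `control_handshake`, then `active_data_connection`, `passive_data_connection` and `unsolicited_from_port_20` on a `Conntrack()` and again on a `Conntrack(helper=False)` to see the two columns of verdicts. Two practitioner notes that the thread predates: on current kernels the module is named nf_conntrack_ftp and `-m conntrack --ctstate` is the present-day spelling of `-m state --state`, and since Linux 4.7 automatic helper assignment is off by default (the `nf_conntrack_helper` sysctl, removed entirely in 6.0), so loading the module is no longer enough by itself; the control connection has to be tied to the helper with a raw-table rule such as `iptables -t raw -A OUTPUT -p tcp --dport 21 -j CT --helper ftp`, after which the classification is the one the model shows.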
 
12-29-2006, 10:50 PM   #7
fotoguy (Senior Member, Custom Debian Live ISO's)
Thanks for the input win32sux and Capt_Caveman.
 