LinuxQuestions.org

Linux - Security: IPTABLES rules for active FTP (https://www.linuxquestions.org/questions/linux-security-4/iptables-rules-for-active-ftp-22127/)

TruckStuff 05-29-2002 09:40 PM

IPTABLES rules for active FTP
 
After much research and debugging, I finally have my firewall almost up and running. The one thing I am lacking at this point is proper functionality of the FTP service. When I ftp to the server, the connection (eventually) logs in, but it never receives a proper file list from the server. I am using active FTP because that is what I need to get "around" my router-in-a-box. I have found the following rules from LinuxGuruz that are supposed to allow active ftp:

iptables -A INPUT -i eth0 -p tcp --dport ftp -m state --state NEW,ESTABLISHED -j ACCEPT
iptables -A OUTPUT -o eth0 -p tcp --sport ftp -m state --state ESTABLISHED -j ACCEPT
iptables -A INPUT -i eth0 -p tcp --sport ftp-data -m state --state ESTABLISHED,RELATED -j ACCEPT
#iptables -A OUTPUT -o eth0 -p tcp --dport ftp-data -m state --state ESTABLISHED,RELATED -j ACCEPT

From what I have read, the first rule allows for new connection and data traffic on port 21. The second allows for traffic outbound from port 21. The third and fourth allow for connection related traffic on port 20. Policies for INPUT and OUTPUT chains are DROP. When the policy is changed to ACCEPT, the connections work fine but obviously, that does me little good. :) Tips/Thoughts are appreciated.

Noerr 05-30-2002 12:34 AM

you have to do
iptables -A INPUT -p tcp --dport ftp -j ACCEPT
iptables -A INPUT -p tcp --dport ftp-data -j ACCEPT
iptables -A INPUT -p ALL -i eth0 -m state --state ESTABLISHED,RELATED -j ACCEPT
iptables -A OUTPUT -o eth0 -p tcp --sport ftp -j ACCEPT
iptables -A OUTPUT -o eth0 -p tcp --sport ftp-data -j ACCEPT

i think :)

heby 09-10-2004 02:35 AM

NEVER use these rules
 
just look at them:

iptables -A OUTPUT -o eth0 -p tcp --sport ftp -j ACCEPT
iptables -A OUTPUT -o eth0 -p tcp --sport ftp-data -j ACCEPT

all connections from source port 20 or 21 are accepted, no matter where they go. obviously, an attacker that has full control over the computer which he uses to attack you could choose to start his attack from one of these ports - your system is totally open to these attacks.

modprobe ip_conntrack_ftp
iptables -A INPUT -m helper --helper ftp -j ACCEPT

is the correct way to deal with active ftp.

heby

win32sux 09-28-2004 07:31 PM

Code:

/sbin/modprobe ip_conntrack_ftp
iptables -A INPUT -p TCP -i eth0 --dport 21 -m state --state NEW -j ACCEPT
iptables -A INPUT -p ALL -i eth0 -m state --state ESTABLISHED,RELATED -j ACCEPT
iptables -A OUTPUT -p ALL -o eth0 -m state --state ESTABLISHED,RELATED -j ACCEPT

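A complete stateful ruleset in the spirit of heby's and win32sux's replies, added here as an editor's example (it is not code posted in the thread): it assumes the interface name eth0 and a kernel that ships the helper as nf_conntrack_ftp, and it adds the raw-table CT rule that kernels from 4.7 on need because the FTP helper is no longer attached to connections automatically. It prints the commands by default; run it with APPLY=1 as root to apply them.

```shell
#!/bin/sh
# Editor's example: active-FTP server ruleset with DROP policies, relying on
# the conntrack FTP helper instead of "accept anything from sport 20/21".
# Dry-run by default (prints commands); APPLY=1 executes them (needs root).
# IFACE is an assumed interface name; adjust to your own.
IFACE="${IFACE:-eth0}"

run() {
  if [ "${APPLY:-0}" = "1" ]; then "$@"; else printf '%s\n' "$*"; fi
}

ftp_ruleset() {
  # Older kernels call this module ip_conntrack_ftp (as in the thread).
  run modprobe nf_conntrack_ftp

  run iptables -P INPUT DROP
  run iptables -P OUTPUT DROP
  run iptables -A INPUT -i lo -j ACCEPT
  run iptables -A OUTPUT -o lo -j ACCEPT

  # Kernels >= 4.7 do not attach helpers automatically: bind the ftp helper
  # to the control connection explicitly in the raw table.
  run iptables -t raw -A PREROUTING -i "$IFACE" -p tcp --dport 21 -j CT --helper ftp

  # New control connections in on 21. Once the helper has parsed the client's
  # PORT command, the server's outbound data connection from port 20 is
  # RELATED, so no rule keyed on source port 20 or 21 is needed at all.
  # (-m conntrack --ctstate is the current spelling of -m state --state.)
  run iptables -A INPUT -i "$IFACE" -p tcp --dport 21 -m conntrack --ctstate NEW -j ACCEPT
  run iptables -A INPUT -i "$IFACE" -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
  run iptables -A OUTPUT -o "$IFACE" -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
}

ftp_ruleset
```

Because the rules carry no `--sport ftp` or `--sport ftp-data` ACCEPT, a remote host that binds its own source port to 20 or 21 gains nothing, which is the weakness heby points out in the earlier ruleset.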

TruckStuff 09-29-2004 09:06 PM

Re: NEVER use these rules
 
Quote:

Originally posted by heby
just look at them:

iptables -A OUTPUT -o eth0 -p tcp --sport ftp -j ACCEPT
iptables -A OUTPUT -o eth0 -p tcp --sport ftp-data -j ACCEPT

all connections from source port 20 or 21 are accepted, no matter where they go. obviously, an attacker that has full control over the computer which he uses to attack you could choose to start his attack from one of these ports - your system is totally open to these attacks.

modprobe ip_conntrack_ftp
iptables -A INPUT -m helper --helper ftp -j ACCEPT

is the correct way to deal with active ftp.

heby

Sheesh... he registers to respond to a post that is over two years old??? :rolleyes:

jlinkels 01-25-2006 10:08 AM

That's the real Linux spirit!

jlinkels

mbshafer 04-22-2009 01:34 PM

Quote:

Originally posted by TruckStuff
Sheesh... he registers to respond to a post that is over two years old???

Why not!

And somebody five years later finds an answer they're searching for! :)

Cheers!

win32sux 04-22-2009 06:21 PM

mbshafer, thread resurrection isn't something we like to see happen here at LQ.

Please don't make a habit out of it. Closed.

