Can’t seem to establish an ftp connection while firewall is active. I installed RedHat Enterprise 4 and vsftpd-1.2.1-5.i386.rpm. I’m using RedHat’s /etc/sysconfig/iptables with the following settings:

*filter
:INPUT ACCEPT [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
:RH-Firewall-1-INPUT - [0:0]
-A INPUT -j RH-Firewall-1-INPUT
-A FORWARD -j RH-Firewall-1-INPUT
-A RH-Firewall-1-INPUT -i lo -j ACCEPT
-A RH-Firewall-1-INPUT -p icmp --icmp-type any -j ACCEPT
-A RH-Firewall-1-INPUT -p 50 -j ACCEPT
-A RH-Firewall-1-INPUT -p 51 -j ACCEPT
-A RH-Firewall-1-INPUT -p udp --dport 5353 -d 224.0.0.251 -j ACCEPT
-A RH-Firewall-1-INPUT -p udp -m udp --dport 631 -j ACCEPT
-A RH-Firewall-1-INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
-A RH-Firewall-1-INPUT -m state --state NEW -m tcp -p tcp --dport 21 -j ACCEPT
-A RH-Firewall-1-INPUT -m state --state NEW -m tcp -p tcp --dport 22 -j ACCEPT
-A RH-Firewall-1-INPUT -m state --state NEW -m tcp -p tcp --dport 80 -j ACCEPT
-A RH-Firewall-1-INPUT -j REJECT --reject-with icmp-host-prohibited
COMMIT

I’m able to get the login prompt, but once password is entered the connection isn’t allowed with the following message in the log file:

May 18 21:56:14 mysite vsftpd(pam_unix)[3219]: authentication failure; logname= uid=0 euid=0 tty= ruser= rhost=24.215.64.197 user=temp

Any ideas??? Anybody???

Well i'm not sure if it is right what i'm saying but with a default INPUT ACCEPT and an another accept on port 21 (??? ... it's already all ACCEPT) where are the routes ???There are no routes!And also ftp needs tcp port 20 ftp-data ... i'm more sure on this !

Thanks gabsik, but this is a standalone system, so no need for routes. I also tried the port 20 accept, but still no dice.

As far as I remember port 20 is used only in active mode in ftp. You are probably using passive mode (all web browsers support only passive mode) in which server opens listening socket and wait for connection from client - to transfer file or directory listing client connects to server. So you have to configure ftp server to use only certain ports in passive mode and allow connections from outside to these ports. Example from proftpd.conf:

PassivePorts 8880 8890

Server will use ports from range 8880-8890 to send files/ directory listings to clients. Then configure iptables accordingly (sorry, no examples since I don't use iptables).

you are using a default policy of ACCEPT for all connections (INPUT,OUTPUT,FORWARD). In my view its bad practice. your default policy should be DROP or DENY for all connections and only allow the ones you actually want through your iptables rules. for eg. the following gives INPUT-OUTPUT access to FTP connections (since yours a single machine you don't need FORWARD).

iptables -A INPUT -p tcp --dport 21 -j ACCEPT

and

modprobe ip_conntrack_ftp

Thanks all for your input. Special thanks to "sin". The ip_conntrack_ftp suggestion did the trick.

Keith

Take a look at the last rule in RH-Firewall-1-INPUT. It does basically the same thing as iptables -P INPUT REJECT.

@keithxl: Iptables occassaionally has problems with complex protocols like FTP, paricularly where it should recognize certain traffic as being of the ESTABLISHED or RELATED states, but fails to do so. It has a tendency to think the passive FTP data channel is a new connection attempt, rather than being related to the control channel. The ip_conntrack_ftp and helper ftp modules will usually fix the problem.

does only securing access to your machine is enough? what about data leaving from your computer? isn't that vital?

Depends on what your definition of vital is. For me, yes. But that wasn't what I was pointing out.

Ofcourse, and I wasn't talking about INPUT's alone. For me OUTGOING connections are as vital as INCOMING Ones. I don't want some rival cracker to silently ship my personal data out under my nose and I don't want some remote zombie silently using my computer resources to launch a DDOS attack attack on YAHOO!

In your case, then egress filtering is a good idea. Many people find it overly restrictive and it ends up causing problems with getting various applications working. That's the reason why Redhat decided to go with a default firewall configured like that (in order to balance security with out-of-the-box usability). If you you think that's bad from a security standpoint, I'm not going to disagree with you.

That being said, I'm not (and never have) disputed your point about engress filtering, but what you were implying about the INPUT chain filtering was incorrect. FWIW, I wasn't trying to take a shot at you just to point out that you were wrong, I just thought you missed it (as many commonly do).

I let it go. I am no security guru, still I like to trust my point and stand by them if neccessary.