LinuxQuestions.org
Go Back   LinuxQuestions.org > Forums > Linux Forums > Linux - Security
Old 05-19-2006, 12:25 AM   #1
keithxl
LQ Newbie
 
Registered: Feb 2006
Posts: 3

Rep: Reputation: 0
iptables won't allow ftp even with port 21 open.


Can’t seem to establish an ftp connection while firewall is active. I installed RedHat Enterprise 4 and vsftpd-1.2.1-5.i386.rpm. I’m using RedHat’s /etc/sysconfig/iptables with the following settings:

*filter
:INPUT ACCEPT [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
:RH-Firewall-1-INPUT - [0:0]
-A INPUT -j RH-Firewall-1-INPUT
-A FORWARD -j RH-Firewall-1-INPUT
-A RH-Firewall-1-INPUT -i lo -j ACCEPT
-A RH-Firewall-1-INPUT -p icmp --icmp-type any -j ACCEPT
-A RH-Firewall-1-INPUT -p 50 -j ACCEPT
-A RH-Firewall-1-INPUT -p 51 -j ACCEPT
-A RH-Firewall-1-INPUT -p udp --dport 5353 -d 224.0.0.251 -j ACCEPT
-A RH-Firewall-1-INPUT -p udp -m udp --dport 631 -j ACCEPT
-A RH-Firewall-1-INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
-A RH-Firewall-1-INPUT -m state --state NEW -m tcp -p tcp --dport 21 -j ACCEPT
-A RH-Firewall-1-INPUT -m state --state NEW -m tcp -p tcp --dport 22 -j ACCEPT
-A RH-Firewall-1-INPUT -m state --state NEW -m tcp -p tcp --dport 80 -j ACCEPT
-A RH-Firewall-1-INPUT -j REJECT --reject-with icmp-host-prohibited
COMMIT

I’m able to get the login prompt, but once the password is entered the connection isn’t allowed, with the following message in the log file:

May 18 21:56:14 mysite vsftpd(pam_unix)[3219]: authentication failure; logname= uid=0 euid=0 tty= ruser= rhost=24.215.64.197 user=temp

Any ideas??? Anybody???

Last edited by keithxl; 05-19-2006 at 12:26 AM.
 
Old 05-19-2006, 02:28 AM   #2
gabsik
Member
 
Registered: Dec 2005
Location: This planet
Distribution: Debian,Xubuntu
Posts: 567

Rep: Reputation: 30
Well, I'm not sure if what I'm saying is right, but with a default INPUT ACCEPT and another ACCEPT on port 21 (??? ... it's already all ACCEPT), where are the routes??? There are no routes! And also FTP needs TCP port 20, ftp-data ... I'm more sure on this!

Last edited by gabsik; 05-19-2006 at 02:29 AM.
 
Old 05-19-2006, 02:51 AM   #3
keithxl
LQ Newbie
 
Registered: Feb 2006
Posts: 3

Original Poster
Rep: Reputation: 0

Thanks gabsik, but this is a standalone system, so no need for routes. I also tried the port 20 accept, but still no dice.
 
Old 05-19-2006, 04:46 AM   #4
networkdemon
LQ Newbie
 
Registered: May 2006
Posts: 1

Rep: Reputation: 0
As far as I remember, port 20 is used only in active mode in FTP. You are probably using passive mode (all web browsers support only passive mode), in which the server opens a listening socket and waits for a connection from the client: to transfer a file or a directory listing, the client connects to the server. So you have to configure the FTP server to use only certain ports in passive mode and allow connections from outside to these ports. Example from proftpd.conf:

PassivePorts 8880 8890

The server will use ports from the range 8880-8890 to send files/directory listings to clients. Then configure iptables accordingly (sorry, no examples since I don't use iptables).
 
Old 05-19-2006, 05:52 AM   #5
prozac
Member
 
Registered: Oct 2005
Location: Australia
Distribution: slackware 12.1
Posts: 753

Rep: Reputation: 32
You are using a default policy of ACCEPT for all connections (INPUT, OUTPUT, FORWARD). In my view it's bad practice. Your default policy should be DROP or DENY for all connections, and only allow the ones you actually want through your iptables rules. E.g., the following gives INPUT/OUTPUT access to FTP connections (since yours is a single machine you don't need FORWARD).

Code:
# inbound: clients connect to the control port only
iptables -A INPUT -p tcp -s 0/0 -d $YOUR_IP --dport 21 -j ACCEPT
# outbound: the server's own replies leave FROM ports 20 (active-mode data) and 21,
# so on OUTPUT they are source ports, not destination ports
iptables -A OUTPUT -p tcp -s $YOUR_IP -d 0/0 --sport 20:21 -j ACCEPT
 
Old 05-19-2006, 05:54 AM   #6
sin
LQ Newbie
 
Registered: Jun 2005
Location: UK
Distribution: Slackware
Posts: 28

Rep: Reputation: 15
iptables -A INPUT -p tcp --dport 21 -j ACCEPT

and

modprobe ip_conntrack_ftp

Last edited by sin; 05-19-2006 at 05:58 AM.
 
Old 05-19-2006, 06:46 PM   #7
keithxl
LQ Newbie
 
Registered: Feb 2006
Posts: 3

Original Poster
Rep: Reputation: 0
Thanks all for your input. Special thanks to "sin". The ip_conntrack_ftp suggestion did the trick.

Keith
 
Old 05-19-2006, 07:34 PM   #8
Capt_Caveman
Senior Member
 
Registered: Mar 2003
Distribution: Fedora
Posts: 3,658

Rep: Reputation: 69
Quote:
Originally Posted by prozac
you are using a default policy of ACCEPT for all connections (INPUT,OUTPUT,FORWARD). In my view its bad practice.
Take a look at the last rule in RH-Firewall-1-INPUT. It does basically the same thing as iptables -P INPUT REJECT.

@keithxl: Iptables occasionally has problems with complex protocols like FTP, particularly where it should recognize certain traffic as being of the ESTABLISHED or RELATED states, but fails to do so. It has a tendency to think the passive FTP data channel is a new connection attempt, rather than being related to the control channel. The ip_conntrack_ftp and helper ftp modules will usually fix the problem.
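The helper fix from posts #6 and #8 and the pinned passive range from post #4, as one added example; this is editor-supplied code, not anything posted in the thread. It is a POSIX shell script that emits an iptables-restore file in the same layout as the RH-Firewall-1-INPUT file from post #1, plus the two vsftpd.conf lines that pin the passive range. The range 8880-8890 is borrowed from post #4 and is an arbitrary choice. Two things have changed since 2006 and are assumed here: the module is now called nf_conntrack_ftp, and since kernel 4.7 helpers are no longer attached to connections automatically, so the `-j CT --helper ftp` rule in the raw table is what `modprobe ip_conntrack_ftp` alone used to achieve. One caveat on the symptom in post #1: the quoted log line is pam_unix rejecting the credentials for user temp, which no firewall rule can cause; a blocked data channel shows up after a successful login as a hanging directory listing, not as an authentication failure, so rule the account out first.

```shell
#!/bin/sh
# Added example, not code from the thread. Emits an iptables-restore file for a
# vsftpd server in the RH-Firewall-1-INPUT layout from post #1, loads the FTP
# conntrack helper, and prints the vsftpd.conf lines that pin the passive data
# range so it can be opened explicitly. PASV_MIN/PASV_MAX default to the
# 8880-8890 range quoted in post #4 (an arbitrary choice). Nothing below touches
# the system unless APPLY=1 is set.

PASV_MIN=${PASV_MIN:-8880}
PASV_MAX=${PASV_MAX:-8890}

# The two vsftpd options that pin the passive range.
vsftpd_pasv_conf() {
    printf 'pasv_enable=YES\npasv_min_port=%s\npasv_max_port=%s\n' \
        "$PASV_MIN" "$PASV_MAX"
}

# Ruleset in iptables-restore format; iptables-restore ignores lines that
# start with '#', so the comments can stay in the installed file.
ftp_ruleset() {
    cat <<EOF
*raw
:PREROUTING ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
# Kernels since 4.7 do not attach helpers automatically: tie the control channel
# to the ftp helper here, or PASV/PORT data connections never become RELATED.
-A PREROUTING -p tcp --dport 21 -j CT --helper ftp
COMMIT
*filter
:INPUT ACCEPT [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
:RH-Firewall-1-INPUT - [0:0]
-A INPUT -j RH-Firewall-1-INPUT
-A FORWARD -j RH-Firewall-1-INPUT
-A RH-Firewall-1-INPUT -i lo -j ACCEPT
-A RH-Firewall-1-INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
-A RH-Firewall-1-INPUT -m conntrack --ctstate NEW -p tcp --dport 21 -j ACCEPT
# No INPUT rule for port 20: in active mode the server opens the data connection
# itself, so the inbound half is already ESTABLISHED.
# The pinned passive range is also accepted as NEW, for the case where the helper
# cannot read the PASV reply (FTP over TLS encrypts the control channel).
-A RH-Firewall-1-INPUT -m conntrack --ctstate NEW -p tcp --dport ${PASV_MIN}:${PASV_MAX} -j ACCEPT
-A RH-Firewall-1-INPUT -j REJECT --reject-with icmp-host-prohibited
COMMIT
EOF
}

# ip_conntrack_ftp on the 2.6.9 kernel of RHEL 4; nf_conntrack_ftp on anything current.
load_ftp_helper() {
    modprobe nf_conntrack_ftp 2>/dev/null || modprobe ip_conntrack_ftp
}

# Static check run before installing: the chain must accept RELATED traffic,
# otherwise the helper's work is wasted and the data channel hits the REJECT.
ruleset_has_related() {
    printf '%s\n' "$1" | grep -q -- '--ctstate ESTABLISHED,RELATED -j ACCEPT'
}

if [ "${APPLY:-0}" = 1 ]; then
    rs=$(ftp_ruleset)
    ruleset_has_related "$rs" || { echo 'ruleset lacks a RELATED accept' >&2; exit 1; }
    load_ftp_helper            # the CT --helper rule fails to load without the module
    printf '%s\n' "$rs" | iptables-restore
    echo 'add to /etc/vsftpd/vsftpd.conf:'
    vsftpd_pasv_conf
fi
```

Run it with APPLY=1 as root to load the helper and install the rules; without that it only defines the functions. Chain policies accept only ACCEPT or DROP, which is why the Red Hat file ends with a REJECT rule instead of a REJECT policy; the version here keeps that rule and also opens the pinned passive range, so the data channel keeps working when the helper cannot parse the PASV reply.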
 
Old 05-20-2006, 11:32 PM   #9
prozac
Member
 
Registered: Oct 2005
Location: Australia
Distribution: slackware 12.1
Posts: 753

Rep: Reputation: 32
Quote:
Take a look at the last rule in RH-Firewall-1-INPUT. It does basically the same thing as iptables -P INPUT REJECT.
Is only securing access to your machine enough? What about data leaving from your computer? Isn't that vital?
 
Old 05-21-2006, 12:08 AM   #10
Capt_Caveman
Senior Member
 
Registered: Mar 2003
Distribution: Fedora
Posts: 3,658

Rep: Reputation: 69
Quote:
Originally Posted by prozac
Is only securing access to your machine enough? What about data leaving from your computer? Isn't that vital?
Depends on what your definition of vital is. For me, yes. But that wasn't what I was pointing out.
 
Old 05-22-2006, 05:40 AM   #11
prozac
Member
 
Registered: Oct 2005
Location: Australia
Distribution: slackware 12.1
Posts: 753

Rep: Reputation: 32
Quote:
Originally Posted by prozac
You are using a default policy of ACCEPT for all connections (INPUT, OUTPUT, FORWARD). In my view it's bad practice.
Quote:
Originally Posted by Capt_Caveman
Take a look at the last rule in RH-Firewall-1-INPUT. It does basically the same thing as iptables -P INPUT REJECT.
Quote:
Originally Posted by prozac
Is only securing access to your machine enough? What about data leaving from your computer? Isn't that vital?
Quote:
Originally Posted by Capt_Caveman
Depends on what your definition of vital is. For me, yes. But that wasn't what I was pointing out.
Of course, and I wasn't talking about INPUT alone. For me OUTGOING connections are as vital as INCOMING ones. I don't want some rival cracker to silently ship my personal data out under my nose, and I don't want some remote zombie silently using my computer resources to launch a DDoS attack on YAHOO!
 
Old 05-22-2006, 08:12 PM   #12
Capt_Caveman
Senior Member
 
Registered: Mar 2003
Distribution: Fedora
Posts: 3,658

Rep: Reputation: 69
In your case, then, egress filtering is a good idea. Many people find it overly restrictive and it ends up causing problems with getting various applications working. That's the reason why Red Hat decided to go with a default firewall configured like that (in order to balance security with out-of-the-box usability). If you think that's bad from a security standpoint, I'm not going to disagree with you.

That being said, I'm not disputing (and never have disputed) your point about egress filtering, but what you were implying about the INPUT chain filtering was incorrect. FWIW, I wasn't trying to take a shot at you just to point out that you were wrong; I just thought you missed it (as many commonly do).
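The egress policy prozac argues for in post #11 and Capt_Caveman calls a usability trade-off in post #12, written out for the standalone vsftpd server from post #1 as an added example (editor-supplied, not code from the thread). It keeps the INPUT side as the Red Hat file has it and makes OUTPUT default-deny: replies to already-accepted connections, the server's own active-mode data connections from port 20, and DNS to one resolver are the only outbound traffic allowed; everything else a compromised process might attempt is logged and refused. The resolver address 192.0.2.53 is a documentation-range placeholder and an assumption.

```shell
#!/bin/sh
# Added example, not code from the thread: an egress (OUTPUT) ruleset for the
# standalone FTP server from post #1, in iptables-restore format. The resolver
# address is a placeholder (assumption); replace it with the real one.

DNS_SERVER=${DNS_SERVER:-192.0.2.53}

egress_ruleset() {
    cat <<EOF
*filter
:INPUT ACCEPT [0:0]
:FORWARD DROP [0:0]
:OUTPUT DROP [0:0]
-A OUTPUT -o lo -j ACCEPT
# Replies to connections the INPUT side accepted (ssh, http, ftp control and
# passive data, echo replies): conntrack marks them ESTABLISHED.
-A OUTPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
# Active-mode FTP data is the one connection the server opens on its own,
# always from source port 20.
-A OUTPUT -p tcp --sport 20 -m conntrack --ctstate NEW -j ACCEPT
# Name resolution to the configured resolver only.
-A OUTPUT -p udp -d ${DNS_SERVER} --dport 53 -j ACCEPT
# Anything else (reverse shells, flood traffic, data leaving the box) is logged
# at a bounded rate, then refused with an immediate error instead of a timeout.
-A OUTPUT -m limit --limit 5/min -j LOG --log-prefix "egress-drop: "
-A OUTPUT -j REJECT --reject-with icmp-admin-prohibited
COMMIT
EOF
}

# Static check: the OUTPUT policy line must be DROP, or the REJECT at the end is
# the only thing standing between a new outbound connection and the wire.
egress_default_is_drop() {
    printf '%s\n' "$1" | grep -q '^:OUTPUT DROP '
}

if [ "${APPLY:-0}" = 1 ]; then
    er=$(egress_ruleset)
    egress_default_is_drop "$er" || { echo 'OUTPUT policy is not DROP' >&2; exit 1; }
    printf '%s\n' "$er" | iptables-restore
fi
```

The same trade-off Capt_Caveman describes applies here: package updates, NTP and outbound mail all need their own ACCEPT lines before this is usable on a real host, and the `egress-drop:` log prefix is what tells you which one you forgot. Passive-mode FTP data needs no OUTPUT rule because the client opens that connection and the server's side is ESTABLISHED.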
 
Old 05-22-2006, 11:36 PM   #13
prozac
Member
 
Registered: Oct 2005
Location: Australia
Distribution: slackware 12.1
Posts: 753

Rep: Reputation: 32
I let it go. I am no security guru, but I still like to trust my points and stand by them if necessary.
 
All times are GMT -5. The time now is 09:23 PM.