05-19-2006, 12:25 AM, #1
LQ Newbie, Registered: Feb 2006, Posts: 3
iptables won't allow ftp even with port 21 open.
Can’t seem to establish an ftp connection while firewall is active. I installed RedHat Enterprise 4 and vsftpd-1.2.1-5.i386.rpm. I’m using RedHat’s /etc/sysconfig/iptables with the following settings:
*filter
:INPUT ACCEPT [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
:RH-Firewall-1-INPUT - [0:0]
-A INPUT -j RH-Firewall-1-INPUT
-A FORWARD -j RH-Firewall-1-INPUT
-A RH-Firewall-1-INPUT -i lo -j ACCEPT
-A RH-Firewall-1-INPUT -p icmp --icmp-type any -j ACCEPT
-A RH-Firewall-1-INPUT -p 50 -j ACCEPT
-A RH-Firewall-1-INPUT -p 51 -j ACCEPT
-A RH-Firewall-1-INPUT -p udp --dport 5353 -d 224.0.0.251 -j ACCEPT
-A RH-Firewall-1-INPUT -p udp -m udp --dport 631 -j ACCEPT
-A RH-Firewall-1-INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
-A RH-Firewall-1-INPUT -m state --state NEW -m tcp -p tcp --dport 21 -j ACCEPT
-A RH-Firewall-1-INPUT -m state --state NEW -m tcp -p tcp --dport 22 -j ACCEPT
-A RH-Firewall-1-INPUT -m state --state NEW -m tcp -p tcp --dport 80 -j ACCEPT
-A RH-Firewall-1-INPUT -j REJECT --reject-with icmp-host-prohibited
COMMIT
I’m able to get the login prompt, but once the password is entered the connection isn’t allowed, with the following message in the log file:
May 18 21:56:14 mysite vsftpd(pam_unix)[3219]: authentication failure; logname= uid=0 euid=0 tty= ruser= rhost=24.215.64.197 user=temp
Any ideas??? Anybody???
Last edited by keithxl; 05-19-2006 at 12:26 AM.
05-19-2006, 02:28 AM, #2
Member, Registered: Dec 2005, Location: This planet, Distribution: Debian,Xubuntu, Posts: 567
Well, I'm not sure if what I'm saying is right, but with a default INPUT ACCEPT and another accept on port 21 (??? ... it's already all ACCEPT), where are the routes??? There are no routes! And also ftp needs tcp port 20 ftp-data ... I'm more sure on this!
Last edited by gabsik; 05-19-2006 at 02:29 AM.
05-19-2006, 02:51 AM, #3
LQ Newbie, Registered: Feb 2006, Posts: 3, Original Poster
Thanks gabsik, but this is a standalone system, so no need for routes. I also tried the port 20 accept, but still no dice.
05-19-2006, 04:46 AM, #4
LQ Newbie, Registered: May 2006, Posts: 1
As far as I remember, port 20 is used only in active mode in ftp. You are probably using passive mode (all web browsers support only passive mode), in which the server opens a listening socket and waits for a connection from the client; to transfer a file or directory listing the client connects to the server. So you have to configure the ftp server to use only certain ports in passive mode and allow connections from outside to these ports. Example from proftpd.conf:
PassivePorts 8880 8890
The server will use ports from the range 8880-8890 to send files/directory listings to clients. Then configure iptables accordingly (sorry, no examples since I don't use iptables).
05-19-2006, 05:52 AM, #5
Member, Registered: Oct 2005, Location: Australia, Distribution: slackware 12.1, Posts: 753
You are using a default policy of ACCEPT for all connections (INPUT, OUTPUT, FORWARD). In my view it's bad practice. Your default policy should be DROP or DENY for all connections, and only allow the ones you actually want through your iptables rules. For e.g. the following gives INPUT/OUTPUT access to FTP connections (since yours is a single machine you don't need FORWARD).
Code:
# Inbound: clients connecting to this server's FTP control (21) and data (20) ports
iptables -A INPUT -p tcp -s 0/0 -d $YOUR_IP --dport 20:21 -j ACCEPT
# Outbound: the server's replies leave with SOURCE port 20/21, so match --sport, not --dport
iptables -A OUTPUT -p tcp -d 0/0 -s $YOUR_IP --sport 20:21 -j ACCEPT
05-19-2006, 05:54 AM, #6
LQ Newbie, Registered: Jun 2005, Location: UK, Distribution: Slackware, Posts: 28
iptables -A INPUT -p tcp --dport 21 -j ACCEPT
and
modprobe ip_conntrack_ftp
Last edited by sin; 05-19-2006 at 05:58 AM.
05-19-2006, 06:46 PM, #7
LQ Newbie, Registered: Feb 2006, Posts: 3, Original Poster
Thanks all for your input. Special thanks to "sin". The ip_conntrack_ftp suggestion did the trick.
Keith
05-19-2006, 07:34 PM, #8
Senior Member, Registered: Mar 2003, Distribution: Fedora, Posts: 3,658
Quote:
Originally Posted by prozac
You are using a default policy of ACCEPT for all connections (INPUT, OUTPUT, FORWARD). In my view it's bad practice.
Take a look at the last rule in RH-Firewall-1-INPUT. It does basically the same thing as iptables -P INPUT REJECT.
@keithxl: Iptables occasionally has problems with complex protocols like FTP, particularly where it should recognize certain traffic as being of the ESTABLISHED or RELATED states, but fails to do so. It has a tendency to think the passive FTP data channel is a new connection attempt, rather than being related to the control channel. The ip_conntrack_ftp and helper ftp modules will usually fix the problem.
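To make the point in posts #4 and #8 concrete, here is an added example (not code from the thread) that walks a packet through a trimmed copy of the RH-Firewall-1-INPUT ruleset from post #1: a client's connection to a passive data port (8880, from the range in post #4) is in state NEW without the FTP helper and lands on the final REJECT, but is RELATED once ip_conntrack_ftp has tracked the control channel, so the ESTABLISHED,RELATED rule accepts it before the port-21 rule is ever consulted. The interface name eth0 and the data port are assumptions, and the parser understands only the options this ruleset uses.

```python
import re
# Constructed subset of the ruleset in post #1 (IPsec, mDNS, CUPS and port-22 rules dropped).
RULESET = """\
-A INPUT -j RH-Firewall-1-INPUT
-A RH-Firewall-1-INPUT -i lo -j ACCEPT
-A RH-Firewall-1-INPUT -p icmp --icmp-type any -j ACCEPT
-A RH-Firewall-1-INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
-A RH-Firewall-1-INPUT -m state --state NEW -m tcp -p tcp --dport 21 -j ACCEPT
-A RH-Firewall-1-INPUT -j REJECT --reject-with icmp-host-prohibited
"""

def parse(text):
    """Parse '-A chain opt arg ...' lines into {chain: [rules]}; every option here takes one arg."""
    chains = {}
    for line in text.splitlines():
        m = re.match(r"-A (\S+) (.*)", line)
        if m:
            toks = m.group(2).split()
            rule = dict(zip(toks[::2], toks[1::2]))          # e.g. {"-p": "tcp", "-j": "ACCEPT"}
            if "--state" in rule:
                rule["--state"] = set(rule["--state"].split(","))
            chains.setdefault(m.group(1), []).append(rule)
    return chains

def matches(rule, pkt):
    """Only the match options the ruleset above actually uses are simulated."""
    return ((rule.get("-p", pkt["proto"]) == pkt["proto"])
            and (rule.get("-i", pkt["iface"]) == pkt["iface"])
            and (int(rule.get("--dport", pkt["dport"])) == pkt["dport"])
            and (pkt["state"] in rule.get("--state", {pkt["state"]})))

def verdict(chains, chain, pkt):
    """First terminating target for pkt, following jumps; None = fell off the end (policy applies)."""
    for rule in chains.get(chain, []):
        if not matches(rule, pkt):
            continue
        target = rule["-j"]
        if target not in chains:                 # ACCEPT / REJECT / DROP terminates
            return target
        v = verdict(chains, target, pkt)         # user-defined chain: may fall through
        if v is not None:
            return v
    return None

def passive_data_verdict(helper_loaded):
    """Client SYN to passive data port 8880 (assumed): NEW without ip_conntrack_ftp, RELATED with it."""
    pkt = {"proto": "tcp", "iface": "eth0", "dport": 8880,
           "state": "RELATED" if helper_loaded else "NEW"}
    return verdict(parse(RULESET), "INPUT", pkt)
```

The control channel to port 21 is accepted either way; only the data channel depends on the helper, which is exactly the symptom in post #1 (login prompt works, the transfer after authentication does not).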
05-20-2006, 11:32 PM, #9
Member, Registered: Oct 2005, Location: Australia, Distribution: slackware 12.1, Posts: 753
Quote:
Take a look at the last rule in RH-Firewall-1-INPUT. It does basically the same thing as iptables -P INPUT REJECT.
Is only securing access to your machine enough? What about data leaving from your computer? Isn't that vital?
05-21-2006, 12:08 AM, #10
Senior Member, Registered: Mar 2003, Distribution: Fedora, Posts: 3,658
Quote:
Originally Posted by prozac
Is only securing access to your machine enough? What about data leaving from your computer? Isn't that vital?
Depends on what your definition of vital is. For me, yes. But that wasn't what I was pointing out.
05-22-2006, 05:40 AM, #11
Member, Registered: Oct 2005, Location: Australia, Distribution: slackware 12.1, Posts: 753
Quote:
Originally Posted by prozac
You are using a default policy of ACCEPT for all connections (INPUT, OUTPUT, FORWARD). In my view it's bad practice.
Originally Posted by Capt_Caveman
Take a look at the last rule in RH-Firewall-1-INPUT. It does basically the same thing as iptables -P INPUT REJECT.
Quote:
Originally Posted by prozac
Is only securing access to your machine enough? What about data leaving from your computer? Isn't that vital?
Originally Posted by Capt_Caveman
Depends on what your definition of vital is. For me, yes. But that wasn't what I was pointing out.
Of course, and I wasn't talking about INPUTs alone. For me OUTGOING connections are as vital as INCOMING ones. I don't want some rival cracker to silently ship my personal data out under my nose, and I don't want some remote zombie silently using my computer resources to launch a DDoS attack on YAHOO!
05-22-2006, 08:12 PM, #12
Senior Member, Registered: Mar 2003, Distribution: Fedora, Posts: 3,658
In your case, then, egress filtering is a good idea. Many people find it overly restrictive and it ends up causing problems with getting various applications working. That's the reason why Redhat decided to go with a default firewall configured like that (in order to balance security with out-of-the-box usability). If you think that's bad from a security standpoint, I'm not going to disagree with you.
That being said, I'm not (and never have been) disputing your point about egress filtering, but what you were implying about the INPUT chain filtering was incorrect. FWIW, I wasn't trying to take a shot at you just to point out that you were wrong; I just thought you missed it (as many commonly do).
05-22-2006, 11:36 PM, #13
Member, Registered: Oct 2005, Location: Australia, Distribution: slackware 12.1, Posts: 753
I let it go. I am no security guru, still I like to trust my points and stand by them if necessary.