[TriLUG] FTP can't get through iptables (was: iptables for webserver)

skippy1 at hickorytech.net skippy1 at hickorytech.net
Mon Jun 13 21:00:20 EDT 2005


FTP is a horrible protocol when it comes to firewalls.  What you are
seeing is the classic ftp/firewall problem.

(If I'm over explaining here, forgive me.  Maybe it'll do someone else good.)

FTP uses 2 connections to do stuff.  The first one is the control
connection and this always goes from a high numbered port on the client to
port 21 on the server.  It is the one that handles authentication and
since you are getting authenticated, this one is getting through just
fine.

The second connection is the data connection.  Every time that any data is
passed, even if it is a directory listing, the data connection is used (or
a new data connection is opened if needed).  In active mode, the data
connection is started by the server machine and goes from a high number
port on the server to a high number port on the client machine chosen by
the client machine.  In passive mode, the connection goes from a high
number port on the client to a high number port on the server.  This data
connection is not getting through the firewall.

As for why it works from the command line but not the GUIs...no idea. 
Most command line clients seem to be more robust, but that shouldn't make
a difference.

Possible fixes:

1) If you know the client machines will not have firewalls, you can try
forcing active mode and allowing connections between high number ports as
long as they are initiated by the ftp server.  This often fails if the
client machines are behind a firewall.

2) If your ftp server software can do it (and I think ProFTP can) you can
force it to passive mode and open a limited range of high number ports on
the firewall for the FTP server.  In passive mode the server chooses what
port the new data connection should be on and many ftp server progs let
you restrict the range that it chooses from.  Make the open ports on the
firewall match the range of ports that the ftp server chooses and you have
a functional setup without reducing security too far.  (You'll also want
to make sure that nothing else on the ftp server uses any ports in that
range.)

3) iptables has the ip_conntrack (sp?) module for dealing with exactly
this.  It is supposed to manage the data connections by associating them
with the control connection.  I've had some problems with it in the past,
but it's been quite a while so my guess is that they are probably fixed by
now.


> Thanks for the suggestions on IPtables script. I ended up using one
> written by Alan Porter. It's a great script, but I'm having this funny
> problem with FTP. I'm posting this to the whole group instead of just
> Alan because I've had this problem with other IPtables configs also.
> Here is what happens
>
> Using a GUI FTP client, either on Windows or Linux, either in Passive
> mode or not, the client successfully makes a connection and
> authenticates against the server. After that initial connection, it
> hangs and times out. In the logs you can see that the FTP user
> authenticated, but that's all. I know this is related to IPtables
> because if I totally stop iptables it works fine.
>
> The weird thing is that if you log in via FTP on the command line from
> any client it works totally fine.
>
> Personally, I'd be happy scrapping FTP all together and just using SSH
> tools, but there are some end users who use Windows Explorer to connect
> to shared documents on an FTP server.
>
> This is an RHEL 3 machine running proFTP and the 2.4 kernel.
>
> Any ideas??
>
> Thanks,
>
> Sam
>
> On 6/13/05, Tanner Lovelace <clubjuggler at gmail.com> wrote:
>>
>> You could always use shorewall ( http://shorewall.net/). It's the
>> default firewall on Mandrake Linux.
>>
>> Cheers,
>> Tanner
>>
>> On 6/13/05, Sam Folk-Williams <sam.folkwilliams at gmail.com> wrote:
>> > Hi,
>> >
>> > I was wondering if someone could post an iptables script for a web server?
>> > IPtables is something that always gives me trouble. The services I need to
>> > allow are httpd, ftp, ssh - more or less the standard web/admin services. I
>> > would like to drop other traffic and allow mysql access only from localhost.
>> > Anyone have a script they use?
>> >
>> > Thanks,
>> >
>> > Sam
>> > --
>> > TriLUG mailing list : http://www.trilug.org/mailman/listinfo/trilug
>> > TriLUG Organizational FAQ : http://trilug.org/faq/
>> > TriLUG Member Services FAQ : http://members.trilug.org/services_faq/
>> > TriLUG PGP Keyring : http://trilug.org/~chrish/trilug.asc
>> >
>>
>>
>> --
>> Tanner Lovelace
>> clubjuggler at gmail dot com
>> http://wtl.wayfarer.org/
>> http://www.freeiPods.com/?r=8127171
>> (fieldless) In fess two roundels in pale, a billet fesswise and an
>> increscent, all sable.
>>
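The control-channel mechanics behind the active/passive explanation and fixes 1 and 2 at the top of this message, as an added example that is not part of the original thread: it parses the client's PORT command and the server's 227 PASV reply the way a firewall's FTP helper has to, and checks the announced data port against a server-side passive range. The sample lines, the 50000-50100 range and the rule strings are constructed assumptions, not taken from the post.

```python
import re
from dataclasses import dataclass

# RFC 959 encodes an endpoint as h1,h2,h3,h4,p1,p2 with port = p1*256 + p2
_HOSTPORT = re.compile(r"(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3})")

@dataclass(frozen=True)
class DataConn:
    mode: str   # "active": server connects out; "passive": client connects in
    host: str   # address the data connection is made TO
    port: int   # port the data connection is made TO

def parse_hostport(text):
    m = _HOSTPORT.search(text)
    if not m:
        raise ValueError("no h1,h2,h3,h4,p1,p2 field in %r" % text)
    nums = [int(x) for x in m.groups()]
    if max(nums) > 255:
        raise ValueError("octet out of range in %r" % text)
    return ".".join(map(str, nums[:4])), nums[4] * 256 + nums[5]

def parse_control_line(line):
    """Data connection announced on one control-channel line, else None."""
    line = line.strip()
    if line.upper().startswith("PORT "):     # client -> server, active mode
        return DataConn("active", *parse_hostport(line[5:]))
    if line.startswith("227 "):              # server -> client, passive mode
        return DataConn("passive", *parse_hostport(line))
    return None

def firewall_allows(conn, passive_range, client_has_firewall=True):
    """Fix 2: the server firewall opens only a fixed passive range.  Active
    mode (fix 1) only works if the client side accepts the server's inbound
    connection to the high port the client announced."""
    lo, hi = passive_range
    if conn.mode == "passive":
        return lo <= conn.port <= hi
    return not client_has_firewall

def passive_iptables_rules(passive_range):
    """Fix 2 as iptables rules: control port 21 plus the configured passive range."""
    lo, hi = passive_range
    return ["iptables -A INPUT -p tcp --dport 21 -j ACCEPT",
            "iptables -A INPUT -p tcp --dport %d:%d -j ACCEPT" % (lo, hi)]

if __name__ == "__main__":
    # Constructed control-channel lines (not a real capture)
    for raw in ("227 Entering Passive Mode (192,0,2,10,195,80)", "PORT 198,51,100,7,4,1"):
        c = parse_control_line(raw)
        print(raw, "->", c, "allowed:", firewall_allows(c, (50000, 50100)))
```

The passive range passed to `firewall_allows` and `passive_iptables_rules` must be the same one configured in the ftp server, which is the matching step the post describes.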