[TriLUG] FTP can't get through iptables

Jeff Groves jgroves at krenim.org
Mon Jun 13 21:14:41 EDT 2005


The two connections are often over two different ports -- not only TCP 
21, but TCP 20 as well.

Jeff G.

skippy1 at hickorytech.net wrote:

>FTP is a horrible protocol when it comes to firewalls.  What you are
>seeing is the classic ftp/firewall problem.
>
>(If I'm over explaining here, forgive me.  Maybe it'll do someone else good.)
>
>FTP uses 2 connections to do stuff.  The first one is the control
>connection and this always goes from a high numbered port on the client to
>port 21 on the server.  It is the one that handles authentication and
>since you are getting authenticated, this one is getting through just
>fine.
>
>The second connection is the data connection.  Every time that any data is
>passed, even if it is a directory listing, the data connection is used (or
>a new data connection is opened if needed).  In active mode, the data
>connection is started by the server machine and goes from a high number
>port on the server to a high number port on the client machine chosen by
>the client machine.  In passive mode, the connection goes from a high
>number port on the client to a high number port on the server.  This data
>connection is not getting through the firewall.
>
>As for why it works from the command line but not the GUIs...no idea. 
>Most command line clients seem to be more robust, but that shouldn't make
>a difference.
>
>Possible fixes:
>
>1) If you know the client machines will not have firewalls, you can try
>forcing active mode and allowing connections between high number ports as
>long as they are initiated by the ftp server.  This often fails if the
>client machines are behind a firewall.
>
>2) If your ftp server software can do it (and I think ProFTP can) you can
>force it to passive mode and open a limited range of high number ports on
>the firewall for the FTP server.  In passive mode the server chooses what
>port the new data connection should be on and many ftp server progs let
>you restrict the range that it chooses from.  Make the open ports on the
>firewall match the range of ports that the ftp server chooses and you have
>a functional setup without reducing security too far.  (You'll also want
>to make sure that nothing else on the ftp server uses any ports in that
>range.)
>
>3) iptables has the ip_conntrack (sp?) module for dealing with exactly
>this.  It is supposed to manage the data connections by associating them
>with the control connection.  I've had some problems with it in the past,
>but it's been quite a while so my guess is that they are probably fixed by
>now.
>
>>Thanks for the suggestions on IPtables script. I ended up using one
>>written by Alan Porter. It's a great script, but I'm having this funny
>>problem with FTP. I'm posting this to the whole group instead of just
>>Alan because I've had this problem with other IPtables configs also.
>>Here is what happens:
>>
>>Using a GUI FTP client, either on Windows or Linux, either in Passive
>>mode or not, the client successfully makes a connection and
>>authenticates against the server. After that initial connection, it
>>hangs and times out. In the logs you can see that the FTP user
>>authenticated, but that's all. I know this is related to IPtables
>>because if I totally stop iptables it works fine.
>>
>>The weird thing is that if you log in via FTP on the command line from
>>any client it works totally fine.
>>
>>Personally, I'd be happy scrapping FTP altogether and just using SSH
>>tools, but there are some end users who use Windows Explorer to connect
>>to shared documents on an FTP server.
>>
>>This is an RHEL 3 machine running proFTP and the 2.4 kernel.
>>
>>Any ideas??
>>
>>Thanks,
>>
>>Sam
>>
>>On 6/13/05, Tanner Lovelace <clubjuggler at gmail.com> wrote:
>>
>>>You could always use shorewall ( http://shorewall.net/). It's the
>>>default firewall on Mandrake Linux.
>>>
>>>Cheers,
>>>Tanner
>>>
>>>On 6/13/05, Sam Folk-Williams <sam.folkwilliams at gmail.com> wrote:
>>>
>>>>Hi,
>>>>
>>>>I was wondering if someone could post an iptables script for a web
>>>>server?
>>>>
>>>>IPtables is something that always gives me trouble. The services I
>>>>need to allow are httpd, ftp, ssh - more or less the standard web/admin
>>>>services. I would like to drop other traffic and allow mysql access
>>>>only from localhost.
>>>>
>>>>Anyone have a script they use?
>>>>
>>>>Thanks,
>>>>
>>>>Sam
>>>>--
>>>>TriLUG mailing list : http://www.trilug.org/mailman/listinfo/trilug
>>>>TriLUG Organizational FAQ : http://trilug.org/faq/
>>>>TriLUG Member Services FAQ : http://members.trilug.org/services_faq/
>>>>TriLUG PGP Keyring : http://trilug.org/~chrish/trilug.asc
>>>
>>>
>>>--
>>>Tanner Lovelace
>>>clubjuggler at gmail dot com
>>>http://wtl.wayfarer.org/
>>>http://www.freeiPods.com/?r=8127171
>>>(fieldless) In fess two roundels in pale, a billet fesswise and an
>>>increscent, all sable.
>>>

-- 
Jeff Groves
email: jgroves at krenim.org             Web Site: http://www.krenim.org/
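The thread's fixes 2 and 3 combined into one server-side script, as an added example that is not from the thread, from ProFTPD or from the iptables project: it loads the 2.4-kernel ip_conntrack_ftp helper so data channels are tracked as RELATED, and only opens the narrow passive range ProFTPD is told to use. The 49152-49200 range, the DROP/ACCEPT policies and the DRY_RUN switch are assumptions made here.

```shell
#!/bin/sh
# Added example (not the thread's or ProFTPD's code): iptables rules for a
# 2.4-kernel host running ProFTPD. Assumes INPUT policy DROP, OUTPUT policy
# ACCEPT, and this assumed line in proftpd.conf matching the range below:
#     PassivePorts 49152 49200
PASV_LOW=${PASV_LOW:-49152}
PASV_HIGH=${PASV_HIGH:-49200}
# DRY_RUN=1 (the default) prints each command instead of executing it;
# set DRY_RUN=0 to apply the rules for real.
DRY_RUN=${DRY_RUN:-1}

run() {
    if [ "$DRY_RUN" = 1 ]; then echo "$*"; else "$@"; fi
}

# Reject an empty, inverted, privileged or out-of-range passive range before
# any rule is installed. Returns 0 when the range is usable.
check_range() {
    [ "$1" -ge 1024 ] && [ "$1" -le "$2" ] && [ "$2" -le 65535 ]
}

ftp_rules() {
    # Fix 3: the helper parses PORT/PASV on the control channel so the data
    # channel (active: from TCP 20; passive: into the range) becomes RELATED.
    run modprobe ip_conntrack_ftp
    # Packets of tracked connections, including RELATED data channels.
    run iptables -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
    # Control channel: new connections to TCP 21.
    run iptables -A INPUT -p tcp --dport 21 -m state --state NEW -j ACCEPT
    # Fix 2 as a fallback if the helper misses a session: new connections
    # only into the range ProFTPD is configured to offer, nothing wider.
    run iptables -A INPUT -p tcp --dport "$1:$2" -m state --state NEW -j ACCEPT
}

if check_range "$PASV_LOW" "$PASV_HIGH"; then
    ftp_rules "$PASV_LOW" "$PASV_HIGH"
else
    echo "bad PassivePorts range $PASV_LOW-$PASV_HIGH" >&2
fi
```

Run it once with the default DRY_RUN=1 to review the four commands it would issue, then with DRY_RUN=0 as root.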




