[TriLUG] FTP can't get through iptables (was: iptables for webserver)

Sam Folk-Williams sam.folkwilliams at gmail.com
Tue Jun 14 07:21:55 EDT 2005


Thank you -- this explanation is a huge help. This makes perfect sense. 
After I sent the email last night I started reading "Linux Server Security" 
and just got to a part where it mentioned the thing with FTP using multiple 
ports. I will do some searching on how to configure proFTP to use a specific 
range.

Thanks a lot,

Sam

On 6/13/05, skippy1 at hickorytech.net <skippy1 at hickorytech.net> wrote:
> 
> FTP is a horrible protocol when it comes to firewalls. What you are
> seeing is the classic ftp/firewall problem.
> 
> (If I'm over explaining here, forgive me. Maybe it'll do someone else 
> good.)
> 
> FTP uses 2 connections to do stuff. The first one is the control
> connection and this always goes from a high numbered port on the client to
> port 21 on the server. It is the one that handles authentication and
> since you are getting authenticated, this one is getting through just
> fine.
> 
> The second connection is the data connection. Every time that any data is
> passed, even if it is a directory listing, the data connection is used (or
> a new data connection is opened if needed). In active mode, the data
> connection is started by the server machine and goes from a high number
> port on the server to a high number port on the client machine chosen by
> the client machine. In passive mode, the connection goes from a high
> number port on the client to a high number port on the server. This data
> connection is not getting through the firewall.
> 
> As for why it works from the command line but not the GUIs...no idea.
> Most command line clients seem to be more robust, but that shouldn't make
> a difference.
> 
> Possible fixes:
> 
> 1) If you know the client machines will not have firewalls, you can try
> forcing active mode and allowing connections between high number ports as
> long as they are initiated by the ftp server. This often fails if the
> client machines are behind a firewall.
> 
> 2) If your ftp server software can do it (and I think ProFTP can) you can
> force it to passive mode and open a limited range of high number ports on
> the firewall for the FTP server. In passive mode the server chooses what
> port the new data connection should be on and many ftp server progs let
> you restrict the range that it chooses from. Make the open ports on the
> firewall match the range of ports that the ftp server chooses and you have
> a functional setup without reducing security too far. (You'll also want
> to make sure that nothing else on the ftp server uses any ports in that
> range.)
> 
> 3) iptables has the ip_conntrack (sp?) module for dealing with exactly
> this. It is supposed to manage the data connections by associating them
> with the control connection. I've had some problems with it in the past,
> but it's been quite a while so my guess is that they are probably fixed by
> now.
> 
> 
> > Thanks for the suggestions on IPtables script. I ended up using one
> > written by Alan Porter. It's a great script, but I'm having this funny
> > problem with FTP. I'm posting this to the whole group instead of just
> > Alan because I've had this problem with other IPtables configs also.
> > Here is what happens
> >
> > Using a GUI FTP client, either on Windows or Linux, either in Passive
> > mode or not, the client successfully makes a connection and
> > authenticates against the server. After that initial connection, it
> > hangs and times out. In the logs you can see that the FTP user
> > authenticated, but that's all. I know this is related to IPtables
> > because if I totally stop iptables it works fine.
> >
> > The weird thing is that if you log in via FTP on the command line from
> > any client it works totally fine.
> >
> > Personally, I'd be happy scrapping FTP altogether and just using SSH
> > tools, but there are some end users who use Windows Explorer to connect
> > to shared documents on an FTP server.
> >
> > This is an RHEL 3 machine running proFTP and the 2.4 kernel.
> >
> > Any ideas??
> >
> > Thanks,
> >
> > Sam
> >
> > On 6/13/05, Tanner Lovelace <clubjuggler at gmail.com> wrote:
> >>
> >> You could always use shorewall ( http://shorewall.net/). It's the
> >> default firewall on Mandrake Linux.
> >>
> >> Cheers,
> >> Tanner
> >>
> >> On 6/13/05, Sam Folk-Williams <sam.folkwilliams at gmail.com> wrote:
> >> > Hi,
> >> >
> >> > I was wondering if someone could post an iptables script for a web
> >> > server? IPtables is something that always gives me trouble. The
> >> > services I need to allow are httpd, ftp, ssh - more or less the
> >> > standard web/admin services. I would like to drop other traffic and
> >> > allow mysql access only from localhost.
> >> > Anyone have a script they use?
> >> >
> >> > Thanks,
> >> >
> >> > Sam
> >> > --
> >> > TriLUG mailing list : http://www.trilug.org/mailman/listinfo/trilug
> >> > TriLUG Organizational FAQ : http://trilug.org/faq/
> >> > TriLUG Member Services FAQ : http://members.trilug.org/services_faq/
> >> > TriLUG PGP Keyring : http://trilug.org/~chrish/trilug.asc
> >> >
> >>
> >>
> >> --
> >> Tanner Lovelace
> >> clubjuggler at gmail dot com
> >> http://wtl.wayfarer.org/
> >> http://www.freeiPods.com/?r=8127171
> >> (fieldless) In fess two roundels in pale, a billet fesswise and an
> >> increscent, all sable.
> >>
> 
> 
> 
>
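Added example (not code from anyone in this thread): a small POSIX sh script that puts skippy1's fixes 2 and 3 together from a defender's side. It decodes the data port from a "227 Entering Passive Mode" reply the same way the kernel FTP conntrack helper reads the control channel, checks a proposed passive range against the kernel's ephemeral port range (the "nothing else on the server uses those ports" caveat), and prints the iptables rules for review rather than applying them. The range 62000-62100, the function names and the fallback ephemeral range are assumptions; the only real directive referenced is ProFTPD's `PassivePorts`, which is what pins the server to that range.

```shell
#!/bin/sh
# Added example, not from the list thread. PASV_LO/PASV_HI are assumed values
# and must match the "PassivePorts <lo> <hi>" line in proftpd.conf.
set -u

PASV_LO=${PASV_LO:-62000}
PASV_HI=${PASV_HI:-62100}

# Decode the data port from a "227 Entering Passive Mode (h1,h2,h3,h4,p1,p2)"
# reply: port = p1*256 + p2. This is the parsing the ip_conntrack_ftp helper
# does on the control connection to learn which data connection to expect.
pasv_port() {
    p=$(printf '%s\n' "$1" |
        sed -n 's/.*(\([0-9]*\),\([0-9]*\),\([0-9]*\),\([0-9]*\),\([0-9]*\),\([0-9]*\)).*/\5 \6/p')
    [ -n "$p" ] || return 1
    set -- $p
    echo $(( $1 * 256 + $2 ))
}

# 0 when a data port falls inside the range the firewall opens, 1 otherwise
# (a 1 here is exactly the "authenticates, then hangs" symptom in the thread).
port_in_range() {
    [ "$1" -ge "$2" ] && [ "$1" -le "$3" ]
}

# 0 when the passive range is sane and does not overlap the kernel's ephemeral
# range (read from /proc unless given as $3 $4; the 32768-61000 fallback is an
# assumed default), so no other program on the server can grab an opened port.
# Note that a popular choice like 49152-49200 sits inside that default range.
check_range() {
    lo=$1; hi=$2
    if [ $# -ge 4 ]; then
        eph_lo=$3; eph_hi=$4
    else
        read -r eph_lo eph_hi < /proc/sys/net/ipv4/ip_local_port_range 2>/dev/null \
            || { eph_lo=32768; eph_hi=61000; }
    fi
    [ "$lo" -gt 1023 ] && [ "$lo" -le "$hi" ] && [ "$hi" -le 65535 ] || return 1
    # ranges overlap when lo <= eph_hi and hi >= eph_lo
    if [ "$lo" -le "$eph_hi" ] && [ "$hi" -ge "$eph_lo" ]; then
        return 1
    fi
    return 0
}

# Print the iptables rules (review first, then run as root). The helper module
# is ip_conntrack_ftp on the 2.4 kernel in the thread; on 2.6 and later it is
# nf_conntrack_ftp. With the helper loaded the data connection shows up as
# RELATED, so the explicit range rule is a belt-and-braces fallback.
ftp_rules() {
    lo=$1; hi=$2
    cat <<EOF
modprobe ip_conntrack_ftp
# control connection
iptables -A INPUT -p tcp --dport 21 -m state --state NEW -j ACCEPT
# passive data connections, range pinned in proftpd.conf (PassivePorts $lo $hi)
iptables -A INPUT -p tcp --dport $lo:$hi -m state --state NEW -j ACCEPT
# data connections the helper tied to a control connection, plus all replies
iptables -A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
EOF
}

# Usage: sh ftp-rules.sh show   (optionally with PASV_LO/PASV_HI in the env)
if [ "${1:-}" = "show" ]; then
    check_range "$PASV_LO" "$PASV_HI" \
        || echo "warning: $PASV_LO-$PASV_HI is not sane or overlaps the ephemeral range" >&2
    ftp_rules "$PASV_LO" "$PASV_HI"
fi
```

The script deliberately prints rather than applies: a firewall change on a live server is easier to review as text, and piping the output through `sh` as root is a separate, explicit step. If the client still hangs after login with these rules, comparing `pasv_port` on the server's actual 227 reply against the opened range shows immediately whether ProFTPD really picked up the `PassivePorts` setting.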


