iptables FTP and FORWARD just doesn't like my rules - Network



Thread: iptables FTP and FORWARD just doesn't like my rules

  1. iptables FTP and FORWARD just doesn't like my rules

    OS: Fedora Core 2
    Kernel: 2.6.10
    eth0 == internet
    eth1 == inside firewall

    We have a Linux firewall/router set up to allow access to set ports on our
    servers, like HTTP; HTTPS; etc. Everything is working correctly except
    passive FTP.

    For FTP I have the following rules....
    ....
    modprobe ip_tables
    modprobe ip_conntrack
    modprobe ip_conntrack_ftp
    ....
    /sbin/iptables -A FORWARD -i eth0 -o eth1 -p tcp --dport ftp -m state --state NEW,ESTABLISHED -j ACCEPT
    /sbin/iptables -A FORWARD -i eth1 -o eth0 -p tcp --sport ftp -m state --state ESTABLISHED,RELATED -j ACCEPT
    /sbin/iptables -A FORWARD -i eth0 -o eth1 -p tcp --dport ftp-data -m state --state ESTABLISHED,RELATED -j ACCEPT
    /sbin/iptables -A FORWARD -i eth1 -o eth0 -p tcp --sport ftp-data -m state --state ESTABLISHED,RELATED -j ACCEPT
    /sbin/iptables -A FORWARD -i eth0 -o eth1 -p tcp --sport $UNPRIVPORTS --dport $UNPRIVPORTS \
        -m state --state ESTABLISHED,RELATED -j ACCEPT
    /sbin/iptables -A FORWARD -i eth1 -o eth0 -p tcp --sport $UNPRIVPORTS --dport $UNPRIVPORTS \
        -m state --state ESTABLISHED,RELATED -j ACCEPT

    The only problem is that when someone tries to use passive FTP they are dropped.
    It's like the connection tracking is not working. What am I missing?

    Thanks,
    Roger





  2. Re: iptables FTP and FORWARD just doesn't like my rules

    On Tue, 02 Aug 2005 10:32:38 -0700, NomadPgmr wrote:

    > OS: Fedora Core 2
    > Kernel: 2.6.10
    > eth0 == internet
    > eth1 == inside firewall
    >
    > We have a Linux firewall/router set up to allow access to set ports on our
    > servers, like HTTP; HTTPS; etc. Everything is working correctly except
    > passive FTP.
    >
    > For FTP I have the following rules....
    > ...
    > modprobe ip_tables
    > modprobe ip_conntrack
    > modprobe ip_conntrack_ftp
    > ...
    > /sbin/iptables -A FORWARD -i eth0 -o eth1 -p tcp --dport ftp -m state --state NEW,ESTABLISHED -j ACCEPT
    > /sbin/iptables -A FORWARD -i eth1 -o eth0 -p tcp --sport ftp -m state --state ESTABLISHED,RELATED -j ACCEPT
    > /sbin/iptables -A FORWARD -i eth0 -o eth1 -p tcp --dport ftp-data -m state --state ESTABLISHED,RELATED -j ACCEPT
    > /sbin/iptables -A FORWARD -i eth1 -o eth0 -p tcp --sport ftp-data -m state --state ESTABLISHED,RELATED -j ACCEPT
    > /sbin/iptables -A FORWARD -i eth0 -o eth1 -p tcp --sport $UNPRIVPORTS --dport $UNPRIVPORTS \
    >     -m state --state ESTABLISHED,RELATED -j ACCEPT
    > /sbin/iptables -A FORWARD -i eth1 -o eth0 -p tcp --sport $UNPRIVPORTS --dport $UNPRIVPORTS \
    >     -m state --state ESTABLISHED,RELATED -j ACCEPT


    Mmm, I guess you're missing the high-ports sym I/O rules.
    Here's what I put in some of my iptables scripts:

    ### 2) Passive ftp.
    ### This involves a connection outbound from a port >1023 on the local machine, to a port >1023
    ### on the remote machine previously passed over the ftp channel via a PORT command. The
    ### ip_conntrack_ftp module recognizes the connection as RELATED to the original outgoing
    ### connection to port 21 so we don't need NEW as a state match.
    ###
    UP_PORTS="1024:65535"
    iptables -A INPUT -i ${IFACE} -p tcp --sport ${UP_PORTS} --dport ${UP_PORTS} \
    -m state --state ESTABLISHED -j ACCEPT
    iptables -A OUTPUT -o ${IFACE} -p tcp --sport ${UP_PORTS} --dport ${UP_PORTS} \
    -m state --state ESTABLISHED,RELATED -j ACCEPT
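What ip_conntrack_ftp is supposed to do for the data connection, as an added toy model (not code from this thread; the addresses, ports and the 227 reply are constructed): the helper parses the server's 227 reply on the tracked control channel, records an expectation for the data connection, and the SYN that matches it is classified RELATED, which is the state the high-port FORWARD rule above needs. Running it with and without the helper shows the verdict flip from ACCEPT to DROP.

```python
import re

# Constructed sample: a public client and an inside FTP server.
CLIENT, SERVER = "198.51.100.7", "192.0.2.10"
PASV_RE = re.compile(r"^227 .*?\((\d+),(\d+),(\d+),(\d+),(\d+),(\d+)\)")

def pasv_expectation(client_ip, reply_line):
    """Parse a 227 reply seen on the control channel and return the
    (src_ip, dst_ip, dst_port) tuple the helper would expect next."""
    m = PASV_RE.match(reply_line)
    if not m:
        return None
    h1, h2, h3, h4, p1, p2 = (int(x) for x in m.groups())
    return (client_ip, f"{h1}.{h2}.{h3}.{h4}", p1 * 256 + p2)

def classify(pkt, conns, expects):
    """State conntrack would assign to a SYN; pkt = (src_ip, sport, dst_ip, dport)."""
    if pkt in conns:
        return "ESTABLISHED"
    key = (pkt[0], pkt[2], pkt[3])
    if key in expects:            # matches an expectation created by the helper
        expects.discard(key)
        return "RELATED"
    return "NEW"

def forward_decision(pkt, state):
    """Roger's two relevant eth0->eth1 FORWARD rules; anything else hits the DROP policy."""
    high = range(1024, 65536)    # UNPRIVPORTS="1024:65535"
    if pkt[3] == 21 and state in ("NEW", "ESTABLISHED"):
        return "ACCEPT"
    if pkt[1] in high and pkt[3] in high and state in ("ESTABLISHED", "RELATED"):
        return "ACCEPT"
    return "DROP"

def passive_session(helper_loaded):
    """Walk one passive session; returns (control verdict, data state, data verdict)."""
    conns, expects = set(), set()
    ctrl = (CLIENT, 40001, SERVER, 21)
    ctrl_verdict = forward_decision(ctrl, classify(ctrl, conns, expects))
    conns.add(ctrl)                       # control channel is now tracked
    if helper_loaded:                     # ip_conntrack_ftp reads the 227 reply
        expects.add(pasv_expectation(CLIENT, "227 Entering Passive Mode (192,0,2,10,195,80)"))
    data = (CLIENT, 40002, SERVER, 195 * 256 + 80)
    state = classify(data, conns, expects)
    return ctrl_verdict, state, forward_decision(data, state)
```

The same model applies if the server sits behind DNAT on the firewall: the 227 reply then carries the server's untranslated address, so the ip_nat_ftp module is also needed to rewrite it, or the client is told to connect to an address it cannot reach.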



  3. Re: iptables FTP and FORWARD just doesn't like my rules - appears to be resolved

    Thanks for the response.
    In my rule set, UNPRIVPORTS="1024:65535".

    These two rules

    /sbin/iptables -A FORWARD -i eth0 -o eth1 -p tcp --sport $UNPRIVPORTS --dport $UNPRIVPORTS \
        -m state --state ESTABLISHED,RELATED -j ACCEPT
    /sbin/iptables -A FORWARD -i eth1 -o eth0 -p tcp --sport $UNPRIVPORTS --dport $UNPRIVPORTS \
        -m state --state ESTABLISHED,RELATED -j ACCEPT

    should cover what you mentioned. I also have rules similar to the above for
    input and output.

    I just found a tutorial which recommends using the following:
    /sbin/iptables -A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
    /sbin/iptables -A FORWARD -i eth0 -m state --state RELATED,ESTABLISHED -j ACCEPT
    /sbin/iptables -A OUTPUT -m state --state NEW,RELATED,ESTABLISHED -j ACCEPT
    /sbin/iptables -A FORWARD -i eth1 -m state --state NEW,RELATED,ESTABLISHED -j ACCEPT

    These are a lot simpler so I put those rules in instead and the problem is
    now gone, go figure. Simpler is good, especially when it works.

    Thanks again for the help,
    Roger






  4. Re: iptables FTP and FORWARD just doesn't like my rules

    Well, I thought this was resolved, but it wasn't.
    Any suggestions would be appreciated.





