Fixed it!
For information... I had the following rules:

iptables -A INPUT -p tcp -s <ftp client> --dport ftp -j ACCEPT
iptables -A INPUT -p tcp -s <ftp client> --dport ftp-data -j ACCEPT
iptables -A INPUT -p tcp -s <ftp client> -m state --state RELATED -j ACCEPT

but PASSIVE FTP wasn't working. Many packet dumps later, I realised the problem
was that the RELATED flag is only valid for the first packet. Hence ACTIVE FTP
worked ok, but PASSIVE FTP didn't because no subsequent packets were allowed
through the firewall. The solution was the following:

iptables -A INPUT -p tcp -s <ftp client> --dport ftp -j ACCEPT
iptables -A INPUT -p tcp -s <ftp client> -m state --state RELATED,ESTABLISHED -j ACCEPT

The first rule allows the FTP Control channel connection. The second rule
allows the SYN packet of the FTP Data channel (via the RELATED flag), then all
subsequent packets (which are part of an ESTABLISHED connection).

Regards,
Matt

> -----Original Message-----
> From: Matt Cooling
> Sent: 13 March 2002 2:41 PM
> To: [EMAIL PROTECTED]
> Subject: RE: FTP server firewall rules
>
> Thanks for the link. However, I already understand fully how the different
> FTP modes work. My problem lies with the iptables configuration required to
> implement this. I've tried using the RELATED rule below, but this doesn't
> seem to work.
>
> Do you know of any articles which detail how to allow incoming FTP
> connections, as opposed to allowing outgoing connections? Alternatively, can
> you see any problems with my original configuration?
>
> Thanks,
>
> Matt
>
> > -----Original Message-----
> > From: Joffer [mailto:[EMAIL PROTECTED]]
> > Sent: 12 March 2002 8:20 PM
> > To: Matt Cooling; [EMAIL PROTECTED]
> > Subject: Re: FTP server firewall rules
> >
> > For some reason this msg just wouldn't add '>' to the text, so I'll be
> > answering here instead, so I won't confuse myself or you ppl.
> >
> > I consider Active FTP a security threat, since it involves opening tcp
> > port 20 inbound on the firewall, since the ftp-server is initiating the
> > connection for the ftp-data.
> >
> > I recommend you read this document about Active FTP Vs Passive FTP, and
> > use Passive FTP.
> > http://www.slacksite.com/other/ftp.html
> >
> > If you trail that document, opening (and closing everything else) you
> > should fix it just fine.
> >
> > /Christopher Thorjussen
> >
> > ----- Original Message -----
> > From: "Matt Cooling" <[EMAIL PROTECTED]>
> > To: <[EMAIL PROTECTED]>
> > Sent: Tuesday, March 12, 2002 5:23 PM
> > Subject: FTP server firewall rules
> >
> > I'm running a webserver, which I have secured with iptables as follows:
> >
> > Chain INPUT (policy DROP)
> > target     prot opt source              destination
> > ACCEPT     tcp  --  <internal gateway>  anywhere      tcp dpt:ssh
> > ACCEPT     tcp  --  anywhere            anywhere      tcp dpt:http
> > ACCEPT     udp  --  <dns server>        anywhere      udp spt:domain
> >
> > I now want to give FTP access to specific IP addresses for uploading
> > content. I started using the following rules:
> >
> > iptables -A INPUT -p tcp -s <ftp client> --dport ftp -j ACCEPT
> > iptables -A INPUT -p tcp -s <ftp client> --dport ftp-data -j ACCEPT
> >
> > which allows ACTIVE FTP to work properly. However, I also want to allow
> > PASSIVE FTP, which I assumed would require the following rule:
> >
> > iptables -A INPUT -p tcp -s <ftp client> -m state --state RELATED -j ACCEPT
> >
> > Unfortunately this doesn't seem to work. I've checked that the module is
> > loaded:
> >
> > [root@testbox root]# cat /proc/modules
> > ip_conntrack_ftp        4096   0 (unused)
> > ipt_state               1152   1 (autoclean)
> > ip_conntrack           17068   2 (autoclean) [ip_conntrack_ftp ipt_state]
> > ...
> > iptable_filter          2272   0 (autoclean) (unused)
> > ip_tables              11424   2 [ipt_state iptable_filter]
> > ...
> >
> > I've reviewed some articles on the Internet; however, these are generally
> > oriented to protecting a box. Have I missed something basic, or should
> > this work?
> >
> > Thanks in advance,
> >
> > Matt
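As an added example (not part of the thread and not Matt's script), the script below puts the broken and the fixed rule sets from this exchange side by side in a form that can be dry-run before being applied. It uses the current `-m conntrack --ctstate` syntax in place of the older `-m state --state`, and it adds the explicit helper assignment in the raw table (`-j CT --helper ftp`) that kernels since 4.7 need because the FTP conntrack helper is no longer attached automatically (the `nf_conntrack_helper` sysctl defaults to 0). The client address `203.0.113.10`, the `DRY_RUN` variable and the helper functions are assumptions of this example.

```shell
#!/bin/sh
# Added example: passive-FTP INPUT rules with connection tracking.
# DRY_RUN=1 (default) prints the iptables commands; DRY_RUN=0 applies them (needs root).
# FTP_CLIENT is a constructed documentation address, not an address from the thread.
FTP_CLIENT="${FTP_CLIENT:-203.0.113.10}"
DRY_RUN="${DRY_RUN:-1}"

# Print or execute one iptables command depending on DRY_RUN.
ipt() {
    if [ "$DRY_RUN" = 1 ]; then
        echo "iptables $*"
    else
        iptables "$@"
    fi
}

# The rule set that failed in the thread: RELATED matches only the first packet
# of the data connection, so every later data packet hits the DROP policy.
ftp_rules_broken() {
    ipt -A INPUT -p tcp -s "$1" --dport 21 -j ACCEPT
    ipt -A INPUT -p tcp -s "$1" --dport 20 -j ACCEPT
    ipt -A INPUT -p tcp -s "$1" -m conntrack --ctstate RELATED -j ACCEPT
}

# The fixed rule set: RELATED admits the data-channel SYN that the ftp helper
# expected from the PASV exchange, ESTABLISHED admits the rest of both channels.
ftp_rules_fixed() {
    # Modern kernels do not attach the ftp helper by default; assign it explicitly.
    ipt -t raw -A PREROUTING -p tcp --dport 21 -j CT --helper ftp
    ipt -A INPUT -p tcp -s "$1" --dport 21 -m conntrack --ctstate NEW -j ACCEPT
    ipt -A INPUT -p tcp -s "$1" -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
}

# Return 0 if the FTP conntrack helper module is loaded, under either its
# old (ip_conntrack_ftp) or current (nf_conntrack_ftp) name. The optional
# argument points at an alternative modules file, used for offline checks.
ftp_helper_loaded() {
    grep -qE '^(nf|ip)_conntrack_ftp[[:space:]]' "${1:-/proc/modules}"
}

# Return 0 if a rule set (given as text) accepts packets beyond the first
# one of the data connection, i.e. matches the ESTABLISHED state.
rules_allow_established() {
    printf '%s\n' "$1" | grep -q 'ESTABLISHED'
}

# Stand-alone run: show the fixed rules and warn if the helper is missing.
ftp_rules_fixed "$FTP_CLIENT"
ftp_helper_loaded || echo "warning: nf_conntrack_ftp is not loaded; run modprobe nf_conntrack_ftp" >&2
```

Run it as `DRY_RUN=0 sh ftp-rules.sh` (as root) to apply; leave `DRY_RUN` unset to review the commands first. The rules are still restricted to the single client address, as in the thread, so only that host can reach the control port at all; the `RELATED,ESTABLISHED` rule then lets the tracker, not a fixed port number, decide which data connections belong to that session.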