I was curious about that too!
I'm not sure, but I think the option '--state' will do the trick.
Here's what iptables-manual said about it:

state
    This module, when combined with connection tracking, allows access to the
    connection tracking state for this packet.

    --state state
        Where state is a comma separated list of the connection states to
        match. Possible states are INVALID meaning that the packet could not
        be identified for some reason which includes running out of memory
        and ICMP errors which don't correspond to any known connection,
        ESTABLISHED meaning that the packet is associated with a connection
        which has seen packets in both directions, NEW meaning that the
        packet has started a new connection, or otherwise associated with a
        connection which has not seen packets in both directions, and
        RELATED meaning that the packet is starting a new connection, but is
        associated with an existing connection, such as an FTP data transfer,
        or an ICMP error.

So apparently, there has to be something with 'connection tracking'.

--

Geert Janssens wrote:
Peter-Paul,

Thank you for the update. As I said, I didn't know.

In our specific case, it doesn't matter whether or not iptables is capable of 
it. Our ftp server negotiates TLS before any data connection is set up. By 
definition, the secured TLS connection can't be tracked, so the firewall has 
no idea which port to open. As a result we implemented a solution that opens 
a limited range of harmless ports in order to get ftps working.

I am curious in general though, does iptables perform this stateful packet 
inspection by default, or is there some configuration required for it?

Regards,

Geert

On Tuesday 29 August 2006 15:31, Peter-Paul wrote:
  
One humble remark: (as reply to Geert),
IPTables is in fact 'that smart' to recognize passive ftp initiations.
IPTables is able to do stateful packet inspection.
(I quote): "This means that the firewall keeps track of each connection
passing through it and in certain cases will view the contents of data
flows in an attempt to anticipate the next action of certain protocols.
This is an important feature in the support of active FTP and DNS, as
well as many other network services."

--

Geert Janssens wrote:
    
On Tuesday 29 August 2006 14:37, Eric Dunbar wrote:
      
I think I've got the basics down (allow/deny ports/protocol/single IP
address), but, frankly, I don't think my server is any more secure
than it was before (at the moment, that is).

I already had a router in front of the server and until recently it
only redirected requests (a few ports, including 80 and 443) to apache
on the server (now also port 21).
        
You may need to redirect more ports for ftp, depending on the type of ftp
you will allow (active or passive). Port 21 is the control channel for
ftp. It is used (among others) to negotiate which port to use for the
data channel. This is usually a random, unused port above 1024. Your
firewall will have to open this port somehow as well.
I believe with passive ftp, this data port should be open on the server as
the client will try to connect to that port, while with active ftp, it's
the server trying to connect to the data port on the client.
Some firewalls are 'ftp-aware' meaning they monitor ftp connections to the
control port (21), in order to sniff out the future data port, and open it
dynamically. I could be wrong, but I don't think iptables is that smart.
You can google for it.
If not, you can try if active ftp suits your needs (this means, your
client hosts and their firewalls are capable of it). In the worst case,
you will have to figure out if vsftpd has a way to configure which ports
can be set for passive ftp, so you can open a limited range via iptables.
I don't know if vsftpd can do this. I'm using proftpd here (on fedora),
and that one has this option.

      
I guess now I've blocked access to one IP (though, it's easy to change
IPs if you're not static) but I couldn't figure out how to specify a
range for the IP "source address or network" using trial and error in
WebMin (it didn't like "192.1.1.*" or "192.1.1.1-192.1.1.5" or
"192.1.1."). The man page for iptables didn't help me figure out the
formatting either (I'm not sure whether this is indeed the option that
will allow me to specify a range of IPs or my own little network
(192.168.0.*):
        
A range would be specified as 192.1.1.0/24 or 192.1.1.0/255.255.255.0
(instead of 192.1.1.*). Similarly your own little network would become
192.168.0.0/24 or 192.168.0.0/255.255.255.0.
The /xx indicates the number of 1 bits in your network mask. So a
network mask of 255.255.255.0 translates into 24, 255.255.0.0 would be 16,
255.255.255.255 would be 32 and so on.

Hopefully this helps you along with the network range specifications for
iptables.

Regards,

Geert
_______________________________________________
yellowdog-general mailing list
[email protected]
http://lists.terrasoftsolutions.com/mailman/listinfo/yellowdog-general
HINT: to Google archives, try  '<keywords> site:terrasoftsolutions.com'

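The two practical points raised in this thread, the `--state` match with connection tracking for the FTP data channel and the CIDR notation for a source range, put together as an added example; this is not code from any poster. It assumes a constructed setup: the management LAN is 192.168.0.0/24, the FTP daemon has been configured to use passive ports 50000-50050, and `DRY_RUN=1` prints each command instead of executing it (the only mode that does not need root or an `iptables` binary). `mask_to_prefix` is a hypothetical helper that converts the dotted netmask form Geert mentions into the prefix form, rejecting non-contiguous masks.

```shell
#!/bin/sh
# Added example (not from any poster in the thread): a stateful iptables
# ruleset for an FTP server plus a netmask-to-prefix converter.
# Constructed assumptions: LAN 192.168.0.0/24, passive range 50000-50050,
# DRY_RUN=1 prints the commands instead of running them.

LAN_NET="${LAN_NET:-192.168.0.0/24}"
PASV_RANGE="${PASV_RANGE:-50000:50050}"   # must match the daemon's passive range

# mask_to_prefix 255.255.255.0 -> 24
# Counts the 1 bits of a dotted netmask, so 192.1.1.0/255.255.255.0 and
# 192.1.1.0/24 describe the same range. Masks with host bits followed by
# network bits (e.g. 255.0.255.0) are rejected with a non-zero status.
mask_to_prefix() {
    # Split on dots into positional parameters (default IFS splits on spaces).
    set -- $(printf '%s' "$1" | tr '.' ' ')
    [ $# -eq 4 ] || return 1
    _bits=0
    _host_part=0   # becomes 1 once an octet below 255 has been seen
    for _octet in "$@"; do
        case "$_octet" in
            255) _n=8 ;; 254) _n=7 ;; 252) _n=6 ;; 248) _n=5 ;;
            240) _n=4 ;; 224) _n=3 ;; 192) _n=2 ;; 128) _n=1 ;;
            0)   _n=0 ;; *) return 1 ;;
        esac
        # Once host bits have appeared, every later octet must be all host bits.
        [ $_host_part -eq 0 ] || [ $_n -eq 0 ] || return 1
        [ $_n -eq 8 ] || _host_part=1
        _bits=$((_bits + _n))
    done
    printf '%s\n' "$_bits"
}

# Execute a command, or print it when DRY_RUN is set.
run() {
    if [ -n "$DRY_RUN" ]; then
        printf '%s\n' "$*"
    else
        "$@"
    fi
}

ftp_rules() {
    # Plain FTP: the conntrack FTP helper reads the PASV/PORT exchange on the
    # control channel and marks the resulting data connection RELATED, so it
    # is matched by the ESTABLISHED,RELATED rule below without a static hole.
    # (Module name on current kernels; 2006-era kernels call it ip_conntrack_ftp.)
    run modprobe nf_conntrack_ftp

    run iptables -F INPUT
    run iptables -P INPUT DROP
    run iptables -A INPUT -i lo -j ACCEPT
    # Packets belonging to tracked connections, including helper-derived FTP
    # data connections. INVALID packets are dropped rather than accepted.
    run iptables -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
    run iptables -A INPUT -m state --state INVALID -j DROP
    # FTP control channel from anywhere.
    run iptables -A INPUT -p tcp --dport 21 -m state --state NEW -j ACCEPT
    # FTPS: the helper cannot read the TLS-protected control channel, so the
    # daemon's fixed passive range is opened explicitly (Geert's approach).
    run iptables -A INPUT -p tcp --dport "$PASV_RANGE" -m state --state NEW -j ACCEPT
    # Management (ssh) only from the local network, as a CIDR source range.
    run iptables -A INPUT -p tcp --dport 22 -s "$LAN_NET" -m state --state NEW -j ACCEPT
}

case "${1:-}" in
    show)  DRY_RUN=1; ftp_rules ;;
    apply) ftp_rules ;;
esac
```

Run `sh script.sh show` to review the generated rules, and `apply` (as root) to install them. The passive range must be the one the daemon actually uses; in vsftpd.conf that is set with `pasv_min_port` and `pasv_max_port`, which answers the open question about vsftpd in the thread. The explicit passive-range rule is only needed when the control channel is encrypted (or the helper module is unavailable); for plain FTP the RELATED match covers the data connection.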
