iptables question for the experts
Ben Scott
dragonhawk at gmail.com
Tue Jul 18 07:10:01 EDT 2006
On 7/17/06, Dan Coutu <coutu at snowy-owl.com> wrote:
> I am expecting that following line opens traffic to the remote server on
> whatever port passive mode ftp chooses to use:
Are these iptables rules on the FTP client, or the FTP server?
I will assume the FTP server. I'll also assume 64.39.2.176 is the
IP address of the FTP client.
You will need two rules on the FTP server:
iptables -A INPUT -s 64.39.2.176 -p tcp --dport ftp -j ACCEPT
iptables -A INPUT -s 64.39.2.176 -m state --state ESTABLISHED,RELATED -j ACCEPT
In the above, the first rule allows your FTP client to open
connections to the FTP server on the port reserved for the FTP control
channel (TCP/21). The second rule allows any traffic which is (1)
part of an already-established session or (2) related to an
already-established session. "Session" is a magic word implemented by
the various "conntrack" modules. In this case, that will be all the
rest of the FTP traffic.
> I am expecting that following line opens traffic to the remote server on
> whatever port passive mode ftp chooses to use:
>
> -A INPUT -s 64.39.2.176 -p tcp -m tcp --sport 1:65535 --dport 1:65535 -m \
> state --state ESTABLISHED -j ACCEPT
Your expectations are wrong. ;-)
First, not specifying a port does the same thing as specifying a
range of 1:65535 (but not specifying a port might be more efficient).
So we can rewrite that as:
-A INPUT -s 64.39.2.176 -p tcp -m state --state ESTABLISHED -j ACCEPT
The above just allows packets which are part of already-established
sessions through. It is generally used when your rule sets are very
specific about initial connection attempts. This isn't one of those.
:) In particular, the FTP data channel is not considered an
"established" session, but a "related" one. See above.
> The next line immediately follows it in the iptables config file and it
> allows basic ftp traffic in the first place.
>
> -A INPUT -p tcp --sport 21 -m state --state ESTABLISHED -j ACCEPT
The FTP control channel will come from an ephemeral source port.
The *destination* port will be 21.
Further, since you specify ESTABLISHED, that rule will only apply to
sessions which are *already* connected. There's nothing to allow
initial connects in the first place.
> When I use wget to test the fetch operation I see it establish a
> connection successfully, go into passive mode, and time out.
If wget is actually making a successful control connection to the
FTP server, I'd remove your two FTP rules, and try again. It may
behave the same. Your firewall may not be doing what you think it
is doing.
-- Ben
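As an added illustration that is not part of the thread, here is a small Python checker that applies the three points made in the reply to iptables-save style rules: a rule matching the control channel on --sport 21 instead of --dport 21, an ESTABLISHED-only state match that will never admit the RELATED passive data connection, and the absence of any rule that admits the initial connection to TCP/21. The sample rule sets are reconstructed from the quoted lines and the suggested replacement; note that matching the data channel as RELATED also assumes the kernel's FTP conntrack helper is loaded.

```python
import shlex

# Constructed sample: the original poster's two FTP rules, rejoined onto single lines.
POSTED_RULES = """
-A INPUT -s 64.39.2.176 -p tcp -m tcp --sport 1:65535 --dport 1:65535 -m state --state ESTABLISHED -j ACCEPT
-A INPUT -p tcp --sport 21 -m state --state ESTABLISHED -j ACCEPT
"""

# Constructed sample: the two rules suggested in the reply (server side).
FIXED_RULES = """
-A INPUT -s 64.39.2.176 -p tcp --dport ftp -j ACCEPT
-A INPUT -s 64.39.2.176 -m state --state ESTABLISHED,RELATED -j ACCEPT
"""

def parse_rule(line):
    """Turn one iptables-save line into a dict of the options this check cares about."""
    toks = shlex.split(line)
    rule = {"chain": None, "target": None, "states": set()}
    i = 0
    while i < len(toks):
        t = toks[i]
        if t == "-A":
            rule["chain"] = toks[i + 1]; i += 2
        elif t == "-j":
            rule["target"] = toks[i + 1]; i += 2
        elif t == "--state":
            rule["states"] = set(toks[i + 1].split(",")); i += 2
        elif t in ("-s", "-p", "-m", "--sport", "--dport"):
            rule[t] = toks[i + 1]; i += 2
        else:
            i += 1
    return rule

def lint_ftp_rules(text):
    """Return a list of findings for INPUT/ACCEPT rules meant to admit an FTP client."""
    rules = [parse_rule(l) for l in text.strip().splitlines() if l.strip()]
    findings, accepts_new_control = [], False
    for r in rules:
        if r["chain"] != "INPUT" or r["target"] != "ACCEPT":
            continue
        if r.get("--sport") == "21":
            findings.append("control channel matched on --sport 21; on the server it arrives on --dport 21")
        if r["states"] == {"ESTABLISHED"}:
            findings.append("ESTABLISHED without RELATED: the passive data connection is RELATED, not ESTABLISHED")
        # A rule with no state match, or one that includes NEW, admits the first SYN to the control port.
        if r.get("--dport") in ("21", "ftp") and (not r["states"] or "NEW" in r["states"]):
            accepts_new_control = True
    if not accepts_new_control:
        findings.append("no rule admits the initial connection to TCP/21")
    return findings
```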