iptables question for the experts

Steven W. Orr steveo at syslang.net
Tue Jul 18 12:33:01 EDT 2006


On Tuesday, Jul 18th 2006 at 07:09 -0400, quoth Ben Scott:

=>On 7/17/06, Dan Coutu <coutu at snowy-owl.com> wrote:
=>> I am expecting that following line opens traffic to the remote server on
=>> whatever port passive mode ftp chooses to use:
=>
=> Are these iptables rules on the FTP client, or the FTP server?
=>
=> I will assume the FTP server.  I'll also assume 64.39.2.176 is the
=>IP address of the FTP client.
=>
=> You will need two rules on the FTP server:
=>
=>iptables -A INPUT -s 64.39.2.176 -p tcp --dport ftp -j ACCEPT
=>iptables -A INPUT -s 64.39.2.176 -m state --state ESTABLISHED,RELATED -j
=>ACCEPT
=>
=> In the above, the first rule allows your FTP client to open
=>connections to the FTP server on the port reserved for the FTP control
=>channel (TCP/21).  The second rule allows any traffic which is (1)
=>part of an already-established session or (2) related to an
=>already-established session.  "Session" is a magic word implemented by
=>the various "conntrack" modules.  In this case, that will be all the
=>rest of the FTP traffic.
=>
=>> I am expecting that following line opens traffic to the remote server on
=>> whatever port passive mode ftp chooses to use:
=>> 
=>> -A INPUT -s 64.39.2.176 -p tcp -m tcp --sport 1:65535 --dport 1:65535 -m \
=>> state --state ESTABLISHED -j ACCEPT
=>
=> Your expectations are wrong.  ;-)
=>
=> First, not specifying a port does the same thing as specifying a
=>range of 1:65535 (but not specifying a port might be more efficient).
=>So we can rewrite that as:
=>
=>-A INPUT -s 64.39.2.176 -p tcp -m state --state ESTABLISHED -j ACCEPT
=>
=> The above just allows packets which are part of already-established
=>sessions through.  It is generally used when your rule sets are very
=>specific about initial connection attempts.  This isn't one of those.
=>:)  In particular, the FTP data channel is not considered an
=>"established" session, but a "related" one.  See above.
=>
=>> The next line immediately follows it in the iptables config file and it
=>> allows basic ftp traffic in the first place.
=>> 
=>> -A INPUT -p tcp --sport 21 -m state --state ESTABLISHED -j ACCEPT
=>
=> The FTP control channel will come from an ephemeral source port.
=>The *destination* port will be 21.
=>
=> Further, since you specify ESTABLISHED, that rule will only apply to
=>sessions which are *already* connected.  There's nothing to allow
=>initial connects in the first place.
=>
=>> When I use wget to test the fetch operation I see it establish a
=>> connection successfully, go into passive mode, and time out.
=>
=> If wget is actually making a successful control connection to the
=>FTP server, I'd remove your two FTP rules, and try again.  It may
=>behave the same.  Your firewall may not be doing what you think it
=>is doing.
=>
=>-- Ben

Also, don't you need to have ip_conntrack loaded to deal with ftp?
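As an added illustration (not part of the thread, and not the kernel's own code), here is a small Python model of what Ben describes: conntrack classifies each packet as NEW, ESTABLISHED or RELATED, and the FTP helper turns the server's "227 Entering Passive Mode" reply into an expectation so the data connection counts as RELATED rather than ESTABLISHED. The two rule sets from the thread are rewritten as predicates over (packet, state); the client address is the one from the thread, the server address 192.0.2.10 and the port numbers are constructed for the example, and the whole conntrack model is a deliberate simplification (no TCP state machine, no timeouts, no reverse-direction rules).

```python
import re
from dataclasses import dataclass

# Client address is the one from the thread; server address and ports are
# constructed for this example (192.0.2.0/24 is a documentation range).
CLIENT = "64.39.2.176"
SERVER = "192.0.2.10"

# "227 Entering Passive Mode (h1,h2,h3,h4,p1,p2)": the reply the FTP conntrack
# helper parses to learn where the data connection will go.
PASV_RE = re.compile(r"227 .*?\((\d+),(\d+),(\d+),(\d+),(\d+),(\d+)\)")


@dataclass(frozen=True)
class Packet:
    src: str
    sport: int
    dst: str
    dport: int
    payload: str = ""


class Conntrack:
    """Toy stand-in for netfilter conntrack plus the FTP helper (simplified)."""

    def __init__(self, ftp_helper: bool):
        self.ftp_helper = ftp_helper
        self.flows = set()          # confirmed 4-tuples; either direction matches
        self.expectations = set()   # (client, server, data_port) learned from PASV

    def classify(self, pkt: Packet) -> str:
        key = (pkt.src, pkt.sport, pkt.dst, pkt.dport)
        rev = (pkt.dst, pkt.dport, pkt.src, pkt.sport)
        if key in self.flows or rev in self.flows:
            return "ESTABLISHED"
        if (pkt.src, pkt.dst, pkt.dport) in self.expectations:
            return "RELATED"
        return "NEW"

    def confirm(self, pkt: Packet) -> None:
        """Record a flow once its packet was let through; the helper also
        inspects control-channel payload (source port 21) for a PASV reply."""
        self.flows.add((pkt.src, pkt.sport, pkt.dst, pkt.dport))
        self.expectations.discard((pkt.src, pkt.dst, pkt.dport))
        if self.ftp_helper and pkt.sport == 21:
            m = PASV_RE.search(pkt.payload)
            if m:
                h1, h2, h3, h4, p1, p2 = map(int, m.groups())
                host = f"{h1}.{h2}.{h3}.{h4}"
                self.expectations.add((pkt.dst, host, p1 * 256 + p2))


# The thread's rule sets as (description, predicate). First match wins.
DAN_RULES = [
    ("-s CLIENT -p tcp -m state --state ESTABLISHED -j ACCEPT",
     lambda p, s: p.src == CLIENT and s == "ESTABLISHED"),
    ("-p tcp --sport 21 -m state --state ESTABLISHED -j ACCEPT",
     lambda p, s: p.sport == 21 and s == "ESTABLISHED"),
]
BEN_RULES = [
    ("-s CLIENT -p tcp --dport ftp -j ACCEPT",
     lambda p, s: p.src == CLIENT and p.dport == 21),
    ("-s CLIENT -m state --state ESTABLISHED,RELATED -j ACCEPT",
     lambda p, s: p.src == CLIENT and s in ("ESTABLISHED", "RELATED")),
]


def input_chain(rules, pkt: Packet, state: str, policy: str = "DROP") -> str:
    """Walk the INPUT chain; fall through to the chain policy on no match."""
    for _desc, match in rules:
        if match(pkt, state):
            return "ACCEPT"
    return policy


def passive_ftp_session(rules, ftp_helper: bool = True) -> dict:
    """Replay the packets the FTP server's INPUT chain sees for one
    passive-mode fetch and return the verdict for each inbound SYN."""
    ct = Conntrack(ftp_helper)
    verdicts = {}

    # 1. Control channel: ephemeral client port -> TCP/21, state NEW.
    ctl_syn = Packet(CLIENT, 40123, SERVER, 21)
    verdicts["control_syn"] = input_chain(rules, ctl_syn, ct.classify(ctl_syn))
    if verdicts["control_syn"] != "ACCEPT":
        verdicts["data_syn"] = "never sent"   # client never got past the login
        return verdicts
    ct.confirm(ctl_syn)

    # 2. Server's PASV reply leaves via OUTPUT (not filtered here) but conntrack
    #    still sees it; the helper learns data port 195*256 + 80 = 50000.
    pasv_reply = Packet(SERVER, 21, CLIENT, 40123,
                        payload="227 Entering Passive Mode (192,0,2,10,195,80)")
    ct.confirm(pasv_reply)

    # 3. Data channel: a brand-new TCP connection to the advertised port.
    data_syn = Packet(CLIENT, 40124, SERVER, 50000)
    verdicts["data_syn"] = input_chain(rules, data_syn, ct.classify(data_syn))
    return verdicts


if __name__ == "__main__":
    print("Dan's rules:           ", passive_ftp_session(DAN_RULES))
    print("Ben's rules, helper:   ", passive_ftp_session(BEN_RULES))
    print("Ben's rules, no helper:", passive_ftp_session(BEN_RULES, ftp_helper=False))
```

Running it shows the three cases from the thread side by side: Dan's rules drop even the control SYN (nothing matches NEW), Ben's rules accept both SYNs because the data connection is classified RELATED, and Ben's rules without the helper drop the data SYN because it is merely NEW. That last case is Steven's point: the RELATED classification only exists if the FTP helper (ip_conntrack_ftp on a 2006 kernel, nf_conntrack_ftp on later ones) is loaded alongside conntrack.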