Comments on: Iptables Connection Tracking - FTP

By: Marcello Fontolan

Marcello Fontolan — Sat, 09 Jun 2007 13:53:05 +0000

There is no problem for me with external connections to my server but trying configure a very closed internal network, with all ports close except the necessary ones, FTP does not work.
I try create special rules to handle FTP but the download does not starts.
Any help???

(CLIENTS is a FORWARD chain)
-A CLIENTS -p tcp -m tcp -m multiport -s 192.168.0.0/16 –dports 21,443,1863 -j ACCEPT
-A CLIENTS -p tcp -m tcp -m multiport -d 192.168.0.0/16 –sports 21,443,1863 -j ACCEPT
-A CLIENTS -p tcp -m tcp -m state -s 192.168.0.0/16 –dport 20 –state ESTABLISHED -j ACCEPT
-A CLIENTS -p tcp -m tcp -m state -d 192.168.0.0/16 –sport 20 –state ESTABLISHED,RELATED -j ACCEPT

By: Nathan Eady

Nathan Eady — Thu, 17 May 2007 16:45:11 +0000

That passive ftp rule scares me as well. It just feels too general, like it allows (potentially) more than I really need to allow. I know it’s the client making the connection out, and I understand that RELATED means *something* that’s allowed has indicated it, but I would really feel much better about it if I could say something along the lines of -m state –state RELATED -m relatedto –relatedto ftp (with a separate rule for ESTABLISHED traffic).

I know, call me paranoid, but isn’t it the network administrator’s *job* to be paranoid about such things?

By: Chris Cruft » Blog Archive » More FTP failure investigation

Chris Cruft » Blog Archive » More FTP failure investigation — Sat, 28 Oct 2006 22:19:58 +0000

[...] http://www.sns.ias.edu/~jns/wp/2006/01/24/iptables-how-does-it-work/?p=20 [...]

By: Paul Rogers

Paul Rogers — Sun, 13 Aug 2006 05:31:14 +0000

I was using your rules for ftp, active mode, and did a simple “ls”, causing the following:
Aug 12 12:53:35 panda kernel: firewall: IN=eth0 OUT= MAC=00:a0:24:0e:48:8e:00:10:5a:09:5e:45:08:00 SRC=64.50.236.52 DST=192.168.1.110 LEN=60 TOS=0×00 PREC=0×00 TTL=54 ID=65353 DF PROTO=TCP SPT=60683 DPT=1042 WINDOW=5840 RES=0×00 SYN URGP=0

I found adding RELATED to the INPUT for the ephemeral ports fixed it, but I’m not too happy about it. It would seem to open up ports which might be used by other connections, say bad websites. (Yep, it’s related to the connection on port 80, let it through.) I’m wondering if the ftp connections could use conntrack marks to separate them from everything else that might try to use the ephemeral ports and should be dropped.

By: David Gabel

David Gabel — Mon, 15 May 2006 14:15:15 +0000

One more note here: To put it on a firewall with NAT you have to add all these rule also to the FORWARD chain.

By: James Stephens

James Stephens — Sat, 25 Mar 2006 20:19:10 +0000

Hello.

All you have to do is swap INPUT for OUTPUT and vice versa in the above rules for the case where the ftp server is local.

Best,
James

By: FNC

FNC — Sat, 25 Mar 2006 10:46:21 +0000

I believe this rules apply to a client trying to ftp an external server.
What would be the rules for the opposite case? I’m running an FTP server and firewall is dropping the passive connetion data packets…

By: James Stephens

James Stephens — Wed, 22 Feb 2006 11:00:56 +0000

Jarry,

You’re absolutely right. I missed off a : there. At least it was correct it was correct in the downloadable ruleset.

It should be — sport etc like you say. The html formatting is making two dashes together look like one. I managed to tweak it to get a longer dash and I hope people will realise it is meant to be two …. c’est la vie.

Thanks very much for picking up on these things.

Best,

James

By: Jarry

Jarry — Wed, 22 Feb 2006 08:57:35 +0000

In passive-ftp connection tracking rules you have small error:

instead of
iptables -A OUTPUT -p tcp –sport 1024: –dport 1024 -m state –state ESTABLISHED,RELATED -j ACCEPT

there should be (I think)
iptables -A OUTPUT -p tcp –sport 1024: –dport 1024: -m state –state ESTABLISHED,RELATED -j ACCEPT

Otherwise only single dport 1024 would be valid. BTW, I’m not sure, but should not it be –dport / –sport / –state? With double “–”, not single “-”…