solarium_rider (Tux's lil' helper)
Joined: 23 Jun 2003 Posts: 88 Location: San Francisco
Posted: Thu Jul 31, 2003 1:18 am Post subject: iptables+ftp+nonstandard port
Having problems getting iptables to work correctly with connection tracking and FTP on a nonstandard port. No NAT involved (on the server side, anyway).
So I follow the same format as the iptables posted in the Gentoo security guide: http://www.gentoo.org/doc/en/gentoo-security.xml#doc_chap6
and my code looks like this:
Code:
```
einfo "Creating incoming ftp traffic chain"
/sbin/iptables -N allow-ftp-traffic-in
/sbin/iptables -F allow-ftp-traffic-in
/sbin/iptables -A allow-ftp-traffic-in -i eth0 -p tcp --dport 7000 -j ACCEPT
#passive rule
/sbin/iptables -A allow-ftp-traffic-in -i eth0 -p tcp --sport 1024:65535 --dport 1024:65535 -m state --state RELATED,ESTABLISHED -j ACCEPT
```
Then I add that chain later like this:
Code:
```
# Apply and add invalid states to the chains
einfo "Applying chains to INPUT"
/sbin/iptables -A INPUT -m state --state INVALID -j DROP
#/sbin/iptables -A INPUT -j icmp_allowed
#/sbin/iptables -A INPUT -j check-flags
/sbin/iptables -A INPUT -i lo -j ACCEPT
/sbin/iptables -A INPUT -j allow-ssh-traffic-in
/sbin/iptables -A INPUT -j allow-http-traffic-in
/sbin/iptables -A INPUT -j allow-ftp-traffic-in
/sbin/iptables -A INPUT -j allowed-connection
```
So basically I'm running it on port 7000, then I want to accept passive connections on all ports above 1023. It's not using ip_conntrack_ftp, though I have it compiled as a module. I tried loading it with modprobe and it didn't make a difference.
So I can connect to the server, but when I try to list (and thus use passive mode) it doesn't work.
Thanks,
-Chris
puddpunk (l33t)
Joined: 20 Jul 2002 Posts: 681 Location: New Zealand
Posted: Thu Jul 31, 2003 1:56 am Post subject: Re: iptables+ftp+nonstandard port
solarium_rider wrote:
Code:
```
einfo "Creating incoming ftp traffic chain"
/sbin/iptables -N allow-ftp-traffic-in
/sbin/iptables -F allow-ftp-traffic-in
/sbin/iptables -A allow-ftp-traffic-in -i eth0 -p tcp --dport 7000 -j ACCEPT
#passive rule
/sbin/iptables -A allow-ftp-traffic-in -i eth0 -p tcp --sport 1024:65535 --dport 1024:65535 -m state --state RELATED,ESTABLISHED -j ACCEPT
```
Hey mate,
IANAIE (I am not an IPTables Expert) but if you want to use connection tracking, instead of loading the module state (-m state) you load the module "conntrack" (-m conntrack). And then, instead of passing --state, you pass --ctstate. So the last line might look something like this:
Code:
```
/sbin/iptables -A allow-ftp-traffic-in -i eth0 -p tcp --sport 1024:65535 --dport 1024:65535 -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
```
I have to admit that I don't understand the connection tracking module completely, nor do I fully understand what you're trying to do with it, but that was something I remember tripping me up in my little experiment with conntrack.
Hope that helps,
Chris.
solarium_rider (Tux's lil' helper)
Joined: 23 Jun 2003 Posts: 88 Location: San Francisco
Posted: Thu Jul 31, 2003 2:13 am Post subject:
Okay, I think I'm headed towards the right track. I tried your suggestion, but it still didn't work. I'm still open to suggestions.
-chris
69link (n00b)
Joined: 18 Apr 2003 Posts: 53 Location: Sweden
Posted: Thu Jul 31, 2003 7:01 am Post subject:
Maybe these lines would do the trick?
Code:
```
modprobe ip_conntrack
modprobe ip_conntrack_ftp ports=21,7000
modprobe ip_nat_ftp ports=21,7000
```
You can get a lot of ideas by looking at the firewall script at: http://www.kurd.nu/
solarium_rider (Tux's lil' helper)
Joined: 23 Jun 2003 Posts: 88 Location: San Francisco
Posted: Thu Jul 31, 2003 8:22 am Post subject:
I added
Code:
```
modprobe ip_conntrack_ftp ports=7000
```
and that seemed to do the trick. Thanks,
-Chris
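The fix above works because ip_conntrack_ftp only reads the control channel on the ports it is told about, so with the default port list a PASV reply sent over port 7000 is never parsed and the data connection never becomes RELATED. The following added example (not code from this thread, and not the kernel module) is a small Python model of that behaviour: a helper that parses PASV/PORT endpoints only on its configured ports, and the thread's passive rule, which accepts a data connection only when the helper has marked it RELATED. The FtpHelper class, its port list and the sample addresses are constructed for illustration.

```python
import re

# Simplified model of the ip_conntrack_ftp helper. "ports" mirrors the
# module's ports= parameter; everything else is a teaching simplification.
PASV_RE = re.compile(r"^227 .*\((\d+),(\d+),(\d+),(\d+),(\d+),(\d+)\)")
PORT_RE = re.compile(r"^PORT (\d+),(\d+),(\d+),(\d+),(\d+),(\d+)$")


def _endpoint(groups):
    """Turn h1,h2,h3,h4,p1,p2 into ("h1.h2.h3.h4", p1*256+p2); None if out of range."""
    nums = [int(g) for g in groups]
    if any(n > 255 for n in nums):
        return None
    ip = ".".join(str(n) for n in nums[:4])
    return ip, nums[4] * 256 + nums[5]


class FtpHelper:
    """Inspects FTP control traffic on `ports` and records expected data connections."""

    def __init__(self, ports=(21,)):          # default: only port 21, like the module
        self.ports = set(ports)
        self.expectations = set()             # (ip, port) pairs that will be RELATED

    def inspect(self, control_port, line):
        """Feed one control-channel line; return the registered data endpoint or None."""
        if control_port not in self.ports:    # control channel not inspected at all
            return None
        m = PASV_RE.match(line) or PORT_RE.match(line)
        if not m:
            return None
        ep = _endpoint(m.groups())
        if ep:
            self.expectations.add(ep)
        return ep

    def state_of(self, ip, port):
        """Conntrack state a fresh SYN to (ip, port) would receive."""
        return "RELATED" if (ip, port) in self.expectations else "NEW"


def passive_rule_accepts(helper, ip, port):
    """Models the thread's passive rule: --dport 1024:65535 --state RELATED,ESTABLISHED."""
    return 1024 <= port <= 65535 and helper.state_of(ip, port) in ("RELATED", "ESTABLISHED")
```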