Gentoo Forums: Networking & Security
ProFTPd + iptables (again!)
KaterGonzo
Apprentice
Joined: 01 Apr 2004
Posts: 155

Posted: Mon Feb 18, 2013 10:00 am    Post subject: ProFTPd + iptables (again!)

Sorry for my question, but I've been searching for some days to resolve my problem. The hints in this forum don't help.

I'm trying to get proftpd working with iptables. If I disable iptables, I can establish an FTP connection. So the problem depends on the iptables configuration.

I found information about the destination port in the iptables log, so I added it to my iptables config. Without success.

Here is the necessary information about my system:

Code:
*
*
* General
*
*
# uname -a
Linux websrv-gentoo-PD945 2.6.34-gentoo-r6 #7 SMP Mon Dec 13 18:57:54 CET 2010 x86_64 Intel(R) Pentium(R) D CPU 3.40GHz GenuineIntel GNU/Linux

# proftpd --version
ProFTPD Version 1.3.3g

*
*
* ProFTP
*
*
# cat /etc/proftpd/proftpd.conf
ServerName          "Something hiereds"
ServerType          standalone
DefaultServer       on
RequireValidShell   off
AuthPAM             off
AuthPAMConfig       ftp
# Port 21 is the standard FTP port.
Port                            21

# Passive Ports
PassivePorts                  49152 65534

# Umask 022 is a good standard umask to prevent new dirs and files
# from being group and world writable.
Umask                           022

MaxInstances                    30

# Set the user and group under which the server will run.
User                            ftp
Group                           ftp

# Normally, we want files to be overwriteable.
<Directory />
  AllowOverwrite                on
</Directory>

# Lock users into their home directory!
DefaultRoot ~

# --------------------------------------------
# Post-Login, Timeouts
# --------------------------------------------

TimeoutIdle 1200 # inactivity
TimeoutNoTransfer 3600 # no data transfer (listing, file, ...)
TimeoutStalled 300 # stalled data transfer
TimeoutSession 7200 # total length of a session

UseReverseDNS off



*
*
* IPTABLES
*
*
websrv-gentoo-PD945  # iptables -A INPUT -p tcp --destination-port 49152:65534 -j ACCEPT
websrv-gentoo-PD945  # iptables -L
Chain INPUT (policy DROP)
target     prot opt source               destination
ACCEPT     all  --  anywhere             anywhere
DROP       icmp --  anywhere             anywhere            icmp redirect
ACCEPT     icmp --  anywhere             anywhere
ACCEPT     tcp  --  anywhere             anywhere            tcp dpt:ftp-data
ACCEPT     tcp  --  anywhere             anywhere            tcp dpt:ftp
ACCEPT     tcp  --  anywhere             anywhere            tcp dpt:ftp
ACCEPT     tcp  --  anywhere             anywhere            tcp dpt:ftp-data
ACCEPT     tcp  --  anywhere             anywhere            tcp dpt:ssh
ACCEPT     tcp  --  anywhere             anywhere            limit: avg 1/sec burst 5 tcp dpt:ssh flags:FIN,SYN,RST,PSH,ACK,URG/RST
ACCEPT     tcp  --  anywhere             anywhere            limit: avg 1/sec burst 5 tcp dpt:ssh flags:FIN,SYN,RST,PSH,ACK,URG/FIN
ACCEPT     tcp  --  anywhere             anywhere            limit: avg 1/sec burst 5 tcp dpt:ssh flags:FIN,SYN,RST,PSH,ACK,URG/SYN
ACCEPT     tcp  --  anywhere             anywhere            state RELATED,ESTABLISHED tcp dpt:ssh
ACCEPT     tcp  --  anywhere             anywhere            tcp dpt:http
ACCEPT     tcp  --  anywhere             anywhere            tcp spt:http
ACCEPT     tcp  --  anywhere             anywhere            tcp dpt:svn
ACCEPT     udp  --  anywhere             anywhere            udp spt:ntp
ACCEPT     tcp  --  anywhere             anywhere            tcp spts:1024:65535 dpts:1024:65535 state ESTABLISHED
ACCEPT     tcp  --  anywhere             anywhere            state RELATED,ESTABLISHED tcp spt:ftp-data
ACCEPT     tcp  --  anywhere             anywhere            state RELATED,ESTABLISHED tcp spt:ftp
ACCEPT     tcp  --  anywhere             anywhere            state RELATED,ESTABLISHED tcp spt:smtp
ACCEPT     tcp  --  anywhere             anywhere            state RELATED,ESTABLISHED tcp spt:rsync
LOGDROP    all  --  anywhere             anywhere
ACCEPT     tcp  --  anywhere             anywhere            tcp dpts:49152:65534

Chain FORWARD (policy ACCEPT)
target     prot opt source               destination

Chain OUTPUT (policy ACCEPT)
target     prot opt source               destination

Chain LOGDROP (1 references)
target     prot opt source               destination
LOG        all  --  anywhere             anywhere            LOG level warning prefix `{fw}'
DROP       all  --  anywhere             anywhere

*
*
* IPTABLES ERROR LOG
*
*
# tail -f /var/log/iptables.log
Feb 18 10:47:36 websrv-gentoo-PD945 kernel: {fw}IN=eth0 OUT= MAC=00:15:58:16:30:f3:64:16:8d:24:fc:21:08:00 SRC=146.52.181.192 DST=212.68.70.7 LEN=48 TOS=0x00 PREC=0x00 TTL=115 ID=24897 DF PROTO=TCP SPT=53983 DPT=49862 WINDOW=8192 RES=0x00 SYN URGP=0


*
*
* KERNEL (only active modules)
*
*
#
# Core Netfilter Configuration
#
CONFIG_NETFILTER_NETLINK=y
CONFIG_NETFILTER_NETLINK_QUEUE=y
CONFIG_NETFILTER_NETLINK_LOG=y
CONFIG_NF_CONNTRACK=y
CONFIG_NF_CT_ACCT=y
CONFIG_NF_CONNTRACK_MARK=y
CONFIG_NF_CONNTRACK_EVENTS=y
CONFIG_NF_CONNTRACK_FTP=m
CONFIG_NF_CONNTRACK_TFTP=m
CONFIG_NF_CT_NETLINK=m
CONFIG_NETFILTER_XTABLES=y
CONFIG_NETFILTER_XT_MATCH_CONNTRACK=y
CONFIG_NETFILTER_XT_MATCH_HELPER=y
CONFIG_NETFILTER_XT_MATCH_IPRANGE=m
CONFIG_NETFILTER_XT_MATCH_LENGTH=y
CONFIG_NETFILTER_XT_MATCH_LIMIT=y
CONFIG_NETFILTER_XT_MATCH_SCTP=y
CONFIG_NETFILTER_XT_MATCH_STATE=y
CONFIG_NETFILTER_XT_MATCH_STRING=y

#
# IP: Netfilter Configuration
#
CONFIG_NF_DEFRAG_IPV4=m
CONFIG_NF_CONNTRACK_IPV4=m
CONFIG_NF_CONNTRACK_PROC_COMPAT=y
CONFIG_IP_NF_IPTABLES=y
CONFIG_IP_NF_FILTER=y
CONFIG_IP_NF_TARGET_REJECT=y
CONFIG_IP_NF_TARGET_LOG=y
CONFIG_NF_NAT=m
CONFIG_NF_NAT_NEEDED=y
CONFIG_IP_NF_TARGET_MASQUERADE=m
CONFIG_IP_NF_TARGET_NETMAP=m
CONFIG_IP_NF_TARGET_REDIRECT=m
CONFIG_NF_NAT_SNMP_BASIC=m
CONFIG_NF_NAT_FTP=m
CONFIG_NF_NAT_TFTP=m



*
*
* Emerge --info
*
*
# emerge --info

Portage 2.1.11.9 (default/linux/amd64/10.0/server, gcc-4.4.3, glibc-2.15-r2, 2.6.34-gentoo-r6 x86_64)
=================================================================
System uname: Linux-2.6.34-gentoo-r6-x86_64-Intel-R-_Pentium-R-_D_CPU_3.40GHz-with-gentoo-2.1
Timestamp of tree: Sat, 16 Feb 2013 03:30:01 +0000
app-shells/bash:          4.2_p37
dev-lang/python:          2.4.4-r6::<unknown repository>, 2.5.4-r2, 2.6.8, 2.7.3-r2, 3.1.2-r4, 3.2.3
dev-util/cmake:           2.8.1-r2
dev-util/pkgconfig:       0.27
sys-apps/baselayout:      2.1-r1
sys-apps/openrc:          0.9.8.4
sys-apps/sandbox:         2.5
sys-devel/autoconf:       2.13::<unknown repository>, 2.68
sys-devel/automake:       1.4_p6::<unknown repository>, 1.5::<unknown repository>, 1.6.3::<unknown repository>, 1.7.9-r1::<unknown repository>, 1.8.5-r3::<unknown repository>, 1.9.6-r2::<unknown repository>, 1.10.2, 1.11.6
sys-devel/binutils:       2.22-r1
sys-devel/gcc:            3.4.3-r1::<unknown repository>, 4.1.2, 4.3.4, 4.4.3-r2, 4.5.4
sys-devel/gcc-config:     1.7.3
sys-devel/libtool:        2.4-r1
sys-devel/make:           3.82-r3
sys-kernel/linux-headers: 3.4-r2 (virtual/os-headers)
sys-libs/glibc:           2.15-r2
Repositories: gentoo
ACCEPT_KEYWORDS="amd64"
ACCEPT_LICENSE="* -@EULA"
CBUILD="x86_64-pc-linux-gnu"
CFLAGS="-march=nocona -O2 -pipe"
CHOST="x86_64-pc-linux-gnu"
CONFIG_PROTECT="/etc"
CONFIG_PROTECT_MASK="/etc/ca-certificates.conf /etc/env.d /etc/fonts/fonts.conf /etc/gconf /etc/gentoo-release /etc/php/apache2-php5.3/ext-active/ /etc/php/cgi-php5.3/ext-active/ /etc/php/cli-php5.3/ext-active/ /etc/revdep-rebuild /etc/sandbox.d /etc/terminfo"
CXXFLAGS="-march=nocona -O2 -pipe"
DISTDIR="/usr/portage/distfiles"
FCFLAGS="-O2 -pipe"
FEATURES="assume-digests binpkg-logs config-protect-if-modified distlocks ebuild-locks fixlafiles news parallel-fetch parse-eapi-ebuild-head protect-owned sandbox sfperms strict unknown-features-warn unmerge-logs unmerge-orphans userfetch"
FFLAGS="-O2 -pipe"
GENTOO_MIRRORS="ftp://ftp6.uni-erlangen.de/pub/mirrors/gentoo ftp://ftp6.uni-muenster.de/pub/linux/distributions/gentoo http://lug.mtu.edu/gentoo/"
LDFLAGS="-Wl,-O1 -Wl,--as-needed"
MAKEOPTS="-j3"
PKGDIR="/usr/portage/packages"
PORTAGE_CONFIGROOT="/"
PORTAGE_RSYNC_OPTS="--recursive --links --safe-links --perms --times --compress --force --whole-file --delete --stats --human-readable --timeout=180 --exclude=/distfiles --exclude=/local --exclude=/packages"
PORTAGE_TMPDIR="/var/tmp"
PORTDIR="/usr/portage"
PORTDIR_OVERLAY=""
SYNC="rsync://rsync.gentoo.org/gentoo-portage"
USE="acl acpi amd64 apache2 berkdb bzip2 cdr cgi cli command-args cracklib crypt ctype curl cxx digest dri dvd filter fortran freetype gd gdbm gif gpm iconv ipv6 jpeg json latin1 lzw mmx modules mudflap multilib mysql ncurses nls nptl openmp pam pcre php png readline session snmp soap sse sse2 ssl tcpd threads tiff truetype truetype2 unicode vhosts xml zlib" ABI_X86="64" ALSA_CARDS="ali5451 als4000 atiixp atiixp-modem bt87x ca0106 cmipci emu10k1x ens1370 ens1371 es1938 es1968 fm801 hda-intel intel8x0 intel8x0m maestro3 trident usb-audio via82xx via82xx-modem ymfpci" ALSA_PCM_PLUGINS="adpcm alaw asym copy dmix dshare dsnoop empty extplug file hooks iec958 ioplug ladspa lfloat linear meter mmap_emul mulaw multi null plug rate route share shm softvol" APACHE2_MODULES="actions alias auth_basic authn_alias authn_anon authn_dbm authn_default authn_file authz_dbm authz_default authz_groupfile authz_host authz_owner authz_user autoindex cache cgi dav dav_fs dav_lock deflate dir disk_cache env expires ext_filter file_cache filter headers include info log_config logio mem_cache mime mime_magic negotiation rewrite setenvif speling status unique_id userdir usertrack vhost_alias auth_digest" CALLIGRA_FEATURES="kexi words flow plan sheets stage tables krita karbon braindump" CAMERAS="ptp2" COLLECTD_PLUGINS="df interface irq load memory rrdtool swap syslog" ELIBC="glibc" GPSD_PROTOCOLS="ashtech aivdm earthmate evermore fv18 garmin garmintxt gpsclock itrax mtk3301 nmea ntrip navcom oceanserver oldstyle oncore rtcm104v2 rtcm104v3 sirf superstar2 timing tsip tripmate tnt ubx" INPUT_DEVICES="keyboard mouse evdev" KERNEL="linux" LCD_DEVICES="bayrad cfontz cfontz633 glk hd44780 lb216 lcdm001 mtxorb ncurses text" LIBREOFFICE_EXTENSIONS="presenter-console presenter-minimizer" LINGUAS="de" PHP_TARGETS="php5-3" PYTHON_SINGLE_TARGET="python2_7" PYTHON_TARGETS="python2_7 python3_2" RUBY_TARGETS="ruby18 ruby19" USERLAND="GNU" VIDEO_CARDS="fbdev glint intel mach64 mga nouveau nv r128 radeon savage sis tdfx trident vesa via vmware dummy v4l" XTABLES_ADDONS="quota2 psd pknock lscan length2 ipv4options ipset ipp2p iface geoip fuzzy condition tee tarpit sysrq steal rawnat logmark ipmark dhcpmac delude chaos account"
Unset:  CPPFLAGS, CTARGET, EMERGE_DEFAULT_OPTS, INSTALL_MASK, LANG, LC_ALL, PORTAGE_BUNZIP2_COMMAND, PORTAGE_COMPRESS, PORTAGE_COMPRESS_FLAGS, PORTAGE_RSYNC_EXTRA_OPTS, USE_PYTHON

Last edited by KaterGonzo on Mon Feb 18, 2013 12:20 pm; edited 1 time in total
bbgermany
Veteran
Joined: 21 Feb 2005
Posts: 1844
Location: Oranienburg/Germany

Posted: Mon Feb 18, 2013 12:08 pm

Hi,

since the conn is RELATED to the ftp/ftp-data port, you should change the line

Code:

ACCEPT     tcp  --  anywhere             anywhere            tcp spts:1024:65535 dpts:1024:65535 state ESTABLISHED


so that it looks more like
Code:

ACCEPT     tcp  --  anywhere             anywhere            tcp spts:1024:65535 dpts:1024:65535 state ESTABLISHED,RELATED


bb
_________________
Desktop: Ryzen 5 5600G, 32GB, 2TB, RX7600
Notebook: Dell XPS 13 9370, 16GB, 1TB
Server #1: Ryzen 5 Pro 4650G, 64GB, 16.5TB
Server #2: Ryzen 4800H, 32GB, 22TB
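The fix above in script form, as an added example that is not code from the thread: it loads the FTP conntrack helper, accepts RELATED traffic early instead of punching a hole for the whole passive range, and adds a small check that tells whether a LOGDROP line like the one posted fell inside PassivePorts (which means the helper did not track the data connection). The passive range, the LOGDROP chain and the log format come from the thread; the sample log line is constructed, and nothing is applied unless DRY_RUN=0.

```shell
#!/bin/sh
# Added example, not from the thread. Builds the conntrack-aware INPUT rules a
# standalone ProFTPD with "PassivePorts 49152 65534" needs. With DRY_RUN=1
# (the default) the commands are printed for review instead of being run.
PASSIVE_LO=${PASSIVE_LO:-49152}
PASSIVE_HI=${PASSIVE_HI:-65534}
DRY_RUN=${DRY_RUN:-1}

run() {
    if [ "$DRY_RUN" = 1 ]; then
        printf '%s\n' "$*"
    else
        "$@"
    fi
}

ftp_rules() {
    # Without the helper the passive data connection is never marked RELATED
    # and its SYN is dropped like any other unsolicited packet. The 2.6.34
    # kernel in the thread binds the helper to port 21 once it is loaded;
    # kernels from 4.7 on additionally need an explicit CT --helper rule.
    run modprobe nf_conntrack_ftp
    # One early rule covers every tracked flow, including the RELATED data
    # connection, so no blanket ACCEPT for the passive range is needed.
    run iptables -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
    # Only NEW connections to the control port are accepted explicitly.
    run iptables -A INPUT -p tcp --dport 21 -m state --state NEW -j ACCEPT
    # Everything else goes to the LOGDROP chain from the thread. A rule
    # appended after this point (as the 49152:65534 rule was) is never reached.
    run iptables -A INPUT -j LOGDROP
}

# passive_drop LOGLINE: succeeds when the dropped packet's DPT lies inside the
# passive range, i.e. a data connection the helper failed to track.
passive_drop() {
    dpt=$(printf '%s\n' "$1" | sed -n 's/.*DPT=\([0-9][0-9]*\).*/\1/p')
    [ -n "$dpt" ] && [ "$dpt" -ge "$PASSIVE_LO" ] && [ "$dpt" -le "$PASSIVE_HI" ]
}

# Constructed sample, shaped like the {fw} log line in the thread.
SAMPLE='kernel: {fw}IN=eth0 OUT= SRC=192.0.2.10 DST=198.51.100.7 PROTO=TCP SPT=53983 DPT=49862 SYN'
```

Run it as `sh ftp_rules.sh` to review the rules, or `DRY_RUN=0` as root to apply them; `passive_drop` can be fed lines from `/var/log/iptables.log`.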
KaterGonzo
Apprentice
Joined: 01 Apr 2004
Posts: 155

Posted: Mon Feb 18, 2013 12:31 pm

I corrected this line...

Thank you very much! Now it works!