toralf Developer
Joined: 01 Feb 2004 Posts: 3922 Location: Hamburg
Posted: Fri Jul 18, 2014 3:08 pm Post subject: [solved] allow passive ftp as a client with ip-tables
Grr,

Code:
wget --passive-ftp ftp://mirrors.dotsrc.org/kde/stable/4.13.3/src/kwalletmanager-4.13.3.tar.xz

doesn't work due to my restrictive firewall rules http://bpaste.net/show/475272/ - but all examples I read till now to allow passive ftp are either for servers and/or do not work here (current 3.15 kernel) - any hints/help is appreciated.
Last edited by toralf on Sat Jul 19, 2014 9:22 am; edited 1 time in total
skaloo n00b
Joined: 18 Jul 2014 Posts: 21
Posted: Fri Jul 18, 2014 6:26 pm
From a client point of view, passive FTP requires opening 2 different connections to the FTP server (that's output, not input), one to the normal FTP port (21), the other one to a randomly opened port on the server (>1023) that you can't know in advance (unless you control the server) (this 2nd port is sent to the client in the FTP protocol and is 'allocated' per client when initiating the passive mode). Those are only OUTPUTS, and I see your rules accept ESTABLISHED so no need to add anything in INPUT. What you need is to allow both outputs. Something like that should work:
Code:
# control connection to the server's FTP port
iptables -A OUTPUT -p tcp --dport 21 -d <server_ip> -j ACCEPT
# passive data connection to whatever unprivileged port the server announced
# (valid port numbers end at 65535; 65536 is rejected by iptables)
iptables -A OUTPUT -p tcp --dport 1024:65535 -d <server_ip> -j ACCEPT
Obviously if you want to connect to many FTP servers that may become a problem in terms of number of rules to add, and omitting the server IP would simply open almost all OUTPUTs which is obviously not what you want, though that points out why most people don't bother too much with OUTPUT filtering :p
Hope that helped.
PS: Wikipedia and other sources have decent information about protocols; you'd have found how passive FTP works there.
toralf Developer
Joined: 01 Feb 2004 Posts: 3922 Location: Hamburg
Posted: Fri Jul 18, 2014 11:25 pm
Hhm, the server ip address I do not know (too much), and yes, I do not want to open too many output ports, therefore I hoped to have, with the help of the ip_conntrack_ftp module, a somehow "smart" solution.
Well, ok, I have to look around for which solution I'd like to have.
khayyam Watchman
Joined: 07 Jun 2012 Posts: 6227 Location: Room 101
Posted: Sat Jul 19, 2014 1:33 am
toralf ...
cutting and pasting this from an old script for ingress/egress filtering, it should provide some idea of what's required. I wrote this some time ago, and so before '--state' became '--ctstate', so you will need to adjust this.
Also, this might be of interest.
Code:
iface="eth0"
unprivports="1024:65535"
/sbin/modprobe ip_conntrack_ftp ports=20,21,8021 fxp=1 2>&1
# Allow ftp outbound.
iptables -A INPUT -i $iface -p tcp --sport 21 -m state --state ESTABLISHED -j ACCEPT
iptables -A OUTPUT -o $iface -p tcp --dport 21 -m state --state NEW,ESTABLISHED -j ACCEPT
# ftp connection tracking
# active ftp
iptables -A INPUT -i $iface -p tcp --sport 20 -m state --state ESTABLISHED,RELATED -j ACCEPT
iptables -A OUTPUT -o $iface -p tcp --dport 20 -m state --state ESTABLISHED -j ACCEPT
# passive ftp
iptables -A INPUT -i $iface -p tcp --sport $unprivports --dport $unprivports \
    -m state --state ESTABLISHED -j ACCEPT
iptables -A OUTPUT -o $iface -p tcp --sport $unprivports --dport $unprivports \
    -m state --state ESTABLISHED,RELATED -j ACCEPT
HTH & best ... khay
skaloo n00b
Joined: 18 Jul 2014 Posts: 21
Posted: Sat Jul 19, 2014 7:15 am
Yeah, it is possible that using the conntrack_ftp module helps identify the data connections for a client connection too (sorry, I don't have time to check on that today); the RELATED state should suffice then, and you already have the rules for it in OUTPUT and INPUT, so it probably is only about loading the module, possibly with the right options, as you can see in khayyam's script above.
Note: your script uses some old syntax, you might want to check on the proper new one also, unless your Linux version is actually old (name of the module, possibly different support of old/new syntax, ...)
toralf Developer
Joined: 01 Feb 2004 Posts: 3922 Location: Hamburg
Posted: Sat Jul 19, 2014 9:02 am
Thx for your hints, what eventually helped was this:

Code:
echo 1 > /proc/sys/net/netfilter/nf_conntrack_helper

pfff...
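An added example, not code from any poster in this thread, showing the alternative to the sysctl toralf ended up with: instead of turning nf_conntrack_helper=1 on globally (which auto-assigns the ftp helper to every port-21 flow conntrack sees, whoever opened it), the raw-table CT target attaches the helper only to control connections this host opens, and the filter rules then accept the RELATED passive data connection in OUTPUT. It assumes a kernel with the CT target and -m conntrack --ctstate (3.5 or later), nf_conntrack_ftp as the module name, eth0 as the interface, and an existing default-deny policy; DRY_RUN=1 prints the rules instead of applying them.

```shell
#!/bin/sh
# Client-side passive FTP through iptables with an explicitly assigned helper.
# Assumptions: kernel >= 3.5, nf_conntrack_ftp module, interface eth0.
set -eu

IFACE="${IFACE:-eth0}"
FTP_PORT=21
UNPRIV="1024:65535"

# Run iptables, or only print the command when DRY_RUN=1, so the rule set
# can be reviewed (or tested) without root and without netfilter.
ipt() {
    if [ "${DRY_RUN:-0}" = 1 ]; then
        echo "iptables $*"
    else
        iptables "$@"
    fi
}

passive_ftp_client_rules() {
    # Without the helper module the CT target fails and no RELATED
    # expectations for the data connection are ever created.
    [ "${DRY_RUN:-0}" = 1 ] || modprobe nf_conntrack_ftp

    # 1. raw table: attach the ftp helper only to control connections we open.
    ipt -t raw -A OUTPUT -o "$IFACE" -p tcp --dport "$FTP_PORT" -j CT --helper ftp

    # 2. filter table: control connection out, its replies back in.
    ipt -A OUTPUT -o "$IFACE" -p tcp --dport "$FTP_PORT" \
        -m conntrack --ctstate NEW,ESTABLISHED -j ACCEPT
    ipt -A INPUT -i "$IFACE" -p tcp --sport "$FTP_PORT" \
        -m conntrack --ctstate ESTABLISHED -j ACCEPT

    # 3. passive data connection: the helper parsed the server's PASV reply,
    #    so our SYN to the announced unprivileged port is RELATED (not NEW);
    #    the server's replies are then ESTABLISHED. No server IP needed.
    ipt -A OUTPUT -o "$IFACE" -p tcp --dport "$UNPRIV" \
        -m conntrack --ctstate RELATED -j ACCEPT
    ipt -A INPUT -i "$IFACE" -p tcp --sport "$UNPRIV" \
        -m conntrack --ctstate ESTABLISHED -j ACCEPT
}

# Number of rules a dry run emits; a quick sanity check of the generator.
rule_count() {
    ( DRY_RUN=1; passive_ftp_client_rules ) | grep -c '^iptables '
}

if [ "${APPLY:-0}" = 1 ]; then
    passive_ftp_client_rules
fi
```

Run it as root with APPLY=1 to install the rules; active-mode transfers would additionally need a RELATED rule in INPUT for the server's connection from port 20, which this block deliberately leaves out.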