[solved] allow passive ftp as a client with ip-tables

toralf · Last edited by toralf on Sat Jul 19, 2014 9:22 am; edited 1 time in total

Grr,

skaloo · n00b Joined: 18 Jul 2014 Posts: 21

From a client point-of-view, passive FTP requires opening 2 different connections to the FTP server (that's output, not input), one to the normal FTP port (21) the other one to a randomly opened port on the server (>1023) that you can't know in advance (unless you control the server) (this 2nd port is sent to the client in the FTP protocol and is 'allocated' per client when initiating the passive mode). Those are only OUTPUTS, and I see your rules accept ESTABLISHED so no need to add anything in INPUT. What you need is to allow both outputs. Something like that should work:
iptables -A OUTPUT -p tcp --dport 21 -d <server_ip> -j ACCEPT
iptables -A OUTPUT -p tcp --dport 1024:65536 -d <server_ip> -j ACCEPT

Obviously if you want to connect to many FTP servers that may become a problem in terms of number of rules to add, and omitting the server IP would simply open almost all OUTPUTs which is obviously not what you want, though that points out why most people don't bother too much with OUTPUT filtering :p

Hope that helped.

PS: wikipedia and other sources have decent informations about protocols, you'd have found how passive FTP works there.

toralf · Posted: Fri Jul 18, 2014 11:25 pm Post subject:

Hhm, the server ip address I do not know (to much) and yes, I do not want to open too much output ports, therefore I hoped to have with the help of ip_conntrack_ftp module a somehow "smart" solution.

Well - ok, I've to look around which solution I'd like to have.

khayyam · Posted: Sat Jul 19, 2014 1:33 am Post subject:

toralf ...

cutting and pasting this from an old script for ingress/egress filtering, it should provide some idea of whats required. I wrote this some time ago, and so before '--state' became '--ctstate' so you will need to adjust this.

Also, this might be of interest.

skaloo · n00b Joined: 18 Jul 2014 Posts: 21

Yeah, it is possible that using the conntrack_ftp module helps identifying the data connections for a client connection too (sorry don't have time to check on that today), the RELATED state should suffice then, and you already have the rules for it in OUTPUT and INPUT, so it probably is only about loading the module, possibly with the right options, as you can see in khayyam's script above.

Note: your script uses some old syntax, you might want to check on the proper new one also, unless your linux version is actualy old (name of the module, possibly different support of old/new syntax, ...)

toralf · Posted: Sat Jul 19, 2014 9:02 am Post subject:

Thx for your hints, what eventually helped, was this :