passive ftp working or not? (ipchains)

Post by Jens Grivol » Sat, 21 Aug 1999 04:00:00

Hi,

I am using ipchains 1.3.9 with a Linux 2.2.10 kernel.  I have
insmod-ed the ftp_masq (?) module which should enable ftp
masquerading.  Active ftp works (so I guess the module takes care of
allowing connections established by the server), passive ftp usually
doesn't (I only have rules allowing connections to outside ports 20
and 21, not to outside high ports).

Now today suddenly ftp did work and it seems to be passive ftp as can
be seen in the following output from netstat -M:

tcp   1:47.05 192.168.0.44    wcarchive.cdrom.com  2312 -> ftp (64577)
tcp  23:01.07 192.168.0.44    wcarchive.cdrom.com  * -> 9961 (64578)

However, at the same time my firewall logs rejected packets from
passive ftp attempts (from /var/log/kern.log):

Aug 20 15:29:00 zerberus kernel: Packet log: good-bad REJECT eth0
PROTO=6 192.168.0.44:2341 209.155.82.18:11732 L=44 S=0x00 I=36055
F=0x4000 T=127 SYN (#156)

So what is the deal?  I can't seem to recognize why some packets would
get denied while others get through.

tia,
   Jens


passive ftp working or not? (ipchains)

Post by Cedric Blanche » Sat, 21 Aug 1999 04:00:00

> I am using ipchains 1.3.9 with a Linux 2.2.10 kernel.  I have
> insmod-ed the ftp_masq (?) module which should enable ftp
> masquerading.  Active ftp works (so I guess the module takes care of
> allowing connections established by the server), passive ftp usually
> doesn't (I only have rules allowing connections to outside ports 20
> and 21, not to outside high ports).

The ip_masq_ftp module handles active FTP sessions by reading the PORT
command sent by the client to the server, so that it can allow a connection
from the FTP server, port 20, to the FTP client on the port read from the
PORT command.
When passive FTP is used, the FTP client sends a PASV command instead of a
PORT command. The FTP server replies to the PASV command with a port command,
giving a >1023 port. That means the FTP client will connect to the FTP server
from a high port to a high port. If you filter in the forward chain, ipchains
handles that behaviour by itself with a
    ipchains -A forward -s $network -p tcp -d 0/0 21 -j MASQ
But if you filter in the input chain and don't allow TCP connections
from >1023 to >1023, passive FTP won't work.

> Now today suddenly ftp did work and it seems to be passive ftp as can
> be seen in the following output from netstat -M:

> tcp   1:47.05 192.168.0.44    wcarchive.cdrom.com  2312 -> ftp (64577)
> tcp  23:01.07 192.168.0.44    wcarchive.cdrom.com  * -> 9961 (64578)

> However, at the same time my firewall logs rejected packets from
> passive ftp attempts (from /var/log/kern.log):

> Aug 20 15:29:00 zerberus kernel: Packet log: good-bad REJECT eth0
> PROTO=6 192.168.0.44:2341 209.155.82.18:11732 L=44 S=0x00 I=36055
> F=0x4000 T=127 SYN (#156)

It's a SYN packet from 192.168.0.44:2341 to 209.155.82.18:11732, rejected
by the good-bad rule which doesn't allow TCP connections from >1023 to >1023,
as you mentioned before.


Passive FTP not working with iptables

I have a Windows box running an ftp server behind a nat box running RH7.2.
Ports 20 and 21 are forwarded into the Win box. I've looked all over Google
and Google Groups for quite some time, and I've been unable to set up
iptables so that PASV requests coming _into_ my Win box work correctly.
Active mode clients work fine.

I load the ip_conntrack_ftp and ip_nat_ftp modules at boot and both ftp
modes work fine outgoing. What iptables setup should I use apart from
forwarding all incoming ports to the Win box? (that would defeat the purpose
of the nat box)

--
ethanT
http://eplanet.cjb.net
aim: courtarro
(fix spam block before sending email)
