IPTables rule for non-passive FTP data ports?

Post by Mairhtin O'Feanna » Sun, 09 Mar 2003 10:40:15

Hello,

We have a small office running a lan with the usual masquerading and
forwarding that allows us to use 10.0.0.1/8 as our LAN, and a single IP as
the router outbound interface.  The router is the Linux Firewall box, and
all the traffic *APPEARS* to be handled correctly, web pages and the like.  
But one user needs access to an FTP server that requires non-passive FTP.

Can someone tell me how to set up a rule that will allow all of the random
data ports that FTP uses for things like " ls -al " and the like?  FTP does
a PORT command to establish this sort of thing, from what I remember, but
it's totally random if I recall.  *scratching head*.  I don't want to
defeat the purpose of the firewall by just allowing oodles of ports to
willy-nilly be ACCEPTed.  

And please, if you write, could you copy under email to irishboy at
Imadethis dot com?  I'd really appreciate it. !!!!

Mairhtin O'Feannag

Post by Jeremy Gra » Sun, 09 Mar 2003 11:56:28

> Can someone tell me how to set up a rule that will allow all of the random
> data ports that FTP uses for things like " ls -al " and the like?  FTP does
> a PORT command to establish this sort of thing, from what I remember, but
> it's totally random if I recall.  *scratching head*.  I don't want to
> defeat the purpose of the firewall by just allowing oodles of ports to
> willy-nilly be ACCEPTed.  

Google for "iptables active ftp".

--
Jeremy A. Gray

"Remember the Pueblo." -- the Fourth Law of Marvin

Post by Stephen Webste » Sun, 09 Mar 2003 13:13:37

> Can someone tell me how to set up a rule that will allow all of the random
> data ports that FTP uses for things like " ls -al " and the like?  FTP does
> a PORT command to establish this sort of thing, from what I remember, but
> it's totally random if I recall.  *scratching head*.  I don't want to
> defeat the purpose of the firewall by just allowing oodles of ports to
> willy-nilly be ACCEPTed.  

Try the following:
<http://www.sns.ias.edu/~jns/security/iptables/iptables_conntrack.html>

There's stuff there about active and passive ftp...

--
Steve Webster
Remove the 'nospam' to get my email address.

Post by Andreas Muelle » Sun, 09 Mar 2003 23:21:14

Hi,
If I understood your prob right, try ..

## FTP
iptables -A OUTPUT -p tcp --dport 21 -m state --state NEW,ESTABLISHED -j ACCEPT
iptables -A INPUT -p tcp --sport 21 -m state --state ESTABLISHED -j ACCEPT
# active
iptables -A OUTPUT -p tcp --dport 20 -m state --state ESTABLISHED -j ACCEPT
iptables -A INPUT -p tcp --sport 20 -m state --state ESTABLISHED,RELATED -j ACCEPT

you can add source and destination to these lines to define your user and
the ftp-server ...

ReadU
Andi

Post by Allen Kistle » Mon, 10 Mar 2003 20:28:39

> Hi,
> If I understood your prob right, try ..

> ## FTP
> iptables -A OUTPUT -p tcp --dport 21 -m state --state NEW,ESTABLISHED -j ACCEPT
> iptables -A INPUT -p tcp --sport 21 -m state --state ESTABLISHED -j ACCEPT
> # active
> iptables -A OUTPUT -p tcp --dport 20 -m state --state ESTABLISHED -j ACCEPT
> iptables -A INPUT -p tcp --sport 20 -m state --state ESTABLISHED,RELATED -j ACCEPT

> you can add source and destination to these lines to define your user and
> the ftp-server ...

If your Linux box is a firewall to an office LAN, you should enter the
rule in the FORWARD chain, not INPUT and OUTPUT.  Also, you only need to
add a rule to allow source port 20 in if it's RELATED.

-A FORWARD -p tcp -m tcp --sport 20 -m state --state RELATED -j ACCEPT

Also add a line in /etc/modules.conf:

add above iptable_nat ip_nat_ftp
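The --state RELATED match in Allen's FORWARD rule only works because the FTP connection-tracking helper (ip_conntrack_ftp, which ip_nat_ftp pulls in) reads the PORT command on the control channel, registers the data connection it now expects, and on a masquerading router rewrites the private address the LAN client advertised. The following Python model is an added example for this thread, not code from any poster or from netfilter; the function names, the addresses (10.0.0.5, 198.51.100.20, 203.0.113.7) and the ports are constructed for illustration.

```python
"""Model of what the FTP conntrack/NAT helper does for active-mode FTP:
parse the client's PORT command, register the expected data connection,
rewrite the advertised address when masquerading, and classify the server's
inbound connection from port 20 as RELATED rather than NEW.
Added example; all addresses and ports are constructed."""
import re
from dataclasses import dataclass
from typing import List, Optional, Tuple

# PORT h1,h2,h3,h4,p1,p2 : four address octets, then port = p1*256 + p2 (RFC 959)
PORT_RE = re.compile(
    r"^PORT\s+(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3})\s*$"
)


@dataclass(frozen=True)
class Expectation:
    """Data connection the helper expects: server_ip -> client_ip:client_port.
    The server's source port is deliberately not part of the expectation."""
    server_ip: str
    client_ip: str
    client_port: int


def parse_port_command(line: str) -> Optional[Tuple[str, int]]:
    """Return (ip, port) from a PORT command, or None if it is malformed."""
    m = PORT_RE.match(line.strip())
    if not m:
        return None
    fields = [int(x) for x in m.groups()]
    if any(f > 255 for f in fields):  # octets and port halves are one byte each
        return None
    port = fields[4] * 256 + fields[5]
    if port == 0:
        return None
    return ".".join(str(f) for f in fields[:4]), port


def format_port_command(ip: str, port: int) -> str:
    """Inverse of parse_port_command: build a PORT line from ip and port."""
    return "PORT %s,%d,%d" % (ip.replace(".", ","), port // 256, port % 256)


def build_expectation(control_client_ip: str, control_server_ip: str,
                      line: str, strict: bool = True) -> Optional[Expectation]:
    """Expectation the helper registers after seeing this PORT line.
    With strict=True the advertised address must equal the control
    connection's own client address; a PORT naming a third host creates no
    expectation, so nobody can use the helper to open holes towards other
    machines (analogous to the helper's non-loose behaviour)."""
    parsed = parse_port_command(line)
    if parsed is None:
        return None
    ip, port = parsed
    if strict and ip != control_client_ip:
        return None
    return Expectation(control_server_ip, ip, port)


def masquerade_port_command(line: str, public_ip: str,
                            public_port: int) -> Optional[str]:
    """What the NAT helper does on the router: the LAN client advertised its
    private 10.x address, which the server cannot reach, so the PORT payload
    is rewritten to the router's public address and a port NAT will map back."""
    if parse_port_command(line) is None:
        return None
    return format_port_command(public_ip, public_port)


def classify_syn(expectations: List[Expectation], src_ip: str,
                 dst_ip: str, dst_port: int) -> str:
    """State the firewall assigns to an inbound SYN. Only the server address
    and the client address/port are checked, which is why adding --sport 20
    to the rule is an extra restriction layered on top of --state RELATED."""
    for e in expectations:
        if (src_ip, dst_ip, dst_port) == (e.server_ip, e.client_ip, e.client_port):
            return "RELATED"
    return "NEW"


if __name__ == "__main__":
    # Constructed walk-through of the poster's setup: LAN client 10.0.0.5
    # behind a masquerading router, talking to FTP server 198.51.100.20.
    cmd = "PORT 10,0,0,5,4,1"
    exp = build_expectation("10.0.0.5", "198.51.100.20", cmd)
    print("client advertised:", parse_port_command(cmd))
    print("expectation:", exp)
    print("on the wire after NAT:", masquerade_port_command(cmd, "203.0.113.7", 40000))
    print("server SYN to data port:", classify_syn([exp], "198.51.100.20", "10.0.0.5", 1025))
```

Run it with `python3 ftp_helper_model.py` (file name is arbitrary). Without the helper module loaded, the server's SYN from port 20 would be classified NEW and dropped by a default-deny FORWARD chain, which is exactly the symptom the original poster describes; with it loaded, the single RELATED rule admits only the one data connection the client asked for.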
