AV1611 Posted October 22, 2007

Didn't know where else to post this... Below is the output of iptables -L. I can only connect to my ftp if I disable passive. I thought I had the state stuff right, but it doesn't work. Can anyone help?

Chain INPUT (policy DROP)
target     prot opt source                               destination
ACCEPT     all  --  anywhere                             anywhere
ACCEPT     tcp  --  anywhere                             anywhere             tcp flags:ACK/ACK
DROP       all  --  c-68-37-0-0.hsd1.de.comcast.net/16   anywhere
DROP       all  --  ip68-106-0-0.ph.ph.cox.net/16        anywhere
DROP       all  --  host-72-51-204-225.newwavecomm.net   anywhere
DROP       all  --  BASE-ADDRESS.MCAST.NET/4             anywhere
ACCEPT     tcp  --  anywhere                             anywhere             tcp dpt:ftp state NEW
ACCEPT     all  --  anywhere                             anywhere             state ESTABLISHED
ACCEPT     all  --  anywhere                             anywhere             state RELATED
ACCEPT     udp  --  anywhere                             anywhere             udp spt:domain dpts:1024:65535
ACCEPT     icmp --  anywhere                             anywhere             icmp echo-reply
ACCEPT     icmp --  anywhere                             anywhere             icmp destination-unreachable
ACCEPT     icmp --  anywhere                             anywhere             icmp source-quench
ACCEPT     icmp --  anywhere                             anywhere             icmp time-exceeded
ACCEPT     icmp --  anywhere                             anywhere             icmp parameter-problem
ACCEPT     tcp  --  anywhere                             anywhere             tcp dpt:ssh
ACCEPT     tcp  --  anywhere                             anywhere             tcp dpt:auth
ACCEPT     tcp  --  anywhere                             anywhere             tcp dpt:ftp
ACCEPT     tcp  --  anywhere                             anywhere             tcp dpt:ssh
ACCEPT     tcp  --  anywhere                             anywhere             tcp dpt:smtp
ACCEPT     tcp  --  anywhere                             anywhere             tcp dpt:domain
ACCEPT     tcp  --  anywhere                             anywhere             tcp dpt:http
ACCEPT     tcp  --  anywhere                             anywhere             tcp dpt:hosts2-ns
ACCEPT     tcp  --  anywhere                             anywhere             tcp dpt:pop3
ACCEPT     tcp  --  anywhere                             anywhere             tcp dpt:https
ACCEPT     tcp  --  anywhere                             anywhere             tcp dpt:ndmp
ACCEPT     tcp  --  anywhere                             anywhere             tcp dpt:mysql
ACCEPT     tcp  --  anywhere                             anywhere             tcp dpt:imap
ACCEPT     tcp  --  anywhere                             anywhere             tcp dpts:20025:20048
ACCEPT     tcp  --  anywhere                             anywhere             tcp dpt:14200
ACCEPT     udp  --  anywhere                             anywhere             udp dpt:8767
ACCEPT     udp  --  anywhere                             anywhere             udp dpt:8777
ACCEPT     udp  --  anywhere                             anywhere             udp dpts:xmsg:h323gatedisc
ACCEPT     udp  --  anywhere                             anywhere             udp dpt:27900
DROP       all  --  anywhere                             anywhere

Chain FORWARD (policy ACCEPT)
target     prot opt source               destination

Chain OUTPUT (policy ACCEPT)
target     prot opt source               destination
neylitalo Posted October 23, 2007

Most (maybe all) FTP servers make you specify a port range for PASV connections - what FTP server are you using, and did you specify a port range for passive FTP? If you did, make sure that the port range you specified is opened. Also, I would have thought that when you specify a port range, you would specify --dport lowport:highport, but I could be mistaken - do you know which is the case?

Here's a comprehensive description of Passive FTP, in case it helps at all. (If nothing else, you might be able to learn something from it that you didn't know already.)
AV1611 (Author) Posted October 23, 2007

> ACCEPT tcp -- anywhere anywhere tcp dpt:ftp state NEW
> ACCEPT all -- anywhere anywhere state ESTABLISHED
> ACCEPT all -- anywhere anywhere state RELATED

I thought these would allow a carte blanche for anything related to an established ftp (port 21) connection. I guess I oversimplified too much? What about:

iptables -A INPUT -p tcp --sport 1024: --dport 1024: -m state --state ESTABLISHED -j ACCEPT
iptables -A OUTPUT -p tcp --sport 1024: --dport 1024: -m state --state ESTABLISHED,RELATED -j ACCEPT

I think it's the same as above except only applied to sport and dport above 1024? Is that correct? HELP!
neylitalo Posted October 23, 2007

> ACCEPT tcp -- anywhere anywhere tcp dpt:ftp state NEW
> ACCEPT all -- anywhere anywhere state ESTABLISHED
> ACCEPT all -- anywhere anywhere state RELATED
>
> I thought these would allow a carte blanche for anything related to an established ftp (port 21) connection. I guess I oversimplified too much? What about:
>
> iptables -A INPUT -p tcp --sport 1024: --dport 1024: -m state --state ESTABLISHED -j ACCEPT
> iptables -A OUTPUT -p tcp --sport 1024: --dport 1024: -m state --state ESTABLISHED,RELATED -j ACCEPT
>
> I think it's the same as above except only applied to sport and dport above 1024? Is that correct? HELP!

Two things, most important first: With passive FTP, you're actually using a combination of port 21 and x amount of ports > 1023, so it's not quite enough to open up port 21. And you don't have to worry about the OUTPUT table at all, it's the INPUT table that you want to focus on.

To answer your question, though, it looks as though it might work - I've never tried an open-ended port range, but if the syntax is correct, I don't see why it won't do the trick. To test it, just scan a few ports > 1023 after you add the rule - something like this ought to do the trick if you have nmap installed.

# nmap -sT -P0 -p <portnumber> localhost
AV1611 (Author) Posted October 23, 2007

Well, the only way I can seem to get passive to work is like this:

-A INPUT -p tcp -m tcp --dport 1024:65536 --sport 1024:65535 -j ACCEPT

The ports won't accept connection, so that's good, but doesn't that mean they will open for other connections, not just FTP? I'm confused...
neylitalo Posted October 24, 2007

> The ports won't accept connection, so that's good, but doesn't that mean they will open for other connections, not just FTP?

If there isn't a service listening on the ports, then they'll be "filtered"; they will only be open for connections when a service binds itself to the port. Just to make sure, does Passive FTP work with that rule?
AV1611 (Author) Posted October 24, 2007

The server works with pasv now. Let me say it back like this, to make sure I got it. The ports >1023 are closed until the ftp server opens them. That will not occur unless a port 21 connection already exists, and the ftp server opens it. Therefore, the ports do not pose a risk because no server exists behind them to be hacked, except when the ftp is using it. Right???
neylitalo Posted October 24, 2007

> The ports >1023 are closed until the ftp server opens them. That will not occur unless a port 21 connection already exists, and the ftp server opens it. Therefore, the ports do not pose a risk because no server exists behind them to be hacked, except when the ftp is using it. Right???

Absolutely right. You're all set.
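Added illustration, not part of the forum posts above: a small Python model of why the `state RELATED` rule in the original chain did not on its own admit the passive data connection, and what the later `--dport 1024:65535` rule changes. It assumes the netfilter FTP connection-tracking helper (ip_conntrack_ftp, later nf_conntrack_ftp) is what reads the server's 227 reply on the control channel and marks the client's SYN to the announced port as RELATED; the addresses, ports and reply text are constructed.

```python
import re
from dataclasses import dataclass, field
# RFC 959 PASV reply: "227 Entering Passive Mode (h1,h2,h3,h4,p1,p2)"
PASV_RE = re.compile(r"^227 .*?\((\d+),(\d+),(\d+),(\d+),(\d+),(\d+)\)")

def parse_pasv(reply):
    """Return the (host, port) a 227 reply announces; the port is p1*256 + p2."""
    m = PASV_RE.match(reply)
    if not m:
        raise ValueError("not a 227 PASV reply")
    h1, h2, h3, h4, p1, p2 = (int(x) for x in m.groups())
    return f"{h1}.{h2}.{h3}.{h4}", p1 * 256 + p2

@dataclass
class Conntrack:
    # Toy model of how conntrack classifies an inbound TCP SYN for the state match.
    ftp_helper: bool                                 # ip_conntrack_ftp / nf_conntrack_ftp loaded?
    expected: set = field(default_factory=set)       # (dst, dport) pairs a helper has announced

    def see_pasv_reply(self, reply):
        # Only the FTP helper reads the control channel and registers the data port.
        if self.ftp_helper:
            self.expected.add(parse_pasv(reply))

    def classify_syn(self, dst, dport):
        if (dst, dport) in self.expected:
            self.expected.discard((dst, dport))     # one expectation admits one connection
            return "RELATED"
        return "NEW"

def input_chain(state, dport, wide_high_ports=False):
    """The thread's INPUT chain, reduced to the rules that decide this case."""
    if dport == 21 and state == "NEW":               # tcp dpt:ftp state NEW
        return "ACCEPT"
    if state in ("ESTABLISHED", "RELATED"):          # state ESTABLISHED / state RELATED
        return "ACCEPT"
    if wide_high_ports and 1024 <= dport <= 65535:   # the later --dport 1024:65535 rule
        return "ACCEPT"
    return "DROP"                                    # chain policy DROP

def passive_data_verdict(ftp_helper, wide_high_ports=False):
    """One passive session: control SYN to 21, the server's 227 reply, then the data SYN."""
    ct = Conntrack(ftp_helper)
    server = "192.0.2.10"                            # constructed example address
    assert input_chain(ct.classify_syn(server, 21), 21) == "ACCEPT"
    reply = "227 Entering Passive Mode (192,0,2,10,195,80)"   # constructed: 195*256+80 = 50000
    ct.see_pasv_reply(reply)
    _, dport = parse_pasv(reply)
    state = ct.classify_syn(server, dport)
    return state, input_chain(state, dport, wide_high_ports)
```

With the helper loaded the data SYN is RELATED and the original chain accepts it; without it the SYN is NEW and only the broad high-port rule lets it through, which is exactly the trade-off the thread ends on.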