[SOLVED] IPTables


AV1611


Didn't know where else to post this...

 

Below is the output of iptables -L

 

I can only connect to my ftp if I disable passive.  I thought I had the state stuff right, but it doesn't work.  Can anyone help?

 

Chain INPUT (policy DROP)
target    prot opt source              destination
ACCEPT    all  --  anywhere            anywhere
ACCEPT    tcp  --  anywhere            anywhere            tcp flags:ACK/ACK
DROP      all  --  c-68-37-0-0.hsd1.de.comcast.net/16  anywhere
DROP      all  --  ip68-106-0-0.ph.ph.cox.net/16  anywhere
DROP      all  --  host-72-51-204-225.newwavecomm.net  anywhere
DROP      all  --  BASE-ADDRESS.MCAST.NET/4  anywhere
ACCEPT    tcp  --  anywhere            anywhere            tcp dpt:ftp state NEW
ACCEPT    all  --  anywhere            anywhere            state ESTABLISHED
ACCEPT    all  --  anywhere            anywhere            state RELATED
ACCEPT    udp  --  anywhere            anywhere            udp spt:domain dpts:1024:65535
ACCEPT    icmp --  anywhere            anywhere            icmp echo-reply
ACCEPT    icmp --  anywhere            anywhere            icmp destination-unreachable
ACCEPT    icmp --  anywhere            anywhere            icmp source-quench
ACCEPT    icmp --  anywhere            anywhere            icmp time-exceeded
ACCEPT    icmp --  anywhere            anywhere            icmp parameter-problem
ACCEPT    tcp  --  anywhere            anywhere            tcp dpt:ssh
ACCEPT    tcp  --  anywhere            anywhere            tcp dpt:auth
ACCEPT    tcp  --  anywhere            anywhere            tcp dpt:ftp
ACCEPT    tcp  --  anywhere            anywhere            tcp dpt:ssh
ACCEPT    tcp  --  anywhere            anywhere            tcp dpt:smtp
ACCEPT    tcp  --  anywhere            anywhere            tcp dpt:domain
ACCEPT    tcp  --  anywhere            anywhere            tcp dpt:http
ACCEPT    tcp  --  anywhere            anywhere            tcp dpt:hosts2-ns
ACCEPT    tcp  --  anywhere            anywhere            tcp dpt:pop3
ACCEPT    tcp  --  anywhere            anywhere            tcp dpt:https
ACCEPT    tcp  --  anywhere            anywhere            tcp dpt:ndmp
ACCEPT    tcp  --  anywhere            anywhere            tcp dpt:mysql
ACCEPT    tcp  --  anywhere            anywhere            tcp dpt:imap
ACCEPT    tcp  --  anywhere            anywhere            tcp dpts:20025:20048
ACCEPT    tcp  --  anywhere            anywhere            tcp dpt:14200
ACCEPT    udp  --  anywhere            anywhere            udp dpt:8767
ACCEPT    udp  --  anywhere            anywhere            udp dpt:8777
ACCEPT    udp  --  anywhere            anywhere            udp dpts:xmsg:h323gatedisc
ACCEPT    udp  --  anywhere            anywhere            udp dpt:27900
DROP      all  --  anywhere            anywhere

Chain FORWARD (policy ACCEPT)
target    prot opt source              destination

Chain OUTPUT (policy ACCEPT)
target    prot opt source              destination

 

Link to comment
Share on other sites

Most (maybe all) FTP servers make you specify a port range for PASV connections - what FTP server are you using, and did you specify a port range for passive FTP? If you did, make sure that the port range you specified is opened. Also, I would have thought that when you specify a port range, you would specify --dport lowport:highport, but I could be mistaken - do you know which is the case?

 

Here's a comprehensive description of Passive FTP, in case it helps at all. (If nothing else, you might be able to learn something from it that you didn't know already.)

Link to comment
Share on other sites

ACCEPT    tcp  --  anywhere            anywhere            tcp dpt:ftp state NEW

ACCEPT    all  --  anywhere            anywhere            state ESTABLISHED

ACCEPT    all  --  anywhere            anywhere            state RELATED

 

I thought these would allow a carte blanche for anything related to an established ftp (port 21) connection.  I guess I oversimplified too much?

 

what about:

 

iptables -A INPUT -p tcp --sport 1024: --dport 1024: -m state --state ESTABLISHED -j ACCEPT

iptables -A OUTPUT -p tcp --sport 1024: --dport 1024: -m state --state ESTABLISHED,RELATED -j ACCEPT

 

I think it's the same as above except only applied to sport and dport above 1024? Is that correct?

 

HELP!

 

Link to comment
Share on other sites


Two things, most important first: With passive FTP, you're actually using a combination of port 21 and x amount of ports > 1023, so it's not quite enough to open up port 21. And you don't have to worry about the OUTPUT table at all, it's the INPUT table that you want to focus on.

 

To answer your question, though, it looks as though it might work - I've never tried an open-ended port range, but if the syntax is correct, I don't see why it won't do the trick. To test it, just scan a few ports > 1023 after you add the rule - something like this ought to do the trick if you have nmap installed.

 

# nmap -sT -P0 -p <portnumber> localhost

Link to comment
Share on other sites

Well, the only way I can seem to get passive to work is like this:

 

-A INPUT -p tcp -m tcp --dport 1024:65535 --sport 1024:65535 -j ACCEPT

 

The ports won't accept connection, so that's good, but doesn't that mean they will open for other connections, not just FTP?

 

I'm confused...

Link to comment
Share on other sites


If there isn't a service listening on the ports, then they'll be "filtered"; they will only be open for connections when a service binds itself to the port. Just to make sure, does Passive FTP work with that rule?

Link to comment
Share on other sites

The server works with pasv now.  Let me say it back like this, to make sure I got it.

 

The ports >1023 are closed until the ftp server opens them.  That will not occur unless a port 21 connection already exists, and the ftp server opens it.  Therefore, the ports do not pose a risk because no server exists behind them to be hacked, except when the ftp is using it.

 

Right???

 

:D

 

Link to comment
Share on other sites


Absolutely right. You're all set.

Link to comment
Share on other sites
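As an added illustration (not code from anyone in this thread), here is a small Python model of how the INPUT chain above evaluates a packet: first matching rule wins, and anything unmatched falls through to the DROP policy. It parses `iptables -L` style lines, shows why a passive data connection to a high port is dropped unless conntrack tags it RELATED (which only happens when the kernel's FTP conntrack helper is loaded, a point the thread does not mention), and compares a rule pinned to an assumed PASV range of 50000-50100 with the 1024:65535 rule from the thread, which admits any TCP port above 1023.

```python
import re
# Constructed sample in `iptables -L` format, modelled on the thread's INPUT chain.
SAMPLE_CHAIN = """\
Chain INPUT (policy DROP)
target    prot opt source              destination
ACCEPT    tcp  --  anywhere            anywhere            tcp dpt:ftp state NEW
ACCEPT    all  --  anywhere            anywhere            state ESTABLISHED
ACCEPT    all  --  anywhere            anywhere            state RELATED
DROP      all  --  anywhere            anywhere
"""
# Narrow data-port rule; assumes the FTP server's PASV range was pinned to 50000-50100.
PASV_RULE = "ACCEPT    tcp  --  anywhere            anywhere            tcp dpts:50000:50100"
SERVICES = {"ftp": 21, "ssh": 22}  # names `iptables -L` prints instead of port numbers
RULE_RE = re.compile(r"^(?P<target>\w+)\s+(?P<prot>\w+)\s+--\s+\S+\s+\S+(?P<extra>.*)$")

def parse_chain(text):
    """Return (policy, [rule dicts]) for one chain of `iptables -L` output."""
    lines = text.strip().splitlines()
    policy = re.search(r"\(policy (\w+)\)", lines[0]).group(1)
    rules = []
    for m in filter(None, map(RULE_RE.match, lines[2:])):  # skip chain and column headers
        state = re.search(r"state (\S+)", m.group("extra"))
        rule = {"target": m.group("target"), "prot": m.group("prot"), "ports": None,
                "state": state.group(1) if state else None}
        ports = re.search(r"dpts?:(\S+)", m.group("extra"))  # "dpt:ftp" or "dpts:1024:65535"
        if ports:
            lo, _, hi = ports.group(1).partition(":")
            lo = SERVICES.get(lo, lo)
            hi = SERVICES.get(hi, hi) if hi else lo
            rule["ports"] = (int(lo), int(hi))
        rules.append(rule)
    return policy, rules

def verdict(chain_text, prot, dport, state):
    """First matching rule wins, as in netfilter; no match falls through to the policy.
    A passive data connection only carries state RELATED when the kernel's FTP conntrack
    helper is loaded; otherwise the kernel sees it as a plain NEW connection."""
    policy, rules = parse_chain(chain_text)
    for r in rules:
        if r["prot"] not in ("all", prot) or (r["state"] and r["state"] != state):
            continue
        if r["ports"] and not (r["ports"][0] <= dport <= r["ports"][1]):
            continue
        return r["target"]
    return policy

def with_pasv_rule(chain_text, rule=PASV_RULE):
    """Place a data-port rule ahead of the chain's final catch-all DROP."""
    lines = chain_text.strip().splitlines()
    return "\n".join(lines[:-1] + [rule, lines[-1]]) + "\n"
```

With the thread's wide 1024:65535 rule in place, `verdict` returns ACCEPT for a NEW connection to any high TCP port, which is exactly why the question "won't they open for other connections too" is answered by whether a service is listening there, not by the firewall.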
