Firewall settings for incoming passive FTP. Lokkit / IPTables / RH 9

 
 
synergy56@hotmail.com
Guest
Posts: n/a

 
      12-13-2003, 01:34 PM
Hi all

I'm hoping someone can help me with the firewall settings on my
server. I'm running Redhat 9. FTP is the standard vsftpd. I'm
struggling to get the firewall settings right to allow an incoming
passive FTP connection. I'm setting things with lokkit which shows a
character based 'graphical' UI. I assume this is just a friendly way
of editing /etc/sysconfig/iptables. I haven't directly edited iptables
yet but perhaps I need to.

In lokkit, I leave the security level 'high' and then go to
'Customize' and check the main protocols I want and add several more
to the 'Other ports line'. I add pop3:tcp imap:tcp and a few others.
The RH docs suggest that checking 'FTP' is enough to allow passive FTP
but not Active. It seems to achieve the opposite for me. Active works
fine. Passive works if I have 'No Firewall'.

I don't know much about it but I wonder if it's something to do with
port 20. I have now added ftp-data:tcp to the 'Other Ports' but that
hasn't helped. The client hangs when doing an ls after 'Entering
Passive Mode' and then 'Connecting to' a five digit port number.

The lines which I think are relevant in iptables are:

-A RH-Lokkit-0-50-INPUT -p tcp -m tcp --dport 20 --syn -j ACCEPT
-A RH-Lokkit-0-50-INPUT -p tcp -m tcp --dport 21 --syn -j ACCEPT

If you're wondering why I'm even bothering with FTP rather than the
more secure SFTP via SSH, it's because I have a few friends / customers
who just need to upload html files and vsftpd allows me to easily
define a fake root to keep them in their own area. I don't think I can
do that effectively with ssh.

Thanks
Ross
 
 
Brad Olin
Guest
Posts: n/a

 
      12-13-2003, 06:53 PM
On 13 Dec 2003 06:34:05 -0800, (E-Mail Removed) wrote:

>I'm hoping someone can help me with the firewall settings on my
>server. I'm running Redhat 9. FTP is the standard vsftpd. I'm
>struggling to get the firewall settings right to allow an incoming
>passive FTP connection. I'm setting things with lokkit which shows a
>character based 'graphical' UI. I assume this is just a friendly way
>of editing /etc/sysconfig/iptables. I haven't directly edited iptables
>yet but perhaps I need to.
>
>In lokkit, I leave the security level 'high' and then go to
>'Customize' and check the main protocols I want and add several more
>to the 'Other ports line'. I add pop3:tcp imap:tcp and a few others.
>The RH docs suggest that checking 'FTP' is enough to allow passive FTP
>but not Active. It seems to achieve the opposite for me. Active works
>fine. Passive works if I have 'No Firewall'.
>
>I don't know much about it but I wonder if its something to do with
>port 20. I have now added ftp-data:tcp to the 'Other Ports' but that
>hasn't helped. The client hangs when doing an ls after 'Entering
>Passive Mode' and then 'Connecting to' a five digit port number.
>
>The lines which I think are relevant in iptables are:
>
>-A RH-Lokkit-0-50-INPUT -p tcp -m tcp --dport 20 --syn -j ACCEPT
>-A RH-Lokkit-0-50-INPUT -p tcp -m tcp --dport 21 --syn -j ACCEPT
>
>If you're wondering why I'm even bothering with FTP rather than the
>more secure SFTP via SSH its because I have a few friends / customers
>who just need to upload html files and vsftpd allows me to easily
>define a fake root to keep them in their own area. I don't think I can
>do that effectively with ssh.
>



dport 21 is the ftp control channel, no matter passive or active mode.
dport 20 is the ftp data channel for active mode, not used in passive mode.
For passive mode you need to open all non-critical ports for the data
channel. Try a netfilter rule like this example...

iptables -A INPUT -p tcp --sport 1024:65535 --dport 1024:65535 --syn -j ACCEPT


Some ftp daemons, like proftpd, attempt to restrict the ports you have
to open for the passive mode data channel. This doesn't really work
very well because the ftp client is the one in the driver's seat here.


Hope that helps

Brad
--
"To live is so startling it leaves little time for anything else"
Emily Dickinson
Bradley W. Olin
http://www.bwo1.com
 
Durk van Veen
Guest
Posts: n/a

 
      12-14-2003, 06:46 PM
For real transparent hiding of an FTP server, look into the ip_conntrack_ftp
and ip_nat_ftp modules for iptables.


 
P Gentry
Guest
Posts: n/a

 
      12-14-2003, 09:10 PM
(E-Mail Removed) wrote in message news:<(E-Mail Removed). com>...
> Hi all
>
> I'm hoping someone can help me with the firewall settings on my
> server. I'm running Redhat 9. FTP is the standard vsftpd. I'm
> struggling to get the firewall settings right to allow an incoming
> passive FTP connection. I'm setting things with lokkit which shows a
> character based 'graphical' UI. I assume this is just a friendly way
> of editing /etc/sysconfig/iptables. I haven't directly edited iptables
> yet but perhaps I need to.
>
> In lokkit, I leave the security level 'high' and then go to
> 'Customize' and check the main protocols I want and add several more
> to the 'Other ports line'. I add pop3:tcp imap:tcp and a few others.
> The RH docs suggest that checking 'FTP' is enough to allow passive FTP
> but not Active. It seems to achieve the opposite for me. Active works
> fine. Passive works if I have 'No Firewall'.
>
> I don't know much about it but I wonder if its something to do with
> port 20. I have now added ftp-data:tcp to the 'Other Ports' but that
> hasn't helped. ...


Not sure how Lokkit appends (?) this rule, but believe it's this one:
-A RH-Lokkit-0-50-INPUT -p tcp -m tcp --dport 20 --syn -j ACCEPT

>... The client hangs when doing an ls after 'Entering
> Passive Mode' and then 'Connecting to' a five digit port number.


This sequence not clear to me.
a) client sees 'Entering Passive Mode'
b) client sends ls (to port 21 on server) to get the list of files
c) client sees 'Connecting to' port XXXXX -- then hangs
Your client is trying to connect to the high #'rd port your server
told it to use for a data channel.
Your firewall is not letting in SYN packets to random high #'rd ports,
I believe.

>
> The lines which I think are relevant in iptables are:
>
> -A RH-Lokkit-0-50-INPUT -p tcp -m tcp --dport 20 --syn -j ACCEPT

in passive mode, your server will be listening on a _random_ high #'rd
(>1023) port, so this "normal" channel will not be used to transfer
data

> -A RH-Lokkit-0-50-INPUT -p tcp -m tcp --dport 21 --syn -j ACCEPT

this is the control (command) channel which must be established at the
start of a session

>
> If you're wondering why I'm even bothering with FTP rather than the
> more secure SFTP via SSH its because I have a few friends / customers
> who just need to upload html files and vsftpd allows me to easily
> define a fake root to keep them in their own area. I don't think I can
> do that effectively with ssh.
>
> Thanks
> Ross


Haven't checked the RH docs (which one are you referring to?) but
three things:

-- I'm hardly familiar with Lokkit, much more comfortable with editing
config files and ACL's
-- RH admits that Lokkit is a weeney and not particularly useful for
anything that deviates from the pre-canned rules it uses.
-- The above 2nd line is, in fact, what you would use to set up an
ftp session, but the first is only useful in active (ie., normal) mode
to support setting up data transfer, not incoming connection
establishment (syn) where no one is listening, which is what it seems
to suggest.

I'm running RH8 and my iptables -L output is a little different from
yours, but just some minor differences in output format, I think.

Unless you're really comfortable using the iptables command to set up
what you want, you may want to try something like Firewall Builder:
http://www.fwbuilder.org/

For some quick/to the point background try:
http://www.unixcities.com/ftp-and-firewall/
http://www.cisco.com/warp/public/759..._2-3_oneb.html

Have you thought of running Squid in front of your FTP server? It
would allow you to set up ACL's and/or authentication logins, I
believe (been awhile since I've looked at it).

Since no one else responded, I did.

Hoping the more informed post,
prg
email above disabled
 
synergy56@hotmail.com
Guest
Posts: n/a

 
      12-15-2003, 05:45 PM
Thanks everyone. I understand it a bit better now. I've got it going
by opening all ports above 1023 although I'll study some of those
links for a better way.

As for which docs ... it was here
http://www.redhat.com/docs/manuals/l...-firewall.html
but I realise now that its talking about configuring a desktop, ie for
outgoing ftp.

Cheers
Ross
 
Durk van Veen
Guest
Posts: n/a

 
      12-16-2003, 04:06 PM

<(E-Mail Removed)> wrote in message
news:(E-Mail Removed) m...
> Thanks everyone. I understand it a bit better now. I've got it going
> by opening all ports above 1023 although I'll study some of those
> links for a better way.
>
> As for which docs ... it was here
>

http://www.redhat.com/docs/manuals/l...-firewall.html
> but I realise now that its talking about configuring a desktop, ie for
> outgoing ftp.
>
> Cheers
> Ross


That's a terrible idea. It's not much of a firewall the way you have it set
up now. Assuming you have the FTP server on a box in a translated environment
(let's say 192.168.0.10) on the standard port (21), you need to do the
following:

- load the connection tracking modules for FTP and the "state" module:

modprobe ip_conntrack
modprobe ipt_state
modprobe ip_conntrack_ftp ports=21
modprobe ip_nat_ftp ports=21

- port forward port 21 to your FTP machine and allow the forwarding to
occur (where $IFACE_INTERNET is the interface pointing to the public
address, eth0 or whatever is appropriate for your setup):

iptables -A FORWARD -i $IFACE_INTERNET -j ACCEPT
iptables -A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT
iptables -t nat -A PREROUTING -p TCP --dport 21 -i $IFACE_INTERNET -j DNAT --to-destination 192.168.0.10:21

Note that that forwarding rule is overly permissive but that's not that much
of a problem since packets need to be handled in PREROUTING before they
go into FORWARD anyway. This can be tightened anyway...
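The two explanations above, P Gentry's walk-through of the PASV sequence (the server advertises a random port above 1023 and the client's SYN to it is dropped) and Durk van Veen's pointer to ip_conntrack_ftp, describe the same mechanism from two sides. The following is an added example, not code from this thread or from netfilter: a small Python model of what the FTP connection-tracking helper does. It parses the 227 reply on the control channel, records a one-shot expectation for the advertised data port, and then admits an inbound SYN only when it matches that expectation, so the firewall never has to open 1024-65535 wholesale. All addresses and replies are constructed; the FtpHelper class and stateless_policy function are illustrative names, not kernel APIs.

```python
"""Model of passive-FTP handling by a stateless SYN filter versus a
connection-tracking helper (constructed example, no real sockets)."""
import re
from dataclasses import dataclass, field

# RFC 959 passive reply: "227 Entering Passive Mode (h1,h2,h3,h4,p1,p2)"
PASV_RE = re.compile(
    r"227[^\d]*(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3})"
)


def parse_pasv(reply: str):
    """Return (host, port) advertised in a 227 reply, or None if malformed."""
    m = PASV_RE.search(reply)
    if not m:
        return None
    nums = [int(x) for x in m.groups()]
    if any(n > 255 for n in nums):
        return None
    host = ".".join(str(n) for n in nums[:4])
    port = nums[4] * 256 + nums[5]  # this is the "five digit port number"
    if port == 0:
        return None
    return host, port


@dataclass(frozen=True)
class Syn:
    """An inbound TCP SYN as the firewall sees it."""
    src: str
    dst: str
    dport: int


def stateless_policy(syn: Syn, open_high_ports: bool = False) -> str:
    """What the Lokkit rules do: only ports 20 and 21 are allowed unless the
    whole unprivileged range is opened (the "terrible idea")."""
    if syn.dport in (20, 21):
        return "ACCEPT"
    if open_high_ports and 1024 <= syn.dport <= 65535:
        return "ACCEPT"
    return "DROP"


@dataclass
class FtpHelper:
    """Tracks control sessions and the data-channel expectations they create,
    roughly what ip_conntrack_ftp does for the RELATED state."""
    ctrl_port: int = 21
    expected: set = field(default_factory=set)  # (client_ip, server_ip, port)

    def observe_reply(self, client_ip: str, server_ip: str, reply: str) -> bool:
        """Called for each server reply seen on the control channel."""
        parsed = parse_pasv(reply)
        if parsed is None:
            return False
        host, port = parsed
        # Refuse an advertised address that differs from the control peer:
        # trusting it would let the server open a hole toward a third host.
        if host != server_ip:
            return False
        if port < 1024:  # never whitelist a privileged port from a PASV reply
            return False
        self.expected.add((client_ip, server_ip, port))
        return True

    def admit(self, syn: Syn) -> str:
        """Decide an inbound SYN: control port is NEW, a matching expectation
        is RELATED (and consumed), everything else is dropped."""
        if syn.dport == self.ctrl_port:
            return "ACCEPT (NEW control)"
        key = (syn.src, syn.dst, syn.dport)
        if key in self.expected:
            self.expected.discard(key)  # one-shot, like a conntrack expectation
            return "ACCEPT (RELATED data)"
        return "DROP"


if __name__ == "__main__":
    client, server = "203.0.113.5", "192.168.0.10"  # constructed addresses
    reply = "227 Entering Passive Mode (192,168,0,10,195,80)"
    data_syn = Syn(client, server, parse_pasv(reply)[1])
    print("stateless, ports 20/21 only:", stateless_policy(data_syn))
    print("stateless, 1024-65535 open: ", stateless_policy(data_syn, True))
    helper = FtpHelper()
    helper.observe_reply(client, server, reply)
    print("conntrack helper:           ", helper.admit(data_syn))
    print("replayed by another client: ",
          helper.admit(Syn("198.51.100.9", server, data_syn.dport)))
```

The same 227 reply that leaves the stateless filter with a choice between dropping the transfer and opening the whole high range is enough, once tracked, to admit exactly one SYN from exactly one client to exactly one port. The host-mismatch and privileged-port checks are what keep the helper from being steered by a malicious or compromised server.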


 
synergy56@hotmail.com
Guest
Posts: n/a

 
      12-18-2003, 03:11 AM
"Durk van Veen" <(E-Mail Removed)> wrote in message news:<IYGDb.9459$i55.4688@fed1read06>...
> <(E-Mail Removed)> wrote in message
> news:(E-Mail Removed) m...
> > Thanks everyone. I understand it a bit better now. I've got it going
> > by opening all ports above 1023 although I'll study some of those
> > links for a better way.


> That's a terrible idea. It's not much of a firewall the way you have it set
> up nowAssuming you have the FTP server on a box in a translated environment
> (let's say 192.168.0.10) on the standard port (21), you need to do the
> following:


Fair enough and thanks for the advice. I've persuaded my two FTP users
to use active FTP and I've turned off the high port access so
everything is okay for now.

It's not quite as simple as it may seem (or maybe it's simpler). The
thing I didn't mention before is that it's a virtual machine at a host
running UML (User Mode Linux). There is no NAT and from my point of
view, just one machine and no local LAN. netstat -tul tells me there
are no unintended listeners.

The one thing I can't do is load my own modules because of security
risks to physical host. I don't know enough to tell if ip_conntrack is
already loaded or compiled into the kernel. I might be talking
nonsense with that statement. /proc/net/ip_conntrack exists if that
means anything.

Cheers
Ross