iptables ftp problem

 
 
johnny bobby bee
05-12-2005, 07:33 PM
can someone tell me why i can't connect to any ftp site with the
following rules:

# Turn on outgoing communication
iptables -A OUTPUT -p tcp --dport 53 -j ACCEPT
iptables -A OUTPUT -p udp --dport 53 -j ACCEPT
iptables -A OUTPUT -p tcp -m multiport --destination-ports \
    20,21,22,25,43,80,82,119,123,137,138,139 \
    -m state --state NEW -j ACCEPT
iptables -A OUTPUT -p tcp -m multiport --destination-ports \
    143,389,443,445,554,2628,1755,4321,5050 \
    -m state --state NEW -j ACCEPT
iptables -A OUTPUT -p udp -m multiport --destination-ports \
    20,21,22,25,43,80,82,119,123,137,138,139 \
    -m state --state NEW -j ACCEPT
iptables -A OUTPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
iptables -A OUTPUT -m state --state INVALID -j LOG --log-prefix \
    "--DROP:OUTPUT INVALID-- "
iptables -A OUTPUT -m state --state INVALID -j DROP
iptables -A OUTPUT -j LOG --log-prefix "--DROP:OUTPUT NOT MATCHED-- "
iptables -A OUTPUT -j DROP

i get the following entries in the log for rutgers university and
indiana university for example:
May 12 12:08:23 localhost kernel: --DROP:OUTPUT NOT MATCHED-- IN= OUT=eth0 SRC=192.168.2.101 DST=165.230.246.3 LEN=60 TOS=0x00 PREC=0x00 TTL=64 ID=22985 DF PROTO=TCP SPT=42064 DPT=44763 WINDOW=5840 RES=0x00 SYN URGP=0

May 12 12:09:21 localhost kernel: --DROP:OUTPUT NOT MATCHED-- IN= OUT=eth0 SRC=192.168.2.101 DST=156.56.247.193 LEN=60 TOS=0x00 PREC=0x00 TTL=64 ID=821 DF PROTO=TCP SPT=42069 DPT=31170 WINDOW=5840 RES=0x00 SYN URGP=0

if i were to take off the 80 or 143 in the -m multiport line, then i
can't surf or read my IMAP mail. but when i put them back in, everything
is fine. what am i missing that won't allow me to connect to an ftp server?

i know that if i added 'NEW' to the -m state --state RELATED,ESTABLISHED
-j ACCEPT then it works, but then *every* port will get through (out)
and i don't even need the '-m multiport' line at all. i'd rather define
which ports get out.

am i being paranoid, and should just use the 'NEW' with RELATED,ESTABLISHED?
is the -m multiport line going overboard?
and why does every other port work except for ftp, if i don't have the
'NEW' included?

i'll post more of my iptables rules if it's needed.
cheers


--
there's no place like ~
there's no place like ~
(remove _eh to email.)
 

bram4
05-12-2005, 08:38 PM

Hi

Have you tried both active and passive ftp?
Because (as you probably know) active ftp makes a connection from the server to
the client.

Regards
Bram4


--

BIG BROTHER IS WATCHING YOU
www.anti-dmca.org

johnny bobby bee
05-12-2005, 09:22 PM
bram4 wrote:
> Have you tried both active and passive ftp?


using gftp, i had to uncheck 'passive file transfers', for it to work.
even though the tool tip says, "if you are behind a firewall you will
have to enable this".

i still can't get to an ftp site using a browser.


Jacco
05-12-2005, 10:12 PM
On Thu, 12 May 2005 21:22:12 +0000, johnny bobby bee wrote:

> bram4 wrote:
>> Have you tried both active and passive ftp?

>
> using gftp, i had to uncheck 'passive file transfers', for it to work.
> even though the tool tip says, "if you are behind a firewall you will
> have to enable this".
>
> i still can't get to an ftp site using a browser.


Have you loaded the ftp netfilter modules?

modprobe ip_conntrack_ftp

and if you are doing nat

modprobe ip_conntrack_ftp
modprobe ip_nat_ftp

on the gateway

you can check with lsmod

 

johnny bobby bee
05-13-2005, 02:04 AM
Jacco wrote:
> Have you loaded the ftp netfilter modules?
>
> modprobe ip_conntrack_ftp
>


bless you, that got it. didn't know such a thing existed. is that
specifically for browser-ftp ability?
do i have to include it in /etc/modules for it to load whenever i
reboot? and why isn't it included with iptables by default?

> and if you are doing nat
>
> modprobe ip_conntrack_ftp
> modprobe ip_nat_ftp


not doing nat on this pc. but good to know i'd have to include that as well.



Llanzlan Klazmon
05-13-2005, 03:45 AM
johnny bobby bee <(E-Mail Removed)> wrote in
news:WTge.37817$0X6.9331@edtnps90:

> Jacco wrote:
>> Have you loaded the ftp netfilter modules?
>>
>> modprobe ip_conntrack_ftp
>>

>
> bless you, that got it. didn't know such a thing existed. is that
> specifically for browser-ftp ability?
> do i have to include it in /etc/modules for it to load whenever i
> reboot? and why isn't it included with iptables by default?
>
>> and if you are doing nat
>>
>> modprobe ip_conntrack_ftp
>> modprobe ip_nat_ftp

>
> not doing nat on this pc. but good to know i'd have to include that as
> well.
>
>


It provides for connection tracking to monitor an ftp control port to
pick up any ftp commands that will cause an associated data port to be
opened. The SYN packet for the ftp data will then be matched by the
"RELATED" test. Note that ip_conntrack_ftp understands both passive and
active ftp data transfers. It's not specifically to do with a browser, it
is just the bizarro way the ftp protocol works. Any ftp client would
encounter the same issue and all firewalls have to be able to cope with
this nuisance.

Klazmon
 

Jacco
05-13-2005, 04:47 AM
On Fri, 13 May 2005 15:45:11 +1200, Llanzlan Klazmon wrote:

> It provides for connection tracking to monitor an ftp control port to
> pick up any ftp commands that will cause an associated data port to be
> opened. The SYN packet for the ftp data will then be matched by the
> "RELATED" test. Note that ip_conntrack_ftp understands both passive and
> active ftp data transfers. It's not specifically to do with a browser, it
> is just the bizarro way the ftp protocol works. Any ftp client would
> encounter the same issue and all firewalls have to be able to cope with
> this nuisance.


Are conntrack_ftp and nat_ftp port-specific or protocol-specific? I tried
to contact an ftp server running on a non-standard port from one linux
box through a NATed linux box to the internet. It failed to do the
transfers. It works when I do ftp transfers on the normal port.


Philippe WEILL
05-13-2005, 10:30 AM
Jacco wrote:
> On Fri, 13 May 2005 15:45:11 +1200, Llanzlan Klazmon wrote:
>
>
>>It provides for connection tracking to monitor an ftp control port to
>>pick up any ftp commands that will cause an associated data port to be
>>opened. The SYN packet for the ftp data will then be matched by the
>>"RELATED" test. Note that ip_conntrack_ftp understands both passive and
>>active ftp data transfers. It's not specifically to do with a browser, it
>>is just the bizarro way the ftp protocol works. Any ftp client would
>>encounter the same issue and all firewalls have to be able to cope with
>>this nuisance.

>
>
> Is conntrack_ftp and nat_ftp port specific or protocol specific? I tried
> to contact an ftp server running on a non standard port from one linux
> box though a nated linux box to the internet. It failed to do the
> transfers. It works when I do ftp transfers on the normal port.



for this you need to load the ip_conntrack_ftp or ip_nat_ftp module
(this only works if ip_conntrack_ftp is compiled as a module) with:

ip_conntrack_ftp ports=21,xxx,yyy,....

or

ip_nat_ftp ports=21,xxx,yyy,....

--
Weill Philippe - Administrateur Systeme et Reseaux
CNRS Service Aeronomie - Universite Pierre et Marie Curie -
Tour 45/46 3e Etage B302 - 4 Place Jussieu - 75252 Paris Cedex 05 - FRANCE
Email(E-Mail Removed) | tel:+33 0144274759 Fax:+33 0144273776
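The two points made in this thread, Klazmon's description of what the ftp helper does with the control channel and Philippe's note that the helper only looks at the ports it was told about, are easy to see in a small userland model. The script below is an added example, not code from the thread or from the netfilter project: it parses the same PORT/227 (and RFC 2428 EPRT/229) messages the kernel helper parses and prints the data connection that would become matchable as RELATED. Function names, the FTP_HELPER_PORTS variable standing in for the `ports=` module parameter, and the sample transcript are this example's own constructions; the transcript reuses the addresses and the 44763 data port from the log lines posted at the top of the thread but is otherwise made up.

```bash
#!/usr/bin/env bash
# Added example, not code from the thread: a userland model of what the
# ip_conntrack_ftp / nf_conntrack_ftp helper has to do. It watches the FTP
# control channel and, for every PORT/EPRT command (active mode) or 227/229
# reply (passive mode), works out the data connection that the firewall must
# later accept as RELATED. Function names and the sample transcript are this
# example's own construction.

# Mirrors the module parameter "ports=21,2121": only control connections to a
# server port listed here are inspected. An FTP server on an unlisted port gets
# no expectations, so its data connections never match RELATED.
FTP_HELPER_PORTS=${FTP_HELPER_PORTS:-21}

helper_tracks_port() {         # helper_tracks_port SERVER_PORT -> 0 if inspected
  local p IFS=,
  for p in $FTP_HELPER_PORTS; do [[ $p == "$1" ]] && return 0; done
  return 1
}

# parse_hostport_bytes "h1,h2,h3,h4,p1,p2" -> prints "a.b.c.d port", or returns 1.
# This is the address form used by the PORT command and by the 227 reply.
parse_hostport_bytes() {
  local h1 h2 h3 h4 p1 p2 n port
  IFS=, read -r h1 h2 h3 h4 p1 p2 <<<"$1" || return 1
  for n in "$h1" "$h2" "$h3" "$h4" "$p1" "$p2"; do
    [[ $n =~ ^[0-9]{1,3}$ ]] && (( 10#$n <= 255 )) || return 1
  done
  port=$(( 10#$p1 * 256 + 10#$p2 ))
  (( port > 0 )) || return 1   # port 0 can never be a data port
  printf '%s %d\n' "$h1.$h2.$h3.$h4" "$port"
}

# expect_from_ftp_line CLIENT_IP SERVER_IP LINE
# Prints the data connection to expect as "src -> dst:port", or returns 1 when
# the line opens nothing. Like the kernel helper with loose=0 (its default), an
# advertised address that is not the speaker's own is refused, so a spoofed
# PORT or 227 cannot punch a RELATED hole towards a third host.
expect_from_ftp_line() {
  local client=$1 server=$2 line=${3%$'\r'} addr port spec proto _x _y
  case $line in
    "PORT "*)                    # active: server connects back to the client
      read -r addr port < <(parse_hostport_bytes "${line#PORT }") || return 1
      [[ $addr == "$client" ]] || return 1
      printf '%s -> %s:%s\n' "$server" "$client" "$port" ;;
    "227 "*)                     # passive: client connects to the server
      spec=${line#*\(}; spec=${spec%%\)*}
      read -r addr port < <(parse_hostport_bytes "$spec") || return 1
      [[ $addr == "$server" ]] || return 1
      printf '%s -> %s:%s\n' "$client" "$server" "$port" ;;
    "EPRT "*)                    # RFC 2428 active: "EPRT |1|a.b.c.d|port|"
      IFS='|' read -r _x proto addr port _y <<<"${line#EPRT }"
      [[ $proto == 1 && $addr == "$client" && $port =~ ^[0-9]{1,5}$ ]] || return 1
      (( 10#$port > 0 && 10#$port < 65536 )) || return 1
      printf '%s -> %s:%s\n' "$server" "$client" "$port" ;;
    "229 "*)                     # RFC 2428 passive: "229 ... (|||port|)"
      spec=${line#*\(}; spec=${spec%%\)*}
      IFS='|' read -r _x _y proto port _x <<<"$spec"
      [[ $port =~ ^[0-9]{1,5}$ ]] && (( 10#$port > 0 && 10#$port < 65536 )) || return 1
      printf '%s -> %s:%s\n' "$client" "$server" "$port" ;;
    *) return 1 ;;
  esac
}

# track_control_session CLIENT_IP SERVER_IP SERVER_PORT  (transcript on stdin)
# Emits one "RELATED src -> dst:port" line per data channel the session
# announced; returns 2 without reading anything when the server port is not
# one the helper inspects.
track_control_session() {
  local client=$1 server=$2 line exp
  helper_tracks_port "$3" || return 2
  while IFS= read -r line; do
    if exp=$(expect_from_ftp_line "$client" "$server" "$line"); then
      printf 'RELATED %s\n' "$exp"
    fi
  done
}

# Constructed control-channel excerpt. The addresses and the 44763 data port
# come from the log lines posted in the thread; everything else is made up.
sample_transcript() {
  printf '%s\r\n' \
    'USER anonymous' \
    'PASV' \
    '227 Entering Passive Mode (165,230,246,3,174,219)' \
    'RETR README' \
    'PORT 192,168,2,101,200,10' \
    'PORT 10,0,0,1,4,1' \
    '227 Entering Passive Mode (1,2,3,4,0,80)' \
    'EPSV' \
    '229 Entering Extended Passive Mode (|||44764|)'
}

if [[ ${BASH_SOURCE[0]} == "$0" ]]; then
  echo "# helper ports=$FTP_HELPER_PORTS, control session to 165.230.246.3:21"
  sample_transcript | track_control_session 192.168.2.101 165.230.246.3 21
  echo "# same session, but the server listens on 2121"
  if ! sample_transcript | track_control_session 192.168.2.101 165.230.246.3 2121; then
    echo "# not tracked: 2121 is not in ports=, so nothing would ever be RELATED"
  fi
fi
```

The two spoofed lines in the transcript (a PORT naming 10.0.0.1 and a 227 naming 1.2.3.4) produce no expectation, which is why the helper alone does not turn RELATED into an open door. On current kernels the modules are called nf_conntrack_ftp and nf_nat_ftp; list them in /etc/modules (or a file under /etc/modules-load.d/) to load them at boot, and put `options nf_conntrack_ftp ports=21,2121` in a file under /etc/modprobe.d/ for a non-standard port. Since kernel 4.7 the helper is no longer attached to a connection automatically, so the rule set from the first post additionally needs `iptables -t raw -A OUTPUT -p tcp --dport 21 -j CT --helper ftp` (PREROUTING as well on a NAT gateway) ahead of the RELATED,ESTABLISHED accept. None of this works for FTP over TLS: with the control channel encrypted the helper cannot read PORT or 227, and the server's passive port range has to be opened explicitly instead.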
 