problem with active ftp and iptables

 
 
lennart@kommunicera.umea.se
07-09-2006, 09:25 AM
I have been struggling on and off for the last couple of weeks to get
my firewall to accept active ftp. I have read many faqs and related
stuff, but obviously I am missing something. The ftp machine is located
behind the firewall.

I can netcat from an external machine to the ftp machine on for example
57400, and I can also netcat from ftp machine to external machine on
the same port.

When I try from an external machine I get:

lftp lelle@83.219.209.129:/> ls
---> PORT 192,168,123,106,139,113
<--- 200 PORT command successful.
---> LIST
<--- 425 Can't create data socket (83.219.209.129,58057): Cannot assign requested address.
---- Closing data socket
---> PORT 192,168,123,106,139,114
<--- 200 PORT command successful.
---> LIST
<--- 425 Can't create data socket (83.219.209.129,57730): Cannot assign requested address.
---- Closing data socket
[...]


Below is my configuration, hopefully someone with a better
understanding of this can pinpoint what is wrong with my setup.

Thanx in advance
/Lennart



#####################
FTP machine
#####################
ftp:~# uname -a
Linux ftp 2.6.15.1 #7 Sun Jul 2 20:56:10 CEST 2006 i686 GNU/Linux
192.168.21.10

ftp:~# tail /etc/services
[...]
# Local services
#glftpd 1337/tcp
glftpd 21/tcp

ftp:~# cat /etc/glftpd.conf
[...]
# Local stuff
ifip 127.0.0.1
pasv_addr 192.168.21.10 1
active_addr 192.168.21.10 1
elseip
ifip 192.168.21.1
pasv_addr 192.168.21.10 1
active_addr 192.168.21.10 1
elseip
pasv_addr 83.219.209.129 1
active_addr 83.219.209.129 1
endifip
endifip

pasv_ports 57400-58399
active_ports 57400-58399
[...]


#####################
FW machine
#####################

[root@53dbd181 root]# uname -a
Linux 53dbd181.umea.cust.skycom.se 2.6.10-1.771_FC2 #1 Mon Mar 28 00:50:14 EST 2005 i686 athlon i386 GNU/Linux
external eth1 83.219.209.129
internal eth0 (ftp) 192.168.21.1 and eth2 (other)

[root@53dbd181 root]# lsmod | grep ^ip_
ip_nat_ftp 5041 0
ip_conntrack_ftp 72817 1 ip_nat_ftp
ip_conntrack 40949 4
ip_nat_ftp,ip_conntrack_ftp,ipt_state,iptable_nat
ip_tables 16577 6
ipt_LOG,ipt_limit,ipt_multiport,iptable_filter,ipt_state,iptable_nat


[root@53dbd181 root]# cat /etc/sysconfig/iptables

*nat
:PREROUTING ACCEPT [482:60347]
:POSTROUTING ACCEPT [2:1234]
:OUTPUT ACCEPT [5:1486]

# Minimize-Delay 16 (0x10)
# Maximize-Throughput 8 (0x08)
# Maximize-Reliability 4 (0x04)
# Minimize-Cost 2 (0x02)
# Normal-Service 0 (0x00)

# DC
-A PREROUTING -i eth1 -p tcp --dport 9176 -j DNAT --to 10.10.121.1:9176
-A PREROUTING -i eth1 -p udp --dport 9176 -j DNAT --to 10.10.121.1:9176

# FTP
-A PREROUTING -i eth1 -p tcp --dport 21 -j DNAT --to 192.168.21.10
-A PREROUTING -i eth1 -p tcp --dport 1337 -j DNAT --to 192.168.21.10
-A PREROUTING -i eth1 -p tcp --dport 57400:58399 -j DNAT --to 192.168.21.10
-A PREROUTING -i eth1 -p tcp --sport 20 -j DNAT --to 192.168.21.10

-A PREROUTING -p tcp -d 83.219.209.129 --dport 21 -m state --state NEW,ESTABLISHED,RELATED -j DNAT --to 192.168.21.10

-A POSTROUTING -s 10.10.121.0/24 -o eth0 -j SNAT --to 83.219.209.129
-A POSTROUTING -s 10.10.121.0/24 -o eth1 -j SNAT --to 83.219.209.129
-A POSTROUTING -s 10.10.121.0/24 -o eth2 -j SNAT --to 83.219.209.129
-A POSTROUTING -s 192.168.21.0/24 -o eth0 -j SNAT --to 83.219.209.129
-A POSTROUTING -s 192.168.21.0/24 -o eth1 -j SNAT --to 83.219.209.129
-A POSTROUTING -s 192.168.21.0/24 -o eth2 -j SNAT --to 83.219.209.129

COMMIT

*filter
:INPUT DROP [0:0]
:FORWARD DROP [479:51940]
:OUTPUT ACCEPT [205:30016]
# Minimize-Delay 16 (0x10)
# Maximize-Throughput 8 (0x08)
# Maximize-Reliability 4 (0x04)
# Minimize-Cost 2 (0x02)
# Normal-Service 0 (0x00)

####################### Input Rules (to LOWER) ##################

# Important Rule dont remove!
-A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT

# Accept internal junk (needed for smb)
-A INPUT -s 10.10.121.0/24 -p udp -m udp --dport 137:139 -j ACCEPT
-A INPUT -s 10.10.121.0/24 -p tcp -m tcp --dport 137:139 -j ACCEPT
-A INPUT -p udp -s 10.10.121.0/24 -d 10.10.121.1/24 -m multiport --dports 137,138 -j ACCEPT
-A INPUT -p tcp -s 10.10.121.0/24 -d 10.10.121.1/24 -m multiport --dports 139,445 -j ACCEPT
-A INPUT -p udp -s 10.10.121.0/24 -d 10.10.121.255/32 --dport 137 -j ACCEPT

# drop all other junk (ie ms, broadcast, bootp etc)
-A INPUT -d 255.255.255.255 -j DROP
-A INPUT -p udp -m udp --dport 137:139 -j DROP
-A INPUT -p tcp -m tcp --dport 137:139 -j DROP
-A INPUT -p udp -m udp --dport 445 -j DROP
-A INPUT -p tcp -m tcp --dport 445 -j DROP

# open ports on LOWER
-A INPUT -i lo -j ACCEPT
-A INPUT -p icmp -j ACCEPT
#-A INPUT -p tcp -m tcp --dport 20 -j ACCEPT
#-A INPUT -p tcp -m tcp --dport 21 -j ACCEPT
-A INPUT -p tcp -m tcp --dport 22 -j ACCEPT
-A INPUT -p tcp -m tcp --dport 25 -j ACCEPT
-A INPUT -p tcp -m tcp --dport 80 -j ACCEPT
-A INPUT -p tcp -m tcp --dport 8080 -j ACCEPT

# BitTorrent
-A INPUT -p tcp -m tcp --dport 49152:49159 -j ACCEPT
-A INPUT -p udp -m udp --dport 49152:49159 -j ACCEPT

# DC
-A INPUT -p tcp -m tcp --dport 9176 -j ACCEPT
-A INPUT -p udp -m udp --dport 9176 -j ACCEPT

# FTP
#-A INPUT -p tcp -m tcp --dport 21 -j ACCEPT
#-A INPUT -p tcp -m tcp --dport 1337 -j ACCEPT
#-A INPUT -i eth0 -p tcp --dport 57400:58399 -j ACCEPT

-A INPUT -j LOG --log-prefix "INPUT " --log-level debug -m limit --limit 100/minute --limit-burst 500

# Default
-A INPUT -j DROP

######################### Forwarding Rules #######################

# main rules...
-A FORWARD -m state --state RELATED,ESTABLISHED -j ACCEPT

# allow from inside firewall to outside
-A FORWARD -i eth0 -o eth1 -j ACCEPT
-A FORWARD -i eth2 -o eth1 -j ACCEPT

# and from outside in. FIXME: restrictions
#-A FORWARD -i eth1 -o eth0 -p tcp -m multiport --dports 1337 -j ACCEPT
-A FORWARD -i eth1 -o eth0 -p tcp -m multiport --dports 21 -j ACCEPT
-A FORWARD -i eth1 -o eth0 -j ACCEPT

########################## Logging & drop #########################
-A FORWARD -m limit --limit 100/min --limit-burst 500 -j LOG --log-prefix "FORWARD:" --log-level debug
COMMIT


[root@53dbd181 root]# iptables -vL
Chain INPUT (policy DROP 0 packets, 0 bytes)
 pkts bytes target  prot opt in   out  source          destination
    0     0 ACCEPT  all  --  any  any  anywhere        anywhere        state RELATED,ESTABLISHED
    0     0 ACCEPT  udp  --  any  any  10.10.121.0/24  anywhere        udp dpts:netbios-ns:netbios-ssn
    0     0 ACCEPT  tcp  --  any  any  10.10.121.0/24  anywhere        tcp dpts:netbios-ns:netbios-ssn
    0     0 ACCEPT  udp  --  any  any  10.10.121.0/24  10.10.121.0/24  multiport dports netbios-ns,netbios-dgm
    0     0 ACCEPT  tcp  --  any  any  10.10.121.0/24  10.10.121.0/24  multiport dports netbios-ssn,microsoft-ds
    0     0 ACCEPT  udp  --  any  any  10.10.121.0/24  10.10.121.255   udp dpt:netbios-ns
    0     0 DROP    all  --  any  any  anywhere        255.255.255.255
   11  1189 DROP    udp  --  any  any  anywhere        anywhere        udp dpts:netbios-ns:netbios-ssn
    0     0 DROP    tcp  --  any  any  anywhere        anywhere        tcp dpts:netbios-ns:netbios-ssn
    0     0 DROP    udp  --  any  any  anywhere        anywhere        udp dpt:microsoft-ds
    0     0 DROP    tcp  --  any  any  anywhere        anywhere        tcp dpt:microsoft-ds
    0     0 ACCEPT  all  --  lo   any  anywhere        anywhere
    0     0 ACCEPT  icmp --  any  any  anywhere        anywhere
    0     0 ACCEPT  tcp  --  any  any  anywhere        anywhere        tcp dpt:ssh
    0     0 ACCEPT  tcp  --  any  any  anywhere        anywhere        tcp dpt:smtp
    0     0 ACCEPT  tcp  --  any  any  anywhere        anywhere        tcp dpt:http
    0     0 ACCEPT  tcp  --  any  any  anywhere        anywhere        tcp dpt:webcache
    0     0 ACCEPT  tcp  --  any  any  anywhere        anywhere        tcp dpts:49152:49159
    0     0 ACCEPT  udp  --  any  any  anywhere        anywhere        udp dpts:49152:49159
    0     0 ACCEPT  tcp  --  any  any  anywhere        anywhere        tcp dpt:9176
    0     0 ACCEPT  udp  --  any  any  anywhere        anywhere        udp dpt:9176
    1   388 LOG     all  --  any  any  anywhere        anywhere        limit: avg 100/min burst 500 LOG level debug prefix `INPUT '
    1   388 DROP    all  --  any  any  anywhere        anywhere

Chain FORWARD (policy DROP 0 packets, 0 bytes)
 pkts bytes target  prot opt in   out  source          destination
    0     0 ACCEPT  all  --  any  any  anywhere        anywhere        state RELATED,ESTABLISHED
    0     0 ACCEPT  all  --  eth0 eth1 anywhere        anywhere
    0     0 ACCEPT  all  --  eth2 eth1 anywhere        anywhere
    0     0 ACCEPT  tcp  --  eth1 eth0 anywhere        anywhere        multiport dports ftp
    0     0 ACCEPT  all  --  eth1 eth0 anywhere        anywhere
    0     0 LOG     all  --  any  any  anywhere        anywhere        limit: avg 100/min burst 500 LOG level debug prefix `FORWARD:'

Chain OUTPUT (policy ACCEPT 0 packets, 0 bytes)
 pkts bytes target  prot opt in   out  source          destination
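The 425 reply in the lftp log above carries the C library's text for EADDRNOTAVAIL, which is what bind() returns on Linux when a process asks for a source address that no local interface owns. The address in that message, 83.219.209.129, is the firewall's external address that also appears in the active_addr line of glftpd.conf, while the ftp box itself only has 192.168.21.10. The script below is an added example, not code from the original post or from glftpd: it does what a server does at the start of an active transfer, binding the data socket to a chosen source address and a port from the thread's 57400-58399 range, and reproduces the same failure when that address is not local. 192.0.2.1 (an RFC 5737 documentation address) stands in for a public IP the host does not own; that choice is an assumption of the demo.

```python
"""Reproduce glftpd's '425 Can't create data socket (ip,port): Cannot assign
requested address' failure: an active-mode data socket bound to an address
the host does not own.  Added example, not code from the original post or
from glftpd."""
import errno
import os
import socket

# Data-port range glftpd was configured with in the thread (active_ports 57400-58399).
ACTIVE_PORTS = (57400, 58399)
# Linux errno for bind() to an address no local interface owns ("Cannot assign
# requested address"); exposed so callers need not import errno themselves.
NONLOCAL_BIND_ERRNO = errno.EADDRNOTAVAIL
# RFC 5737 documentation address standing in for a public IP that belongs to
# the NAT box rather than to the FTP server (assumption for this demo).
NOT_OURS = "192.0.2.1"


def is_local_address(ip):
    """True if the kernel lets this host bind to `ip`, i.e. some interface owns it.
    Port 0 asks for any free port, so only the address is being tested."""
    s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    try:
        s.bind((ip, 0))
        return True
    except OSError as e:
        if e.errno == errno.EADDRNOTAVAIL:
            return False
        raise
    finally:
        s.close()


def bind_active_data_socket(bind_ip, port_range=ACTIVE_PORTS):
    """Do what an FTP server does before an active (PORT) transfer: bind the data
    socket to a local source address and a port from the configured range; the
    connect() to the client's PORT address would follow.  Returns (socket, None)
    on success or (None, errno) on failure."""
    lo, hi = port_range
    last_err = None
    for port in range(lo, hi + 1):
        s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
        s.setsockopt(socket.SOL_SOCKET, socket.SO_REUSEADDR, 1)
        try:
            s.bind((bind_ip, port))
            return s, None
        except OSError as e:
            s.close()
            last_err = e.errno
            if e.errno == errno.EADDRINUSE:
                continue              # that port is busy, try the next one
            return None, e.errno      # EADDRNOTAVAIL etc.: retrying ports cannot help
    return None, last_err


def describe_bind(bind_ip, port_range=ACTIVE_PORTS):
    """One-line verdict, phrased like the server's 425 reply on failure."""
    s, err = bind_active_data_socket(bind_ip, port_range)
    if s is not None:
        ip, port = s.getsockname()
        s.close()
        return "bound data socket (%s,%d)" % (ip, port)
    reason = os.strerror(err) if err is not None else "no free port"
    return "425 Can't create data socket (%s,%d): %s" % (bind_ip, port_range[0], reason)


if __name__ == "__main__":
    for ip in ("127.0.0.1", NOT_OURS):
        state = "local" if is_local_address(ip) else "not local"
        print("%-12s %-9s %s" % (ip, state, describe_bind(ip)))
```

Run as an unprivileged user on the ftp box with the configured address: if 83.219.209.129 comes back "not local", no iptables rule on the firewall can make the bind succeed; the data socket has to be bound to an address the box owns (192.168.21.10 or 0.0.0.0) and the SNAT on eth1 rewrites it on the way out. The net.ipv4.ip_nonlocal_bind sysctl would let the bind succeed, but replies to that address arrive at the firewall, which owns it, not at the ftp box, so it only hides the symptom.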

 
Christoph Scheurer
07-09-2006, 12:03 PM
On Sunday, 09.07.2006, 02:25 -0700, (E-Mail Removed) wrote:
> -A POSTROUTING -s 10.10.121.0/24 -o eth0 -j SNAT --to 83.219.209.129
> -A POSTROUTING -s 10.10.121.0/24 -o eth1 -j SNAT --to 83.219.209.129
> -A POSTROUTING -s 10.10.121.0/24 -o eth2 -j SNAT --to 83.219.209.129
> -A POSTROUTING -s 192.168.21.0/24 -o eth0 -j SNAT --to 83.219.209.129
> -A POSTROUTING -s 192.168.21.0/24 -o eth1 -j SNAT --to 83.219.209.129
> -A POSTROUTING -s 192.168.21.0/24 -o eth2 -j SNAT --to 83.219.209.129

I can't see what kind of setup you have, but I think you should do SNAT
only on the external interface of the Firewall.
Otherwise, every packet going through the FW has the source address
83....

Greets
Chris

 
lelle
07-09-2006, 06:24 PM

Christoph Scheurer wrote:
> On Sunday, 09.07.2006, 02:25 -0700, (E-Mail Removed) wrote:
> > -A POSTROUTING -s 10.10.121.0/24 -o eth0 -j SNAT --to 83.219.209.129
> > -A POSTROUTING -s 10.10.121.0/24 -o eth1 -j SNAT --to 83.219.209.129
> > -A POSTROUTING -s 10.10.121.0/24 -o eth2 -j SNAT --to 83.219.209.129
> > -A POSTROUTING -s 192.168.21.0/24 -o eth0 -j SNAT --to 83.219.209.129
> > -A POSTROUTING -s 192.168.21.0/24 -o eth1 -j SNAT --to 83.219.209.129
> > -A POSTROUTING -s 192.168.21.0/24 -o eth2 -j SNAT --to 83.219.209.129

> I can't see what kind of setup you have, but I think you should do SNAT
> only on the external interface of the Firewall.
> Otherwise, every packet going through the FW has the source address
> 83....
>


Thanks for your reply. I assume you mean that the only POSTROUTING
should be (since eth1 is the external if):

-A POSTROUTING -s 10.10.121.0/24 -o eth1 -j SNAT --to 83.219.209.129
-A POSTROUTING -s 192.168.21.0/24 -o eth1 -j SNAT --to 83.219.209.129

Unfortunately that doesn't help (this was my original setup, but I have
been fumbling and guessing); I still get the same error (425 Can't
create data socket (83.219.209.129,57810): Cannot assign requested
address).

Thanx
/Lennart

 
Philippe WEILL
07-10-2006, 02:04 PM
(E-Mail Removed) wrote:
> I have been struggling on and off for the last couple of weeks to get
> my firewall to accept active ftp. I have read many faqs and related
> stuff, but obviously I am missing something. The ftp machine is located
> behind the firewall
>
>


Did you load the kernel module ip_nat_ftp?
Could you post the lsmod results?
 
lelle
07-10-2006, 02:42 PM

Philippe WEILL wrote:
> (E-Mail Removed) wrote:
> > I have been struggling on and off for the last couple of weeks to get
> > my firewall to accept active ftp. I have read many faqs and related
> > stuff, but obviously I am missing something. The ftp machine is located
> > behind the firewall
> >
> >

>
> Did you load the kernel module ip_nat_ftp?
> Could you post the lsmod results?


Thanks for your reply. Yes, it is loaded:

[root@53dbd181 log]# lsmod | grep ^ip_
ip_nat_ftp 5041 0
ip_conntrack_ftp 72817 1 ip_nat_ftp
ip_conntrack 40949 4
ip_nat_ftp,ip_conntrack_ftp,ipt_state,iptable_nat
ip_tables 16577 6
ipt_LOG,ipt_limit,ipt_multiport,iptable_filter,ipt_state,iptable_nat

In order to simplify the problem, I am using the standard port (21)
since - as far as I understand - ip_conntrack_ftp needs to be informed
of any nonstandard port.

I'm totally out of ideas, so any more suggestions you can come up with
are appreciated.


Thanx
/Lennart
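The remark above about ip_conntrack_ftp needing to know about non-standard ports, and the PORT exchange in the first post, are both about what the two FTP helper modules on the firewall do with the control channel. The Python below models that, as an added example that is neither the kernel's code nor code from the original post: the conntrack helper inspects only control connections whose destination port is on its list (21 by default; the module's `ports=` parameter adds others, e.g. `ports=21,1337`), parses `PORT` commands and `227` passive replies, and registers an "expectation" so the data connection is accepted as RELATED; the NAT helper additionally rewrites the address embedded in the command when it is the private one behind the NAT. The `PORT 192,168,123,106,139,113` line is the one lftp sent in the first post; note that it advertises an RFC 1918 address, which a NAT helper on the client's side would have to rewrite before the server could connect back to it. The `227` reply from the server and the public client address 198.51.100.7 are constructed test data.

```python
"""Model of the netfilter FTP helpers: ip_conntrack_ftp parses the control
channel and registers an expectation for the data connection; ip_nat_ftp
rewrites the address carried in PORT commands and 227 replies.  Added
example, not the kernel's code and not code from the original post."""
import re
from dataclasses import dataclass

# ip_conntrack_ftp only inspects control connections to these destination
# ports; loading it with 'ports=21,1337' would add the non-standard port.
DEFAULT_HELPER_PORTS = frozenset({21})

# h1,h2,h3,h4,p1,p2 as used by 'PORT ...' (client) and '227 ... (...)' (server)
HOSTPORT = r"(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3})"
PORT_RE = re.compile(r"^PORT\s+" + HOSTPORT + r"\s*$", re.IGNORECASE)
PASV_RE = re.compile(r"^227\s.*?\(" + HOSTPORT + r"\)")


@dataclass(frozen=True)
class Expectation:
    """Data connection the firewall should treat as RELATED to the control one."""
    initiator: str   # 'server' for active (PORT), 'client' for passive (227)
    dst_ip: str
    dst_port: int


def decode_hostport(groups):
    """'h1,h2,h3,h4,p1,p2' -> ('h1.h2.h3.h4', p1*256+p2), rejecting bad octets."""
    vals = [int(g) for g in groups]
    if any(v > 255 for v in vals):
        raise ValueError("octet out of range: %r" % (groups,))
    h1, h2, h3, h4, p1, p2 = vals
    return "%d.%d.%d.%d" % (h1, h2, h3, h4), p1 * 256 + p2


def encode_hostport(ip, port):
    """Inverse of decode_hostport."""
    return ",".join(ip.split(".")) + ",%d,%d" % (port // 256, port % 256)


def track(control_dport, line, helper_ports=DEFAULT_HELPER_PORTS):
    """ip_conntrack_ftp: the Expectation a control-channel line creates, or None.
    With no expectation the data connection is just a NEW packet and hits the
    FORWARD chain's DROP policy unless some other rule lets it through."""
    if control_dport not in helper_ports:
        return None          # helper not attached to this control connection
    m = PORT_RE.match(line)
    if m:
        ip, port = decode_hostport(m.groups())
        return Expectation("server", ip, port)   # server connects out to the client
    m = PASV_RE.match(line)
    if m:
        ip, port = decode_hostport(m.groups())
        return Expectation("client", ip, port)   # client connects in to the server
    return None


def nat_rewrite(line, private_ip, public_ip):
    """ip_nat_ftp: if the embedded address is the NATed host's private one,
    replace it with the public address the peer can actually reach."""
    for rx in (PORT_RE, PASV_RE):
        m = rx.match(line)
        if not m:
            continue
        ip, port = decode_hostport(m.groups())
        if ip != private_ip:
            return line       # someone else's address, leave it alone
        return line[:m.start(1)] + encode_hostport(public_ip, port) + line[m.end(6):]
    return line


if __name__ == "__main__":
    # The PORT from the thread's lftp log, plus a constructed 227 reply from
    # the server behind the firewall (data port 57432 is inside pasv_ports).
    samples = ((21, "PORT 192,168,123,106,139,113"),
               (21, "227 Entering Passive Mode (192,168,21,10,224,88)"),
               (1337, "PORT 192,168,123,106,139,113"))
    for dport, line in samples:
        print("dport %-4d %-50s -> %s" % (dport, line, track(dport, line)))
    print(nat_rewrite(samples[1][1], "192.168.21.10", "83.219.209.129"))
```

The third sample shows the point made in the post: with the default port list the helper never looks at a control connection on 1337, so no expectation is created and the data connection is not RELATED. The nat_rewrite call shows what ip_nat_ftp does to a passive reply from 192.168.21.10 on its way out through the DNAT, so the external client sees 83.219.209.129 rather than the private address.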

 