#1
I have a LAN going out to the Internet through a Linux box with NAT and a firewall. I set up the firewall with iptables, and the policy was that all the connections (incoming and outgoing) were closed, and when I wanted to allow access to a service I was opening that port only in the outgoing direction, for instance with HTTP:

```
#Web
iptables -A FW-Dani -m tcp -p tcp -s 0/0 --sport 80 -d 192.168.0.0/24 --syn -j DROP
iptables -A FW-Dani -m tcp -p tcp -s 192.168.0.0/24 -d 0/0 --dport 80 -j ACCEPT
iptables -A FW-Dani -m tcp -p tcp -s 0/0 --sport 80 -d 192.168.0.0/24 -j ACCEPT
```

The problem is with FTP. I thought that using passive was the solution, because when using passive mode the servers always listen at port number 20 for the data channel, so I set the following rules for FTP:

```
#FTP
iptables -A FW-Dani -m tcp -p tcp -s 0/0 --sport 20:21 -d 192.168.0.0/24 --syn -j DROP
iptables -A FW-Dani -m tcp -p tcp -s 192.168.0.0/24 -d 0/0 --dport 20:21 -j ACCEPT
iptables -A FW-Dani -m tcp -p tcp -s 0/0 --sport 20:21 -d 192.168.0.0/24 -j ACCEPT
```

allowing a TCP connection to be started to ports 20 or 21. The problem is that I am seeing that FTP servers in passive mode don't listen at port 20 as I was thinking; when I run an FTP client in passive mode this is the response from the server:

```
Passive mode on.
ftp> ls
227 Entering Passive Mode (130,206,1,5,126,161)
```

So the server is listening at port 126*256+161=32417, and not port 20 as I was thinking, therefore my firewall blocks the connection. Btw, when is port number 20 used in FTP???

Then the question is: is there any way to establish dynamic rules with iptables when the FTP connection starts, or some kind of module to be used with iptables that allows identifying the specific FTP protocol not by the port but by something else? Otherwise the only solution is to allow all possible outgoing connections from my LAN.

I am using NAT as well; the FTP client has a private address, I don't know if this should be considered as well.

Thanks a lot!
Daniel Camps
#2
I hope that some good FAQ with such a boring question exists somewhere, but I failed to find it.

iptables(8): read about "conntrack". After correcting your tables, check that your kernel supports "ip_conntrack_ftp" (load the appropriate kernel module if needed and if possible; if not possible, reconfigure and rebuild the kernel).

--
Linux console notes http://entresol.roger.net.ru/linux/console/
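The conntrack-based setup the reply points at, as an added example (not code from either poster). It assumes the LAN 192.168.0.0/24 and the FW-Dani chain from the question, and the nf_conntrack_ftp helper module (ip_conntrack_ftp on old kernels); it also derives the data port 32417 from the 227 reply quoted above, to show why a static port rule cannot work.

```shell
#!/bin/sh
# Added example, not from the thread: stateful FTP rules using the conntrack
# FTP helper, plus a parser for the "227 Entering Passive Mode" reply.
# Assumptions: LAN 192.168.0.0/24 and chain FW-Dani as in the question; the
# helper module is nf_conntrack_ftp (ip_conntrack_ftp on 2.4/2.6-era kernels).

LAN=192.168.0.0/24
CHAIN=FW-Dani
# Dry run by default: the commands are printed, not executed.
# Run with IPT=iptables MODPROBE=modprobe (as root) to apply them.
IPT=${IPT:-echo iptables}
MODPROBE=${MODPROBE:-echo modprobe}

# Turn a "227 Entering Passive Mode (h1,h2,h3,h4,p1,p2)" reply into "host port".
# The data port is p1*256+p2, which is why it is not 20 and cannot be known
# in advance; the firewall has to learn it from the control channel.
pasv_endpoint() {
    set -- $(printf '%s\n' "$1" | sed -n 's/.*(\([0-9,]*\)).*/\1/p' | tr ',' ' ')
    [ $# -eq 6 ] || return 1
    printf '%s.%s.%s.%s %d\n' "$1" "$2" "$3" "$4" $(( $5 * 256 + $6 ))
}

load_helper() {
    $MODPROBE nf_conntrack_ftp   # parses PORT/PASV on the control channel
    $MODPROBE nf_nat_ftp         # fixes up addresses in those commands behind NAT
}

ftp_rules() {
    # Bind the ftp helper to port-21 control connections. Kernels since 4.7
    # no longer attach helpers automatically, so this raw-table rule is needed.
    $IPT -t raw -A PREROUTING -p tcp --dport 21 -j CT --helper ftp
    # Replies on known connections, and the data connection the helper expects
    # after a 227 reply, are ESTABLISHED/RELATED: accept them in both directions.
    $IPT -A "$CHAIN" -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
    # Only the LAN may open a new control connection, and only to port 21.
    # No static data-port range (20, 32417 or anything else) is opened.
    $IPT -A "$CHAIN" -p tcp -s "$LAN" -d 0/0 --dport 21 -m conntrack --ctstate NEW -j ACCEPT
}

load_helper
ftp_rules
```

The ESTABLISHED,RELATED rule also replaces the per-service "--sport 80 --syn DROP / --sport 80 ACCEPT" pairs from the question, since reply packets are matched by connection state rather than by source port.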