iptables ftp problem

Discussion in 'Linux Networking' started by johnny bobby bee, May 12, 2005.

  1. Can someone tell me why I can't connect to any ftp site with the
    following rules:

    #Turn on outgoing communication
    iptables -A OUTPUT -p tcp --dport 53 -j ACCEPT
    iptables -A OUTPUT -p udp --dport 53 -j ACCEPT
    iptables -A OUTPUT -p tcp -m multiport --destination-ports \
        20,21,22,25,43,80,82,119,123,137,138,139 \
        -m state --state NEW -j ACCEPT
    iptables -A OUTPUT -p tcp -m multiport --destination-ports \
        143,389,443,445,554,2628,1755,4321,5050 \
        -m state --state NEW -j ACCEPT
    iptables -A OUTPUT -p udp -m multiport --destination-ports \
        20,21,22,25,43,80,82,119,123,137,138,139 \
        -m state --state NEW -j ACCEPT
    iptables -A OUTPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
    iptables -A OUTPUT -m state --state INVALID -j LOG --log-prefix \
        "--DROP:OUTPUT INVALID-- "
    iptables -A OUTPUT -m state --state INVALID -j DROP
    iptables -A OUTPUT -j LOG --log-prefix "--DROP:OUTPUT NOT MATCHED-- "
    iptables -A OUTPUT -j DROP

    I get the following entries in the log for Rutgers University and
    Indiana University, for example:

    May 12 12:08:23 localhost kernel: --DROP:OUTPUT NOT MATCHED-- IN= OUT=eth0 SRC=192.168.2.101 DST=165.230.246.3 LEN=60 TOS=0x00 PREC=0x00 TTL=64 ID=22985 DF PROTO=TCP SPT=42064 DPT=44763 WINDOW=5840 RES=0x00 SYN URGP=0

    May 12 12:09:21 localhost kernel: --DROP:OUTPUT NOT MATCHED-- IN= OUT=eth0 SRC=192.168.2.101 DST=156.56.247.193 LEN=60 TOS=0x00 PREC=0x00 TTL=64 ID=821 DF PROTO=TCP SPT=42069 DPT=31170 WINDOW=5840 RES=0x00 SYN URGP=0

    If I were to take off the 80 or 143 in the -m multiport line, then I
    can't surf or read my IMAP mail, but when I put them back in, everything
    is fine. What am I missing that won't allow me to connect to an ftp server?

    I know that if I added 'NEW' to the -m state --state RELATED,ESTABLISHED
    -j ACCEPT line then it works, but then *every* port will get through (out)
    and I don't even need the '-m multiport' line at all. I'd rather define
    which ports get out.

    Am I being paranoid, and should I just use 'NEW' with RELATED,ESTABLISHED?
    Is the -m multiport line going overboard?
    And why does every other port work except for ftp, if I don't have
    'NEW' included?

    I'll post more of my iptables rules if needed.
    Cheers
     
    johnny bobby bee, May 12, 2005
    #1

  2. bram4 Guest

    Hi

    Have you tried both active and passive ftp?
    Because (you know probably) active ftp makes a connection from server to
    client.

    Regards
    Bram4


    --

    BIG BROTHER IS WATCHING YOU
    www.anti-dmca.org
     
    bram4, May 12, 2005
    #2

  3. Using gftp, I had to uncheck 'passive file transfers' for it to work,
    even though the tool tip says, "if you are behind a firewall you will
    have to enable this".

    I still can't get to an ftp site using a browser.
     
    johnny bobby bee, May 12, 2005
    #3
  4. Jacco Guest

    Have you loaded the ftp netfilter modules?

    modprobe ip_conntrack_ftp

    and if you are doing nat

    modprobe ip_conntrack_ftp
    modprobe ip_nat_ftp

    on the gateway

    you can check with lsmod
     
    Jacco, May 12, 2005
    #4
  5. Bless you, that got it. I didn't know such a thing existed. Is that
    specifically for browser-ftp ability?
    Do I have to include it in /etc/modules for it to load whenever I
    reboot? And why isn't it included with iptables by default?
    Not doing NAT on this PC, but good to know I'd have to include that as well.
     
    johnny bobby bee, May 13, 2005
    #5
  6. It provides connection tracking that monitors an ftp control port to
    pick up any ftp commands that will cause an associated data port to be
    opened. The SYN packet for the ftp data will then be matched by the
    "RELATED" test. Note that ip_conntrack_ftp understands both passive and
    active ftp data transfers. It's not specifically to do with a browser; it
    is just the bizarro way the ftp protocol works. Any ftp client would
    encounter the same issue, and all firewalls have to be able to cope with
    this nuisance.

    Klazmon
     
    Llanzlan Klazmon, May 13, 2005
    #6
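As an added illustration (not code from the thread or from netfilter), here is a small Python model of what Klazmon describes: the ftp helper reads the control channel, works out the data port that a 227 "Entering Passive Mode" reply or an active-mode PORT command announces, and that expectation is what lets the later data SYN match RELATED instead of falling through to the poster's final DROP. The PASV reply and the log line are constructed to match the first dropped entry in the original post (174*256+219 = 44763).

```python
import re

# Constructed sample data (not captured from the thread): the control-channel
# reply that precedes the data connection, and the LOG line its SYN produced.
PASV_REPLY = "227 Entering Passive Mode (165,230,246,3,174,219)\r\n"
LOG_LINE = ("May 12 12:08:23 localhost kernel: --DROP:OUTPUT NOT MATCHED-- IN= OUT=eth0 "
            "SRC=192.168.2.101 DST=165.230.246.3 PROTO=TCP SPT=42064 DPT=44763 SYN URGP=0")

# TCP destination ports the poster's "-m multiport ... --state NEW" rules accept.
ALLOWED_NEW_TCP = {20, 21, 22, 25, 43, 80, 82, 119, 123, 137, 138, 139,
                   143, 389, 443, 445, 554, 2628, 1755, 4321, 5050}

_HOSTPORT = re.compile(r"(\d+),(\d+),(\d+),(\d+),(\d+),(\d+)")


def ftp_expectation(line):
    """Return (ip, port) announced by a PASV reply (227 ...) or an active-mode
    PORT command, as the ftp conntrack helper would; None for any other line.
    (An active-mode expectation is matched on the inbound side, not in OUTPUT.)"""
    if not (line.startswith("227") or line.upper().startswith("PORT")):
        return None
    m = _HOSTPORT.search(line)
    if not m:
        return None
    h1, h2, h3, h4, p1, p2 = (int(x) for x in m.groups())
    return (f"{h1}.{h2}.{h3}.{h4}", p1 * 256 + p2)


def parse_log(line):
    """Pull the KEY=value fields out of a netfilter LOG line (empty IN= is skipped)."""
    return dict(re.findall(r"(\w+)=(\S+)", line))


def verdict(log_fields, expectations):
    """Walk the poster's OUTPUT chain for a new outbound TCP SYN:
    multiport NEW -> RELATED (helper expectation) -> fall through to LOG+DROP."""
    dst, dport = log_fields["DST"], int(log_fields["DPT"])
    if dport in ALLOWED_NEW_TCP:
        return "ACCEPT (multiport NEW)"
    if (dst, dport) in expectations:
        return "ACCEPT (RELATED via ftp helper)"
    return "DROP (OUTPUT NOT MATCHED)"


if __name__ == "__main__":
    fields = parse_log(LOG_LINE)
    print("without ip_conntrack_ftp:", verdict(fields, set()))
    print("with ip_conntrack_ftp:   ", verdict(fields, {ftp_expectation(PASV_REPLY)}))
```

Without the helper there is no expectation for 165.230.246.3:44763, so the data SYN hits the catch-all DROP exactly as the poster's log shows; with it, the same SYN is RELATED and the multiport list can stay narrow.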
  7. Jacco Guest

    Is conntrack_ftp and nat_ftp port specific or protocol specific? I tried
    to contact an ftp server running on a non-standard port from one Linux
    box through a NATed Linux box to the internet. It failed to do the
    transfers. It works when I do ftp transfers on the normal port.
     
    Jacco, May 13, 2005
    #7

  8. For this you need to load the ip_conntrack_ftp or ip_nat_ftp module
    (only works if ip_conntrack_ftp is compiled as a module) with:

    ip_conntrack_ftp ports=21,xxx,yyy,....

    or

    ip_nat_ftp ports=21,xxx,yyy,....
     
    Philippe WEILL, May 13, 2005
    #8