Firewall settings for incoming passive FTP. Lokkit / IPTables / RH 9


syne...@hotmail.com
Dec 13, 2003, 9:34:05 AM

Hi all

I'm hoping someone can help me with the firewall settings on my
server. I'm running Redhat 9. FTP is the standard vsftpd. I'm
struggling to get the firewall settings right to allow an incoming
passive FTP connection. I'm setting things with lokkit which shows a
character based 'graphical' UI. I assume this is just a friendly way
of editing /etc/sysconfig/iptables. I haven't directly edited iptables
yet but perhaps I need to.

In lokkit, I leave the security level 'high' and then go to
'Customize' and check the main protocols I want and add several more
to the 'Other ports line'. I add pop3:tcp imap:tcp and a few others.
The RH docs suggest that checking 'FTP' is enough to allow passive FTP
but not Active. It seems to achieve the opposite for me. Active works
fine. Passive works if I have 'No Firewall'.

I don't know much about it but I wonder if it's something to do with
port 20. I have now added ftp-data:tcp to the 'Other Ports' but that
hasn't helped. The client hangs when doing an ls after 'Entering
Passive Mode' and then 'Connecting to' a five digit port number.

The lines which I think are relevant in iptables are:

-A RH-Lokkit-0-50-INPUT -p tcp -m tcp --dport 20 --syn -j ACCEPT
-A RH-Lokkit-0-50-INPUT -p tcp -m tcp --dport 21 --syn -j ACCEPT

If you're wondering why I'm even bothering with FTP rather than the
more secure SFTP via SSH it's because I have a few friends / customers
who just need to upload html files and vsftpd allows me to easily
define a fake root to keep them in their own area. I don't think I can
do that effectively with ssh.

Thanks
Ross

Tim
Dec 14, 2003, 7:36:07 AM

On 13 Dec 2003 06:34:05 -0800,
syne...@hotmail.com crossposted:

> I'm hoping someone can help me with the firewall settings on my
> server. I'm running Redhat 9. FTP is the standard vsftpd. I'm
> struggling to get the firewall settings right to allow an incoming
> passive FTP connection. I'm setting things with lokkit which shows a
> character based 'graphical' UI. I assume this is just a friendly way
> of editing /etc/sysconfig/iptables. I haven't directly edited iptables
> yet but perhaps I need to.
>
> In lokkit, I leave the security level 'high' and then go to
> 'Customize' and check the main protocols I want and add several more
> to the 'Other ports line'. I add pop3:tcp imap:tcp and a few others.
> The RH docs suggest that checking 'FTP' is enough to allow passive FTP
> but not Active. It seems to achieve the opposite for me. Active works
> fine. Passive works if I have 'No Firewall'.
>
> I don't know much about it but I wonder if it's something to do with
> port 20. I have now added ftp-data:tcp to the 'Other Ports' but that
> hasn't helped. The client hangs when doing an ls after 'Entering
> Passive Mode' and then 'Connecting to' a five digit port number.
>
> The lines which I think are relevant in iptables are:
>
> -A RH-Lokkit-0-50-INPUT -p tcp -m tcp --dport 20 --syn -j ACCEPT
> -A RH-Lokkit-0-50-INPUT -p tcp -m tcp --dport 21 --syn -j ACCEPT

Some things spring to mind:

1. You're better off manually configuring your own filters.

2. You might want to consider accepting "related" traffic. Depending
on what the criteria are for "related" traffic, that might take care
of it for you simply, and without opening up too many holes in
your firewall.
(You'd accept connections to the FTP control port, and related traffic.)


Note: I don't have the other group that you crossposted to, so I'm only
replying to this group.

--
My "from" address is totally fake. The reply-to address is real, but
may be only temporary. Reply to usenet postings in the same place as
you read the message you're replying to.

Durk van Veen
Dec 14, 2003, 2:46:35 PM

For real transparent hiding of an FTP server, look into the ip_conntrack_ftp
and ip_nat_ftp modules for iptables.


P Gentry
Dec 14, 2003, 5:10:09 PM

syne...@hotmail.com wrote in message news:<cd0f55df.03121...@posting.google.com>...

> Hi all
>
> I'm hoping someone can help me with the firewall settings on my
> server. I'm running Redhat 9. FTP is the standard vsftpd. I'm
> struggling to get the firewall settings right to allow an incoming
> passive FTP connection. I'm setting things with lokkit which shows a
> character based 'graphical' UI. I assume this is just a friendly way
> of editing /etc/sysconfig/iptables. I haven't directly edited iptables
> yet but perhaps I need to.
>
> In lokkit, I leave the security level 'high' and then go to
> 'Customize' and check the main protocols I want and add several more
> to the 'Other ports line'. I add pop3:tcp imap:tcp and a few others.
> The RH docs suggest that checking 'FTP' is enough to allow passive FTP
> but not Active. It seems to achieve the opposite for me. Active works
> fine. Passive works if I have 'No Firewall'.
>
> I don't know much about it but I wonder if it's something to do with
> port 20. I have now added ftp-data:tcp to the 'Other Ports' but that
> hasn't helped. ...

Not sure how Lokkit appends (?) this rule, but believe it's this one:

-A RH-Lokkit-0-50-INPUT -p tcp -m tcp --dport 20 --syn -j ACCEPT

> ... The client hangs when doing an ls after 'Entering
> Passive Mode' and then 'Connecting to' a five digit port number.

This sequence is not clear to me.
a) client sees 'Entering Passive Mode'
b) client sends ls (to port 21 on server) to get the list of files
c) client sees 'Connecting to' port XXXXX -- then hangs
Your client is trying to connect to the high #'rd port your server
told it to use for a data channel.
Your firewall is not letting in SYN packets to random high #'rd ports,
I believe.

>
> The lines which I think are relevant in iptables are:
>
> -A RH-Lokkit-0-50-INPUT -p tcp -m tcp --dport 20 --syn -j ACCEPT

in passive mode, your server will be listening on a _random_ high #'rd
(>1023) port, so this "normal" channel will not be used to transfer
data

> -A RH-Lokkit-0-50-INPUT -p tcp -m tcp --dport 21 --syn -j ACCEPT

this is the control (command) channel which must be established at the
start of a session

>
> If you're wondering why I'm even bothering with FTP rather than the
> more secure SFTP via SSH it's because I have a few friends / customers
> who just need to upload html files and vsftpd allows me to easily
> define a fake root to keep them in their own area. I don't think I can
> do that effectively with ssh.
>
> Thanks
> Ross

Haven't checked the RH docs (which one are you referring to?) but
three things:

-- I'm hardly familiar with Lokkit, much more comfortable with editing
config files and ACLs
-- RH admits that Lokkit is a weeney and not particularly useful for
anything that deviates from the pre-canned rules it uses.
-- The above 2nd line is, in fact, what you would use to set up an
ftp session, but the first is only useful in active (i.e., normal) mode
to support setting up data transfer, not incoming connection
establishment (syn) where no one is listening, which is what it seems
to suggest.

I'm running RH8 and my iptables -L output is a little different from
yours, but just some minor differences in output format, I think.

Unless you're really comfortable using the iptables command to set up
what you want, you may want to try something like Firewall Builder:
http://www.fwbuilder.org/

For some quick/to the point background try:
http://www.unixcities.com/ftp-and-firewall/
http://www.cisco.com/warp/public/759/ipj_2-3/ipj_2-3_oneb.html

Have you thought of running Squid in front of your FTP server? It
would allow you to set up ACLs and/or authentication logins, I
believe (been awhile since I've looked at it).

Since no one else responded, I did.

Hoping the more informed post,
prg
email above disabled
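The a/b/c sequence above is exactly what an FTP client does with the server's "227 Entering Passive Mode" reply: the last two numbers in the parentheses are the high and low bytes of the data port, which is why the client then tries to connect to a five-digit port that the port-20 rule never covers. The following shell snippet is an added example, not code from the thread; it parses a constructed PASV reply the way a client would, so you can see which endpoint the firewall must actually admit, and checks whether that port falls inside a chosen passive range.

```shell
#!/bin/sh
# Parse a PASV reply the way an FTP client does, to see which endpoint the
# client will open for the data channel. Added example; the reply line below
# is constructed, not taken from a real session.

# pasv_endpoint "<227 reply>"  -> prints "a.b.c.d:port"
pasv_endpoint() {
    reply=$1
    # The six numbers in parentheses are the four address octets followed by
    # the data port split into its high and low bytes.
    tuple=$(printf '%s\n' "$reply" | sed -n 's/.*(\([0-9,]*\)).*/\1/p')
    [ -n "$tuple" ] || { echo "not a PASV reply: $reply" >&2; return 1; }
    old_ifs=$IFS
    IFS=,
    set -- $tuple
    IFS=$old_ifs
    [ $# -eq 6 ] || { echo "malformed PASV tuple: $tuple" >&2; return 1; }
    printf '%s.%s.%s.%s:%s\n' "$1" "$2" "$3" "$4" "$(( $5 * 256 + $6 ))"
}

# pasv_port "<227 reply>"  -> prints just the port number, fails on bad input
pasv_port() {
    ep=$(pasv_endpoint "$1") || return 1
    printf '%s\n' "${ep##*:}"
}

# port_in_range PORT MIN MAX -> succeeds if PORT lies in the inclusive range,
# e.g. the range you would pin in vsftpd.conf and open in the firewall.
port_in_range() {
    [ "$1" -ge "$2" ] && [ "$1" -le "$3" ]
}

# Constructed sample reply: 195*256 + 80 = 50000, the "five digit port"
# the client reports when it says "Connecting to".
SAMPLE_PASV='227 Entering Passive Mode (192,168,0,10,195,80)'

# Usage when run directly (prints 192.168.0.10:50000):
[ "${1:-}" = "--demo" ] && pasv_endpoint "$SAMPLE_PASV"
```

Because the announced port is chosen by the server per session, no static `--dport` rule can match it; either the firewall tracks the control channel and treats the data connection as RELATED, or the server is configured to pick from a fixed range that the firewall allows.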

syne...@hotmail.com
Dec 15, 2003, 1:45:46 PM

Thanks everyone. I understand it a bit better now. I've got it going
by opening all ports above 1023 although I'll study some of those
links for a better way.

As for which docs ... it was here
http://www.redhat.com/docs/manuals/linux/RHL-9-Manual/custom-guide/ch-basic-firewall.html
but I realise now that it's talking about configuring a desktop, i.e. for
outgoing FTP.

Cheers
Ross

Tim
Dec 16, 2003, 7:23:45 AM

On 15 Dec 2003 10:45:46 -0800,
syne...@hotmail.com wrote:

> Thanks everyone. I understand it a bit better now. I've got it going
> by opening all ports above 1023 although I'll study some of those
> links for a better way.

I hope you have nothing else susceptible to attack on those ports.

This message was sent without a virus, please delete some files yourself.

Durk van Veen
Dec 16, 2003, 12:06:48 PM

<syne...@hotmail.com> wrote in message
news:cd0f55df.0312...@posting.google.com...

That's a terrible idea. It's not much of a firewall the way you have it set
up now. Assuming you have the FTP server on a box in a translated environment
(let's say 192.168.0.10) on the standard port (21), you need to do the
following:

- load the connection tracking modules for FTP and the "state" module:

modprobe ip_conntrack
modprobe ipt_state
modprobe ip_conntrack_ftp ports=21
modprobe ip_nat_ftp ports=21

- port forward port 21 to your FTP machine and allow the forwarding to
occur (where $IFACE_INTERNET is the interface pointing to the public
address, eth0 or whatever is appropriate for your setup):

iptables -A FORWARD -i $IFACE_INTERNET -j ACCEPT
iptables -A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT
iptables -t nat -A PREROUTING -p TCP --dport 21 -i $IFACE_INTERNET -j DNAT --to-destination 192.168.0.10:21

Note that that forwarding rule is overly permissive but that's not that much
of a problem since packets need to be handled in PREROUTING before they're
going in FORWARD anyways. This can be tightened anyways...


P Gentry
Dec 16, 2003, 2:47:34 PM

Tim <T...@mail.localhost> wrote in message news:<f9uttvk8d7520ujnu...@4ax.com>...

> On 15 Dec 2003 10:45:46 -0800,
> syne...@hotmail.com wrote:
>
> > Thanks everyone. I understand it a bit better now. I've got it going
> > by opening all ports above 1023 although I'll study some of those
> > links for a better way.
>
> I hope you have nothing else susceptible to attack on those ports.

And so do I!

You really should replace the Lokkit chain completely, I think. It
appears RH used a policy of ACCEPT on the INPUT chain, then sends all
incoming packets through Lokkit. YUK!

Chain INPUT (policy ACCEPT)
target prot opt source dest
RH-Lokkit-0-50-INPUT all -- any any

You could make an entry by hand that includes:
-m state --state RELATED
but I've not looked at this for some time.

The best approach is to DENY as a policy and explicitly allow in what
you deem necessary and safe.

Best would be to find a pre-written ruleset (in a script) that you can
use/modify.
Try here for quick background:
http://www.netfilter.org/documentation/HOWTO//packet-filtering-HOWTO.html
and here for some more info and scripts to try:
http://www.linuxguruz.com/iptables/

Better to get this right than get in a hurry. If you need help come
back or try a security related NG.

lol,
prg
email above disabled
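Durk's modprobe/DNAT recipe and P Gentry's advice (a DROP policy, explicit ACCEPTs, and a RELATED rule instead of opening everything above 1023) fit together into one small ruleset. The script below is an added example, not a script from the thread or from Red Hat; it only prints the iptables commands so they can be reviewed before being run as root. Interface names, the 192.168.0.10 address and the PASV_MIN/PASV_MAX range are placeholders; the range is assumed to match `pasv_min_port`/`pasv_max_port` in vsftpd.conf if you choose to pin one.

```shell
#!/bin/sh
# Emit (not apply) iptables rules for the two situations in the thread:
# a stand-alone vsftpd host and a NAT gateway in front of an FTP box.
# Added example; interface names, addresses and the passive range are
# placeholders. Review the output, then run it as root:
#   standalone_rules eth0 | sh
#   PASV_MIN=50000 PASV_MAX=50100 standalone_rules eth0 | sh   # with a pinned range
#   gateway_rules eth0 192.168.0.10 | sh

# The "fix" first tried in the thread, shown only for contrast: every
# service listening above 1023 becomes reachable, not just vsftpd's data port.
open_high_ports_rule() {
    echo 'iptables -A INPUT -p tcp --dport 1024:65535 --syn -j ACCEPT'
}

# Shared preamble: default-DROP policy, loopback, and the conntrack modules.
# ip_conntrack_ftp watches the control channel (port 21) and marks the data
# connection announced in the PASV reply as RELATED, so one state rule admits
# it without any static high-port hole.
policy_and_state() {
    cat <<'EOF'
modprobe ip_conntrack
modprobe ipt_state
modprobe ip_conntrack_ftp ports=21
iptables -P INPUT DROP
iptables -P FORWARD DROP
iptables -P OUTPUT ACCEPT
iptables -F
iptables -t nat -F
iptables -A INPUT -i lo -j ACCEPT
iptables -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
iptables -A INPUT -m state --state INVALID -j DROP
EOF
}

# Stand-alone host: only ssh and the FTP control channel accept NEW
# connections. If PASV_MIN/PASV_MAX are set (placeholder values assumed to
# match pasv_min_port/pasv_max_port in vsftpd.conf) that range is also opened,
# as a fallback for kernels where the FTP helper cannot be loaded.
standalone_rules() {
    iface=${1:-eth0}
    policy_and_state
    cat <<EOF
iptables -A INPUT -i $iface -p tcp --dport 22 -m state --state NEW -j ACCEPT
iptables -A INPUT -i $iface -p tcp --dport 21 -m state --state NEW -j ACCEPT
EOF
    if [ -n "${PASV_MIN:-}" ] && [ -n "${PASV_MAX:-}" ]; then
        echo "iptables -A INPUT -i $iface -p tcp --dport $PASV_MIN:$PASV_MAX -m state --state NEW -j ACCEPT"
    fi
}

# NAT gateway: the DNAT from the thread, with the FORWARD rule tightened to
# the FTP host and port instead of accepting everything from the public side.
# ip_nat_ftp rewrites the address inside the PASV reply for the translated host.
gateway_rules() {
    iface=${1:-eth0}
    ftp_host=${2:-192.168.0.10}
    policy_and_state
    cat <<EOF
modprobe ip_nat_ftp ports=21
iptables -t nat -A PREROUTING -i $iface -p tcp --dport 21 -j DNAT --to-destination $ftp_host:21
iptables -A FORWARD -i $iface -p tcp -d $ftp_host --dport 21 -m state --state NEW -j ACCEPT
iptables -A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT
EOF
}
```

The ESTABLISHED,RELATED rule must come before the per-port NEW rules so that the data connection, which arrives on an arbitrary port, is accepted by state rather than by port; with the policy set to DROP, anything the helper has not marked as related is simply not admitted.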

syne...@hotmail.com
Dec 17, 2003, 11:11:44 PM

"Durk van Veen" <nntp...@cox.net> wrote in message news:<IYGDb.9459$i55.4688@fed1read06>...

> <syne...@hotmail.com> wrote in message
> news:cd0f55df.0312...@posting.google.com...
> > Thanks everyone. I understand it a bit better now. I've got it going
> > by opening all ports above 1023 although I'll study some of those
> > links for a better way.

> That's a terrible idea. It's not much of a firewall the way you have it set
> up now. Assuming you have the FTP server on a box in a translated environment
> (let's say 192.168.0.10) on the standard port (21), you need to do the
> following:

Fair enough and thanks for the advice. I've persuaded my two FTP users
to use active FTP and I've turned off the high port access so
everything is okay for now.

It's not quite as simple as it may seem (or maybe it's simpler). The
thing I didn't mention before is that it's a virtual machine at a host
running UML (User Mode Linux). There is no NAT and from my point of
view, just one machine and no local LAN. netstat -tul tells me there
are no unintended listeners.

The one thing I can't do is load my own modules because of security
risks to physical host. I don't know enough to tell if ip_conntrack is
already loaded or compiled into the kernel. I might be talking
nonsense with that statement. /proc/net/ip_conntrack exists if that
means anything.

Cheers
Ross
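When you cannot load modules yourself, the question becomes whether the FTP helper is already present, either loaded or compiled in. The script below is an added example, not from the thread; it only reads files. It checks `/proc/net/ip_conntrack` for connection tracking itself, `/proc/modules` for the helper as a loaded module, and, as a labelled heuristic, the kernel symbol table (`/proc/kallsyms`, an assumption; older kernels use other paths) for a built-in helper. The file formats in `demo_status` are constructed fixtures so the check can be tried anywhere.

```shell
#!/bin/sh
# Check, without loading anything, whether the FTP connection-tracking helper
# is usable on this kernel. Added example; the default paths are the real
# /proc entries, and the fixtures in demo_status are constructed stand-ins.

# conntrack_ftp_status [MODULES_FILE] [CONNTRACK_TABLE] [KSYMS_FILE]
# Prints one of: no-conntrack, helper-module, helper-builtin, helper-not-found
conntrack_ftp_status() {
    modules=${1:-/proc/modules}
    table=${2:-/proc/net/ip_conntrack}
    ksyms=${3:-/proc/kallsyms}
    # The table only exists when connection tracking is active at all.
    [ -r "$table" ] || { echo no-conntrack; return 0; }
    # Loaded as a module: /proc/modules lists it by name in the first column.
    if grep -q '^ip_conntrack_ftp[[:space:]]' "$modules" 2>/dev/null; then
        echo helper-module
        return 0
    fi
    # Compiled in: no /proc/modules entry, but its symbols still show up in
    # the kernel symbol table. Heuristic (assumption): the symbol names
    # contain "conntrack_ftp" and the table is readable at $ksyms.
    if grep -q 'conntrack_ftp' "$ksyms" 2>/dev/null; then
        echo helper-builtin
        return 0
    fi
    # Neither seen: without the helper, passive data connections will not be
    # RELATED, so a pinned passive range is the remaining defensible option.
    echo helper-not-found
}

# Dry run on constructed fixtures that loosely mimic the real file formats.
demo_status() {
    dir=$(mktemp -d) || return 1
    printf 'ip_conntrack_ftp 5344 0 - Live 0xd08a1000\nip_conntrack 26864 1 ip_conntrack_ftp, Live 0xd089c000\n' > "$dir/modules"
    printf 'tcp 6 431999 ESTABLISHED src=10.0.0.5 dst=10.0.0.1 sport=33000 dport=21 [ASSURED] use=1\n' > "$dir/ip_conntrack"
    : > "$dir/kallsyms"
    conntrack_ftp_status "$dir/modules" "$dir/ip_conntrack" "$dir/kallsyms"
    rm -rf "$dir"
}

# Usage on a real host (prints one status word):
[ "${1:-}" = "--check" ] && conntrack_ftp_status
```

A `helper-not-found` result on a guest where modprobe is off limits means the RELATED approach is not available to you, so the next best thing is to pin vsftpd's passive range to a small block and allow only that block inbound, rather than everything above 1023.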
