
iptables - FTP timeout 1

Status
Not open for further replies.

nix45

MIS
Nov 21, 2002
478
US
RH72
ProFTPd 1.2.7
iptables 1.2.3

I'm new to iptables and I'm using a custom script that I downloaded off the internet. Whenever I connect to the FTP server, it times out a few seconds later. Here's the error in the client (replaced the IP with 1.2.3.4)...

227 Entering Passive Mode (1,2,3,4,128,65).
Connecting to 1.2.3.4 port 32833
Connection timed out

Here's what I get in /var/log/messages...

Feb 26 09:51:25 flux proftpd[1162]: flux.foo.org (5.6.7.8[5.6.7.8]) - FTP session opened.
Feb 26 09:51:25 flux proftpd[1162]: flux.foo.org (5.6.7.8[5.6.7.8]) - PAM(chris): Authentication failure.

Everything works fine before I run the iptables script.

Thanks,
Chris

 

Can you list the script here??

Cheers Henrik Morsing
Certified AIX 4.3 Systems Administration
& p690 Technical Support
 
You have to open ports for passive ftp data connection. But first, you have to set a range for them in your ftp server configuration. It is easier for active ftp, BTW. If you post your script here, I can guide you how to do this.
 
I downloaded this off the internet and modified it slightly. I'm running Apache (80), ProFTPd (21), Courier-IMAP (143, 110), SSH (22), and BIND (53). I'm also running a LIDS-enabled kernel, but that doesn't matter because FTP does work with the iptables rules cleared.

#!/bin/sh
#
# 2.4 kernel
#
# The location of the IPtables binary file on your system.
IPT="/sbin/iptables"

# The Network Interface you will be protecting.
INT="eth0"

# The following rules will clear out any existing firewall rules,
# and any chains that might have been created.
$IPT -F
$IPT -F INPUT
$IPT -F OUTPUT
$IPT -F FORWARD
$IPT -F -t mangle
$IPT -F -t nat
$IPT -X

# These will setup our policies.
$IPT -P INPUT DROP
$IPT -P OUTPUT ACCEPT
$IPT -P FORWARD ACCEPT

# The following line below enables IP forwarding and thus
# by extension, NAT. Turn this on if you're going to be
# doing NAT or IP Masquerading.
#echo 1 > /proc/sys/net/ipv4/ip_forward

# Source NAT everything heading out the $INT (external)
# interface to be the given IP. If you have a dynamic IP
# address or a DHCP IP that changes semi-regularly, comment out
# the first line and uncomment the second line.
#
# Remember to change the ip address below to your static ip.

$IPT -t nat -A POSTROUTING -o $INT -j SNAT --to 1.2.3.4
#$IPT -t nat -A POSTROUTING -o $INT -j MASQUERADE

# This rule protects your forwarding rule.
$IPT -A FORWARD -i $INT -m state --state NEW,INVALID -j DROP

# If you would like to forward specific ports to other machines
# on your home network, edit and uncomment the rules below. They are
# currently set up to forward port 25 & 53 (Mail & DNS) to 10.1.1.51.
# Anything incoming over your $INT through your gateway will
# be automatically redirected invisibly to port 25 & 53 on 10.1.1.51
#$IPT -t nat -A PREROUTING -i $INT -p tcp --dport 25 -j DNAT --to 10.1.1.51:25
#$IPT -t nat -A PREROUTING -i $INT -p tcp --dport 53 -j DNAT --to 10.1.1.51:53
#$IPT -t nat -A PREROUTING -i $INT -p udp --dport 53 -j DNAT --to 10.1.1.51:53

# These two redirect a block of ports, in both udp and tcp.
#$IPT -t nat -A PREROUTING -i $INT -p tcp --dport 2300:2400 -j DNAT --to 10.1.1.50
#$IPT -t nat -A PREROUTING -i $INT -p udp --dport 2300:2400 -j DNAT --to 10.1.1.50

# Now, our firewall chain. We use the limit commands to
# cap the rate at which it alerts to 15 log messages per minute.
$IPT -N firewall
$IPT -A firewall -m limit --limit 15/minute -j LOG --log-prefix Firewall:
$IPT -A firewall -j DROP

# Now, our dropwall chain, for the final catchall filter.
$IPT -N dropwall
$IPT -A dropwall -m limit --limit 15/minute -j LOG --log-prefix Dropwall:
$IPT -A dropwall -j DROP

# Our "hey, them's some bad tcp flags!" chain.
$IPT -N badflags
$IPT -A badflags -m limit --limit 15/minute -j LOG --log-prefix Badflags:
$IPT -A badflags -j DROP

# And our silent logging chain.
$IPT -N silent
$IPT -A silent -j DROP

# This rule will accept connections from local machines. If you have
# a home network, enter in the IP's of the machines on the
# network below.
$IPT -A INPUT -i lo -j ACCEPT
#$IPT -A INPUT -s 10.1.1.50 -d 0/0 -p all -j ACCEPT
#$IPT -A INPUT -s 10.1.1.51 -d 0/0 -p all -j ACCEPT
#$IPT -A INPUT -s 10.1.1.52 -d 0/0 -p all -j ACCEPT

# Drop those nasty packets! These are all TCP flag
# combinations that should never, ever occur in the
# wild. All of these are illegal combinations that
# are used to attack a box in various ways, so we
# just drop them and log them here.
$IPT -A INPUT -p tcp --tcp-flags ALL FIN,URG,PSH -j badflags
$IPT -A INPUT -p tcp --tcp-flags ALL ALL -j badflags
$IPT -A INPUT -p tcp --tcp-flags ALL SYN,RST,ACK,FIN,URG -j badflags
$IPT -A INPUT -p tcp --tcp-flags ALL NONE -j badflags
$IPT -A INPUT -p tcp --tcp-flags SYN,RST SYN,RST -j badflags
$IPT -A INPUT -p tcp --tcp-flags SYN,FIN SYN,FIN -j badflags

# Drop icmp, but only after letting certain types through.
$IPT -A INPUT -p icmp --icmp-type 0 -j ACCEPT
$IPT -A INPUT -p icmp --icmp-type 3 -j ACCEPT
$IPT -A INPUT -p icmp --icmp-type 11 -j ACCEPT
$IPT -A INPUT -p icmp --icmp-type 8 -m limit --limit 1/second -j ACCEPT
$IPT -A INPUT -p icmp -j firewall

# If you would like to open up port 22 (SSH Access) to various IP's
# simply edit the IP's below and uncomment the line. If you wish to
# enable SSH access from anywhere, uncomment the second line only.
#$IPT -A INPUT -i $INT -s 10.1.1.1 -d 0/0 -p tcp --dport 22 -j ACCEPT
$IPT -A INPUT -i $INT -s 0/0 -d 0/0 -p tcp --dport 22 -j ACCEPT

# If you are running a Web Server, uncomment the next line to open
# up port 80 on your machine.
$IPT -A INPUT -i $INT -s 0/0 -d 0/0 -p tcp --dport 80 -j ACCEPT

# POP3, IMAP, SMTP, FTP
$IPT -A INPUT -i $INT -s 0/0 -d 0/0 -p tcp --dport 110 -j ACCEPT
$IPT -A INPUT -i $INT -s 0/0 -d 0/0 -p tcp --dport 143 -j ACCEPT
$IPT -A INPUT -i $INT -s 0/0 -d 0/0 -p tcp --dport 25 -j ACCEPT
$IPT -A INPUT -i $INT -s 0/0 -d 0/0 -p tcp --dport 21 -j ACCEPT

# DNS
nameserver=1.2.3.4
trusted=1.2.3.4
$IPT -A INPUT -s 0/0 -d $nameserver -p udp --dport 53 -j ACCEPT
$IPT -A INPUT -s $trusted -d $nameserver -p tcp --dport 53 -j ACCEPT

# Lets do some basic state-matching. This allows us
# to accept related and established connections, so
# client-side things like ftp work properly, for example.
$IPT -A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT

# Uncomment to drop port 137 netbios packets silently.
# We don't like that netbios stuff, and it's way too
# spammy with windows machines on the network.
$IPT -A INPUT -p udp --sport 137 --dport 137 -j silent

# Our final trap. Everything on INPUT goes to the dropwall
# so we don't get silent drops.
$IPT -A INPUT -j dropwall



Thanks,
Chris


 
Yeah...well.
I've seen this script before and while it uses
good ideas there are some pitfalls with it, mainly
that it doesn't understand the stupidity of potential
client software.

For FTP I use old style rules:

iptables -A INPUT -s 0/0 -d $FTP -p udp --dport 20:21 -j ACCEPT
iptables -A INPUT -s 0/0 -d $FTP -p tcp --dport 20:21 -j ACCEPT

This is a redundant set but I have never had any problems using it...Though I would agree with anyone who said that
it should not be necessary.
Give it a try.

I never have iptables log bad flags, there are just
so many stupid 'stealth' bots out there that it gets
annoying.
I use stateful rules extensively to limit this stuff,
and run a RAW listener like scanlogd or a smart IDS
like snort.

YMMV.
Good Luck
 
I tried adding the above rules, but I'm getting the same error. From a Windows FTP client (BulletProof)...

227 Entering Passive Mode (1,2,3,4,128,65).
Connecting to 1.2.3.4 port 32833
Connection timed out

This is the error from a Linux ftp client...

ftp> ls
500 EPSV not understood.
227 Entering Passive Mode (1,2,3,4,129,7).
200 PORT command successful

421 Service not available, remote server timed out. Connection closed


marsd, do you have a better script that I can use?


Thanks,
Chris
 
D'oh!
Try this to allow the high port negotiation to succeed.

iptables -A INPUT -s 0/0 -d $FTP -p udp --dport 30000:50000 -j ACCEPT
iptables -A INPUT -s 0/0 -d $FTP -p tcp --dport 30000:50000 -j ACCEPT

The pasv redirect is failing.
Let me know how this goes.

 
Thanks, it worked. Is it a bad idea to open up all of those high numbered ports? I'm not exactly sure how the pasv and active FTP connections work.
 
Well..I've had "discussions" with some people on this
forum before about this, and I have arrived at the
conclusion that they know how to admin a *nix box but
they still don't get it ;)

In essence:
If you run a secure shop (keep up with updates, stay in tune with security), and don't do obviously stupid things with
your servers (I'm downloading untrusted binaries and
executing them..whee!!), then allowing the operating system
to do its thing isn't all bad. Otherwise, you start worrying about not filtering ports that aren't bound by a service, etc...

An ftp pasv redirect may be configurable to a certain
range of ports, and you can tighten things up a little.
Not a big deal IMO.
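To see why marsd's 30000:50000 range fixes the timeout and what "opening high ports" actually admits, here is an added example (not code from the thread or from either poster) that decodes the two 227 replies Chris pasted into the host and port the client connects to, checks them against the allowed range, and emits the matching rule. PassivePorts (the ProFTPD directive that pins the server to a range) and the 30000/50000 bounds are assumptions taken from marsd's suggestion; the third reply is constructed to show a port the range would still block.

```shell
#!/bin/sh
# Added example: decode "227 Entering Passive Mode (h1,h2,h3,h4,p1,p2)" replies
# and test them against the firewall's passive range. With ProFTPD, the same
# range belongs in proftpd.conf as "PassivePorts 30000 50000" so the server
# never hands out a port the firewall blocks.
PASV_LOW=30000
PASV_HIGH=50000

# pasv_host "h1,h2,h3,h4,p1,p2" -> the server address as a dotted quad
pasv_host() {
    set -- $(printf '%s' "$1" | tr ',' ' ')
    echo "$1.$2.$3.$4"
}

# pasv_port "h1,h2,h3,h4,p1,p2" -> the data port, p1*256 + p2
pasv_port() {
    set -- $(printf '%s' "$1" | tr ',' ' ')
    echo $(( $5 * 256 + $6 ))
}

# pasv_allowed PORT -> exit status 0 if the firewall range covers PORT
pasv_allowed() {
    [ "$1" -ge "$PASV_LOW" ] && [ "$1" -le "$PASV_HIGH" ]
}

# check_reply REPLY -> "host port allowed" or "host port blocked"
check_reply() {
    host=$(pasv_host "$1")
    port=$(pasv_port "$1")
    if pasv_allowed "$port"; then
        echo "$host $port allowed"
    else
        echo "$host $port blocked"
    fi
}

# The INPUT rule for the range. Passive data connections are TCP only, so the
# udp line in the thread admits nothing FTP needs and can be dropped.
pasv_rule() {
    printf 'iptables -A INPUT -p tcp --dport %s:%s -m state --state NEW -j ACCEPT\n' \
        "$PASV_LOW" "$PASV_HIGH"
}

# The two replies from the thread, plus one constructed reply outside the range.
for reply in "1,2,3,4,128,65" "1,2,3,4,129,7" "1,2,3,4,4,1"; do
    check_reply "$reply"
done
pasv_rule
```

On a 2.4 kernel, loading the ip_conntrack_ftp module lets the script's existing RELATED,ESTABLISHED rule accept the data connection without opening any range at all, which is the tighter option when the FTP control channel is not encrypted.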
 