Re: iptables blocking ftp clients

From: Adaptrx (adaptr@adaptr.xs4all.nl)
Date: 03/21/02


From: "Adaptrx" <adaptr@adaptr.xs4all.nl>
Date: Thu, 21 Mar 2002 16:19:02 +0100


"John Hunter" <jdhunter@nitace.bsd.uchicago.edu> wrote in message
news:m2k7s6eh5a.fsf@mother.paradise.lost...
>
> I am running a zope FTP server on port 8021 on a host that is running
> an iptables firewall. Clients on the LAN behind the firewall can
> access the server fine, so there is no problem with the server.
> Clients on the internet cannot access the 8021 FTP server, because
> they are requesting high numbered ports > 1024 that are being dropped
> with packets like:

<snip garble>

No, they are not "requesting higher numbered ports", they are requesting ONE
specific high port, namely 8021 - how else could they use your FTP service?

Also, usually FTP works with TWO ports, not one:
21 for command communications, 20 for data transfers.
So maybe you need more than just the one port? (I dunno, never used Zope.)

You could try opening up that port to the outside world, otherwise nobody
would indeed be able to FTP.

On the other hand, WHY use such a high port? What's wrong with the original
FTP ports?

It might help if you explained why you want to use a non-standard port.

>
> I have tried ncftp and Internet Explorer as ftp clients.
>
> I have ftp connection tracking enabled on the netfilter server; should
> I expect this to handle ftp requests made externally from a client
> that then spawns new ports?

No, this takes care of tracking FTP transfer over the aforementioned two
ports for a _client_, not a server.

Let me elucidate (if that's a word..):
1. client requests an FTP session from server on port 21 (FTP cmd)
2. server sends the usual SYN & ACK to the client on the port the client
used (could be anything)
3. client gives a GET or PUT command to the server on port 21
4. SERVER starts a new connection to the client on port 20 (FTP data)

Now how could the client firewall know that it has to let that connection
through?
It can't.
Instead, the conntrack mechanism keeps track of the fact that an FTP session
is running with that server, and accepts the data connection from that same
server by checking its source address.

> I am under the impression that this
> applies only to requests that originate internally, but am not sure.

Yes, that's what I mean. A request originating internally means you are a
client.

------

My words are worth no more than you paid for them.
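The step the reply describes (the firewall learning, from the control channel, which data connection to let through) is what an FTP connection-tracking helper does. The model below is an added example written for this page, not code from the original post and not the netfilter helper itself; it goes a little beyond the active-mode case in the reply by also handling the passive (227), EPRT and EPSV forms, and it includes the check mentioned at the end of the reply: the advertised address must be the peer that sent it, otherwise a client could say "PORT <third-party>,..." and open a hole in the firewall to someone else. All addresses, ports and control-channel lines in it are constructed for the demonstration.

```python
"""Model of what an FTP connection-tracking helper does.

Added example (not from the original post). The addresses, ports and
control-channel lines below are constructed for the demonstration.
"""
import re
from dataclasses import dataclass


@dataclass(frozen=True)
class Expectation:
    """A data connection the firewall should accept as RELATED."""
    src_ip: str    # side that will open the data connection
    dst_ip: str    # side that is listening for it
    dst_port: int
    mode: str      # "active": server connects out; "passive": client connects in


# RFC 959 form: h1,h2,h3,h4,p1,p2 with port = p1*256 + p2. Anchored at the
# start of the line so a smuggled "CWD PORT 1,2,3,4,5,6" does not match.
_PORT_CMD = re.compile(r"^PORT (\d+),(\d+),(\d+),(\d+),(\d+),(\d+)\s*$")
_PASV_RESP = re.compile(r"^227 .*?\((\d+),(\d+),(\d+),(\d+),(\d+),(\d+)\)")
# RFC 2428 extended forms (IPv4 only here)
_EPRT_CMD = re.compile(r"^EPRT \|1\|(\d+\.\d+\.\d+\.\d+)\|(\d+)\|\s*$")
_EPSV_RESP = re.compile(r"^229 .*?\(\|\|\|(\d+)\|\)")


def _host_port(groups):
    """Decode the six comma-separated numbers of PORT / 227 into (host, port)."""
    nums = [int(g) for g in groups]
    if any(n > 255 for n in nums):
        raise ValueError("malformed host/port: %r" % (groups,))
    port = nums[4] * 256 + nums[5]
    if not 1 <= port <= 65535:
        raise ValueError("port out of range: %d" % port)
    return ".".join(str(n) for n in nums[:4]), port


def _active(host, port, client_ip, server_ip, strict):
    # Client announced where it listens; the SERVER will connect out to it.
    if strict and host != client_ip:
        raise ValueError("client %s advertised foreign address %s" % (client_ip, host))
    return Expectation(src_ip=server_ip, dst_ip=host, dst_port=port, mode="active")


def _passive(host, port, client_ip, server_ip, strict):
    # Server announced where it listens; the CLIENT will connect to it.
    if strict and host != server_ip:
        raise ValueError("server %s advertised foreign address %s" % (server_ip, host))
    return Expectation(src_ip=client_ip, dst_ip=host, dst_port=port, mode="passive")


def expectation_for(line, client_ip, server_ip, strict=True):
    """Parse one control-channel line; return the Expectation it creates, or None.

    client_ip / server_ip are the two ends of the control connection.
    strict=True refuses an advertised address that is not the peer that sent
    the message; strict=False trusts the address (a "loose" mode).
    """
    m = _PORT_CMD.match(line)
    if m:
        host, port = _host_port(m.groups())
        return _active(host, port, client_ip, server_ip, strict)
    m = _EPRT_CMD.match(line)
    if m:
        return _active(m.group(1), int(m.group(2)), client_ip, server_ip, strict)
    m = _PASV_RESP.match(line)
    if m:
        host, port = _host_port(m.groups())
        return _passive(host, port, client_ip, server_ip, strict)
    m = _EPSV_RESP.match(line)
    if m:
        # EPSV carries no address: the data endpoint is the server itself
        return _passive(server_ip, int(m.group(1)), client_ip, server_ip, strict)
    return None  # not a message that sets up a data connection


def data_syn_allowed(expectations, src_ip, dst_ip, dst_port):
    """Firewall decision for a SYN that belongs to no known connection:
    accept it as RELATED only if it matches a pending expectation."""
    for e in expectations:
        if (e.src_ip, e.dst_ip, e.dst_port) == (src_ip, dst_ip, dst_port):
            return e
    return None


if __name__ == "__main__":
    client, server = "10.0.0.5", "203.0.113.10"           # constructed addresses
    session = [                                             # constructed control traffic
        "USER anonymous",
        "PORT 10,0,0,5,4,1",                                # active: client listens on 1025
        "227 Entering Passive Mode (203,0,113,10,39,16)",   # passive: server listens on 10000
        "CWD PORT 1,2,3,4,5,6",                             # smuggled, must be ignored
    ]
    pending = [e for e in (expectation_for(l, client, server) for l in session) if e]
    for e in pending:
        print(e)
    print(data_syn_allowed(pending, server, client, 1025))          # active data SYN: accepted
    print(data_syn_allowed(pending, client, server, 10000))         # passive data SYN: accepted
    print(data_syn_allowed(pending, "198.51.100.7", client, 1025))  # stranger: None
```

In the active case the expectation's source is the server and its destination is the port the client announced, which is exactly the connection described in step 4 of the reply; in the passive case the roles reverse. The address check in `_active`/`_passive` is the part a firewall operator should care about: without it, any client that can send a PORT or 227 line can make the firewall expect a connection to an arbitrary host and port.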


