Re: iptables blocking ftp clients

From: ujay (ujay50-NOSPAM-@shaw.ca)
Date: 03/21/02


From: ujay <ujay50-NOSPAM-@shaw.ca>
Date: Thu, 21 Mar 2002 18:24:35 GMT

John Hunter wrote:

> I am running a zope FTP server on port 8021 on a host that is running
> an iptables firewall. Clients on the LAN behind the firewall can
> access the server fine, so there is no problem with the server.
> Clients on the internet cannot access the 8021 FTP server, because
> they are requesting high numbered ports > 1024 that are being dropped
> with packets like:
>
> Mar 20 21:13:53 localhost kernel: IPT DROP established_only: IN=eth0 OUT= MAC=00:a0:cc:e4:53:dc:00:90:b1:22:ec:00:08:00 SRC=128.135.97.130 DST=209.101.118.59 LEN=60 TOS=0x00 PREC=0x00 TTL=56 ID=50113 DF PROTO=TCP SPT=60584 DPT=59294 WINDOW=5840 RES=0x00 SYN URGP=0
> Mar 20 21:13:54 localhost kernel: IPT DROP established_only: IN=eth0 OUT= MAC=00:a0:cc:e4:53:dc:00:90:b1:22:ec:00:08:00 SRC=128.135.97.130 DST=209.101.118.59 LEN=60 TOS=0x00 PREC=0x00 TTL=56 ID=49392 DF PROTO=TCP SPT=60582 DPT=59293 WINDOW=5840 RES=0x00 SYN URGP=0
>
> I have tried ncftp and Internet Explorer as ftp clients.
>
> I have ftp connection tracking enabled on the netfilter server; should
> I expect this to handle ftp requests made externally from a client
> that then spawns new ports? I am under the impression that this
> applies only to requests that originate internally, but am not sure.
>
> My established_only chain looks like:
>
> echo "Building user defined chains"
> $IPTABLES -N established_only
> $IPTABLES -A established_only -m state --state ESTABLISHED,RELATED -j ACCEPT
> $IPTABLES -A established_only -j LOG --log-prefix "IPT DROP established_only: "
> $IPTABLES -A established_only -j DROP
>
> Any suggestions on how I can get the 8021 ftp server working?
>
> Thanks,
> John Hunter
>
> RHL 7.1 with kernel 2.4.9
> Zope 2.5.x
>
>
>

It would seem that your problem is with passive mode FTP. Information
transfer is handled by the remote client sending a PORT command, which
the server will use for sending data to. These port ranges will be
>1024 on both client and server. You will need to allow input on
established,related ports. The ip_conntrack_ftp module will recognize
the ports as related due to the PORT command sent by the client.
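
As an added example (not code from either poster), the established_only chain from the question combined with the piece the reply relies on: the FTP connection-tracking helper, loaded so that it watches the non-standard control port 8021 rather than only port 21, plus an explicit rule for the control connection itself. It assumes eth0 (the IN= interface in the logged drops) is the internet-facing interface and that the helper module is ip_conntrack_ftp (nf_conntrack_ftp on 2.6+ kernels); by default it only prints the commands so the ruleset can be reviewed.

```shell
#!/bin/sh
# Added example, not part of the original thread. Run as root with
# IPTABLES=iptables MODPROBE=modprobe to apply; otherwise the commands are
# only echoed for review.
FTP_PORT=${FTP_PORT:-8021}          # control port from the question
EXT_IF=${EXT_IF:-eth0}              # assumption: internet-facing interface
IPTABLES=${IPTABLES:-"echo iptables"}
MODPROBE=${MODPROBE:-"echo modprobe"}

# The helper only inspects port 21 unless told otherwise, so the PORT/PASV
# exchange on 8021 would never be seen and the data connections would never
# become RELATED. Module name is ip_conntrack_ftp on 2.4 (nf_conntrack_ftp
# on 2.6+ kernels); both take a ports= list of control ports.
load_ftp_helper() {
    $MODPROBE ip_conntrack_ftp ports=21,"$FTP_PORT"
}

build_ftp_rules() {
    $IPTABLES -N established_only
    # Data connections negotiated on the control channel match as RELATED.
    $IPTABLES -A established_only -m state --state ESTABLISHED,RELATED -j ACCEPT
    $IPTABLES -A established_only -j LOG --log-prefix "IPT DROP established_only: "
    $IPTABLES -A established_only -j DROP

    # The control connection is NEW and must be allowed explicitly; the
    # helper cannot mark it RELATED to anything.
    $IPTABLES -A INPUT -i "$EXT_IF" -p tcp --dport "$FTP_PORT" \
        -m state --state NEW -j ACCEPT
    # Everything else arriving on the external interface goes through the
    # user chain, where only ESTABLISHED/RELATED traffic survives.
    $IPTABLES -A INPUT -i "$EXT_IF" -j established_only
}

# Self-check on the generated ruleset: the control port is opened and
# RELATED traffic is accepted ahead of the final DROP.
check_ruleset() {
    rules=$(build_ftp_rules)
    printf '%s\n' "$rules" | grep -q -- "--dport $FTP_PORT -m state --state NEW -j ACCEPT" || return 1
    printf '%s\n' "$rules" | grep -q -- "--state ESTABLISHED,RELATED -j ACCEPT" || return 1
    return 0
}

load_ftp_helper
build_ftp_rules
```

With the helper loaded, a data connection that the client opens to a high port should show up in /proc/net/ip_conntrack with a RELATED expectation instead of in the "IPT DROP established_only" log lines.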
