Re: Iptables FTP question

From: Maxime Ducharme (maxime_at_pandore-designSPAMISBAD.com)
Date: 10/24/03


Date: Fri, 24 Oct 2003 09:42:40 -0400


"Peter Eberz" <peter.eberz@gmx.net> wrote in message
news:pan.2003.10.23.18.23.45.744726@gmx.net...
> Hello Maxime,

Hi again Peter

> beside others I do have the following modules loaded:
>
> $MODPROBE ip_conntrack
> $MODPROBE ip_conntrack_ftp
> $MODPROBE iptable_nat
> $MODPROBE ip_nat_ftp

That's ok.

>
> My version of IPTABLES is: iptables v1.2.7a
>

It is ok too.

> It is not that I do not get it working, I am looking for a way how to
> write a more strict rule.
> I read the documentation you mentioned and I think I understood it.
>
> I am looking for a rule somehow like this:
> $IPTABLES -A FORWARD -i $INTIF -o $EXTIF -p TCP --dport 21 \
> -m state --state NEW,RELATED,ESTABLISHED -j ACCEPT
> $IPTABLES -A FORWARD -i $EXTIF -o $INTIF -p TCP --sport 21 \
> -m state --state RELATED,ESTABLISHED -j ACCEPT
>

This rule is not OK for the data connection.

An active connection will have a high-numbered port on the client, from source
port 20 of the server. A passive connection doesn't include either port 20
or 21; they are dynamically assigned ports passed in the control
connection of the FTP protocol.

The iptables FTP tracking module reads these ports in order to temporarily
open the right port and validate source port & host.

> Since the RELATED does not match the data connection I removed it from the
> rule and handle the related traffic, which is ICMP via a separate rule.
> Somehow the FTP data connection (to or from port 20 depending on active or
> passive FTP) is not marked as a related packet to the connection
> established from port 21.

As I said, there will be no port 20 in passive connections, only on active
connections.

That's why --sport 21 isn't good; it must be ESTABLISHED only.

> For me it seems that the iptables first checks for the specified protocol
> and source or destination port specified before it continues further
> checking in the state module. Am I right with this assumption?

Hmm, I'm not sure I understand this...

iptables would check the ports involved in the control connection of
FTP, and open the right port for a specific period of time.

Ex: 10.1.1.2 connects to 10.1.1.3 in passive mode

10.1.1.2:5649 -> 10.1.1.3:21
<Control conn. : user auth>
<Control conn. : PASV requested>
<Control conn. : port exchange here, the server tells the client which
  passive port to use, let's say 43563>
10.1.1.2:5650 -> 10.1.1.3:43563
<Control conn. : dir listing asked>
<Data conn. : dir listing itself>
<close data conn.>
...

When a file or another dir listing is asked for by the client,
the same process goes on and both source & dest ports
will change in PASV mode. You really need the FTP module
in iptables, or you need to manually configure port ranges
for both active & passive mode, which leads to possible
security holes since ports are opened even if not needed.

> When I create the following additional rules.
> $IPTABLES -A FORWARD -i $INTIF -o $EXTIF -p TCP -m state \
> --state RELATED,ESTABLISHED -j ACCEPT
> $IPTABLES -A FORWARD -i $EXTIF -o $INTIF -p TCP -m state \
> --state RELATED,ESTABLISHED -j ACCEPT
> Here I only check for the TCP protocol and not for any ports which is
> matched in this case and RELATED or ESTABLISHED packets will be passed.
> Here the FTP data connection is recognized as related.
>

Yes, something you can try is Ethereal from www.ethereal.com
and sniff connections going on when you use FTP on a host.

Try both active & passive modes.

> I would like to define a more strict rule since the last ones allow any
> TCP traffic and not only FTP traffic which is related or established to
> pass.

I suggest creating rules for the FORWARD chain that filter
when going out (allow web, FTP, and drop the rest),

and allow established connections for INTIF.

> Am I too paranoid to define the rules always with source and destination
> port?

I think this setup is more difficult to configure, but it is safer
than allowing anything to go out. It prevents a lot of malware /
trojans / viruses from working, which is good.

> Do I have to give it up when I want to use FTP?
>

I'd say no :) don't give up

> Bye,
> Peter
>

Ciao

Hope it helps

---------------------------------------------------------------
  Maxime Ducharme
  Administrateur reseau, Programmeur
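An added example, not from the post or from the iptables project: a small Python model of what the FTP conntrack helper has to do with the exchange described above. It parses the 227 reply (passive) or the PORT command (active) seen on the control connection, derives the data-connection expectation (h1,h2,h3,h4,p1,p2 means host h1.h2.h3.h4, port p1*256+p2) that would be marked RELATED, and checks a candidate data connection against it. The function names, the sample log lines and every value except the post's 10.1.1.2 / 10.1.1.3 / 43563 are constructed for this example.

```python
import re
from dataclasses import dataclass
from typing import List, Optional

# Server reply to PASV: "227 Entering Passive Mode (h1,h2,h3,h4,p1,p2)"
PASV_RE = re.compile(r"227 .*?\((\d+),(\d+),(\d+),(\d+),(\d+),(\d+)\)")
# Client command in active mode: "PORT h1,h2,h3,h4,p1,p2"
PORT_RE = re.compile(r"^PORT (\d+),(\d+),(\d+),(\d+),(\d+),(\d+)\s*$")


@dataclass(frozen=True)
class Expectation:
    src: str              # host that will open the data connection
    dst: str              # host that will accept it
    dport: int            # port announced on the control connection
    sport: Optional[int]  # only known for active mode (server uses 20)
    mode: str             # "passive" or "active"


def _host_port(m: "re.Match") -> tuple:
    a, b, c, d, p1, p2 = (int(x) for x in m.groups())
    return f"{a}.{b}.{c}.{d}", p1 * 256 + p2


def expectation_from_control(line: str, client: str, server: str) -> Optional[Expectation]:
    """Return the RELATED data connection implied by one control-connection line, if any."""
    m = PASV_RE.search(line)
    if m:  # passive: client connects to the server port announced in the 227 reply
        host, port = _host_port(m)
        return Expectation(client, host, port, None, "passive")
    m = PORT_RE.match(line)
    if m:  # active: server connects from port 20 to the client port announced in PORT
        host, port = _host_port(m)
        return Expectation(server, host, port, 20, "active")
    return None  # USER/PASS/LIST etc. create no expectation


def expectations_from_log(lines: List[str], client: str, server: str) -> List[Expectation]:
    found = (expectation_from_control(ln, client, server) for ln in lines)
    return [e for e in found if e is not None]


def data_connection_matches(exp: Expectation, src: str, sport: int, dst: str, dport: int) -> bool:
    """Would this SYN be classified RELATED to the tracked control connection?"""
    return (src == exp.src and dst == exp.dst and dport == exp.dport
            and (exp.sport is None or sport == exp.sport))


# Constructed control-connection log for the passive-mode session in the post
CLIENT, SERVER = "10.1.1.2", "10.1.1.3"
CONTROL_LOG = ["USER peter", "331 Password required", "PASS ****", "230 Logged in",
               "PASV", "227 Entering Passive Mode (10,1,1,3,170,43)", "LIST"]
```

Note that the passive expectation carries no fixed source port at all, which is why a FORWARD rule keyed on --sport 21 or port 20 never sees the data connection; only the RELATED state can.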


