- 11-03-2009 #1 (Just Joined!, Join Date Oct 2007, Posts 19)
IPtables
I am using the following iptables config on a Fedora 11 server that is behind a Cisco firewall. I am having issues getting both an FTP client as well as the command line to list the directory contents.
As soon as I take off iptables, I can connect and list using a passive FTP client, but still not with a command line active ftp list.
If I take out the Cisco firewall (connect from the LAN) I can get both to work with the iptables settings I have.
Can someone please help me to figure this out?
iptables config:
Code:
*filter
:INPUT ACCEPT [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
-A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
-A INPUT -p icmp -j ACCEPT
-A INPUT -i lo -j ACCEPT
-A INPUT -m state --state NEW -m tcp -p tcp --dport 22 -j ACCEPT
-A INPUT -m state --state NEW -m tcp -p tcp --dport 80 -j ACCEPT
-A INPUT -p tcp -s 0/0 --sport 1024:65535 --dport 21 -m state --state NEW,ESTABLISHED -j ACCEPT
-A INPUT -p tcp -s 0/0 --sport 1024:65535 --dport 20 -m state --state ESTABLISHED -j ACCEPT
-A OUTPUT -p tcp --sport 21 -d 0/0 --dport 1024:65535 -m state --state ESTABLISHED -j ACCEPT
-A INPUT -p tcp -s 0/0 --sport 1024:65535 --dport 1024:65535 -m state --state ESTABLISHED,RELATED -j ACCEPT
-A OUTPUT -p tcp --sport 1024:65535 -d 0/0 --dport 1024:65535 -m state --state ESTABLISHED -j ACCEPT
-A OUTPUT -p tcp --sport 20 -d 0/0 --dport 1024:65535 -m state --state ESTABLISHED,RELATED -j ACCEPT
-A INPUT -j REJECT --reject-with icmp-host-prohibited
-A FORWARD -j REJECT --reject-with icmp-host-prohibited
COMMIT

Cisco:
Code:
access-list all_in extended permit tcp any host 98.76.54.32 eq 4422
access-list all_in extended permit tcp any host 98.76.54.32 eq 2121
static (inside,outside) tcp 98.76.54.32 citrix-ica 192.168.5.103 citrix-ica netmask 255.255.255.255
static (inside,outside) tcp 98.76.54.32 3389 192.168.5.103 3389 netmask 255.255.255.255
static (inside,outside) tcp 98.76.54.32 smtp 192.168.5.83 smtp netmask 255.255.255.255
static (inside,outside) tcp 98.76.54.32 www 123.45.67.89 www netmask 255.255.255.255
static (inside,outside) tcp 98.76.54.32 4422 123.45.67.89 ssh netmask 255.255.255.255
static (inside,outside) tcp 98.76.54.32 2121 123.45.67.89 ftp netmask 255.255.255.255

One other note. If I add the NEW state to the input as shown below, it will also work for the FTP client passive connection from the WAN. Still no luck on the active though.
Code:
-A INPUT -p tcp -s 0/0 --sport 1024:65535 --dport 1024:65535 -m state --state NEW,ESTABLISHED,RELATED -j ACCEPT
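As an added example (editor's code, not from the thread), a small linter for an iptables-save ruleset that points at what is worth noticing in the config above. iptables takes the first matching rule, so the opening `-A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT` already accepts every established or related packet; the later `--dport 1024:65535 ... ESTABLISHED,RELATED` rule can therefore only ever match the NEW state, and once NEW is added it accepts new connections to every port from 1024 upward from any source, far more than an FTP data channel needs. The RULESET text is a constructed excerpt modelled on the posted one; the `--dport 80` line after the REJECT is constructed as well, to give the unreachable-rule check something to report.

```python
"""Lint an iptables-save ruleset for three things: rules whose state match
an earlier catch-all ACCEPT in the same chain already covers (redundant),
rules that accept NEW connections to a wide destination port range
(wide_open), and rules sitting after a catch-all terminating rule
(unreachable).  Added example, not code from the thread."""
import shlex

# Constructed excerpt modelled on the first config in the thread, with the
# NEW-state line the poster added.  The "--dport 80" line after the REJECT
# is constructed too, so the unreachable check has something to report.
RULESET = """\
*filter
:INPUT ACCEPT [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
-A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
-A INPUT -p icmp -j ACCEPT
-A INPUT -i lo -j ACCEPT
-A INPUT -m state --state NEW -m tcp -p tcp --dport 22 -j ACCEPT
-A INPUT -p tcp -s 0/0 --sport 1024:65535 --dport 21 -m state --state NEW,ESTABLISHED -j ACCEPT
-A INPUT -p tcp -s 0/0 --sport 1024:65535 --dport 1024:65535 -m state --state NEW,ESTABLISHED,RELATED -j ACCEPT
-A INPUT -j REJECT --reject-with icmp-host-prohibited
-A INPUT -p tcp --dport 80 -m state --state NEW -j ACCEPT
-A FORWARD -j REJECT --reject-with icmp-host-prohibited
COMMIT
"""

ANY_ADDR = {"0/0", "0.0.0.0/0", "0.0.0.0/0.0.0.0"}
TERMINATING = {"ACCEPT", "DROP", "REJECT"}
NO_ARG = {"--syn", "!"}        # options that take no argument


def parse_rule(line):
    """Reduce one '-A CHAIN ...' line to the fields the lint needs."""
    toks = shlex.split(line)
    rule = {"chain": toks[1], "states": set(), "dport": None,
            "target": None, "catch_all": True}
    i = 2
    while i < len(toks):
        tok = toks[i]
        if tok in NO_ARG:               # a negation or flag narrows the match
            rule["catch_all"] = False
            i += 1
            continue
        arg = toks[i + 1]
        if tok in ("--state", "--ctstate"):
            rule["states"] = set(arg.split(","))
        elif tok == "--dport":
            lo, _, hi = arg.partition(":")
            rule["dport"] = (int(lo), int(hi or lo))
            rule["catch_all"] = False
        elif tok == "-j":
            rule["target"] = arg
        elif tok in ("-s", "-d"):
            if arg not in ANY_ADDR:     # -s 0/0 narrows nothing
                rule["catch_all"] = False
        elif tok in ("-p", "-i", "-o", "--sport"):
            rule["catch_all"] = False
        # "-m <ext>" and "--reject-with <x>" carry an argument but do not
        # narrow the match; they fall through and are skipped here.
        i += 2
    return rule


def lint(ruleset_text, wide_range=1000):
    """Return (kind, rule_line, detail) findings in rule order."""
    findings = []
    chains = {}                         # chain name -> rules parsed so far
    for line in ruleset_text.splitlines():
        if not line.startswith("-A "):
            continue
        rule = parse_rule(line)
        earlier = chains.setdefault(rule["chain"], [])
        if any(e["catch_all"] and not e["states"] and e["target"] in TERMINATING
               for e in earlier):
            findings.append(("unreachable", line, None))
        elif rule["target"] == "ACCEPT" and rule["states"]:
            # States an earlier catch-all ACCEPT already took: first match
            # wins, so this rule never sees packets in those states.
            covered = set()
            for e in earlier:
                if e["catch_all"] and e["target"] == "ACCEPT":
                    covered |= rule["states"] & e["states"]
            if covered:
                findings.append(("redundant", line, sorted(covered)))
            lo, hi = rule["dport"] or (0, 0)
            if "NEW" in rule["states"] - covered and hi - lo >= wide_range:
                findings.append(("wide_open", line, (lo, hi)))
        earlier.append(rule)
    return findings


if __name__ == "__main__":
    for kind, line, detail in lint(RULESET):
        print(f"{kind:11} {detail!s:26} {line}")
```

Run it against the output of `iptables-save` on the box itself to check the rules that are actually loaded rather than the file you think is loaded; the wide_open threshold is a parameter because a deliberate passive-FTP port range of a few hundred ports is a different decision from opening 1024 to 65535.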
- 11-04-2009 #2
I'll try.

Quote (from #1): iptables config
Try this firewall, it is a lot cleaner. You don't need all the rubbish you have in your rules as it really doesn't help anything and is more confusing than anything.
Code:
*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT DROP [0:0]
-A INPUT -i lo -j ACCEPT
-A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
-A INPUT -p icmp -j ACCEPT
-A INPUT -p tcp --dport 21 -m state --state NEW -j ACCEPT
-A INPUT -p tcp --dport 22 -m state --state NEW -j ACCEPT
-A INPUT -p tcp --dport 80 -m state --state NEW -j ACCEPT
-A INPUT -j REJECT --reject-with icmp-host-prohibited
-A OUTPUT -m state --state NEW,ESTABLISHED,RELATED -j ACCEPT
-A FORWARD -j REJECT --reject-with icmp-host-prohibited
COMMIT

Quote (from #1): Cisco config
OK, what are 4422 and 2121 used for? Are these the ports that you want to connect SSH and FTP through? If so then you need to change your rules in iptables to use the same ports or you are going to have to REDIRECT them on the system to the correct ports.

One more thing you should do is activate FTP tracking to track active and passive connections. This can be done by editing iptables-config and changing
Code:
IPTABLES_MODULES=""
to include
Code:
IPTABLES_MODULES="ip_conntrack_ftp"
or placing the following in a script that you run:
Code:
/sbin/modprobe ip_conntrack_ftp
Here is a TUTORIAL for IPTABLES you can read
- 11-04-2009 #3
Thanks for the reply!
Tried the new iptables. Much cleaner for sure. Still, though, it does not connect externally without this one line:
Code:
-A INPUT -p tcp -s 0/0 --sport 1024:65535 --dport 1024:65535 -m state --state ESTABLISHED,RELATED -j ACCEPT
It is working now without the NEW state though, which is one thing I was looking for. I'm sure that it might be able to be cleaner.

Yes, we are using 4422 that has a PAT to port 22 on the inside of the Cisco. Same with 2121 PAT to port 21 on the inside.
Do I need to change the iptables entry if the Cisco router does the port address translation?

I also added the iptables-config entry
Code:
IPTABLES_MODULES="ip_conntrack_ftp"
- 11-04-2009 #4
Well, as stated above this is now working without the NEW state for the 1024 and up ports.
Active apparently is not going to function properly unless we have a 1-1 NAT, so I am really not too concerned about it.
If anyone else has any other suggestions they are welcome.
- 11-04-2009 #5
What is not working and what port are you connecting to on the server?

Quote (from #3): Yes, we are using 4422 that has a PAT to port 22 on the inside of the Cisco. Same with 2121 PAT to port 21 on the inside. Do I need to change the iptables entry if the Cisco router does the port address translation?
No, you should not have to.

Quote (from #3): I also added the iptables-config entry IPTABLES_MODULES="ip_conntrack_ftp"
OK, don't forget to modprobe it as it needs to get loaded. The above will only load it when iptables is restarted.
- 11-04-2009 #6
It works to connect to port 2121 for ftp, and it logs in fine. When I try to do a list in passive mode, it hangs and then fails. With the line below in, it works.
Code:
-A INPUT -p tcp -s 0/0 --sport 1024:65535 --dport 1024:65535 -m state --state ESTABLISHED,RELATED -j ACCEPT

Indeed. I have restarted it a lot trying to get this to work properly.
- 11-06-2009 #7
Not understanding why you need this one. This line applies to already built connections, and this line should work:
Code:
-A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
Your line looks at protocol and ports where mine doesn't care. If yours is working then my line should be working also.
There is something else here from your end that is not being told.
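Added example (editor's code, not from the thread) showing what the ip_conntrack_ftp helper recommended in #2 has to read from the control channel: the address and port carried in a `227` PASV reply or a `PORT` command, encoded as six decimal fields with port = p1*256 + p2. A generic ESTABLISHED,RELATED rule only accepts the data connection if the helper saw that line on the control connection and the data SYN then arrives at exactly the advertised endpoints; otherwise the SYN is just another NEW connection and falls through to the REJECT. When a NAT sits between client and server and does not rewrite the FTP payload, the advertised address is the server's inside address (passive) or the client's private address (active), which is the textbook reason a passive LIST hangs or an active transfer fails without a one-to-one NAT; whether that is what happens on the Cisco in this thread is not shown in the posts. The addresses are the thread's own placeholders and the messages are constructed.

```python
"""Decode the FTP control-channel lines that decide where the data
connection goes, the same information the ip_conntrack_ftp helper
extracts before it can mark that connection RELATED.  Added example,
not code from the thread; addresses are the thread's placeholders and
the messages are constructed."""
import re

# RFC 959 host-port format: h1,h2,h3,h4,p1,p2 with port = p1*256 + p2
HOSTPORT = r"(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3})"
PASV_RE = re.compile(r"^227 [^(]*\(" + HOSTPORT + r"\)")
PORT_RE = re.compile(r"^PORT " + HOSTPORT + r"\s*$")


def decode_hostport(groups):
    """Turn the six decimal fields into ('a.b.c.d', port), rejecting junk."""
    octets = [int(g) for g in groups[:4]]
    p1, p2 = int(groups[4]), int(groups[5])
    if any(o > 255 for o in octets) or p1 > 255 or p2 > 255:
        raise ValueError("field out of range: %r" % (groups,))
    port = p1 * 256 + p2
    if port == 0:
        raise ValueError("port 0 is not usable")
    return ".".join(map(str, octets)), port


def expected_data_flow(client, server, line):
    """client/server: (ip, port) of the control connection as seen from
    where this code runs.  line: one control-channel line.  Returns the
    data-connection endpoints the conntrack helper will expect, or None
    if the line is neither a PASV reply nor a PORT command."""
    m = PASV_RE.match(line)
    if m:
        ip, port = decode_hostport(m.groups())
        return {"mode": "passive",
                "src": client[0],              # client opens the data conn
                "dst": (ip, port),
                "advertised_is_peer": ip == server[0]}
    m = PORT_RE.match(line)
    if m:
        ip, port = decode_hostport(m.groups())
        return {"mode": "active",
                "src": (server[0], 20),        # server connects from port 20
                "dst": (ip, port),
                "advertised_is_peer": ip == client[0]}
    return None


def classify_syn(expected, syn_src_ip, syn_dst):
    """Would a stateful firewall see this data-connection SYN as RELATED
    (accepted by a generic ESTABLISHED,RELATED rule) or as NEW?  expected
    is the dict from expected_data_flow; syn_dst is (ip, port)."""
    if expected is None:
        return "NEW"
    if expected["mode"] == "passive":
        ok = syn_src_ip == expected["src"] and syn_dst == expected["dst"]
    else:
        ok = syn_src_ip == expected["src"][0] and syn_dst == expected["dst"]
    return "RELATED" if ok else "NEW"


# Constructed scenario with the thread's placeholder addresses: the client
# reaches the server through the Cisco's PAT on port 2121, so from the
# client's side the control peer is 98.76.54.32:2121, not the inside host.
CLIENT = ("203.0.113.7", 51234)
OUTSIDE = ("98.76.54.32", 2121)
INSIDE = ("123.45.67.89", 21)

# Server answers PASV with its inside address, untouched by any NAT.
PASV_REPLY = "227 Entering Passive Mode (123,45,67,89,195,80)."
# A client behind its own NAT sends PORT with a private address.
PORT_CMD = "PORT 192,168,1,50,200,10"

if __name__ == "__main__":
    by_client = expected_data_flow(CLIENT, OUTSIDE, PASV_REPLY)
    print("passive: client will connect to", by_client["dst"],
          "- advertised address is the control peer:",
          by_client["advertised_is_peer"])
    by_server = expected_data_flow(CLIENT, INSIDE, PORT_CMD)
    print("active: server will connect to", by_server["dst"],
          "- advertised address is the control peer:",
          by_server["advertised_is_peer"])
```

`advertised_is_peer` is the check worth running from the client side with a packet capture of the control channel: if the 227 reply names an address other than the one you connected to, the data connection is going somewhere the firewall on the server never saw announced, and no INPUT rule on the server can fix that.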