I am using the following iptables config on a Fedora 11 server that is behind a Cisco firewall. I am having issues getting both an FTP client as well as the command line to list the directory contents.
As soon as I take off iptables, I can connect and list using a passive FTP client, but still not with a command line active ftp list.
If I take out the Cisco firewall (connect from the LAN) I can get both to work with the iptables settings I have.
Can someone please help me to figure this out?
iptables config:
Code:
*filter
:INPUT ACCEPT [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
-A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
-A INPUT -p icmp -j ACCEPT
-A INPUT -i lo -j ACCEPT
-A INPUT -m state --state NEW -m tcp -p tcp --dport 22 -j ACCEPT
-A INPUT -m state --state NEW -m tcp -p tcp --dport 80 -j ACCEPT
-A INPUT -p tcp -s 0/0 --sport 1024:65535 --dport 21 -m state --state NEW,ESTABLISHED -j ACCEPT
-A INPUT -p tcp -s 0/0 --sport 1024:65535 --dport 20 -m state --state ESTABLISHED -j ACCEPT
-A OUTPUT -p tcp --sport 21 -d 0/0 --dport 1024:65535 -m state --state ESTABLISHED -j ACCEPT
-A INPUT -p tcp -s 0/0 --sport 1024:65535 --dport 1024:65535 -m state --state ESTABLISHED,RELATED -j ACCEPT
-A OUTPUT -p tcp --sport 1024:65535 -d 0/0 --dport 1024:65535 -m state --state ESTABLISHED -j ACCEPT
-A OUTPUT -p tcp --sport 20 -d 0/0 --dport 1024:65535 -m state --state ESTABLISHED,RELATED -j ACCEPT
-A INPUT -j REJECT --reject-with icmp-host-prohibited
-A FORWARD -j REJECT --reject-with icmp-host-prohibited
COMMIT
One other note. If I add the NEW state to the input as shown below, it will also work for the FTP client passive connection from the WAN. Still no luck on the active though.
Code:
-A INPUT -p tcp -s 0/0 --sport 1024:65535 --dport 1024:65535 -m state --state NEW,ESTABLISHED,RELATED -j ACCEPT
I'll try.
Try this firewall; it is a lot cleaner.
Code:
*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT DROP [0:0]
-A INPUT -i lo -j ACCEPT
-A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
-A INPUT -p icmp -j ACCEPT
-A INPUT -p tcp --dport 21 -m state --state NEW -j ACCEPT
-A INPUT -p tcp --dport 22 -m state --state NEW -j ACCEPT
-A INPUT -p tcp --dport 80 -m state --state NEW -j ACCEPT
-A INPUT -j REJECT --reject-with icmp-host-prohibited
-A OUTPUT -m state --state NEW,ESTABLISHED,RELATED -j ACCEPT
-A FORWARD -j REJECT --reject-with icmp-host-prohibited
COMMIT
You don't need all the rubbish you have in your rules, as it really doesn't help anything and is more confusing than anything.
OK, what are 4422 and 2121 used for? Are these the ports that you want to connect SSH and FTP through? If so, then you need to change your rules in iptables to use the same ports, or you are going to have to REDIRECT them on the system to the correct ports.
One more thing you should do is activate ftp tracking to track Active and Passive connections. This can be done by editing iptables-config and change
Tried the new iptables. Much cleaner for sure. Still though it does not connect externally without this one line. It is working now without the NEW state though, which is one thing I was looking for. I'm sure that it might be able to be cleaner
Code:
-A INPUT -p tcp -s 0/0 --sport 1024:65535 --dport 1024:65535 -m state --state ESTABLISHED,RELATED -j ACCEPT
Yes, we are using 4422 that has a PAT to port 22 on the inside of the Cisco. Same with 2121 PAT to port 21 on the inside.
Do I need to change the iptables entry if the Cisco router does the port address translation?
What is not working and what port are you connecting to on the server?
Quote:
Yes, we are using 4422 that has a PAT to port 22 on the inside of the Cisco. Same with 2121 PAT to port 21 on the inside.
Do I need to change the iptables entry if the Cisco router does the port address trans?
No, you should not have to.
Quote:
I also added the iptables-config entry
Code:
IPTABLES_MODULES="ip_conntrack_ftp"
OK, don't forget to modprobe it, as it needs to get loaded. The above will only load it when iptables is restarted.
It works to connect to port 2121 for ftp, and it logs in fine. When I try to do a list in passive mode, it hangs and then fails. With the line below in, it works.
Code:
-A INPUT -p tcp -s 0/0 --sport 1024:65535 --dport 1024:65535 -m state --state ESTABLISHED,RELATED -j ACCEPT
Quote:
Originally Posted by Lazydog
No, you should not have to.
Indeed.
Quote:
Originally Posted by Lazydog
OK, don't forget to modprobe it as it needs to get loaded. The above will only load ity when iptables is restarted.
I have restarted it a lot trying to get this to work properly.
Quote:
It works to connect to port 2121 for ftp, and it logs in fine. When I try to do a list in passive mode, it hangs and then fails. With the line below in, it works.
Code:
-A INPUT -p tcp -s 0/0 --sport 1024:65535 --dport 1024:65535 -m state --state ESTABLISHED,RELATED -j ACCEPT
Not understanding why you need this one. This line applies to already built connections, and this line should work:
Code:
-A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
Your line looks at protocol and ports where mine doesn't care. If yours is working then my line should be working also.
There is something else here from your end that is not being told.
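Added example, not code from the thread or from any of the posters: a small Python model of the FTP connection-tracking helper that Lazydog's earlier post says to enable (ip_conntrack_ftp), and of why the plain ESTABLISHED,RELATED rule in the last post is all the data channel should need. It parses the PORT/PASV/EPRT/EPSV lines of a control session, records the data connection the helper would expect, and runs the first SYN of a passive LIST through the clean INPUT chain from the thread. The addresses, ports and control-channel lines are constructed for the illustration. Without the helper watching the control channel the data SYN is NEW and is rejected; the NEW 1024:65535 rule the original poster tried makes it work only by accepting unsolicited connections to every unprivileged port, which is the trade-off to avoid.

```python
import re

# Added example (not from the thread): a model of what the kernel FTP
# conntrack helper (ip_conntrack_ftp / nf_conntrack_ftp) does, so the rules in
# the thread can be reasoned about offline. All addresses, ports and control
# lines below are constructed for illustration.

# Control-channel lines that announce a data connection.
PORT_RE = re.compile(r"^PORT (\d+),(\d+),(\d+),(\d+),(\d+),(\d+)\s*$")
PASV_RE = re.compile(r"^227 .*?\((\d+),(\d+),(\d+),(\d+),(\d+),(\d+)\)")
EPRT_RE = re.compile(r"^EPRT \|[12]\|([^|]+)\|(\d+)\|\s*$")
EPSV_RE = re.compile(r"^229 .*?\(\|\|\|(\d+)\|\)")


def parse_data_endpoint(line, server_ip):
    """Return ("active"|"passive", ip, port) for a control line that announces
    a data connection, or None. Active: the server connects out to ip:port.
    Passive: the client connects in to ip:port. Port is p1*256 + p2."""
    m = PORT_RE.match(line) or PASV_RE.match(line)
    if m:
        a, b, c, d, p1, p2 = map(int, m.groups())
        mode = "active" if line.startswith("PORT") else "passive"
        return mode, f"{a}.{b}.{c}.{d}", p1 * 256 + p2
    m = EPRT_RE.match(line)
    if m:
        return "active", m.group(1), int(m.group(2))
    m = EPSV_RE.match(line)
    if m:
        # EPSV carries only a port; the address is the control channel's server side.
        return "passive", server_ip, int(m.group(1))
    return None


def helper_expectations(control_lines, client_ip, server_ip):
    """Model of the helper: watch the control channel and record the data
    connection it expects next as (src_ip, dst_ip, dst_port). The real helper
    also constrains the source port for PORT/EPRT; that is omitted here."""
    expected = set()
    for line in control_lines:
        parsed = parse_data_endpoint(line, server_ip)
        if parsed is None:
            continue
        mode, ip, port = parsed
        if mode == "passive":
            expected.add((client_ip, ip, port))   # client -> server data port
        else:
            expected.add((server_ip, ip, port))   # server -> client data port
    return expected


def conntrack_state(expected, src_ip, dst_ip, dst_port):
    """State conntrack assigns to the first SYN of a data connection."""
    return "RELATED" if (src_ip, dst_ip, dst_port) in expected else "NEW"


def input_verdict(state, dst_port, allow_new_high_ports=False):
    """The clean INPUT chain from the thread: ESTABLISHED/RELATED accepted,
    NEW only to 21/22/80, everything else rejected. allow_new_high_ports
    models the extra NEW 1024:65535 rule the original poster experimented with."""
    if state in ("ESTABLISHED", "RELATED"):
        return "ACCEPT"
    if state == "NEW" and dst_port in (21, 22, 80):
        return "ACCEPT"
    if state == "NEW" and allow_new_high_ports and 1024 <= dst_port <= 65535:
        return "ACCEPT"
    return "REJECT"


# Constructed control-channel exchange for a passive-mode directory listing.
CLIENT_IP, SERVER_IP = "198.51.100.7", "192.168.1.10"
CONTROL = [
    "USER anonymous",
    "230 Login successful.",
    "PASV",
    "227 Entering Passive Mode (192,168,1,10,195,203).",   # 195*256+203 = 50123
    "LIST",
]


def passive_list_verdict(helper_loaded, allow_new_high_ports=False):
    """(state, verdict) for the client's SYN to the announced data port, with
    and without the FTP helper watching the control channel."""
    expected = helper_expectations(CONTROL, CLIENT_IP, SERVER_IP) if helper_loaded else set()
    state = conntrack_state(expected, CLIENT_IP, SERVER_IP, 50123)
    return state, input_verdict(state, 50123, allow_new_high_ports)


if __name__ == "__main__":
    print(passive_list_verdict(True))          # ('RELATED', 'ACCEPT')
    print(passive_list_verdict(False))         # ('NEW', 'REJECT')
    print(passive_list_verdict(False, True))   # ('NEW', 'ACCEPT'), but every high port is now open
```

Two caveats the thread does not settle: the passive data port also has to be reachable through the upstream Cisco, and unless that device does FTP inspection, a PAT that forwards only 2121 and 4422 will not pass it; and on current kernels the module is nf_conntrack_ftp and is no longer attached to port 21 automatically, so it has to be assigned with a rule such as `iptables -t raw -A PREROUTING -p tcp --dport 21 -j CT --helper ftp`.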