Re: [suse-security] IPTABLES Rule for Passive FTP

From: Marc Samendinger (marc.samendingersp-online.de)
Date: Tue Jul 29 2003 - 08:32:51 CDT


> -----Original Message-----
> From: Knut Erik Hauslo [mailto:KNUTHvoelcker.com]
> Sent: Tuesday, July 29, 2003 2:57 PM
>
>
> Hi all,

Hi Knut,
 
> I need to create a rule with IPTABLES which only allows
> passive FTP. The
> following lines accomplishes this:
>
> set IPTABLES = "/usr/sbin/iptables"
> # Control Connection
> $IPTABLES -A FORWARD -o eth1 -m state --state NEW -p TCP --sport
> 1024:65535 --dport ftp -j ACCEPT
> # Data Connection
> $IPTABLES -A FORWARD -o eth1 -m state --state NEW -p TCP --sport
> 1024:65535 --dport 1024:65535 -j ACCEPT
>
> There are more rules than only the lines above, but they are
> intentionally left out.

No problem, should be enough :)
 
> My problem is, that this open the firewall from internal with source
> port >= 1024 and destination port >= 1024 which typicalliy is
> used only
> by passive ftp data connection. This behaviour is by
> recommendation not
> wanted.
>
> Is there a way to accomplish that data connection only be allowed when
> FTP control connection has taken place before hand?

Yep, my rules for passive FTP look like this:

$IPTABLES -A FORWARD -p tcp -s $i --sport 1024:65535 -d $j --dport 21 \
        -m state --state NEW,ESTABLISHED -j ACCEPT
$IPTABLES -A FORWARD -p tcp -s $j --sport 21 -d $i --dport 1024:65535 \
        -m state --state RELATED,ESTABLISHED -j ACCEPT
$IPTABLES -A FORWARD -p tcp -s $i --sport 1024:65535 -d $j --dport 1024:65535 \
        -m state --state RELATED,ESTABLISHED -j ACCEPT
$IPTABLES -A FORWARD -p tcp -s $j --sport 1024:65535 -d $i --dport 1024:65535 \
        -m state --state RELATED,ESTABLISHED -j ACCEPT

Where $i is the ftp client and $j the ftp server.
For this to work correctly you need to load the ftp conntrack
helper module.

> Cheers
> Knut Erik

HTH

marc
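The point of Marc's answer is that the high-port data connection must never be accepted as NEW; it is only accepted once the ftp conntrack helper has marked it RELATED to a tracked control connection. The script below is an added example, not code from the thread or from either poster: it generates and applies a rule set of that shape for one client/server pair. The client address 10.0.0.5, server 192.0.2.10 and interface eth1 are constructed placeholders. The raw-table CT rule is an addition for kernels newer than the thread (4.7 and later no longer assign conntrack helpers automatically, so the ftp helper has to be bound to port 21 explicitly); on a 2003-era kernel the modprobe alone is enough.

```shell
#!/bin/sh
# Added example, not from the original thread: passive-FTP FORWARD rules in
# which only the control connection may be NEW; data connections are accepted
# solely as RELATED/ESTABLISHED to a tracked control connection.
# Assumed placeholders (not from the page): client 10.0.0.5, server
# 192.0.2.10, outbound interface eth1.
# Usage:  sh ftp-rules.sh --dry-run   (prints what would run)
#         sh ftp-rules.sh --apply     (needs root and netfilter)

IPTABLES="${IPTABLES:-/usr/sbin/iptables}"
MODPROBE="${MODPROBE:-modprobe}"

# Emit one iptables argument string per line.
# $1 = ftp client, $2 = ftp server, $3 = interface the client traffic leaves on.
passive_ftp_rules() {
    client="$1"; server="$2"; iface="$3"
    # Control connection: the only rule that accepts a NEW connection.
    printf '%s\n' "-A FORWARD -o $iface -p tcp -s $client --sport 1024:65535 -d $server --dport 21 -m state --state NEW,ESTABLISHED -j ACCEPT"
    printf '%s\n' "-A FORWARD -i $iface -p tcp -s $server --sport 21 -d $client --dport 1024:65535 -m state --state ESTABLISHED -j ACCEPT"
    # Data connection: the server picks a high port in its PASV reply; the
    # client's first SYN to it is RELATED only if the ftp helper saw that
    # reply on a tracked control connection. Without the helper nothing
    # on 1024:65535 is ever accepted.
    printf '%s\n' "-A FORWARD -o $iface -p tcp -s $client --sport 1024:65535 -d $server --dport 1024:65535 -m state --state RELATED,ESTABLISHED -j ACCEPT"
    printf '%s\n' "-A FORWARD -i $iface -p tcp -s $server --sport 1024:65535 -d $client --dport 1024:65535 -m state --state ESTABLISHED -j ACCEPT"
}

# Load the helper and install the rules. Set IPTABLES=echo and MODPROBE=echo
# to see the commands instead of running them.
apply_passive_ftp() {
    # Kernel side: without the ftp helper, RELATED never matches for FTP data.
    $MODPROBE nf_conntrack_ftp 2>/dev/null || $MODPROBE ip_conntrack_ftp
    # Kernels >= 4.7 do not attach helpers automatically: bind it to port 21.
    $IPTABLES -t raw -A PREROUTING -p tcp --dport 21 -j CT --helper ftp
    passive_ftp_rules "$@" | while read -r rule; do
        # Word-splitting of $rule into separate arguments is intended here.
        # shellcheck disable=SC2086
        $IPTABLES $rule
    done
}

case "${1:-}" in
    --apply)   apply_passive_ftp "${2:-10.0.0.5}" "${3:-192.0.2.10}" "${4:-eth1}" ;;
    --dry-run) IPTABLES=echo; MODPROBE=echo
               apply_passive_ftp "${2:-10.0.0.5}" "${3:-192.0.2.10}" "${4:-eth1}" ;;
esac
```

After applying, `cat /proc/net/nf_conntrack` (or `conntrack -L`) during a transfer should show the control connection with `helper=ftp` and the data connection with a RELATED/ASSURED entry; if data connections stall at PASV, the helper is the first thing to check.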
