Hello,
I have a problem with our clients' outside FTP access via Debian.
My LAN users can't start data transfers to outside FTP servers, but they
can establish a connection to port 21 on the outside FTP server.
I want my LAN users to use FTP clients in ACTIVE mode.
My rules:
***nat
-A PREROUTING -i $LAN -s 192.168.1.0/26 -p tcp -m multiport --dport 21 -j ACCEPT
-A POSTROUTING -s 192.168.1.0/26 -d 0/0 -o eth1 -j MASQUERADE
***filter
-A FORWARD -i $LAN -o $EXT -s 192.168.1.0/26 -p tcp --dport 21 -m state --state NEW,ESTABLISHED,RELATED -j ACCEPT
-A FORWARD -i $EXT -o $LAN -p tcp --sport 21 -m state --state ESTABLISHED,RELATED -j ACCEPT
*************
modprobe ip_conntrack_ftp , ip_conntrack, ip_nat_ftp
--
Iptables and FTP problem
you need to allow port 20 for the data connection.
phil
On 9/1/2007 4:52 AM, Mahdi Rahimi wrote:
> hello
> I have problem in our clients's outside ftp access via debian.
> My LAN users can't start data transfer to outside FTP servers, but they
> can establish connection to port 21 on the outside ftp server.
>
> I want to my LAN users use ftp clinets in ACTIVE mode.
> my rules:
>
> ***nat
> -A PREROUTING -i $LAN -s 192.168.1.0/26 -p tcp -m multiport --dport 21 -j
> ACCEPT
> -A POSTROUTING -s 192.168.1.0/26 -d 0/0 -o eth1 -j MASQUERADE
>
> ***filter
> -A FORWARD -i $LAN -o $EXT -s 192.168.1.0/26 -p tcp --dport 21 -m state
> --state NEW,ESTABLISHED,RELATED -j ACCEPT
> -A FORWARD -i $EXT -o $LAN -p tcp --sport 21 -m state --state
> ESTABLISHED,RELATED -j ACCEPT
>
> *************
> modprobe ip_conntrack_ftp , ip_conntrack, ip_nat_ftp
--
Iptables and FTP problem
Thanks Phil.
But I think port 20 is in the RELATED state and no connection needs to be
established; the module ip_conntrack_ftp must correct this problem.
I also read previous posts in this mailing list, but can't solve the problem.
My Debian server wants to connect to other FTP servers (OUTSIDE) only in
PASSIVE mode, only and only!!!!!!!! When I forward the clients'
sport 1024:65535 to the server's dport 1024:65535 the problem is solved, but
I can't open these ports and forward them. I want only Active mode (Standard
mode).
My NAT (PREROUTING) and filter table default policy is DROP.
Thanks
On Sat, September 1, 2007 19:42, Phil Dyer wrote:
> you need to allow port 20 for the data connection.
>
> phil
>
>
> On 9/1/2007 4:52 AM, Mahdi Rahimi wrote:
>
>> hello I have problem in our clients's outside ftp access via debian.
>> My LAN users can't start data transfer to outside FTP servers, but they
>> can establish connection to port 21 on the outside ftp server.
>>
>> I want to my LAN users use ftp clinets in ACTIVE mode.
>> my rules:
>>
>> ***nat
>> -A PREROUTING -i $LAN -s 192.168.1.0/26 -p tcp -m multiport --dport 21
>> -j
>> ACCEPT
>> -A POSTROUTING -s 192.168.1.0/26 -d 0/0 -o eth1 -j MASQUERADE
>>
>>
>> ***filter
>> -A FORWARD -i $LAN -o $EXT -s 192.168.1.0/26 -p tcp --dport 21 -m state
>> --state NEW,ESTABLISHED,RELATED -j ACCEPT
>> -A FORWARD -i $EXT -o $LAN -p tcp --sport 21 -m state --state
>> ESTABLISHED,RELATED -j ACCEPT
>>
>>
>> *************
>> modprobe ip_conntrack_ftp , ip_conntrack, ip_nat_ftp
Iptables and FTP problem
Nope. Your rule says to allow related,established on port 21. It doesn't
apply to port 20. Add a log rule to see what's being dropped.
You can remove the --sport 21 and just allow in ANY established,related
and that should work.
phil
On 9/1/2007 7:36 AM, Mahdi Rahimi wrote:
> thanks phil
> But i think the port 20 is in RELATED state and no connection need to be
> established. module ip_conntrack_ftp must correct this problem.
[snip]
>>> ***filter
>>> -A FORWARD -i $LAN -o $EXT -s 192.168.1.0/26 -p tcp --dport 21 -m state
>>> --state NEW,ESTABLISHED,RELATED -j ACCEPT
>>> -A FORWARD -i $EXT -o $LAN -p tcp --sport 21 -m state --state
>>> ESTABLISHED,RELATED -j ACCEPT
>>>
>
--
Iptables and FTP problem
My rule:
-A FORWARD -i $LAN -o $EXT -m state --state NEW,ESTABLISHED,RELATED -p tcp --dport 21 -j ACCEPT
"doesn't work, because it tries to connect to the server via port 5050 and so on, and not 21!!!!"
-A FORWARD -i $EXT -o $LAN -m state --state ESTABLISHED,RELATED -p tcp -j ACCEPT
can't solve the problem.
On Sat, September 1, 2007 20:56, Phil Dyer wrote:
> Nope. Your rule says to allow related,established on port 21. It doesn't
> apply to port 20. Add a log rule to see what's being dropped.
>
> You can remove the --sport 21 and just allow in ANY established,related
> and that should work.
>
> phil
>
> On 9/1/2007 7:36 AM, Mahdi Rahimi wrote:
>
>> thanks phil But i think the port 20 is in RELATED state and no
>> connection need to be established. module ip_conntrack_ftp must correct
>> this problem.
>
> [snip]
>
>
>>>> ***filter
>>>> -A FORWARD -i $LAN -o $EXT -s 192.168.1.0/26 -p tcp --dport 21 -m
>>>> state --state NEW,ESTABLISHED,RELATED -j ACCEPT
>>>> -A FORWARD -i $EXT -o $LAN -p tcp --sport 21 -m state --state
>>>> ESTABLISHED,RELATED -j ACCEPT
Iptables and FTP problem
Hello,
##Control connection (port 21)
-A FORWARD -i $LAN -o $EXT -m state --state NEW,ESTABLISHED,RELATED -p tcp -m multiport --dports 21 -j ACCEPT
-A FORWARD -i $EXT -o $LAN -m state --state ESTABLISHED,RELATED -p tcp -m multiport --sports 21 -j ACCEPT
##Data connection
-A FORWARD -i $EXT -o $LAN -p tcp -m state --state RELATED,ESTABLISHED -j ACCEPT
-A FORWARD -i $LAN -o $EXT -m state --state ESTABLISHED -p tcp -j ACCEPT
FORWARD default policy is DROP
------------------
With these rules I can't start the data connection, but the control connection works in
active FTP (standard mode).
My server tries to work in passive mode, because after the control connection it tries to
connect to the FTP server via a port > 1024, such as 5049, ..., for the data transfer.
Thanks
--
Iptables and FTP problem
My rules for passive FTP look like this and work without problem, but I
want my LAN to work in active FTP.
###control connection
$IPTABLES -A FORWARD -p tcp -s $LAN --sport 1024:65535 -d $EXT --dport 21 -m state --state NEW,ESTABLISHED -j ACCEPT
$IPTABLES -A FORWARD -p tcp -s $EXT --sport 21 -d $LAN --dport 1024:65535 -m state --state RELATED,ESTABLISHED -j ACCEPT
###data connection
$IPTABLES -A FORWARD -p tcp -s $LAN --sport 1024:65535 -d $EXT --dport 1024:65535 -m state --state RELATED,ESTABLISHED -j ACCEPT
$IPTABLES -A FORWARD -p tcp -s $EXT --sport 1024:65535 -d $LAN --dport 1024:65535 -m state --state RELATED,ESTABLISHED -j ACCEPT
--
RE: Iptables and FTP problem
To use active FTP, try setting this option in your FTP client. Most
clients work in passive mode by default, but there must be an option to
change that.
Edit: forgot to send this to the list.
On 9/2/07, Mahdi Rahimi wrote:
>
> my Rules for passive FTP look like this and works without problem but i
> want to my LAN works in active ftp.
>
> ###control connection
> $IPTABLES -A FORWARD -p tcp -s $LAN --sport 1024:65535 -d $EXT --dport 21
> -m state --state NEW,ESTABLISHED -j ACCEPT
> $IPTABLES -A FORWARD -p tcp -s $EXT --sport 21 -d $LAN --dport 1024:65535
> -m state --state RELATED,ESTABLISHED -j ACCEPT
>
> ###data connection
> $IPTABLES -A FORWARD -p tcp -s $LAN --sport 1024:65535 -d $EXT --dport
> 1024:65535
> -m state --state RELATED,ESTABLISHED -j ACCEPT
> $IPTABLES -A FORWARD -p tcp -s $EXT --sport 1024:65535 -d $LAN --dport
> 1024:65535
> -m state --state RELATED,ESTABLISHED -j ACCEPT
RE: Iptables and FTP problem
Hello, dears.
I decided to set my firewall rules to passive mode, as I sent in the previous
post, and my clients set their FTP client to active or work with IE in passive mode.
Thanks a lot to all.
--
Iptables and FTP problem
Mahdi Rahimi wrote:
> my Rules for passive FTP look like this and works without problem but i
> want to my LAN works in active ftp.
>
> ###control connection
> $IPTABLES -A FORWARD -p tcp -s $LAN --sport 1024:65535 -d $EXT --dport 21
> -m state --state NEW,ESTABLISHED -j ACCEPT
> $IPTABLES -A FORWARD -p tcp -s $EXT --sport 21 -d $LAN --dport 1024:65535
> -m state --state RELATED,ESTABLISHED -j ACCEPT
RELATED is not needed for the control connections.
> ###data connection
> $IPTABLES -A FORWARD -p tcp -s $LAN --sport 1024:65535 -d $EXT --dport
> 1024:65535 -m state --state RELATED,ESTABLISHED -j ACCEPT
> $IPTABLES -A FORWARD -p tcp -s $EXT --sport 1024:65535 -d $LAN --dport
> 1024:65535 -m state --state RELATED,ESTABLISHED -j ACCEPT
This is getting confusing. In your previous messages, $LAN and $EXT were
used in -i and -o options, meaning they contain interface names. Now
they are used in -s and -d options, meaning they contain addresses or
network address prefixes. So what are $LAN and $EXT ?
Assuming that $LAN and $EXT contain network prefixes (respectively
192.168.1.0/26 and 0.0.0.0/0 according to your previous messages), you
need to add the following rules in order to allow transfers in active mode:
$IPTABLES -A FORWARD -p tcp -s $EXT --sport 20 -d $LAN \
--dport 1024:65535 -m state --state RELATED,ESTABLISHED -j ACCEPT
$IPTABLES -A FORWARD -p tcp -s $LAN --sport 1024:65535 -d $EXT \
--dport 20 -m state --state ESTABLISHED -j ACCEPT
However I recommend filtering at least on the input interface and not
only on the source address, because the source address can be forged.
--
Iptables and FTP problem
Hello,
Mahdi Rahimi wrote:
>
> My NAT(PREROUTING) and Filter table default Policy is DROP.
Bad idea. The nat table is not intended for filtering. Just leave the
nat table chains default policies to ACCEPT, and do the filtering in the
filter table chains.
>>>hello I have problem in our clients's outside ftp access via debian.
>>>My LAN users can't start data transfer to outside FTP servers, but they
>>>can establish connection to port 21 on the outside ftp server.
>>>
>>>I want to my LAN users use ftp clinets in ACTIVE mode.
>>>my rules:
>>>
>>>***nat
>>>-A PREROUTING -i $LAN -s 192.168.1.0/26 -p tcp -m multiport --dport 21
>>>-j ACCEPT
As I said above, the nat table is not intended for filtering, and it is
a bad idea to filter in the nat table.
>>>-A POSTROUTING -s 192.168.1.0/26 -d 0/0 -o eth1 -j MASQUERADE
>>>
>>>***filter
>>>-A FORWARD -i $LAN -o $EXT -s 192.168.1.0/26 -p tcp --dport 21 -m state
>>>--state NEW,ESTABLISHED,RELATED -j ACCEPT
>>>-A FORWARD -i $EXT -o $LAN -p tcp --sport 21 -m state --state
>>>ESTABLISHED,RELATED -j ACCEPT
>>>
>>>*************
>>>modprobe ip_conntrack_ftp , ip_conntrack, ip_nat_ftp
In order for active FTP transfers to work, you need to:
- accept the control connection (port 21) NEW and ESTABLISHED packets
from inside to outside; OK, done in the first rule in FORWARD;
- accept the control connection ESTABLISHED packets from outside to
inside; OK, done in the second FORWARD rule;
- accept the data connection RELATED and ESTABLISHED packets from
outside to inside; KO, not done in either rule;
- accept the data connection (port != 21) ESTABLISHED packets from
inside to outside; KO, not done in either rule.
The rule
-A FORWARD -i $EXT -o $LAN -m state --state ESTABLISHED,RELATED \
-p tcp -j ACCEPT
alone won't solve the problem because it accepts only data connection
packets from outside to inside ; packets from inside to outside are
still dropped. So you also need something like
-A FORWARD -o $EXT -i $LAN -m state --state ESTABLISHED \
-p tcp -j ACCEPT
--
Iptables and FTP problem
-A FORWARD -i $LAN -o $EXT -m state --state NEW,ESTABLISHED,RELATED -p tcp --dport 21 -j ACCEPT
-A FORWARD -i $EXT -o $LAN -m state --state ESTABLISHED,RELATED -p tcp --sport 21 -j ACCEPT
I don't have data transfer with these rules!!!
-------------------------
rahimi{at}eaedu.net
rahimi_m{at}cse.shirazu.ac.ir
--
Iptables and FTP problem
Maybe you must change FORWARD with ACCEPT to allow transfer on that port.
Greets
On 9/1/07, Mahdi Rahimi wrote:
>
>
> -A FORWARD -i $LAN -o $EXT -m state --state NEW,ESTABLISHED,RELATED -p
> tcp --dport 21 -j ACCEPT
>
> -A FORWARD -i $EXT -o $LAN -m state --state ESTABLISHED,RELATED -p tcp
> --sport 21 -j ACCEPT
>
> I don't have data transfer with this rules!!!
>
> -------------------------
> rahimi{at}eaedu.net
> rahimi_m{at}cse.shirazu.ac.ir
ssl/tls and ftp client logs
Two thoughts, as I came across some problems myself:
1) Is SSL/TLS enabled on the server? If so, ip_conntrack_ftp will not be able to parse the network traffic.
2) If you provide the FTP client logs (please do not copy/paste the real username and password), chances are that the problem can be spotted faster.
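The thread turns on two things: what the FTP connection-tracking helper derives from the control channel (the PORT command in active mode, the 227 reply in passive mode), and which FORWARD rules then see the data connection as RELATED/ESTABLISHED. The Python below is an added example written for this page, not code from the thread or from netfilter: it models a helper that parses constructed sample control-channel transcripts, registers the expected data connection, and evaluates the thread's two FORWARD rule sets against the first data packet in each direction. It also covers the last message's point, that once the server accepts AUTH TLS the helper sees nothing further. The interface names eth0/eth1, the ephemeral client port 40000 and the transcripts are constructed assumptions; the NAT rewrite of the address inside PORT that ip_nat_ftp performs behind MASQUERADE is deliberately not modelled.

```python
"""Model of what an FTP conntrack helper derives from the control channel and
of the FORWARD rules discussed in this thread. Simplified example; the
transcripts below are constructed sample data, not captured traffic."""
import re
from dataclasses import dataclass
from typing import FrozenSet, List, Optional, Tuple

# Client sends "PORT h1,h2,h3,h4,p1,p2" in active mode; the server answers a
# PASV request with "227 Entering Passive Mode (h1,h2,h3,h4,p1,p2)".
PORT_RE = re.compile(r"^PORT\s+(\d+),(\d+),(\d+),(\d+),(\d+),(\d+)\s*$", re.I)
PASV_RE = re.compile(r"^227\b.*\((\d+),(\d+),(\d+),(\d+),(\d+),(\d+)\)")


@dataclass(frozen=True)
class Expectation:
    mode: str                # "active" or "passive"
    initiator: str           # side that sends the SYN of the data connection
    src_port: Optional[int]  # 20 in active mode; unknown (ephemeral) in passive
    dst_ip: str
    dst_port: int


def _decode(fields) -> Tuple[str, int]:
    h1, h2, h3, h4, p1, p2 = (int(x) for x in fields)
    return f"{h1}.{h2}.{h3}.{h4}", p1 * 256 + p2


def expectations(transcript: List[Tuple[str, str]]) -> List[Expectation]:
    """transcript: list of (direction, line), direction 'c>s' or 's>c'.
    After the server accepts AUTH TLS (reply 234) the channel is encrypted,
    so a helper can parse nothing beyond that point."""
    out = []
    for direction, line in transcript:
        if direction == "s>c" and line.startswith("234"):
            break
        m = PORT_RE.match(line) if direction == "c>s" else PASV_RE.match(line)
        if not m:
            continue
        ip, port = _decode(m.groups())
        if direction == "c>s":   # active: server connects from port 20
            out.append(Expectation("active", "server", 20, ip, port))
        else:                    # passive: client connects to announced port
            out.append(Expectation("passive", "client", None, ip, port))
    return out


@dataclass(frozen=True)
class Rule:
    in_if: str
    out_if: str
    states: FrozenSet[str]
    sport: Optional[int] = None  # None means any port
    dport: Optional[int] = None


def verdict(rules, in_if, out_if, sport, dport, state, policy="DROP"):
    """First-match evaluation of a FORWARD chain with default policy DROP."""
    for r in rules:
        if ((r.in_if, r.out_if) == (in_if, out_if) and state in r.states
                and r.sport in (None, sport) and r.dport in (None, dport)):
            return "ACCEPT"
    return policy


def data_verdicts(rules, exp, lan="eth0", ext="eth1", client_port=40000):
    """Verdicts for the first data packet (conntrack state RELATED) and the
    first packet back (ESTABLISHED). client_port is a constructed ephemeral
    port for the passive case; eth0/eth1 stand in for $LAN/$EXT."""
    if exp.initiator == "server":
        syn, reply = (ext, lan, exp.src_port, exp.dst_port), (lan, ext, exp.dst_port, exp.src_port)
    else:
        syn, reply = (lan, ext, client_port, exp.dst_port), (ext, lan, exp.dst_port, client_port)
    return verdict(rules, *syn, "RELATED"), verdict(rules, *reply, "ESTABLISHED")


NEW_EST_REL = frozenset({"NEW", "ESTABLISHED", "RELATED"})
EST_REL = frozenset({"ESTABLISHED", "RELATED"})
EST = frozenset({"ESTABLISHED"})
# The original poster's two FORWARD rules, both tied to port 21.
ORIGINAL_RULES = [Rule("eth0", "eth1", NEW_EST_REL, dport=21),
                  Rule("eth1", "eth0", EST_REL, sport=21)]
# The same plus the two data-connection rules from the last French reply.
ACTIVE_RULES = ORIGINAL_RULES + [Rule("eth1", "eth0", EST_REL), Rule("eth0", "eth1", EST)]

# Constructed transcripts. 19*256+186 = 5050 and 19*256+185 = 5049, the
# ports the original poster reported seeing.
ACTIVE_SESSION = [("s>c", "220 FTP server ready"), ("c>s", "USER anonymous"),
                  ("s>c", "331 Password please"), ("c>s", "PASS guest"),
                  ("s>c", "230 Login successful"), ("c>s", "PORT 192,168,1,10,19,186"),
                  ("s>c", "200 PORT command successful"), ("c>s", "LIST")]
PASSIVE_SESSION = [("c>s", "PASV"), ("s>c", "227 Entering Passive Mode (203,0,113,5,19,185)"),
                   ("c>s", "LIST")]
TLS_SESSION = [("c>s", "AUTH TLS"), ("s>c", "234 Proceed with negotiation"),
               ("c>s", "PORT 192,168,1,10,19,186")]

if __name__ == "__main__":
    for name, session in (("active", ACTIVE_SESSION), ("passive", PASSIVE_SESSION), ("tls", TLS_SESSION)):
        exps = expectations(session) or ["no expectation (helper saw nothing usable)"]
        for e in exps:
            if isinstance(e, Expectation):
                print(name, e, "original:", data_verdicts(ORIGINAL_RULES, e),
                      "with data rules:", data_verdicts(ACTIVE_RULES, e))
            else:
                print(name, e)
```

Running it shows the thread's conclusion in one place: under the original two rules the active-mode data SYN from port 20 and the client's reply are both dropped, because each rule insists on port 21; with the two added rules both directions are accepted. The passive session is also instructive: the corrected set accepts the server's replies but still drops the client's outgoing RELATED SYN, since the inside-to-outside rule matches ESTABLISHED only, which is why the poster's passive rule set needed the 1024:65535 RELATED rule. The TLS session produces no expectation at all, matching the final message's warning.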