
Re: rules for FTP access



Ansgar -59cobalt- Wiechers wrote:

>> On 2005-09-01 Stephan Balmer wrote:
>>
>
>>>>>>but, once I have loaded conntrack ftp modules and I want to permit ftp
>>>>>>client connections from my private subnet, which is behind eth1, to
>>>>>>Internet through eth0, I should do:
>>>>>>
>>>>>>iptables -A FORWARD -i eth1 -o eth0 -p tcp --dport 20:21 -j ACCEPT
>>
>>>>
>>>>Yes, that should work.
>
>>
>>
>> No. He would need either
>>
>> iptables -A FORWARD -i eth1 -o eth0 -p tcp --dport 21 -j ACCEPT
>> iptables -A FORWARD -i eth0 -o eth1 -p tcp --sport 20 -j ACCEPT
>>
>> or
>>
>> iptables -A FORWARD -i eth1 -o eth0 -p tcp --dport 21 -j ACCEPT
>> iptables -A FORWARD -i eth1 -o eth0 -p tcp --dport 1024: -j ACCEPT
>>
>> The former is for active FTP, the latter for passive FTP. I *strongly*
>> recommend avoiding both and use connection tracking instead.
>>
>>
>
>>>>But as others have pointed out, this is good for passive FTP-
>>>>connections only, if your clients want to use active FTP, you need
>>>>connection tracking (look for a kernel module ip_conntrack_ftp).
>
>>
>>
>> Wrong. Port 20/tcp on the server is *only* needed for *active* FTP (and
>> would then have to be a --sport anyway, since the server initiates the
>> data connection). Passive FTP uses TCP ports above 1023 for the data
>> connection, which is initiated by the client. However, with connection
>> tracking enabled,


thus, if I understand right, it is enough that I include the lines
below in my iptables script:

$MODPROBE ip_conntrack_ftp
$MODPROBE ip_nat_ftp

iptables -A FORWARD -i eth1 -o eth0 -p tcp --dport 21 -m state --state
NEW -j ACCEPT

thank you very much, fabrizio.

>> you only need to allow 21/tcp for both active and

>> passive FTP, since the data connection will be RELATED to the already
>> ESTABLISHED control connection.
>>
>>
>
>>>>In most cases, it's far easier and secure to configure your clients to
>>>>use passive mode than to fiddle with conntrack, many clients work
>>>>passive by default.
>
>>
>>
>> Without connection tracking that'll work only if you allowed outbound
>> connections to non-privileged ports.
>>
>>
>
>>>>Active FTP vs. Passive FTP, a Definitive Explanation:
>>>>http://slacksite.com/other/ftp.html
>
>>
>>
>> May I suggest you re-read that page yourself?
>>
>> Regards
>> Ansgar Wiechers
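A complete rule set for the setup discussed in this thread, added here as an example; it was not posted by anyone in the thread. It keeps the port-21 NEW rule from fabrizio's draft and adds the ESTABLISHED,RELATED rule that the helper-tracked data connection actually matches, which is the part Ansgar's explanation relies on. Interface names (eth1 inside, eth0 outside) and the ip_conntrack_ftp/ip_nat_ftp module names are the thread's; the nf_* module names, the raw-table CT rule for kernels that no longer attach helpers automatically, and the dry-run variable IPT are assumptions of this example.

```shell
#!/bin/sh
# Added example, not code from the thread: FTP forwarding for a gateway whose
# LAN is behind eth1 and whose Internet link is eth0, as in the discussion.
# Relies on the conntrack FTP helper instead of opening port 20 or 1024:.
#
# Dry run by default (IPT=echo prints the rules instead of loading them).
# Run as root with IPT=iptables to apply them.
IPT="${IPT:-echo}"
LAN_IF="${LAN_IF:-eth1}"   # inside interface (from the thread)
WAN_IF="${WAN_IF:-eth0}"   # outside interface (from the thread)

# Load the FTP conntrack helper and, because the LAN is NATed, the FTP NAT
# helper that rewrites addresses inside PORT/PASV. The ip_* names are the
# ones the thread uses; the nf_* names are what current kernels call them
# (assumed fallback).
load_ftp_helpers() {
    for m in ip_conntrack_ftp ip_nat_ftp nf_conntrack_ftp nf_nat_ftp; do
        modprobe "$m" 2>/dev/null || true
    done
}

# Since Linux 4.7 the helper is not attached to connections automatically;
# this raw-table rule pins it to outbound control connections (assumed to be
# needed on newer kernels; harmless on older ones).
ftp_helper_assignment() {
    $IPT -t raw -A PREROUTING -i "$LAN_IF" -p tcp --dport 21 -j CT --helper ftp
}

# Forwarding policy for FTP clients on LAN_IF talking to servers on WAN_IF.
ftp_forward_rules() {
    # Established connections, and data connections the helper has marked
    # RELATED, pass in both directions. This single rule covers the active
    # data connection (server port 20 -> client) and the passive one
    # (client -> server port >1023), so neither needs a hole of its own.
    $IPT -A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT
    # New control connections: LAN -> Internet, port 21 only.
    $IPT -A FORWARD -i "$LAN_IF" -o "$WAN_IF" -p tcp --dport 21 \
        -m state --state NEW -j ACCEPT
    # Anything else that would be forwarded is dropped.
    $IPT -P FORWARD DROP
}

# Prints the FORWARD rules exactly as iptables would receive them, without
# touching the kernel; used to review the rule set before applying it.
ftp_forward_rules_dry() {
    ( IPT=echo; ftp_forward_rules )
}

[ "$IPT" = echo ] || load_ftp_helpers
ftp_helper_assignment
ftp_forward_rules
```

Run it once as is to review the generated rules, then `IPT=iptables sh ftp-forward.sh` as root to load them. The thing to notice is what is absent: no `--sport 20` inbound rule and no `--dport 1024:` range, the two holes from the non-conntrack variants above; with the helper loaded, the data connection is classified RELATED and the first rule admits it in whichever direction the FTP mode requires.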
