FTP and IPTABLES Question

Top Page
This message is part of the following thread:
Mthe complete thread tree sorted by date
M 
MCraig White at ->
Attachments:
Message as email
+ (text/plain)
Delete this message
Reply to this message
Author: David Demland
Date:  
To: Plug-Discuss
Subject: FTP and IPTABLES Question
I have a Debian router that is running iptables. Whenever I use an FTP
client from a system behind the router I get an invalid port error. When I
use the FTP client on the router it works fine. This leads be to believe I
do not have something passing through the router properly. I have looked on
the internet and found information about passing through passive and active
FTP using IPTABLES and I have modified by script by inserting the following:

#load any modules needed for connection tracking
#allow passive ftp
UP_PORTS="1024:65535"
/sbin/modprobe ip_conntrack
/sbin/modprobe ip_conntrack_ftp
echo "Started Connection Tracking"

## FTP
# Allow ftp outbound.
#

echo Setting up FTP Outbound....
iptables -A INPUT -i $INET_IFACE -p tcp --sport 21 -m state --state
ESTABLISHED -j ACCEPT
iptables -A OUTPUT -o $INET_IFACE -p tcp --dport 21 -m state --state
NEW,ESTABLISHED -j ACCEPT

#
# Now for the connection tracking part of ftp. This is discussed more
# completely in the section on connection tracking on
# the page http://www.sns.ias.edu/~jns/security/iptables/
# 1) Active ftp.
# This involves a connection INbound from port 20 on the remote machine, to
a
# local port passed over the ftp channel via a PORT command.
# The ip_conntrack_ftp module recognizes the connection as RELATED to the
# original outgoing connection to port 21 so we don't need NEW as a state
match.
#

iptables -A INPUT -i $INET_IFACE -p tcp --sport 20 -m state --state
ESTABLISHED,RELATED -j ACCEPT
iptables -A OUTPUT -o $INET_IFACE -p tcp --dport 20 -m state --state
ESTABLISHED -j ACCEPT

#
# 2) Passive ftp.
# This involves a connection outbound from a port >1023 on the local
machine,
# to a port >1023 on the remote machine previously passed over the ftp
channel
# via a PORT command. The ip_conntrack_ftp module recognizes the connection
as
# RELATED to the original outgoing connection to port 21 so we don't need
NEW
# as a state match.
#

iptables -A INPUT -i $INET_IFACE -p tcp --sport $UP_PORTS --dport
$UP_PORTS -m state --state ESTABLISHED -j ACCEPT
iptables -A OUTPUT -o $INET_IFACE -p tcp --sport $UP_PORTS --dport
$UP_PORTS -m state --state ESTABLISHED,RELATED -j ACCEPT

Yet I can not get the FTP to pass through the router. What am I missing?

Thank You,

David Demland

---------------------------------------------------
PLUG-discuss mailing list -
To subscribe, unsubscribe, or to change you mail settings:
http://lists.PLUG.phoenix.az.us/mailman/listinfo/plug-discuss

This message was posted to the following mailing lists:
Plug Discuss
Mailing List Info | Nearby Messages		<-Re: good Linux security book/guideRe: FTP and IPTABLES Question->
Some Mailing List Archive administrated by UnconfiguredLurker (version 2.3)