12-05-2008, 09:30 PM
Robert L. Harris

iptables, ftp and dnat?





Alex Samad wrote:
> Hi
>
> You should try and keep this on list

Sorry, hit reply instead of reply all.

>
>
> Alex
>
>
> On Fri, Dec 05, 2008 at 02:17:42PM -0700, Robert L. Harris wrote:
>
>
>
>> [snip]
>
> I've updated my rules to this:
>
> #
> # allow ftpd
> HARVARD="10.1.1.32"
> /sbin/modprobe nf_conntrack_ftp
> # General
> iptables -I INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
> iptables -A INPUT -p tcp --dport 21 -m state --state NEW -j ACCEPT
> iptables -A FORWARD -p tcp --dport 21 -m state --state NEW -j ACCEPT
> iptables -t nat -A PREROUTING -p tcp --dport 21 -j DNAT --to 10.1.1.32:21
>
> I think I confused myself though, do I need the other rules I had
> for port 20 or will the first INPUT rule above cover that?
>
>> have a look here http://slacksite.com/other/ftp.html (quick
>> google on ftp & ports).
>
>> It shows you how the ports are used for ftp.
>
>> The ftp conntrack module that you were loading previously should
>> handle the "related" ports and allow them through, what I am not
>> sure about is whether it will handle the dnat'ing of those ports. But then
>> again you could specify passive ftp only
>
>> here is another link
>> http://www.cyberciti.biz/faq/iptables-open-ftp-port-21/ (again
>> google).
>
>
>> My strength is in iptables not ftp (which is the reason for
>> googling )
>
>> Also anything to do with iptables and firewalls you should
>> probably read a tutorial on iptables
>

I've read both of those and understand how the ftp works. I've spent
the last 2 days googling. Unfortunately it's all working now except
how to get the iptables data connection in passive mode working. I can
log in, etc. just fine but when I do a "ls" after issuing the "passive"
command it times out.

The second example looks good but doesn't handle the DNAT (the ftp
server is running on another machine behind my firewall).

Robert



--

:wq!
====================================================================
Robert L. Harris | GPG Key ID: E344DA3B
@ x-hkp://pgp.mit.edu
DISCLAIMER: These are MY OPINIONS ALONE. I speak for no-one else.

With Dreams To Be A King, First One Should Be A Man - Manowar



--
To UNSUBSCRIBE, email to debian-user-REQUEST@lists.debian.org
with a subject of "unsubscribe". Trouble? Contact listmaster@lists.debian.org
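The rules in the post above load nf_conntrack_ftp but not nf_nat_ftp, and accept RELATED,ESTABLISHED only in INPUT, while the DNAT'd control and data connections pass through FORWARD. What follows is an added example, not code from the thread, of a rule set that covers both channels for an FTP server behind an iptables NAT box. The public interface name eth0, the PassivePorts range 60000-65535 and the DRY_RUN switch are my assumptions; the server address 10.1.1.32 is the one from the post.

```sh
#!/bin/sh
# Added example, not from the thread: publish an FTP server behind an
# iptables NAT box so that both active and passive data connections work.
# Assumptions (mine, not the poster's): the public interface is eth0, the
# server is 10.1.1.32 as in the post, proftpd is configured with
# PassivePorts 60000-65535. DRY_RUN=1 (the default) prints the commands;
# run as root with DRY_RUN=0 to apply them.
DRY_RUN=${DRY_RUN:-1}
WAN_IF=${WAN_IF:-eth0}
FTP_SERVER=${FTP_SERVER:-10.1.1.32}
PASV_LO=${PASV_LO:-60000}
PASV_HI=${PASV_HI:-65535}

run() {
    if [ "$DRY_RUN" = 1 ]; then
        echo "$*"
    else
        "$@"
    fi
}

load_ftp_helpers() {
    # nf_conntrack_ftp reads PORT/PASV on the control channel and marks the
    # resulting data connection RELATED. nf_nat_ftp is a separate module:
    # it rewrites the address inside the 227 reply and NATs the expected
    # data connection. Loading only the first, as in the post, leaves the
    # client with the server's private address in the passive reply.
    run modprobe nf_conntrack_ftp
    run modprobe nf_nat_ftp
    # Kernels since 4.7 no longer attach helpers automatically; bind the
    # ftp helper to the control channel explicitly (CT target, raw table).
    # On the 2008 kernel in the thread the helper attached by itself.
    run iptables -t raw -A PREROUTING -i "$WAN_IF" -p tcp --dport 21 \
        -j CT --helper ftp
}

ftp_dnat_rules() {
    # Control channel: DNAT port 21 to the server, then allow the NEW forward.
    run iptables -t nat -A PREROUTING -i "$WAN_IF" -p tcp --dport 21 \
        -j DNAT --to-destination "$FTP_SERVER:21"
    run iptables -A FORWARD -i "$WAN_IF" -p tcp -d "$FTP_SERVER" --dport 21 \
        -m state --state NEW -j ACCEPT
    # Data connections the helper marked RELATED (active and passive) plus
    # every ESTABLISHED flow, in FORWARD as well as INPUT: the DNAT'd
    # connections never touch INPUT.
    run iptables -A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
    run iptables -A FORWARD -m state --state RELATED,ESTABLISHED -j ACCEPT
    # Fallback for the passive range when the helper cannot read the
    # control channel (FTP over TLS) or is not attached: plain DNAT plus
    # NEW accept. This exposes the whole range to the server, so keep it
    # equal to PassivePorts and nothing wider.
    run iptables -t nat -A PREROUTING -i "$WAN_IF" -p tcp \
        --dport "$PASV_LO:$PASV_HI" -j DNAT --to-destination "$FTP_SERVER"
    run iptables -A FORWARD -i "$WAN_IF" -p tcp -d "$FTP_SERVER" \
        --dport "$PASV_LO:$PASV_HI" -m state --state NEW -j ACCEPT
    # Log what is about to be dropped, then drop by policy.
    run iptables -A FORWARD -j LOG --log-prefix "dropped from FORWARD "
    run iptables -P FORWARD DROP
}

load_ftp_helpers
ftp_dnat_rules
```

Run it once as-is to review the commands, then with DRY_RUN=0 as root. No separate rule for port 20 is needed: an active-mode data connection from the server's port 20 is created by the helper as RELATED and matched by the same RELATED,ESTABLISHED line.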
 
12-06-2008, 08:54 AM
Alex Samad

iptables, ftp and dnat?

On Fri, Dec 05, 2008 at 03:30:19PM -0700, Robert L. Harris wrote:

[snip]

> >> here is another link
> >> http://www.cyberciti.biz/faq/iptables-open-ftp-port-21/ (again
> >> google).
> >
> >> My strength is in iptables not ftp (which is the reason for
> >> googling )
> >
> >> Also anything to do with iptables and firewalls you should
> >> probably read a tutorial on iptables
> >
> I've read both of those and understand how the ftp works. I've spent
> the last 2 days googling. Unfortunately it's all working now except
> how to get the iptables data connection in passive mode working. I can
> log in, etc. just fine but when I do a "ls" after issuing the "passive"
> command it times out.
>
> The second example looks good but doesn't handle the DNAT (the ftp
> server is running on another machine behind my firewall).

What I do to track down iptables problems (if you have access to all
3 machines: client, server and firewall) is dump on all 3 machines,
something like

tcpdump -pni <eth?> -s 1500 -w /tmp/trace.dmp host <client ip> and host <server ip>

client and server ip will vary depending on which machine you are on
(natting).

Also just before the drop statement in your iptables chain, put a line
which logs the packets.

This way you can see what is going on and create some rules to fix it.

But maybe another solution is to use an ftp proxy? (ftp-proxy) - never
used it - to get around the active/passive port problem.




--
Tsort's Constant:
1.67563, or precisely 1,237.98712567 times the difference between
the distance to the sun and the weight of a small orange.
-- Terry Pratchett, "The Light Fantastic" (slightly modified)
 
12-07-2008, 06:45 AM
Tommy Bongaerts

iptables, ftp and dnat?

On Fri, Dec 05, 2008 at 03:30:19PM -0700, Robert L. Harris wrote:

> I've read both of those and understand how the ftp works. I've spent
> the last 2 days googling. Unfortunately it's all working now except
> how to get the iptables data connection in passive mode working. I can
> log in, etc. just fine but when I do a "ls" after issuing the "passive"
> command it times out.
>
> The second example looks good but doesn't handle the DNAT (the ftp
> server is running on another machine behind my firewall).

It hangs after ls? Sounds like your data traffic gets jammed somehow.

Some things to consider:
- did you open up the data port (this is control port minus 1)?
- did you open some ports for the passive connection?
- did you tell this to your server?
- does the NAT machine translate the ftp packets properly?

If you're using proftpd you may try setting the following directives in the
config:

PassivePorts <range>
MasqueradeAddress <wan IP NAT/firewall machine>

I had the exact same problem, and this fixed it for me.

--
Good day for a change of scene. Repaper the bedroom wall.


 
12-07-2008, 03:48 PM
Robert L. Harris

iptables, ftp and dnat?




Tommy Bongaerts wrote:
> On Fri, Dec 05, 2008 at 03:30:19PM -0700, Robert L. Harris wrote:
>
>> I've read both of those and understand how the ftp works. I've
>> spent the last 2 days googling. Unfortunately it's all working
>> now except how to get the iptables data connection in passive
>> mode working. I can log in, etc. just fine but when I do a "ls"
>> after issuing the "passive" command it times out.
>>
>> The second example looks good but doesn't handle the DNAT (the
>> ftp server is running on another machine behind my firewall).
>
> It hangs after ls? Sounds like your data traffic gets jammed
> somehow.
>
> Some things to consider:
> - did you open up the data port (this is control port minus 1)?
> - did you open some ports for the passive connection?
> - did you tell this to your server?
> - does the NAT machine translate the ftp packets properly?
>
> If you're using proftpd you may try setting the following directives in the
> config:
>
> PassivePorts <range>
> MasqueradeAddress <wan IP NAT/firewall machine>
>
> I had the exact same problem, and this fixed it for me.
>

I'm not doing any outbound blocking and I'm trying to figure out the
syntax for the data port now. What I have is a real mess and not
working. In Proftpd I have tried the PassivePorts but it seems to be
ignored but the Masq directive is being picked up. I have this in my
config:

# These ports should be safe...
PassivePorts 60000 65535

when I connect I'm getting this on the server side:

{0}:/home/robert>lsof -i -n | grep -i ftp
proftpd 568 nobody 0u IPv4 447049808 TCP *:ftp (LISTEN)
proftpd 578 robert 0u IPv4 447049865 TCP 10.1.1.32:ftp->98.244.36.35:41893 (ESTABLISHED)
proftpd 578 robert 1u IPv4 447049865 TCP 10.1.1.32:ftp->98.244.36.35:41893 (ESTABLISHED)

Can you paste me your data port lines? If I can get either dynamic
ports working or limited ports, I'll work with it.

Robert






 
12-07-2008, 06:35 PM
Anoop Aryal

iptables, ftp and dnat?

> > It hangs after ls? Sounds like your data traffic gets jammed
> > somehow.
> >

I know I'm jumping in halfway through the conversation so this might have
already been mentioned. But you may want to check if the firewall is
blocking ICMP packets, preventing PMTU being figured out correctly. The
scenario you're describing sounds too much like the case of
'Fragmentation needed but DF flag is set'. Letting the right ICMP
packets (4/3, I believe) through in your firewall usually solves these
problems.

anoop.



 
12-09-2008, 10:18 AM
Adam Hardy

iptables, ftp and dnat?

Robert L. Harris on 05/12/08 20:35, wrote:

> > Can I suggest something like this
> >
> > # one catch all for all related and established connection
> > # as defined by connection tracking
> > iptables -I INPUT RELATED,ESTABLISHED -j ACCEPT
> >
> > iptables -A INPUT -p tcp --dport 21 -m state --state NEW -j ACCEPT
> > iptables -A FORWARD -p tcp --dport 21 -m state --state NEW -j ACCEPT
> > iptables -t nat -A PREROUTING -p tcp --dport 21 -j DNAT --to 10.1.1.32:21
> >
> > I am not sure if you need the other ports for active as the conn track
> > module should handle that for you (works on out going not 100% sure on
> > incoming). You need the forward statement; you could add a -d 10.1.1.32,
> > because the DNAT makes it a routed packet. You can test this with
> >
> > tcpdump -pni <interface> port 21 or host <host ip>
> >
> > alex
>
> Using your rule I get this:
>
> iptables v1.4.1.1: Invalid rule number `RELATED,ESTABLISHED'
> Try `iptables -h' or 'iptables --help' for more information.
>
> Commenting it out, everything looks good until after I log in and try to do
> an "ls" when it returns:
>
> ftp> ls
> 227 Entering Passive Mode (10,1,1,32,205,208).
>
> Then nothing.


I think Alex just forgot the '--state'. Try this:

# Allow all ESTABLISHED and RELATED
iptables -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
iptables -A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT

# use this for some logging of what you drop:
iptables -A INPUT -j LOG --log-prefix "dropped from INPUT "
iptables -A FORWARD -j LOG --log-prefix "dropped from FORWARD "

# change policies of INPUT and FORWARD to DROP
iptables -P INPUT DROP
iptables -P FORWARD DROP


Plus I agree with Anoop about the ICMP - you don't want to drop that stuff, it
will cause chaos. Took me ages to figure it out. I use this:


# Work around for stupid websites blocking ICMP (just for normal surfing)
iptables -t mangle -A FORWARD -p tcp --tcp-flags SYN,RST SYN -j TCPMSS --clamp-mss-to-pmtu


# Allow ICMP for frag notification
# --icmp-type 8 = ping
# (no --icmp-type is given below, so this accepts every ICMP type addressed to
# the firewall itself; "fragmentation needed" is ICMP type 3, code 4)
iptables -t filter -A INPUT -p icmp -s 0/0 -d $ip_eth2 -m state --state NEW -j ACCEPT



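The 227 reply quoted in the post above carries the answer to the passive-mode timeout once it is decoded: h1,h2,h3,h4 is the address and the port is p1*256+p2, so (10,1,1,32,205,208) tells the client to open its data connection to 10.1.1.32:52688. The client is on the internet, so that private address is unreachable from where it sits; rewriting it in transit is exactly the job of nf_nat_ftp on the firewall (or of proftpd's MasqueradeAddress). And 52688 lies outside the PassivePorts 60000 65535 range from the earlier post, so that directive was not in effect when the reply was produced. The following is an added example, not code from the thread, that decodes a 227 line and performs both checks. The sample reply is the one from the thread; the public address 203.0.113.10 and the port range are my assumptions.

```sh
#!/bin/sh
# Added example, not from the thread: decode an FTP "227 Entering Passive
# Mode" reply as the client sees it and check it against what the firewall
# and server are supposed to advertise. The public address 203.0.113.10 and
# the PassivePorts range 60000-65535 are assumptions for the demonstration.

# pasv_decode REPLY -> prints "ip port" (port = p1*256 + p2); returns 1 if
# the reply carries no h1,h2,h3,h4,p1,p2 tuple. Subshell body keeps the
# IFS change local.
pasv_decode() (
    nums=$(printf '%s\n' "$1" | sed -n 's/.*(\([0-9,]*\)).*/\1/p')
    [ -n "$nums" ] || exit 1
    IFS=,
    set -- $nums
    [ $# -eq 6 ] || exit 1
    printf '%s.%s.%s.%s %d\n' "$1" "$2" "$3" "$4" "$(( $5 * 256 + $6 ))"
)

# pasv_check REPLY PUBLIC_IP LOW HIGH -> returns 0 if the advertised endpoint
# is usable from outside; otherwise prints one diagnostic per problem and
# returns 1.
pasv_check() {
    reply=$1 public_ip=$2 low=$3 high=$4
    if ! decoded=$(pasv_decode "$reply"); then
        echo "no passive endpoint in reply: $reply"
        return 1
    fi
    ip=${decoded% *}
    port=${decoded#* }
    rc=0
    if [ "$ip" != "$public_ip" ]; then
        # The helper (nf_nat_ftp) or MasqueradeAddress should have put the
        # public address here; a private address means neither did.
        echo "server advertised $ip but clients must connect to $public_ip: nf_nat_ftp not rewriting the reply, or MasqueradeAddress unset"
        rc=1
    fi
    if [ "$port" -lt "$low" ] || [ "$port" -gt "$high" ]; then
        # Outside the range the firewall forwards and the server was told
        # to use: the PassivePorts directive is not being applied.
        echo "port $port is outside PassivePorts $low-$high: the directive is not in effect"
        rc=1
    fi
    [ "$rc" -eq 0 ] && echo "passive endpoint $ip:$port is consistent"
    return "$rc"
}

# The reply from the thread: the client is sent to the server's private
# address on port 52688, outside the configured range.
if ! pasv_check "227 Entering Passive Mode (10,1,1,32,205,208)." 203.0.113.10 60000 65535; then
    echo "passive data connections will time out"
fi
```

Paste the 227 line from a verbose ftp session in place of the sample; an exit status of 0 from pasv_check means the address and port the client was given match what the firewall forwards, and the remaining suspect is the FORWARD chain or PMTU rather than the FTP configuration.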
 
