FTP from AS-400
Syed Mohammad Talha
"Syed Mohammad Talha" <talha@cbq.com.qa>
Mon, 15 Oct 2001 09:53:44 +0300
Dear Martin,
Thanks for the reply, you are really informative. This is what I was trying
to say: actually I have a firewall based on specific ports allowed to
certain users and machines. So I did not allow any of the ESTABLISHED and
RELATED traffic in the FORWARD chain from the internal interface, whereas I allowed
the ESTABLISHED and RELATED traffic from the external interface to the internal
interface, also dropping the NEW and INVALID traffic in the FORWARD chain
from the external interface to the internal interface; my rules look like this
iptables -A FORWARD -i external_if -o internal_if -m state --state
ESTABLISHED,RELATED -j ACCEPT
iptables -A FORWARD -i external_if -o internal_if -m state --state
NEW,INVALID -j DROP
After this I am allowing ports to specific users, like
iptables -A FORWARD -i internal_if -s <user_1> -p tcp -d
<certain_machine> --dport 20:21 -j ACCEPT
iptables -A FORWARD -i internal_if -s <user-2> -p tcp -d
<certain-machines> --dport 20:23 -j ACCEPT
similarly for AS-400 machine
iptables -A FORWARD -i internal_if -s <AS-400> -p tcp -d
<certain-machines> --dport 20:21 -j ACCEPT
and for general users like
iptables -A FORWARD -i internal_if -s <internal_net> -p tcp -d
<dmz> --dport 25 -j ACCEPT
iptables -A FORWARD -i internal_if -s <internal_net> -p tcp -d
<dmz> --dport 110 -j ACCEPT
iptables -A FORWARD -i internal_if -s <internal_net> -p tcp -d
<any> --dport 80 -j ACCEPT
iptables -A FORWARD -i internal_if -s <internal_net> -p tcp -d
<any> --dport 443 -j ACCEPT
.........
In this scenario all the applied rules are working correctly and the other
users who are allowed FTP are working normally, but it did not
work with the AS-400, which really confused me; that is why I have
posted this question to the mailing list.
I am not allowing users from the internet or from anywhere else to get in
to my AS-400 system, through FTP or any other means. The only thing I am looking
for is that the AS-400 can FTP some of the data from the Linux machine connected to
the internet. The rules which you have defined will give complete
access to the AS-400 machine, and people can get into the AS-400 from the
external network, which I don't want. So do you think in my case I should
use
iptables -A FORWARD -i external_if -s <AS-400> -d <certain-machine> -m
state --state ESTABLISHED,RELATED -j ACCEPT
instead of
iptables -A FORWARD -i internal_if -s <AS-400> -p tcp -d
<certain-machines> --dport 20:21 -j ACCEPT
Talha
----- Original Message -----
From: "Martin Josefsson" <gandalf@wlug.westbo.se>
To: "Syed Mohammad Talha" <talha@cbq.com.qa>
Cc: "Philipp Snizek" <mailinglists@belfin.ch>; <netfilter@lists.samba.org>
Sent: Monday, October 15, 2001 12:05 AM
Subject: Re: FTP from AS-400
> On Sun, 14 Oct 2001, Syed Mohammad Talha wrote:
>
> > I have the firewall rule
> >
> > iptables -A FORWARD -i eth1 -s xx.xx.xx.xx -p tcp $any --dport 0:1023 -j
> > ACCEPT
> >
> > and what I think is that u are asking for
> >
> > iptables -A FORWARD -i eth1 -s xx.xx.xx.xx --sport 1024:65535 -p tcp
> > $any --dport 1024:65535 -j ACCEPT
> >
> > if correct please let me know
>
> Why don't the people in this thread go read up on the ftp/irc modules and
> the state match?
>
> with the ip_conntrack_ftp module loaded (and optionally ip_nat_ftp if you
> are doing NAT) there is _NO_ point in opening a lot of ports like this!
> you SHOULDN'T do this, it's insecure!
>
> the state match has a few different states you can match on and the
> interesting states here are NEW, ESTABLISHED, RELATED.
>
> NEW = first packet in the connection
> ESTABLISHED = the rest of the packets in the connection
> RELATED = the first packet of an ftp-data connection that's related to an
> existing ftp connection.
>
> so the first packet in an ftp-data connection is RELATED and if you allow
> that packet the rest are marked as ESTABLISHED.
>
> This is how you want it to work I believe.
>
> you have an AS-400 ftpserver behind an iptables firewall and you want
> people to be able to login and retrieve files?
> And you want both active and passive ftp to work? No problem at all.
>
> 1. allow packets marked as ESTABLISHED both to and from the AS-400.
>
> 2. allow packets marked as NEW from the AS-400 to the outside world
> (assuming you want to be able to connect to the outside world from it)
>
> 3. allow packets marked as RELATED both to and from the AS-400.
>
> 4. allow packets marked as NEW going to port 21 on the AS-400
>
>
> you can combine these things into three simple rules...
> (<AS400> is the IP address of the machine)
>
> iptables -A FORWARD -s <AS400> -m state --state NEW,ESTABLISHED,RELATED -j ACCEPT
> iptables -A FORWARD -d <AS400> -m state --state ESTABLISHED,RELATED -j ACCEPT
>
> iptables -A FORWARD -p tcp -d <AS400> --dport 21 -m state --state NEW -j ACCEPT
>
> this will allow traffic according to rules #1,2,3,4 above.
>
> And if you have the ip_conntrack_ftp module loaded both active and
> passive ftp to/from the AS400 will work.
>
> /Martin
>
> Never argue with an idiot. They drag you down to their level, then beat
> you with experience.
>
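Both messages above circle the same ruleset, so here is one added example (written for this page, not code from either poster) that puts Martin's stateful three-rule approach into Talha's situation: the AS-400 acts only as an FTP client towards one Linux host, and nothing from outside may open a connection to the AS-400. The addresses and interface names are constructed placeholders, and by default the script prints the rules instead of applying them.

```shell
#!/bin/sh
# Added example, not from the thread: Martin's stateful ruleset narrowed to
# Talha's case. The AS-400 is only an FTP *client* to one Linux host, and
# nothing from outside may open a connection to the AS-400.
# AS400, LINUX_HOST, INT_IF and EXT_IF are constructed placeholders.
# RUN defaults to "echo", so the rules are printed rather than applied;
# run with RUN="" as root to apply them.

RUN="${RUN-echo}"
AS400="${AS400:-10.0.0.10}"              # constructed address of the AS-400
LINUX_HOST="${LINUX_HOST:-203.0.113.5}"  # constructed address of the Linux FTP server
INT_IF="${INT_IF:-eth0}"
EXT_IF="${EXT_IF:-eth1}"

as400_ftp_rules() {
  # The FTP helper is what marks the ftp-data connection RELATED.
  # 2.4 kernels: ip_conntrack_ftp; 2.6+: nf_conntrack_ftp (and from 4.7 on
  # helpers are not auto-assigned; see the net.netfilter.nf_conntrack_helper sysctl).
  $RUN modprobe ip_conntrack_ftp
  # 1. Replies and ftp-data belonging to a session the AS-400 opened.
  #    RELATED must be allowed in *both* directions: active mode has the server
  #    connect in from port 20, passive mode has the AS-400 connect out to a
  #    high port, and both data connections start out as RELATED.
  $RUN iptables -A FORWARD -i "$EXT_IF" -o "$INT_IF" -d "$AS400" \
       -m state --state ESTABLISHED,RELATED -j ACCEPT
  $RUN iptables -A FORWARD -i "$INT_IF" -o "$EXT_IF" -s "$AS400" \
       -m state --state ESTABLISHED,RELATED -j ACCEPT
  # 2. The only NEW connection the AS-400 may open: the control channel to
  #    port 21 on the one Linux host. No --dport 20 rule is needed.
  $RUN iptables -A FORWARD -i "$INT_IF" -o "$EXT_IF" -p tcp \
       -s "$AS400" -d "$LINUX_HOST" --dport 21 -m state --state NEW -j ACCEPT
  # 3. Nothing else reaches the AS-400. Logging before the drop shows which
  #    packet (and which state) is being refused when FTP "does not work".
  $RUN iptables -A FORWARD -d "$AS400" -m state --state NEW,INVALID \
       -j LOG --log-prefix "AS400-DROP: "
  $RUN iptables -A FORWARD -d "$AS400" -j DROP
}

as400_ftp_rules
```

Run it once with the default RUN=echo and compare the printed lines against your existing chain before applying anything.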