FTP server firewall rules

Bob Surenko surenko@fred.net
Tue, 12 Mar 2002 16:00:49 -0500 

On Tue, 12 Mar 2002 21:20:05 +0100
"Joffer" <joffer@online.no> wrote:

> for somehow this msg just wouldn't add '>' to the text so I'll be answering
> here instead, so I won't confuse myself or you ppl.
> 
> I considder Active FTP a security threat, since it involves opening tcp port
> 20 inbound on the firewall, since the ftp-server is initiating the
> connection for the ftp-data.

That's OK if you have a small network ( or you have a lot of political
control over a large one!) Me... I must support active ftp.

That's why I moved to iptables, for RELATED.



> 
> I recommend you read this document about Active FTP Vs Passive FTP, and use
> Passive FTP.
> http://www.slacksite.com/other/ftp.html
> 
> If you trail that document opening (and closing everything else) you should
> fix it just fine.
> 
> /Christopher Thorjussen
> 
> 
> ----- Original Message -----
> From: "Matt Cooling" <Matt.Cooling@boxingorange.com>
> To: <netfilter@lists.samba.org>
> Sent: Tuesday, March 12, 2002 5:23 PM
> Subject: FTP server firewall rules
> 
> 
> I'm running a webserver, which I have secured with iptables as follows:
> 
> Chain INPUT (policy DROP)
> target     prot opt source               destination
> ACCEPT     tcp  --  <internal gateway>   anywhere           tcp dpt:ssh
> ACCEPT     tcp  --  anywhere             anywhere           tcp dpt:http
> ACCEPT     udp  --  <dns server>         anywhere           udp
> spt:domain
> 
> I now want to give FTP access to specific IP addresses for uploading
> content. I started using the following rules:
> 
> iptables -A INPUT -p tcp -s <ftp client> --dport ftp -j ACCEPT
> iptables -A INPUT -p tcp -s <ftp client> --dport ftp-data -j ACCEPT
> 
> which allows ACTIVE FTP to work properly. However, I also want to allow
> PASSIVE FTP, which I assumed would require the following rule:
> 
> iptables -A INPUT -p tcp -s <ftp client> -m state --state RELATED -j
> ACCEPT
> 
> Unfortunately this doesn't seem to work. I've checked that the module is
> loaded:
> 
> [root@testbox root]# cat /proc/modules
> ip_conntrack_ftp        4096   0 (unused)
> ipt_state               1152   1 (autoclean)
> ip_conntrack           17068   2 (autoclean) [ip_conntrack_ftp
> ipt_state]
> ...
> iptable_filter          2272   0 (autoclean) (unused)
> ip_tables              11424   2 [ipt_state iptable_filter]
> ...
> 
> I've reviewed some articles on the Intenet; however, these are generally
> oriented to protecting a box. Have I missed something basic, or should
> this work?
> 
> Thanks in advance,
> 
> Matt
> 
> 
> 
> 
> 
>