
I have finished setting up my iptables, but the FTP login/connection does not work. The NAT/firewall at the hardware/router level is forwarded correctly.

I have added an entry for ftp but it appears not to be working.

Q. Why are FTP connections not allowed here?

My current iptables config is:

Chain INPUT (policy DROP)
target     prot opt source               destination
ACCEPT     tcp  --  anywhere             anywhere            tcp dpt:ssh state NEW,ESTABLISHED
ACCEPT     tcp  --  anywhere             anywhere            tcp dpt:http state NEW,ESTABLISHED
ACCEPT     tcp  --  anywhere             anywhere            tcp dpt:https state NEW,ESTABLISHED
ACCEPT     tcp  --  anywhere             anywhere            tcp spt:ssh state ESTABLISHED
ACCEPT     tcp  --  anywhere             anywhere            tcp spt:https state ESTABLISHED
ACCEPT     tcp  --  anywhere             anywhere            tcp spt:http state ESTABLISHED
ACCEPT     icmp --  anywhere             anywhere            icmp echo-request
ACCEPT     icmp --  anywhere             anywhere            icmp echo-reply
ACCEPT     all  --  anywhere             anywhere
ACCEPT     udp  --  anywhere             anywhere            udp spt:domain
ACCEPT     tcp  --  anywhere             anywhere            tcp dpt:http limit: avg 25/min burst 100
ACCEPT     tcp  --  anywhere             cpc15-bmly9-2-0-custx.2-3.cable.virginm.net tcp spts:1024:65535 dpt:ftp state NEW,ESTABLISHED
ACCEPT     tcp  --  anywhere             cpc15-bmly9-2-0-custx.2-3.cable.virginm.net tcp spts:1024:65535 dpts:1024:65535 state RELATED,ESTABLISHED
ACCEPT     tcp  --  anywhere             cpc15-bmly9-2-0-custx.2-3.cable.virginm.net tcp spts:1024:65535 dpt:ftp-data state ESTABLISHED
ACCEPT     tcp  --  anywhere             anywhere            tcp dpt:29292 state NEW,ESTABLISHED
ACCEPT     tcp  --  anywhere             anywhere            tcp dpt:ftp state NEW,ESTABLISHED

Chain FORWARD (policy DROP)
target     prot opt source               destination

Chain OUTPUT (policy DROP)
target     prot opt source               destination
ACCEPT     tcp  --  anywhere             anywhere            tcp spt:ssh state NEW,ESTABLISHED
ACCEPT     tcp  --  anywhere             anywhere            tcp spt:http state ESTABLISHED
ACCEPT     tcp  --  anywhere             anywhere            tcp spt:https state ESTABLISHED
ACCEPT     tcp  --  anywhere             anywhere            tcp dpt:ssh state NEW,ESTABLISHED
ACCEPT     tcp  --  anywhere             anywhere            tcp dpt:https state NEW,ESTABLISHED
ACCEPT     tcp  --  anywhere             anywhere            tcp dpt:http state NEW,ESTABLISHED
ACCEPT     icmp --  anywhere             anywhere            icmp echo-reply
ACCEPT     icmp --  anywhere             anywhere            icmp echo-request
ACCEPT     all  --  anywhere             anywhere
ACCEPT     udp  --  anywhere             anywhere            udp dpt:domain
ACCEPT     tcp  --  cpc15-bmly9-2-0-custx.2-3.cable.virginm.net  anywhere            tcp spt:ftp dpts:1024:65535 state ESTABLISHED
ACCEPT     tcp  --  cpc15-bmly9-2-0-custx.2-3.cable.virginm.net  anywhere            tcp spts:1024:65535 dpts:1024:65535 state ESTABLISHED
ACCEPT     tcp  --  cpc15-bmly9-2-0-custx.2-3.cable.virginm.net  anywhere            tcp spt:ftp-data dpts:1024:65535 state RELATED,ESTABLISHED
ACCEPT     tcp  --  anywhere             anywhere            tcp spt:29292 state ESTABLISHED

UPDATE: updated, yet still not allowing the connection

[root@host ~]# iptables -L
Chain INPUT (policy DROP)
target     prot opt source               destination
ACCEPT     tcp  --  anywhere             anywhere            tcp dpt:ssh state NEW,ESTABLISHED
ACCEPT     tcp  --  anywhere             anywhere            tcp dpt:http state NEW,ESTABLISHED
ACCEPT     tcp  --  anywhere             anywhere            tcp dpt:https state NEW,ESTABLISHED
ACCEPT     tcp  --  anywhere             anywhere            tcp spt:ssh state ESTABLISHED
ACCEPT     tcp  --  anywhere             anywhere            tcp spt:https state ESTABLISHED
ACCEPT     tcp  --  anywhere             anywhere            tcp spt:http state ESTABLISHED
ACCEPT     icmp --  anywhere             anywhere            icmp echo-request
ACCEPT     icmp --  anywhere             anywhere            icmp echo-reply
ACCEPT     all  --  anywhere             anywhere
ACCEPT     udp  --  anywhere             anywhere            udp spt:domain
ACCEPT     tcp  --  anywhere             anywhere            tcp dpt:http limit: avg 25/min burst 100
ACCEPT     tcp  --  anywhere             cpc15-bmly9-2-0-custx.2-3.cable.virginm.net tcp spts:1024:65535 dpt:ftp state NEW,ESTABLISHED
ACCEPT     tcp  --  anywhere             cpc15-bmly9-2-0-custx.2-3.cable.virginm.net tcp spts:1024:65535 dpts:1024:65535 state RELATED,ESTABLISHED
ACCEPT     tcp  --  anywhere             cpc15-bmly9-2-0-custx.2-3.cable.virginm.net tcp spts:1024:65535 dpt:ftp-data state ESTABLISHED
ACCEPT     tcp  --  anywhere             anywhere            tcp dpt:29292 state NEW,ESTABLISHED
ACCEPT     tcp  --  anywhere             anywhere            tcp dpt:ftp state NEW,ESTABLISHED
ACCEPT     tcp  --  anywhere             anywhere            tcp dpt:ftp ctstate ESTABLISHED /* Allow ftp connections on port 21 */
ACCEPT     tcp  --  anywhere             anywhere            tcp dpt:ftp-data ctstate RELATED,ESTABLISHED /* Allow ftp connections on port 20 */
ACCEPT     tcp  --  anywhere             anywhere            tcp spts:1024:65535 dpts:1024:65535 ctstate ESTABLISHED /* Allow passive inbound connections */

Chain FORWARD (policy DROP)
target     prot opt source               destination

Chain OUTPUT (policy DROP)
target     prot opt source               destination
ACCEPT     tcp  --  anywhere             anywhere            tcp spt:ssh state NEW,ESTABLISHED
ACCEPT     tcp  --  anywhere             anywhere            tcp spt:http state ESTABLISHED
ACCEPT     tcp  --  anywhere             anywhere            tcp spt:https state ESTABLISHED
ACCEPT     tcp  --  anywhere             anywhere            tcp dpt:ssh state NEW,ESTABLISHED
ACCEPT     tcp  --  anywhere             anywhere            tcp dpt:https state NEW,ESTABLISHED
ACCEPT     tcp  --  anywhere             anywhere            tcp dpt:http state NEW,ESTABLISHED
ACCEPT     icmp --  anywhere             anywhere            icmp echo-reply
ACCEPT     icmp --  anywhere             anywhere            icmp echo-request
ACCEPT     all  --  anywhere             anywhere
ACCEPT     udp  --  anywhere             anywhere            udp dpt:domain
ACCEPT     tcp  --  cpc15-bmly9-2-0-custx.2-3.cable.virginm.net  anywhere            tcp spt:ftp dpts:1024:65535 state ESTABLISHED
ACCEPT     tcp  --  cpc15-bmly9-2-0-custx.2-3.cable.virginm.net  anywhere            tcp spts:1024:65535 dpts:1024:65535 state ESTABLISHED
ACCEPT     tcp  --  cpc15-bmly9-2-0-custx.2-3.cable.virginm.net  anywhere            tcp spt:ftp-data dpts:1024:65535 state RELATED,ESTABLISHED
ACCEPT     tcp  --  anywhere             anywhere            tcp spt:29292 state ESTABLISHED
ACCEPT     tcp  --  anywhere             anywhere            tcp dpt:ftp ctstate NEW,ESTABLISHED /* Allow ftp connections on port 21 */
ACCEPT     tcp  --  anywhere             anywhere            tcp dpt:ftp-data ctstate ESTABLISHED /* Allow ftp connections on port 20 */
ACCEPT     tcp  --  anywhere             anywhere            tcp spts:1024:65535 dpts:1024:65535 ctstate RELATED,ESTABLISHED /* Allow passive inbound connections */
Derple
  • for `conntrack` try adding `NEW` to `OUTPUT` chain on `filter` table for new `ftp` connections to be established, thinking it's a handshake – gwillie Aug 04 '15 at 00:43
  • @user1036745 I'm hours old with iptables, what does that look like please? – Derple Aug 04 '15 at 00:49
  • you don't need `NEW` as I mentioned above, thinking handshake but was wrong. however there are domain names in there, I'm sure iptables doesn't resolve domains, remove those rules and use ip addresses instead – gwillie Aug 04 '15 at 02:22
  • @user1036745 : Although you can't create firewall rules with hostnames and should always use ip-address (ranges), iptables will convert ip-addresses by means of reverse lookup when displaying rule-sets (unless `-n` is used to prevent that). – HBruijn Aug 04 '15 at 08:17

1 Answer

A number of general things:

  • The rule-set in an iptables firewall is traversed in order.
  • Simplified: iptables processing stops when a packet meets a rule that either grants or denies access.
  • You can configure iptables as a simple packet filter, where each packet is inspected on its own, or as a stateful firewall, where connection information is taken into account.

Typically the very first rule in a stateful firewall configuration is one that allows packets from already established connections access. The idea there is that for the connection to have been established in the first place, it must have been allowed by an explicit rule further along, and to repeat all subsequent checks is a complete waste of effort (iptables -L -v -n will display the following):

Chain INPUT (policy ACCEPT 0 packets, 0 bytes)
num   pkts bytes target  prot opt in  out   source       destination

1    2789K  866M ACCEPT  all  --   *   *    0.0.0.0/0    0.0.0.0/0    state RELATED,ESTABLISHED

The syntax to create it (another common notation to display iptables configurations) is:

 iptables -I INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT 

Although typically the iptables command itself is omitted.

Your configuration is missing this first rule.

Subsequent rules then only need to allow NEW connections for the protocols you want to allow, not both NEW and ACCEPTED as you have been doing:

ACCEPT tcp  --  anywhere  anywhere  tcp dpt:ssh state NEW,ESTABLISHED

but to allow SSH, sufficient is:

-A INPUT -p tcp -m state --state NEW -m tcp --dport 22 -j ACCEPT

Your FTP problem: FTP is an odd protocol in the regard that two connections are used. The first is the control connection; by default an FTP server will listen on TCP port 21 for that.
The control connection is used for authentication and issuing commands. The actual file transfers and things such as the output of a directory listing go over a second TCP connection, the DATA connection. In active FTP that DATA connection would be initiated from the FTP server from TCP port 20 and connect to the FTP client. Active FTP doesn't work too well with users behind firewalls and NAT gateways and has mostly fallen into disuse.
Most FTP servers support Passive FTP instead. With Passive FTP the FTP server opens a listener for the DATA connection on a second port, to which the FTP client can then connect. The problem for a firewall is that the DATA port can be any available unprivileged port between 1024-65536.

In a stateless firewall that is typically resolved by restricting the number of passive ports that the FTP server may assign and then explicitly opening those ports, i.e. restrict the passive range to ports 21000-21050 and:

iptables -A INPUT -p tcp --dport 21 -j ACCEPT
iptables -A INPUT -p tcp --match multiport --dports 21000:21050 -j ACCEPT

In a stateful firewall you do not need to explicitly open the DATA port; the netfilter helper module will recognise the dynamic port that gets assigned and dynamically open that port for the correct client by marking the DATA connection as RELATED, after which it will match that generic first rule:

  iptables -I INPUT -p tcp -m state --state ESTABLISHED,RELATED -j ACCEPT
  iptables -A INPUT -p tcp -m state --state NEW -m tcp --dport 21 -j ACCEPT

This requires that the correct kernel module is loaded, in the FTP case manually by running for instance insmod nf_conntrack_ftp, which you can make persistent by editing /etc/sysconfig/iptables-config and adding the helper module nf_conntrack_ftp to the IPTABLES_MODULES variable.

Note: The FTP connection tracking module will fail when FTP is used with SSL, as the control connection will be encrypted and nf_conntrack_ftp won't be able to read the PASV response anymore.

HBruijn
  • I still tend to use `--state` rather than `--cstate` because I'm [old school](http://serverfault.com/q/358996/37681) – HBruijn Aug 04 '15 at 08:26
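The two rulesets the answer contrasts (stateless with a pinned passive range, stateful with the conntrack FTP helper), plus the two checks the asker could run against the live host, as an added shell example that is not part of the answer or the question. It assumes iptables (legacy) with the `-m state` match, an FTP server on port 21 configured for passive mode, a passive range of 21000-21050 for the stateless variant, and that `modprobe` (rather than the answer's `insmod`) is used to load `nf_conntrack_ftp`. The ruleset is emitted as text so it can be reviewed before being piped to `sh` as root; the `check` mode reads `iptables -L INPUT -n --line-numbers` and `lsmod` and reports whether rule 1 is the generic RELATED,ESTABLISHED accept and whether the helper is loaded.

```shell
#!/bin/sh
# Added example, not code from the Server Fault answer. Emits the rulesets
# described in the answer as iptables commands for review, and offers two
# checks against "iptables -L INPUT -n --line-numbers" and "lsmod" output.
# Assumptions: iptables (legacy), FTP control port 21, passive range
# 21000-21050 for the stateless variant. Nothing here touches the firewall
# unless the printed commands are piped to sh as root.

# Stateless variant: every port the FTP server may hand out for DATA has to be
# opened explicitly, so the server's passive range must be pinned first.
stateless_ftp_rules() {
    cat <<'EOF'
iptables -A INPUT -p tcp -m tcp --dport 21 -j ACCEPT
iptables -A INPUT -p tcp -m multiport --dports 21000:21050 -j ACCEPT
EOF
}

# Stateful variant: the generic RELATED,ESTABLISHED rule comes first, NEW is
# allowed only for the control port, and nf_conntrack_ftp marks the passive
# DATA connection as RELATED so it matches rule 1 without any port range.
# Policy DROP is set last so an SSH session used to apply this is not cut off
# between the flush and the catch-all rule. OUTPUT is left untouched; if its
# policy is DROP it needs the same RELATED,ESTABLISHED rule.
stateful_ftp_rules() {
    cat <<'EOF'
modprobe nf_conntrack_ftp
iptables -F INPUT
iptables -A INPUT -i lo -j ACCEPT
iptables -A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
iptables -A INPUT -p tcp -m state --state NEW -m tcp --dport 22 -j ACCEPT
iptables -A INPUT -p tcp -m state --state NEW -m tcp --dport 21 -j ACCEPT
iptables -P INPUT DROP
EOF
}

# Read "iptables -L INPUT -n --line-numbers" (with or without -v) on stdin;
# succeed only if rule 1 is an ACCEPT of RELATED,ESTABLISHED with no port match.
first_rule_is_stateful() {
    awk '$1 == "1" && /ACCEPT/ && /RELATED,ESTABLISHED/ && !/dpt/ { ok = 1 }
         END { if (ok) exit 0; exit 1 }'
}

# Read "lsmod" on stdin; succeed if the FTP conntrack helper is loaded.
ftp_helper_loaded() {
    grep -q '^nf_conntrack_ftp[[:space:]]'
}

# Constructed listings (not real output): one shaped like the question's INPUT
# chain, where the catch-all is missing, and one shaped like the answer's.
SAMPLE_BROKEN='Chain INPUT (policy DROP)
num  target  prot opt source     destination
1    ACCEPT  tcp  --  0.0.0.0/0  0.0.0.0/0   tcp dpt:22 state NEW,ESTABLISHED
2    ACCEPT  tcp  --  0.0.0.0/0  0.0.0.0/0   tcp dpt:21 state NEW,ESTABLISHED'
SAMPLE_FIXED='Chain INPUT (policy DROP)
num  target  prot opt source     destination
1    ACCEPT  all  --  0.0.0.0/0  0.0.0.0/0   state RELATED,ESTABLISHED
2    ACCEPT  tcp  --  0.0.0.0/0  0.0.0.0/0   tcp dpt:21 state NEW'

# Usage: ./ftp-rules.sh check    -> run both checks against the live host
#        ./ftp-rules.sh          -> print the stateful ruleset for review
#        ./ftp-rules.sh | sh     -> apply it (as root)
case "${1:-print}" in
    check)
        if iptables -L INPUT -n --line-numbers | first_rule_is_stateful; then
            echo "INPUT rule 1 is the RELATED,ESTABLISHED catch-all"
        else
            echo "INPUT chain lacks the RELATED,ESTABLISHED catch-all as rule 1"
        fi
        if lsmod | ftp_helper_loaded; then
            echo "nf_conntrack_ftp is loaded"
        else
            echo "nf_conntrack_ftp is not loaded"
        fi
        ;;
    print) stateful_ftp_rules ;;
esac
```

Run `./ftp-rules.sh check` on the host first: against the question's chain it reports that rule 1 is not the catch-all, which is exactly why the RELATED DATA connection never matches. The printed ruleset keeps `-P INPUT DROP` last for the reason in the comment; the `-i lo` accept is there because the question's chain has no loopback rule either.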