iptables 1.4 and passive FTP on custom port

Posted by Cracky on Server Fault
Published on 2013-06-30T02:01:07Z, indexed on 2013/06/30 4:22 UTC


After the upgrade from Debian squeeze to wheezy I've got a problem with passive FTP connections. I could narrow it down to being iptables related, as I could connect via FTP w/o problems after adding my IP to the iptables ACCEPT rule. Before the upgrade I was able just to do

modprobe nf_conntrack_ftp ports=21332

and adding

iptables -A THRU -p tcp --dport 21332 -m state --state NEW,ESTABLISHED,RELATED -j ACCEPT

Now it doesn't help anymore. The INPUT rule is being triggered as I can see in the counter, but the directory listing is the last thing it does. Setting up a passive port range is the last thing I want to do; I dislike open ports.

I also tried the trick with the helper module by adding the following rule before the actual rule for 21332

iptables -A THRU -p tcp -i eth0 --dport 21332 -m state --state NEW -m helper --helper ftp-21332 -j ACCEPT

but it doesn't help and is not even being triggered according to the counter. The rule in the next line (w/o helper) is being triggered.

Here is some info:

# iptables --version
iptables v1.4.14

# lsmod |grep nf_
nf_nat_ftp             12460  0
nf_nat                 18242  1 nf_nat_ftp
nf_conntrack_ftp       12605  1 nf_nat_ftp
nf_conntrack_ipv4      14078  32 nf_nat
nf_defrag_ipv4         12483  1 nf_conntrack_ipv4
nf_conntrack           52720  7     xt_state,nf_conntrack_ipv4,xt_conntrack,nf_conntrack_ftp,nf_nat,nf_nat_ftp,xt_helper

# uname -a
Linux loki 3.2.0-4-amd64 #1 SMP Debian 3.2.46-1 x86_64 GNU/Linux

# iptables-save
# Generated by iptables-save v1.4.14 on Sun Jun 30 03:54:28 2013
*filter
:INPUT ACCEPT [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
:BLACKLIST - [0:0]
:LOGDROP - [0:0]
:SPAM - [0:0]
:THRU - [0:0]
:WEB - [0:0]
:fail2ban-dovecot-pop3imap - [0:0]
:fail2ban-pureftpd - [0:0]
:fail2ban-ssh - [0:0]
-A INPUT -p tcp -m multiport --dports 110,995,143,993 -j fail2ban-dovecot-pop3imap
-A INPUT -p tcp -m multiport --dports 21,21332 -j fail2ban-pureftpd
-A INPUT -p tcp -m multiport --dports 22 -j fail2ban-ssh
-A INPUT -p tcp -m multiport --dports 110,995,143,993 -j fail2ban-dovecot-pop3imap
-A INPUT -i lo -j ACCEPT
-A INPUT -i eth0 -p tcp -m tcp --tcp-flags FIN,SYN,RST,PSH,ACK,URG NONE -j DROP
-A INPUT -i eth0 -p tcp -m tcp --tcp-flags FIN,SYN FIN,SYN -j DROP
-A INPUT -i eth0 -p tcp -m tcp --tcp-flags SYN,RST SYN,RST -j DROP
-A INPUT -i eth0 -p tcp -m tcp --tcp-flags FIN,RST FIN,RST -j DROP
-A INPUT -i eth0 -p tcp -m tcp --tcp-flags FIN,ACK FIN -j DROP
-A INPUT -i eth0 -p tcp -m tcp --tcp-flags ACK,URG URG -j DROP
-A INPUT -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
-A INPUT -j BLACKLIST
-A INPUT -j THRU
-A INPUT -j LOGDROP
-A OUTPUT -j ACCEPT
-A OUTPUT -s 93.223.38.223/32 -j ACCEPT
-A BLACKLIST -s 38.113.165.0/24 -j LOGDROP
-A BLACKLIST -s 202.177.216.0/24 -j LOGDROP
-A BLACKLIST -s 130.117.190.0/24 -j LOGDROP
-A BLACKLIST -s 117.79.92.0/24 -j LOGDROP
-A BLACKLIST -s 72.47.228.0/24 -j LOGDROP
-A BLACKLIST -s 195.200.70.0/24 -j LOGDROP
-A BLACKLIST -s 195.200.71.0/24 -j LOGDROP
-A LOGDROP -m limit --limit 5/sec -j LOG --log-prefix drop_packet_ --log-level 7
-A LOGDROP -p tcp -m tcp --dport 25 -m limit --limit 2/sec -j LOG --log-prefix spam_blacklist --log-level 7
-A LOGDROP -p tcp -m tcp --dport 80 -m limit --limit 2/sec -j LOG --log-prefix web_blacklist --log-level 7
-A LOGDROP -p tcp -m tcp --dport 22 -m limit --limit 2/sec -j LOG --log-prefix ssh_blacklist --log-level 7
-A LOGDROP -j REJECT --reject-with icmp-host-prohibited
-A THRU -p icmp -m limit --limit 1/sec -m icmp --icmp-type 8 -j ACCEPT
-A THRU -i eth0 -p tcp -m tcp --dport 25 -j ACCEPT
-A THRU -i eth0 -p udp -m udp --dport 53 -j ACCEPT
-A THRU -i eth0 -p tcp -m tcp --dport 80 -j ACCEPT
-A THRU -i eth0 -p tcp -m tcp --dport 110 -j ACCEPT
-A THRU -i eth0 -p tcp -m tcp --dport 143 -j ACCEPT
-A THRU -i eth0 -p tcp -m tcp --dport 465 -j ACCEPT
-A THRU -i eth0 -p tcp -m tcp --dport 585 -j ACCEPT
-A THRU -i eth0 -p tcp -m tcp --dport 993 -j ACCEPT
-A THRU -i eth0 -p tcp -m tcp --dport 995 -j ACCEPT
-A THRU -i eth0 -p tcp -m tcp --dport 2008 -m state --state NEW,RELATED,ESTABLISHED -j ACCEPT
-A THRU -i eth0 -p tcp -m tcp --dport 10011 -m state --state NEW,RELATED,ESTABLISHED -j ACCEPT
-A THRU -i eth0 -p tcp -m tcp --dport 21332 -m state --state NEW,RELATED,ESTABLISHED -j ACCEPT
-A THRU -i eth0 -p tcp -m tcp --dport 30033 -m state --state NEW,RELATED,ESTABLISHED -j ACCEPT

-A fail2ban-dovecot-pop3imap -j RETURN
-A fail2ban-dovecot-pop3imap -j RETURN
-A fail2ban-pureftpd -j RETURN
-A fail2ban-pureftpd -j RETURN
-A fail2ban-ssh -j RETURN
-A fail2ban-ssh -j RETURN
COMMIT
# Completed on Sun Jun 30 03:54:28 2013

So, as I said, I have no problems with connecting when adding my IP to go through, but that's not a solution as no one except me can connect anymore. If someone has an idea what the problem is, please help me! Thanks

Cracky
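Two checks worth running before falling back to a passive port range, as an added example that is not part of the original post: whether the loaded nf_conntrack_ftp helper is actually bound to 21332 (a modprobe with ports= changes nothing if the module was already loaded, e.g. as a dependency of nf_nat_ftp), and whether INPUT accepts RELATED connections. The /sys path, the file names and the sample inputs are assumptions constructed for this example.

```shell
#!/bin/sh
# Added diagnostic, not from the original post: checks the two netfilter prerequisites
# for passive FTP on a custom control port, using port 21332 and rules from the question.
# Assumed inputs: a file with the helper's active port list (on a real host that is
# /sys/module/nf_conntrack_ftp/parameters/ports, root-readable) and an iptables-save dump.

FTP_PORT=21332

# helper_tracks_port FILE PORT: succeed when PORT is in the helper's comma-separated list.
# `modprobe nf_conntrack_ftp ports=21332` is a no-op if the module was already loaded
# (for instance as a dependency of nf_nat_ftp), in which case the list is still "21".
helper_tracks_port() {
    [ -r "$1" ] || return 2
    tr -d ' \n' < "$1" | tr ',' '\n' | grep -qx "$2"
}

# ruleset_accepts_related FILE: succeed when INPUT accepts RELATED connections. That rule,
# not a passive port range, is what admits the data connection the helper expects.
ruleset_accepts_related() {
    grep -q -- '^-A INPUT .*RELATED.*-j ACCEPT' "$1"
}

# diagnose PORTS_FILE RULES_FILE: print one line per check, return 0 only if both pass.
diagnose() {
    rc=0
    if helper_tracks_port "$1" "$FTP_PORT"; then
        echo "ok: nf_conntrack_ftp tracks port $FTP_PORT"
    else
        echo "FAIL: helper port list is '$(cat "$1")'; reload nf_conntrack_ftp with ports=$FTP_PORT"; rc=1
    fi
    if ruleset_accepts_related "$2"; then
        echo "ok: INPUT accepts RELATED connections"
    else
        echo "FAIL: no RELATED accept in INPUT; passive data connections will be dropped"; rc=1
    fi
    return $rc
}

# Constructed samples: helper left on its default port, and the relevant lines of the ruleset.
TMP=$(mktemp -d)
DEFAULT_PORTS=$TMP/ports_default; printf '21\n' > "$DEFAULT_PORTS"
CUSTOM_PORTS=$TMP/ports_custom;   printf '21,21332\n' > "$CUSTOM_PORTS"
RULES=$TMP/rules
cat > "$RULES" <<'EOF'
-A INPUT -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
-A THRU -i eth0 -p tcp -m tcp --dport 21332 -m state --state NEW,RELATED,ESTABLISHED -j ACCEPT
EOF
diagnose "$DEFAULT_PORTS" "$RULES" || true   # reports the helper failure
diagnose "$CUSTOM_PORTS" "$RULES"            # both checks pass
```

Note that `-m helper` only matches connections that have a master conntrack entry, i.e. the RELATED data connection, so a rule combining it with `--state NEW` can never match, which is consistent with the zero counter in the question.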
