mariourk l33t
Joined: 11 Jul 2003 Posts: 807 Location: Urk, Netherlands
Posted: Wed Jul 07, 2004 4:42 pm Post subject: Proftp and iptables [solved]
I have proftp running on a server at the company I work for. I had this problem that I could
connect from the inside network but not from the outside (internet).
I solved this problem finally by adding this line to /etc/proftpd/proftpd.conf
Code:
MasqueradeAddress 123.123.123.123
where the IP is the external (ADSL) IP-address.
To make sure the problem was not in the firewall I configured iptables, running on
the FTP-server, to accept everything from my own private IP-address at home (from
where I was testing).
Now ProFTP works fine, but I have a second problem. If I disable the "accept everything from
my own IP-address" option in iptables, nothing works anymore. Port 21 is open.
It seems that ProFTP/GFTP uses port 45429 somehow. Does this sound familiar to someone?
How can I configure iptables to make sure the FTP traffic is accepted without opening too
much?
I already have this in the INPUT and the FORWARD chain
Code:
-A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
Here is the netstat output while an FTP connection is established.
Code:
mail root # netstat -ant | grep 81.68.215.80
tcp 0 0 10.0.0.150:22 81.68.215.80:33452 ESTABLISHED
tcp 0 0 10.0.0.150:45429 81.68.215.80:33620 TIME_WAIT
tcp 0 48 10.0.0.150:22 81.68.215.80:33403 ESTABLISHED
tcp 0 0 10.0.0.150:21 81.68.215.80:33619 ESTABLISHED
81.68.215.80 is my own, private, IP-address at home
Thanks
Last edited by mariourk on Thu Jul 08, 2004 3:56 pm; edited 1 time in total
db_404 Guru
Joined: 05 Dec 2002 Posts: 336
Posted: Wed Jul 07, 2004 5:25 pm
Do you have ip_conntrack_ftp loaded?
An (edited) lsmod for my firewall looks like:
Code:
Module Size Used by Not tainted
ipt_REJECT 3160 1 (autoclean)
ipt_state 504 3 (autoclean)
ipt_MASQUERADE 1304 1 (autoclean)
ipt_LOG 3320 1 (autoclean)
ipt_limit 824 1 (autoclean)
iptable_filter 1644 1 (autoclean)
ip_nat_ftp 2640 0 (unused)
iptable_nat 15342 2 [ipt_MASQUERADE ip_nat_ftp]
ip_tables 12256 9 [ipt_REJECT ipt_state ipt_MASQUERADE ipt_LOG ipt_limit iptable_filter iptable_nat]
ip_conntrack_ftp 3824 1
ip_conntrack 19332 1 [ipt_state ipt_MASQUERADE ip_nat_ftp iptable_nat ip_conntrack_ftp]
Without ip_conntrack_ftp 'established' can't work for ftp as it has that strange data/command port thing going on (the data port being negotiated as part of the application protocol).
mariourk l33t
Joined: 11 Jul 2003 Posts: 807 Location: Urk, Netherlands
Posted: Wed Jul 07, 2004 5:49 pm
Which option in the kernel do I have to enable for that?
I can't find it
mariourk l33t
Joined: 11 Jul 2003 Posts: 807 Location: Urk, Netherlands
Posted: Thu Jul 08, 2004 7:07 am
I have both:
Device Drivers --> Networking support --> Networking options --> Network packet filtering --
--> IP: Netfilter Configuration --> FTP protocol support & TFTP protocol support
enabled in my kernel. Looking at the help of these options I think these should be the ones.
However, it still doesn't work.
When I disable "passive mode" in GFTP it does work. But I can't explain that to all our clients
who want to upload files to us. So I really want this to work 100% fool-proof.
Anyone?
mariourk l33t
Joined: 11 Jul 2003 Posts: 807 Location: Urk, Netherlands
Posted: Thu Jul 08, 2004 9:04 am
I did some more digging. It seems it has something to do with passive ports.
So I added the following line to /etc/proftpd/proftpd.conf
Code:
PassivePorts 6000 6015
I also opened these ports in the INPUT and the FORWARD chain of iptables (both
just to be certain. After everything works I can always check which one is needed and
which one is not). But still nothing.
Strange thing is that GFTP doesn't seem to use ports 6000 - 6015 at all.
Instead of that I see:
Code:
227 Entering Passive Mode (123,123,123,123,23,121)
I guess that 23,121 means port 23121 is used. Not port 6000 - 6015
mariourk l33t
Joined: 11 Jul 2003 Posts: 807 Location: Urk, Netherlands
Posted: Thu Jul 08, 2004 9:44 am
It seems that 23,121 is not port 23121 but port 6009.
Code:
23 x 256 = 5888
5888 + 121 = 6009
Don't ask me, I found this formula on the internet. No idea what it means.
So GFTP uses the correct ports for passive mode. But still no success
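The "23 x 256 + 121" arithmetic in the post above is how RFC 959 encodes the data port in a 227 reply: the six numbers are the four address octets followed by the port's high and low byte. The script below is an added example (not code from the thread or from ProFTPD) that decodes such a reply and checks it against what the server is supposed to advertise: the MasqueradeAddress and the PassivePorts range. A reply that advertises the server's private address to an outside client, or a port outside the range the firewall opens, is exactly the failure the thread describes. The two sample replies are constructed, the first copied from the post; nothing beyond POSIX sh and sed is assumed.

```shell
#!/bin/sh
# Added example, not from the original thread: decode an FTP
# "227 Entering Passive Mode (h1,h2,h3,h4,p1,p2)" reply and check it against
# what the server is configured to advertise. RFC 959 encodes the data port
# as p1*256 + p2, which is where "23 x 256 + 121 = 6009" comes from.

# pasv_decode REPLY
# Prints "IP PORT" for a 227 reply; returns 1 if the reply is malformed.
pasv_decode() {
    nums=$(printf '%s\n' "$1" | sed -n 's/^227 .*(\([0-9,]*\)).*$/\1/p')
    [ -n "$nums" ] || { echo "not a 227 reply: $1" >&2; return 1; }

    # Split the comma-separated fields into $1..$6 (positional parameters
    # of this function only).
    oldifs=$IFS
    IFS=,
    set -- $nums
    IFS=$oldifs
    [ $# -eq 6 ] || { echo "expected 6 fields, got $#: $nums" >&2; return 1; }
    for f; do
        case $f in
            ''|*[!0-9]*) echo "bad field '$f'" >&2; return 1 ;;
        esac
        [ "$f" -le 255 ] || { echo "field $f exceeds 255" >&2; return 1; }
    done

    printf '%s.%s.%s.%s %d\n' "$1" "$2" "$3" "$4" "$(( $5 * 256 + $6 ))"
}

# pasv_check REPLY MASQ_ADDR LOW HIGH
# Returns 0 when the advertised address equals MASQ_ADDR and the port lies in
# the PassivePorts range LOW..HIGH; otherwise prints why on stderr and returns 1.
pasv_check() {
    decoded=$(pasv_decode "$1") || return 1
    ip=${decoded% *}
    port=${decoded#* }
    rc=0
    if [ "$ip" != "$2" ]; then
        echo "address mismatch: advertised $ip, expected MasqueradeAddress $2" >&2
        rc=1
    fi
    if [ "$port" -lt "$3" ] || [ "$port" -gt "$4" ]; then
        echo "port $port outside PassivePorts $3-$4; the firewall will drop the data connection" >&2
        rc=1
    fi
    return $rc
}

# Constructed sample replies: the one quoted in the thread, and the kind a
# server sends when MasqueradeAddress is not set and it advertises its own
# private address to an outside client (the thread's first problem).
SAMPLE_OK='227 Entering Passive Mode (123,123,123,123,23,121)'
SAMPLE_PRIVATE='227 Entering Passive Mode (10,0,0,150,23,121)'

# Run with "demo" as the first argument to see both cases.
if [ "${1:-}" = "demo" ]; then
    pasv_decode "$SAMPLE_OK"
    pasv_check "$SAMPLE_OK" 123.123.123.123 6000 6015 && echo "reply is consistent"
    pasv_check "$SAMPLE_PRIVATE" 123.123.123.123 6000 6015 || echo "set MasqueradeAddress"
fi
```

In practice the reply to test is the one a client sees from outside the firewall (`ftp -d` or GFTP's log window shows it), since that is the view a NAT or proxy can alter.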
db_404 Guru
Joined: 05 Dec 2002 Posts: 336
Posted: Thu Jul 08, 2004 3:49 pm
Are the ftp connection tracking modules built into the kernel? If they are built as modules I have to modprobe them manually as they don't get loaded when the firewall comes up.
I have
Code:
echo "Adding ftp conntrack"
modprobe ip_conntrack_ftp
modprobe ip_nat_ftp
in one of my startup scripts.
mariourk l33t
Joined: 11 Jul 2003 Posts: 807 Location: Urk, Netherlands
Posted: Thu Jul 08, 2004 3:55 pm
Ok, I have it working now.
Here is how I did it.
First of all I added the following lines to /etc/proftpd/proftpd.conf
Code:
PassivePorts 6000 6015
MasqueradeAddress 123.123.123.123
MasqueradeAddress is the external, ADSL, IP-address. You also need to open the PassivePorts
with iptables.
Code:
iptables -A INPUT -p tcp -m multiport --dports 6000:6015 -j ACCEPT   # 6000:6015 is the whole PassivePorts range
After --dports you have to set all the PassivePorts you want to use.
Now the FTP-server can be connected to from the outside. Problem is that it is no
longer possible to connect to the FTP-server, in passive mode, from the inside network.
We can solve this with iptables.
Code:
iptables -t nat -A PREROUTING -i eth0 -p tcp -m multiport --dports 6000:6015 -j DNAT --to-destination 192.168.1.1
where eth0 is the interface that is connected to your internal network (in this case it has
the 192.168.0.0/24 range)
Now everything should work fine
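The procedure in the final post (PassivePorts plus MasqueradeAddress in proftpd.conf, the INPUT rule for the passive range, and the DNAT rule so inside clients that receive the external address in the 227 reply still reach the server) is written below as a small set of shell functions. This is an added example, not the poster's script or anything shipped with ProFTPD or netfilter. It writes the passive range once as LOW:HIGH instead of listing ports after --dports, restricts the DNAT to packets actually addressed to the MasqueradeAddress, and checks whether the FTP conntrack helper is loaded, since without it the RELATED,ESTABLISHED rule cannot match the data connection. The addresses, interface name and the MODULES_FILE override are assumptions for the demonstration.

```shell
#!/bin/sh
# Added example, not from the original thread: the firewall side of the final
# post as functions. Addresses, the interface name and MODULES_FILE are
# assumptions; ftp_rules only prints commands, apply them by piping into sh.

# ftp_conntrack_loaded
# Is the FTP connection-tracking helper loaded? 2.4/2.6 kernels name the
# module ip_conntrack_ftp, current kernels nf_conntrack_ftp. A kernel with the
# helper compiled in will not list it here, so treat a miss as "check further".
ftp_conntrack_loaded() {
    grep -Eq '^(ip|nf)_conntrack_ftp ' "${MODULES_FILE:-/proc/modules}"
}

# ftp_helper_rule
# Since Linux 4.7 conntrack does not attach helpers automatically
# (net.netfilter.nf_conntrack_helper defaults to 0), so the FTP helper has to
# be bound to the control connection explicitly. Not needed on the 2.6-era
# kernel in the thread, where loading the module was enough.
ftp_helper_rule() {
    echo 'iptables -t raw -A PREROUTING -p tcp --dport 21 -j CT --helper ftp'
}

# ftp_rules EXT_IP FTP_IP LAN_IF LOW HIGH
# EXT_IP: the MasqueradeAddress. FTP_IP: the address proftpd listens on (the
# firewall's own inside address when proftpd runs on the firewall, as in the
# thread). LAN_IF: the inside interface. LOW..HIGH: the PassivePorts range.
ftp_rules() {
    ext=$1 ftp=$2 lanif=$3 low=$4 high=$5
    [ "$low" -le "$high" ] 2>/dev/null || { echo "bad passive range: $low-$high" >&2; return 1; }
    cat <<EOF
# control connection, plus whatever the conntrack helper ties to it
iptables -A INPUT -p tcp --dport 21 -j ACCEPT
iptables -A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
# passive data connections from outside: only the configured PassivePorts
iptables -A INPUT -p tcp --dport $low:$high -j ACCEPT
# inside clients are told the MasqueradeAddress in the 227 reply; rewrite
# those connections back to the server. The -d match keeps the rewrite off
# other traffic that happens to use these ports.
iptables -t nat -A PREROUTING -i $lanif -d $ext -p tcp -m multiport --dports 21,$low:$high -j DNAT --to-destination $ftp
EOF
}

# Run with "apply" as the first argument (as root) to load the helper if it
# is missing and install the rules for the assumed addresses.
if [ "${1:-}" = "apply" ]; then
    ftp_conntrack_loaded || modprobe nf_conntrack_ftp 2>/dev/null || modprobe ip_conntrack_ftp
    {
        ftp_helper_rule
        ftp_rules "${EXT_IP:-123.123.123.123}" "${FTP_IP:-10.0.0.150}" "${LAN_IF:-eth0}" 6000 6015
    } | sh -e
fi
```

If proftpd runs on a separate host behind the firewall rather than on the firewall itself, the DNAT alone is not enough for inside clients: the server's replies would go straight back to the client and bypass the rewrite, so a matching SNAT or MASQUERADE rule in POSTROUTING for that traffic is needed as well.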