-------- Original Message --------
Subject: Re: [LARTC] DNAT rule for vsftp (PASSIVE FTP)
Date: Fri, 05 Oct 2007 12:17:42 +0530
From: Mohan Sundaram <smohan@vsnl.com>
Reply-To: smohan@vsnl.com
To: Indunil Jayasooriya <indunil75@gmail.com>
References: <7ed6b0aa0710042251u6442fb85ma74e46aa9d3f81f9@mail.gmail.com>
Indunil Jayasooriya wrote:> Hi all,
>
> I want to run vsftp behind a firewall.(i.e DMZ zone) . It is runnig as
> passive ftp.
>
> the theroy behind passive ftp is ,
>
> * FTP server''s port 21 from anywhere ( Client initiates
connection)
> * FTP server''s port 21 to ports > 1024 (Server responds to
client''s
> control port)
> * FTP server''s ports > 1024 from anywhere (Client initiates
data
> connection to random port specified by server)
> * FTP server''s ports > 1024 to remote ports > 1024
(Server sends
> ACKs (and data) to client''s data port)
>
>
>
> Then, How can I write DNAT rules.
>
> pls assume 1.2.3.4 <http://1.2.3.4> is the ip of the internert
interface.
>
> #DNAT from Internet to the box running VSFTP @ 192.168.100.3
> <http://192.168.100.3>
> iptables -t nat -A PREROUTING -p tcp -i eth0 -d 1.2.3.4
<http://1.2.3.4>
> --dport 21 -j DNAT --to-destination 192.168.100.3:21
> <http://192.168.100.3:21>
> iptables -t nat -A PREROUTING -p tcp -i eth0 -d 1.2.3.4
<http://1.2.3.4>
> --dport 1024: -j DNAT --to-destination 192.168.100.3
<http://192.168.100.3>
>
> And also
> #connect to below ip (actual destination ip) with below ports,due to
> DNATing
> iptables -A FORWARD -p tcp -d 192.168.100.3 <http://192.168.100.3>
> --dport 21 -m state --state NEW -j ACCEPT
> iptables -A FORWARD -p tcp -d 192.168.100.3 <http://192.168.100.3>
> --dport 1024: -m state --state NEW -j ACCEPT
>
>
> R u okay with the above 4 rules ?
>
> If WRONG, pls write down your rules. I am going to put this vsftp server
> in to PRODUCTION USE.
>
>
> Pls also make sure , my firewall has below rules such as DROP,
> ESTABLISHED,RELATED.
>
> iptables -P INPUT DROP
> iptables -P FORWARD DROP
> iptables -P OUTPUT DROP
>
> iptables -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
> iptables -A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT
> iptables -A OUTPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
>
>
> YOUR comments.
>
>
> --
> Thank you
> Indunil Jayasooriya
If you want to run apps with different ports for control and data, you
need to run ALG or Connection tracking helper ip_conntrack_ftp.
Extracted from
http://www.kalamazoolinux.org/presentations/20010417/conntrack.html
Connection tracking and ftp
Firstly, you need to load the ip_conntrack_ftp module.
Assuming you have a single-homed box, a simple ruleset to allow an ftp
connection would be:
iptables -A INPUT -p tcp --sport 21 -m state --state ESTABLISHED -j
ACCEPT
iptables -A OUTPUT -p tcp --dport 21 -m state --state NEW,ESTABLISHED -j
ACCEPT
(Please note, I am assuming here you have a separate ruleset to allow
any icmp RELATED to the conection. Please see my example ruleset for this).
This is not the whole story. An ftp connection also needs a
data-channel, which can be provided in one of two ways:
1) Active ftp
The ftp client sends a port number over the ftp channel via a PORT
command to the ftp server. The ftp server then connects from port 20 to
this port to send data, such as a file, or the output from an ls
command. The ftp-data connection is in the opposite sense from the
original ftp connection.
To allow active ftp without knowing the port number that has been passed
we need a general rule which allows connections from port 20 on remote
ftp servers to high ports (port numbers > 1023) on ftp clients. This is
simply too general to ever be secure.
Enter the ip_conntrack_ftp module. This module is able to recognize the
PORT command and pick-out the port number. As such, the ftp-data
connection can be classified as RELATED to the original outgoing
connection to port 21 so we don''t need NEW as a state match for the
connection in the INPUT chain. The following rules will serve our
purposes grandly:
iptables -A INPUT -p tcp --sport 20 -m state --state
ESTABLISHED,RELATED -j ACCEPT
iptables -A OUTPUT -p tcp --dport 20 -m state --state ESTABLISHED -j ACCEPT
2) Passive ftp
A PORT command is again issued, but this time it is from the server to
the client. The client connects to the server for data transfer. Since
the connection is in the same sense as the original ftp connection,
passive ftp is inherently more secure than active ftp, but note that
this time we know even less about the port numbers. Now we have a
connection between almost arbitrary port numbers.
Enter the ip_conntrack_ftp module once more. Again, this module is able
to recognize the PORT command and pick-out the port number. Instead of
NEW in the state match for the OUTPUT chain, we can use RELATED. The
following rules will suffice:
iptables -A INPUT -p tcp --sport 1024: --dport 1024: -m state
--state ESTABLISHED -j ACCEPT
iptables -A OUTPUT -p tcp --sport 1024: --dport 1024: -m state --state
ESTABLISHED,RELATED -j ACCEPT
Mohan
