FTP and Firewall difficulties (SEC: UNCLASSIFIED)

Kim Holburn kim.holburn at anu.edu.au
Fri Jul 19 13:25:04 EST 2002


At 8:49 AM +1000 02/7/19, Lisman, FLGOFF Jarrad wrote:
>HI, I am trying to set up a firewall on mandrake 8.2 using iptables. I have
>a whole bunch of private systems that I am doing SNATing on through the
>firewall for the 6 IP addresses that I have. I have no servers on the inside
>so I blocked all incoming traffic initially, I soon discovered that of
>course an active ftp transfer will not work. I then allowed the control port
>to be forwarded (20) but this caused an issue in that because it is SNATing
>the firewall does not know where to send the connection initiated by the ftp
>server I am trying to reach. I thought maybe that the module
>ip_conntrack_ftp would fix this but after insmoding it, it appears to not do
>much at all.

You have to use the "RELATED" rule to get it to work:
$IPTABLES -t filter -A fw_tcp_in -m state --state ESTABLISHED,RELATED -j ACCEPT


>I then changed the SNATing to only do one address instead of
>the 6 I have and I seem to kind of get through to the server except for an
>illegal port command error that pops up every time I try to access something.
>I also noted that before I changed from the 6 IP's to the 1 that at one
>particular site I was getting an auth (port113) request dropped.
>
>My config is as follows
>
>iptables -t nat -A SOURCE -j SNAT --to-source $IPMIN-$IPMAX
>(Where IPMin and max is my IP range)
>or iptables -t nat -A SOURCE -j SNAT --to-source $MYIP
>(Where myip is the selected ip)
>iptables -A OUTFORWARD -p tcp --sport 20 --dport $UNPRIVPORTS -j ACCEPT
>
>Can anyone see where my problem is and does anyone know what auth is and
>what it has to do with my ftping?

The best way to handle auth/ident is to use the firewall to reject ident probes from outside.  If you drop them some things don't work or are really slow.
Here's one way to do this:

## Don't drop ident, reject otherwise it slows connections
$IPTABLES -A fw_tcp_in -p tcp --dport 113 -j REJECT --reject-with tcp-reset

Kim

-- 
Kim Holburn  Network Consultant  Ph: +61 2 61258620 M: +61 0417820641
Email: kim.holburn at anu.edu.au - PGP Public Key on request

Life is complex - It has real and imaginary parts.
     Andrea Leistra (rec.arts.sf.written.Robert-jordan)
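An added example, not Kim's rules or the original poster's config, putting the two points above (the RELATED rule beside the conntrack helper, and rejecting ident with a RST) into one minimal dry-run script for the SNAT setup described in the thread. Interface names, the LAN range and the public address range are assumed placeholders, and it also loads ip_nat_ftp next to ip_conntrack_ftp, since on a 2.4 kernel the NAT helper is the module that rewrites the private address inside the client's PORT command.

```shell
#!/bin/sh
# Added example for the thread above; not the poster's or Kim's script.
# Dry run by default: IPTABLES="echo iptables" prints the rules instead of
# loading them. Run as root with IPTABLES=iptables MODPROBE=modprobe to apply.
# Assumed placeholder values (not from the original mail):
IPTABLES="${IPTABLES:-echo iptables}"
MODPROBE="${MODPROBE:-echo modprobe}"
WAN="${WAN:-eth0}"                       # interface holding the public IPs
LAN="${LAN:-eth1}"                       # interface facing the private hosts
LAN_NET="${LAN_NET:-192.168.1.0/24}"     # the private systems being SNATed
IPMIN="${IPMIN:-203.0.113.10}"           # first public address of the range
IPMAX="${IPMAX:-203.0.113.15}"           # last public address of the range

fw_rules() {
    # 2.4-kernel FTP helpers: ip_conntrack_ftp tracks the data connection
    # so it shows up as RELATED; ip_nat_ftp rewrites the private address
    # inside the client's PORT command, which is what the remote server
    # otherwise rejects as an illegal port command.
    $MODPROBE ip_conntrack_ftp
    $MODPROBE ip_nat_ftp

    # No servers inside: default-deny forwarded traffic.
    $IPTABLES -t filter -F FORWARD
    $IPTABLES -t filter -P FORWARD DROP
    # Inside hosts may initiate anything outbound.
    $IPTABLES -t filter -A FORWARD -i "$LAN" -o "$WAN" -s "$LAN_NET" -j ACCEPT
    # Replies, plus helper-tracked active-mode FTP data connections
    # (server port 20 -> client), come back as ESTABLISHED or RELATED.
    # This replaces the static "--sport 20 --dport $UNPRIVPORTS" hole.
    $IPTABLES -t filter -A FORWARD -i "$WAN" -o "$LAN" \
        -m state --state ESTABLISHED,RELATED -j ACCEPT
    # Source NAT on the way out (POSTROUTING is the built-in nat chain).
    $IPTABLES -t nat -A POSTROUTING -o "$WAN" -s "$LAN_NET" \
        -j SNAT --to-source "$IPMIN-$IPMAX"
    # ident/auth probes (tcp/113) from outside get a RST, not a silent drop,
    # so remote FTP and mail servers do not stall waiting for a timeout.
    $IPTABLES -t filter -A INPUT -i "$WAN" -p tcp --dport 113 \
        -j REJECT --reject-with tcp-reset
}

# Number of iptables commands the script emits (handy for a dry-run check).
rule_count() {
    fw_rules | grep -c '^iptables'
}

fw_rules
```

Run it once as-is to review the generated commands, then with IPTABLES=iptables MODPROBE=modprobe as root to load them.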