I need ftp iptables help

asked 2018-08-22 18:43:09 -0600

toddandmargo

Hi All,

I am trying to port my iptables over from RHEL. iptables is not tracking the high ports used with ftp. This used to be done by "ip_conntrack_ftp". "ip_nat_ftp" and "ip_conntrack_ftp" insert without error, but do not show when you modprobe them.

# modprobe ip_nat_ftp 
# modprobe ip_conntrack_ftp 
# lsmod | grep ip_conntrack_ftp
<nothing>
# lsmod | grep ip_nat_ftp
<nothing>

What am I missing?

Many thanks, -T


2 Answers


answered 2018-08-24 23:01:37 -0600

toddandmargo

Figured it out. I am posting my notes here so that Google catches them and maybe someone else's day won't be ruined trying to figure this out:

How to track ftp's high port with Fedora and iptables:

Problem: iptables will not automatically track ftp's high ports (firewalld will).

Note: RHEL used ip_conntrack_ftp and ip_nat_ftp.

These have been superseded by nf_conntrack_ftp, nf_conntrack_tftp, nf_nat_ftp and nf_nat_tftp.

To set up ftp high port tracking:

1) in /etc/sysconfig/iptables-config add (under this first erase add)

 IPTABLES_MODULES="nf_conntrack_ftp nf_conntrack_tftp nf_nat_ftp nf_nat_tftp"

2) nf_conntrack_ftp is disabled by default. To enable it:

 # echo 1 > /proc/sys/net/netfilter/nf_conntrack_helper

3) in /etc/modprobe.d/iptables.conf add

 nf_conntrack_ftp ports=21

4) restart iptables

 # systemctl restart iptables

Note: you also have to reload your firewall rules after this too.

5) to check modules

 # lsmod | grep ftp

Notes: filters are part of the kernel and are located in /lib/modules/$(uname -r)/kernel/net/netfilter. To use them, remove the ".ko.xz".

Manual filter adds (disappear after a reboot):

 # modprobe nf_conntrack_ftp
 # modprobe nf_conntrack_tftp
 # modprobe nf_nat_ftp
 # modprobe nf_nat_tftp

Sample passive and active ftp rules:

 # Assumes the chains dsl-out, dsl-in and dsl-for exist and that $eth1,
 # $eth1addr, $internal_net, $allports, $unassgn and $ANYIP are set
 # earlier in the script.
 tbls=/sbin/iptables

 # Helper auto-assignment is off by default; turn it on if needed.
 if [ "$(cat /proc/sys/net/netfilter/nf_conntrack_helper)" = "0" ]; then
     echo "echo 1 > /proc/sys/net/netfilter/nf_conntrack_helper"
     echo 1 > /proc/sys/net/netfilter/nf_conntrack_helper
 fi

Active:

 # Outbound data connection from the ftp-data port, plus the replies.
 $tbls -A dsl-out -o $eth1 -p tcp -s $eth1addr --sport $allports --dport ftp-data -m state --state ESTABLISHED -j ACCEPT
 $tbls -A dsl-in  -i $eth1 -p tcp --sport ftp-data -d $eth1addr     --dport $unassgn -m state --state RELATED,ESTABLISHED -j ACCEPT
 $tbls -A dsl-for -i $eth1 -p tcp --sport ftp-data -d $internal_net --dport $unassgn -m state --state RELATED,ESTABLISHED -j ACCEPT

Passive:

 # Control connection to port 21 and its replies.
 $tbls -A dsl-out -o $eth1 -p tcp -s $eth1addr --sport $unassgn --dport ftp -m conntrack --ctstate NEW,ESTABLISHED -j ACCEPT
 $tbls -A dsl-in  -i $eth1 -p tcp ! --syn --sport ftp -d $eth1addr     --dport $unassgn -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
 $tbls -A dsl-for -i $eth1 -p tcp ! --syn --sport ftp -d $internal_net --dport $unassgn -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
 # Data connections the ftp helper marked as RELATED to a tracked control session.
 $tbls -A dsl-out -o $eth1 -p tcp -s $eth1addr -d $ANYIP -m helper --helper ftp -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
 $tbls -A dsl-in  -i $eth1 -p tcp ! --syn -s $ANYIP -d $eth1addr     -m helper --helper ftp -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
 $tbls -A dsl-for -i $eth1 -p tcp ! --syn -s $ANYIP -d $internal_net -m helper --helper ftp -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT

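The answer above turns on helper auto-assignment globally with nf_conntrack_helper=1. Newer kernels instead expect the helper to be attached explicitly with a raw-table `-j CT --helper ftp` rule scoped to the control port. The script below is an added example, not part of the original post: it checks an `lsmod` listing for the two modules the answer relies on and reports which of the two helper modes a ruleset is using. It takes its inputs as text, so it runs against the constructed samples at the bottom without root.

```shell
#!/bin/sh
# Added example: pre-flight check for the FTP conntrack helper setup.
# Inputs are passed as strings so the functions can be tested offline.

# Print the names of required netfilter modules absent from an `lsmod`
# listing, one per line. Arg 1: full lsmod output.
missing_ftp_modules() {
    lsmod_out=$1
    for mod in nf_conntrack_ftp nf_nat_ftp; do
        # Match the module name in column 1 only, not in the "Used by" column.
        printf '%s\n' "$lsmod_out" | awk -v m="$mod" '$1 == m {found=1} END {exit !found}' \
            || printf '%s\n' "$mod"
    done
}

# Report how FTP helper assignment is configured.
# Arg 1: value of /proc/sys/net/netfilter/nf_conntrack_helper (0 or 1)
# Arg 2: raw-table rules as printed by `iptables -t raw -S`
# Prints "explicit" if a CT --helper ftp rule is present (preferred, scoped
# to the FTP control port), "global" if only the legacy sysctl is set, or
# "none" if neither is in place and data connections will not be tracked.
ftp_helper_mode() {
    sysctl_val=$1
    raw_rules=$2
    if printf '%s\n' "$raw_rules" | grep -q -- '-j CT --helper ftp'; then
        echo explicit
    elif [ "$sysctl_val" = "1" ]; then
        echo global
    else
        echo none
    fi
}

# Constructed sample inputs (not captured from a real host): nf_conntrack_ftp
# is loaded but nf_nat_ftp is not, and the raw table attaches the helper.
SAMPLE_LSMOD='Module                  Size  Used by
nf_conntrack_ftp       24576  0
nf_conntrack          172032  1 nf_conntrack_ftp'
SAMPLE_RAW_RULES='-P PREROUTING ACCEPT
-A PREROUTING -p tcp -m tcp --dport 21 -j CT --helper ftp'

echo "missing modules: $(missing_ftp_modules "$SAMPLE_LSMOD" | tr '\n' ' ')"
echo "helper mode:     $(ftp_helper_mode 0 "$SAMPLE_RAW_RULES")"
```

On a live host the same functions can be fed `"$(lsmod)"`, `"$(cat /proc/sys/net/netfilter/nf_conntrack_helper)"` and `"$(iptables -t raw -S)"`.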

Last updated: Aug 24 '18