Solved

Linux IPTABLES Firewall + FTP + Directory Listing Error

Posted on 2004-08-12
1,117 Views
Last Modified: 2008-02-01
Well, I have written my own firewall script, and it seems to work quite well. It is quite a good firewall; I have run all security scans against it, and it works like a charm. Except for one thing. When I try, from a client behind my firewall, to connect to an FTP server, I usually get the following error:
Directory Listing Error...
Any solution?

Here is my firewall script:

#!/bin/bash

IPTABLES="/sbin/iptables"

#Flush all tables
echo
echo -n "Loading ICARUS Firewall"
echo
echo -n "Copyright: Yves Gijbels under GP Licence"
echo
echo -n "Using: "
${IPTABLES} -V
echo
echo
echo -n "Flushing all rules ............................. "
${IPTABLES} -F INPUT
${IPTABLES} -F OUTPUT
${IPTABLES} -F FORWARD
${IPTABLES} -t nat -F PREROUTING
${IPTABLES} -t nat -F OUTPUT
${IPTABLES} -t nat -F POSTROUTING
${IPTABLES} -t mangle -F PREROUTING
${IPTABLES} -t mangle -F OUTPUT
${IPTABLES} -X
${IPTABLES} -t nat -X
${IPTABLES} -t mangle -X
${IPTABLES} -t filter -X
echo "DONE"
echo

echo -n "Turn on IP Forwarding .......................... "
echo 1 > /proc/sys/net/ipv4/ip_forward
echo -n "DONE"
echo

echo -n "Turn on DHCP Support ........................... "
echo 1 > /proc/sys/net/ipv4/ip_dynaddr
echo -n "DONE"
echo
echo

echo -n "Opening ports 50021 50022 50080 ................ "
${IPTABLES} -A INPUT -p tcp --dport 50021 -j ACCEPT
${IPTABLES} -A INPUT -p tcp --dport 50022 -j ACCEPT
${IPTABLES} -A INPUT -p tcp --dport 50080 -j ACCEPT
echo -n "DONE"
echo

echo -n "Masquerade internal clients to the Internet .... "
${IPTABLES} -A FORWARD -i eth0 -o eth1 -m state --state ESTABLISHED,RELATED -j ACCEPT
${IPTABLES} -A FORWARD -i eth1 -o eth0 -j ACCEPT
${IPTABLES} -t nat -A POSTROUTING -o eth0 -j MASQUERADE
echo -n "DONE"
echo
echo

echo -n "Setting Default Policies ....................... "
${IPTABLES} -P INPUT DROP
${IPTABLES} -A INPUT -i eth1 -j ACCEPT
${IPTABLES} -P OUTPUT ACCEPT
${IPTABLES} -P FORWARD ACCEPT
echo -n "DONE"
echo
echo

echo -n "Forwarding traffic to internal servers"
echo

echo -n "Forwarding VPN ................................. "
${IPTABLES} -t nat -A PREROUTING -i eth0 -p tcp --dport 1723 -j DNAT --to-destination 10.0.0.2:1723
${IPTABLES} -t nat -A PREROUTING -i eth0 -p gre -j DNAT --to 10.0.0.2
${IPTABLES} -A FORWARD -p tcp -i eth0 -d 10.0.0.2 --dport 1723 -j ACCEPT
echo -n "DONE"
echo

echo
echo -n "Enable Security ................................ "
${IPTABLES} -A INPUT -i eth0 -p tcp --tcp-flags ALL FIN,URG,PSH -j DROP
${IPTABLES} -A INPUT -i eth0 -p tcp --tcp-flags ALL ALL -j DROP
${IPTABLES} -A INPUT -i eth0 -p tcp --tcp-flags ALL SYN,RST,ACK,FIN,URG -j DROP
${IPTABLES} -A INPUT -i eth0 -p tcp --tcp-flags ALL NONE -j DROP
${IPTABLES} -A INPUT -i eth0 -p tcp --tcp-flags SYN,RST SYN,RST -j DROP
${IPTABLES} -A INPUT -i eth0 -p tcp --tcp-flags SYN,FIN SYN,FIN -j DROP
${IPTABLES} -A INPUT -i eth0 -p icmp -j DROP
${IPTABLES} -A INPUT -i eth0 -p udp --sport 137 --dport 137 -j DROP
echo -n "DONE"
echo

echo
echo -n "Done loading the firewall!"
echo
echo

Question by:xterminator
16 Comments

Expert Comment
by:jlevie
Clients behind a firewall almost always need to be using Passive mode. Are they?

Author Comment
by:xterminator
That's not an option because the FTP server I'm connecting to doesn't allow passive mode.

Expert Comment
by:mikygee
It seems you can connect to the ftp server through the control channel.
With active mode the remote server starts the connection from port 20.
# active FTP
iptables -A INPUT -p tcp --sport 20 -m state --state ESTABLISHED,RELATED -j ACCEPT
iptables -A OUTPUT -p tcp --dport 20 -m state --state ESTABLISHED -j ACCEPT

If this doesn't work, install iptraf and try to troubleshoot. Try also to replace the first line with:
iptables -A INPUT -p tcp --sport 20 -m state --state NEW,ESTABLISHED,RELATED -j ACCEPT
but it should work without doing this.

If I were you I would set up my default policy to DROP for the OUTPUT chain and in your security rules add one to deny broadcasts.

bye

Author Comment
by:xterminator
So if I understand it correctly the following line: ${IPTABLES} -P OUTPUT ACCEPT changes to ${IPTABLES} -P OUTPUT DROP
and also I need to add the 2 following lines:
iptables -A INPUT -p tcp --sport 20 -m state --state ESTABLISHED,RELATED -j ACCEPT
iptables -A OUTPUT -p tcp --dport 20 -m state --state ESTABLISHED -j ACCEPT

How do I deny broadcasts with IPTABLES?

Expert Comment
by:mikygee
For the broadcast, I just thought it was an interesting feature to add. For example, if a machine in your network is flooding with bcast packets, your firewall will stop these; otherwise all the internet could reply to your request and cause your LL to be saturated (actually the routers of your provider could deny these broadcast messages).
iptables -A FORWARD -d 255.0.0.0/8 -j DROP
iptables -A OUTPUT -d 255.0.0.0/8 -j DROP
could do it although there should be a more clever way to write the rule.

Be careful: if you change ${IPTABLES} -P OUTPUT ACCEPT to ${IPTABLES} -P OUTPUT DROP you'll have to write all the rules for your packets to go out. But in general I don't do many things with my firewall (ssh, dns, vpn, maybe ftp or http).

Let me know if your ftp active mode works now.

Accepted Solution
by:jlevie (earned 100 total points)
>  That's not an option because the FTP server where I'm connection to doesn't allow passive mode.

In which case you'll need to open for inbound connections all of the ephemeral ports (1024-65535/TCP). That's pretty much a huge security hole and I wouldn't consider doing that. An alternative to opening up the entire firewalled network would be to designate a single Linux box as the FTP client and allow ephemeral ports inbound only to that IP. I'd strip down that box to the bare minimum and make sure that it was always up to date w/respect to security advisories. Local users would log into that box via ssh and do the FTP transaction, copying files via scp to/from their local machine.

Of course the ideal solution is to get the remote FTP server upgraded to one that supports Passive connections.

Author Comment
by:xterminator
Unfortunately, adding the lines:
iptables -A INPUT -p tcp --sport 20 -m state --state ESTABLISHED,RELATED -j ACCEPT
iptables -A OUTPUT -p tcp --dport 20 -m state --state ESTABLISHED -j ACCEPT
doesn't seem to help.

This is the log of my FTP client:
[11:36:10] [R] SYST
[11:36:10] [R] 215 Windows_NT version 5.0
[11:36:10] [R] FEAT
[11:36:10] [R] 500 'FEAT': command not understood
[11:36:10] [R] PWD
[11:36:10] [R] 257 "/lasertronix" is current directory.
[11:36:10] [R] TYPE A
[11:36:10] [R] 200 Type set to A.
[11:36:10] [R] PORT 10,0,0,5,8,224
[11:36:10] [R] 500 Invalid PORT Command.
[11:36:10] [R] LIST -al
[11:36:10] [R] 150 Opening ASCII mode data connection for /bin/ls.
[11:36:33] [R] 425 Can't open data connection.
[11:36:33] [R] List Complete: 0 bytes in 22,98 seconds (0,0 KB/s)
[11:36:33] [R] PORT 10,0,0,5,8,225
[11:36:33] [R] 500 Invalid PORT Command.
[11:36:33] [R] LIST -al
[11:36:33] [R] 150 Opening ASCII mode data connection for /bin/ls.
[11:36:56] [R] 425 Can't open data connection.
[11:36:56] [R] List Complete: 0 bytes in 45,94 seconds (0,0 KB/s)

Expert Comment
by:mikygee
Could you add these lines so the connection tracking can be started:
iptables -A OUTPUT -p tcp --dport 21 -m state --state NEW,ESTABLISHED -j ACCEPT
iptables -A INPUT -p tcp --sport 21 -m state --state ESTABLISHED -j ACCEPT

Please install iptraf on your machine or something similar; it will help to see exactly when the problem happens.

bye

Expert Comment
by:jlevie
The problem with an Active FTP session, and the reason that the "ESTABLISHED" rule doesn't help, lies in the requirements of an Active session. When a client initiates an FTP session to an Active server it opens an outbound connection to the server's port 21. That's fine as far as a firewall is concerned. The problem is that any command that causes a transfer of data (ls, get, put) requires that the server open a connection from 20/TCP (on the server) to some port in the 1024-65535 range on the client. Since this is an inbound connection that isn't part of an established connection it won't get through the firewall. Additionally, in the case of NAT'ed connections, the firewall won't know which inside machine the inbound connection is supposed to be NAT'ed to.

For a full discussion of Active vs Passive FTP see http://slacksite.com/other/ftp.html

Author Comment
by:xterminator
Well, I guessed that was the problem.
So it's a major security hole in my firewall in order to make the active connection work. They can't possibly want me to open all ports from 1024 to 65535. (Where is the use of my firewall?)
Isn't there a workaround?

Expert Comment
by:jlevie
> They can't possibly want me to open all ports from 1024 to 65535. (Where is the use my firewall?)

Well, that's what's required for Active FTP to work. That, and NPAT, are why Passive mode was created.

> Isn't there a workaround ?

Use Passive mode.

Author Comment
by:xterminator
Hm, then I'll have to e-mail the hosting company....
Anyway, thanks for the info.

Both answers of mikygee and jlevie deserve points. Can't I give them both an equal share? :D

Expert Comment
by:jlevie
I'd be really surprised to find that an FTP server at a hosting org didn't support Passive FTP. Have you tried a client in Passive mode?

Author Comment
by:xterminator
Yep, I even contacted the hosting company 10x for the same problem.
Every time the same answer: "We'll check it out for you."
That's why I tried to resolve it myself. Now I guess I'll just have to find another, much better hosting company.
So, DON'T host your site with the SCARLET (Belgium) hosting company.

Thanks for the advice... still dealing with the points issue :)