WannaCry is just the start. Read how Liquid Web is protecting itself and its customers against new threats.
Course Of The Month
Become a Premium Member and unlock a new, free course in leading technologies each month.
Solved
Linux IPTABLES Firewall + FTP + Directory Listing Error
Posted on 2004-08-12
Well, I have written my own firewall script, and it seems to work quite good. It is quit a good firewall, used all securtity scans against it, and it works like a charm. Exept one thing. When I try, from a client behind my firewall, to connect to a FTP server I usually get the following error:
Directory Listing Error...
Any solution ?
Here is my firewall script:
#!/bin/bash
IPTABLES="/sbin/iptables"
#Flush all tables
echo
echo -n "Loading ICARUS Firewall"
echo
echo -n "Copyright: Yves Gijbels under GP Licence"
echo
echo -n "Using: "
${IPTABLES} -V
echo
echo
echo -n "Flushing all rules ..........................
${IPTABLES} -F INPUT
${IPTABLES} -F OUTPUT
${IPTABLES} -F FORWARD
${IPTABLES} -t nat -F PREROUTING
${IPTABLES} -t nat -F OUTPUT
${IPTABLES} -t nat -F POSTROUTING
${IPTABLES} -t mangle -F PREROUTING
${IPTABLES} -t mangle -F OUTPUT
${IPTABLES} -X
${IPTABLES} -t nat -X
${IPTABLES} -t mangle -X
${IPTABLES} -t filter -X
echo "DONE"
echo
echo -n "Turn on IP Forwarding ..........................
echo 1 > /proc/sys/net/ipv4/ip_forw
echo -n "DONE"
echo
echo -n "Turn on DHCP Support ..........................
echo 1 > /proc/sys/net/ipv4/ip_dyna
echo -n "DONE"
echo
echo
echo -n "Opening ports 50021 50022 50080 ................ "
${IPTABLES} -A INPUT -p tcp --dport 50021 -j ACCEPT
${IPTABLES} -A INPUT -p tcp --dport 50022 -j ACCEPT
${IPTABLES} -A INPUT -p tcp --dport 50080 -j ACCEPT
echo -n "DONE"
echo
echo -n "Masquerade internal clients to the Internet .... "
${IPTABLES} -A FORWARD -i eth0 -o eth1 -m state --state ESTABLISHED,RELATED -j ACCEPT
${IPTABLES} -A FORWARD -i eth1 -o eth0 -j ACCEPT
${IPTABLES} -t nat -A POSTROUTING -o eth0 -j MASQUERADE
echo -n "DONE"
echo
echo
echo -n "Setting Default Policies ....................... "
${IPTABLES} -P INPUT DROP
${IPTABLES} -A INPUT -i eth1 -j ACCEPT
${IPTABLES} -P OUTPUT ACCEPT
${IPTABLES} -P FORWARD ACCEPT
echo -n "DONE"
echo
echo
echo -n "Forwarding traffic to internal servers"
echo
echo -n "Forwarding VPN ..........................
${IPTABLES} -t nat -A PREROUTING -i eth0 -p tcp --dport 1723 -j DNAT --to-destination 10.0.0.2:1723
${IPTABLES} -t nat -A PREROUTING -i eth0 -p gre -j DNAT --to 10.0.0.2
${IPTABLES} -A FORWARD -p tcp -i eth0 -d 10.0.0.2 --dport 1723 -j ACCEPT
echo -n "DONE"
echo
echo
echo -n "Enable Security ..........................
${IPTABLES} -A INPUT -i eth0 -p tcp --tcp-flags ALL FIN,URG,PSH -j DROP
${IPTABLES} -A INPUT -i eth0 -p tcp --tcp-flags ALL ALL -j DROP
${IPTABLES} -A INPUT -i eth0 -p tcp --tcp-flags ALL SYN,RST,ACK,FIN,URG -j DROP
${IPTABLES} -A INPUT -i eth0 -p tcp --tcp-flags ALL NONE -j DROP
${IPTABLES} -A INPUT -i eth0 -p tcp --tcp-flags SYN,RST SYN,RST -j DROP
${IPTABLES} -A INPUT -i eth0 -p tcp --tcp-flags SYN,FIN SYN,FIN -j DROP
${IPTABLES} -A INPUT -i eth0 -p icmp -j DROP
${IPTABLES} -A INPUT -i eth0 -p udp --sport 137 --dport 137 -j DROP
echo -n "DONE"
echo
echo
echo -n "Done loading the firewall!"
echo
echo
Directory Listing Error...
Any solution ?
Here is my firewall script:
#!/bin/bash
IPTABLES="/sbin/iptables"
#Flush all tables
echo
echo -n "Loading ICARUS Firewall"
echo
echo -n "Copyright: Yves Gijbels under GP Licence"
echo
echo -n "Using: "
${IPTABLES} -V
echo
echo
echo -n "Flushing all rules ..........................
${IPTABLES} -F INPUT
${IPTABLES} -F OUTPUT
${IPTABLES} -F FORWARD
${IPTABLES} -t nat -F PREROUTING
${IPTABLES} -t nat -F OUTPUT
${IPTABLES} -t nat -F POSTROUTING
${IPTABLES} -t mangle -F PREROUTING
${IPTABLES} -t mangle -F OUTPUT
${IPTABLES} -X
${IPTABLES} -t nat -X
${IPTABLES} -t mangle -X
${IPTABLES} -t filter -X
echo "DONE"
echo
echo -n "Turn on IP Forwarding ..........................
echo 1 > /proc/sys/net/ipv4/ip_forw
echo -n "DONE"
echo
echo -n "Turn on DHCP Support ..........................
echo 1 > /proc/sys/net/ipv4/ip_dyna
echo -n "DONE"
echo
echo
echo -n "Opening ports 50021 50022 50080 ................ "
${IPTABLES} -A INPUT -p tcp --dport 50021 -j ACCEPT
${IPTABLES} -A INPUT -p tcp --dport 50022 -j ACCEPT
${IPTABLES} -A INPUT -p tcp --dport 50080 -j ACCEPT
echo -n "DONE"
echo
echo -n "Masquerade internal clients to the Internet .... "
${IPTABLES} -A FORWARD -i eth0 -o eth1 -m state --state ESTABLISHED,RELATED -j ACCEPT
${IPTABLES} -A FORWARD -i eth1 -o eth0 -j ACCEPT
${IPTABLES} -t nat -A POSTROUTING -o eth0 -j MASQUERADE
echo -n "DONE"
echo
echo
echo -n "Setting Default Policies ....................... "
${IPTABLES} -P INPUT DROP
${IPTABLES} -A INPUT -i eth1 -j ACCEPT
${IPTABLES} -P OUTPUT ACCEPT
${IPTABLES} -P FORWARD ACCEPT
echo -n "DONE"
echo
echo
echo -n "Forwarding traffic to internal servers"
echo
echo -n "Forwarding VPN ..........................
${IPTABLES} -t nat -A PREROUTING -i eth0 -p tcp --dport 1723 -j DNAT --to-destination 10.0.0.2:1723
${IPTABLES} -t nat -A PREROUTING -i eth0 -p gre -j DNAT --to 10.0.0.2
${IPTABLES} -A FORWARD -p tcp -i eth0 -d 10.0.0.2 --dport 1723 -j ACCEPT
echo -n "DONE"
echo
echo
echo -n "Enable Security ..........................
${IPTABLES} -A INPUT -i eth0 -p tcp --tcp-flags ALL FIN,URG,PSH -j DROP
${IPTABLES} -A INPUT -i eth0 -p tcp --tcp-flags ALL ALL -j DROP
${IPTABLES} -A INPUT -i eth0 -p tcp --tcp-flags ALL SYN,RST,ACK,FIN,URG -j DROP
${IPTABLES} -A INPUT -i eth0 -p tcp --tcp-flags ALL NONE -j DROP
${IPTABLES} -A INPUT -i eth0 -p tcp --tcp-flags SYN,RST SYN,RST -j DROP
${IPTABLES} -A INPUT -i eth0 -p tcp --tcp-flags SYN,FIN SYN,FIN -j DROP
${IPTABLES} -A INPUT -i eth0 -p icmp -j DROP
${IPTABLES} -A INPUT -i eth0 -p udp --sport 137 --dport 137 -j DROP
echo -n "DONE"
echo
echo
echo -n "Done loading the firewall!"
echo
echo
[X]
Welcome to Experts Exchange
Add your voice to the tech community where 5M+ people just like you are talking about what matters.
- Help others & share knowledge
- Earn cash & points
- Learn & ask questions
-
6
-
5
-
3
16 Comments
It seems you can connect to the ftp server through the control channel.
With active mode the remote server starts the connection from port 20.
# active FTP
iptables -A INPUT -p tcp --sport 20 -m state --state ESTABLISHED,RELATED -j ACCEPT
iptables -A OUTPUT -p tcp --dport 20 -m state --state ESTABLISHED -j ACCEPT
If this doesn't work install iptraf and try to troubleshot. Try also to replace the first line with.
iptables -A INPUT -p tcp --sport 20 -m state --state NEW,ESTABLISHED,RELATED -j ACCEPT
but it should work withouth doing this.
If I were you I would set up my default policy to DROP for the OUTPUT chain and in your security rules add one to deny broadcasts.
bye
With active mode the remote server starts the connection from port 20.
# active FTP
iptables -A INPUT -p tcp --sport 20 -m state --state ESTABLISHED,RELATED -j ACCEPT
iptables -A OUTPUT -p tcp --dport 20 -m state --state ESTABLISHED -j ACCEPT
If this doesn't work install iptraf and try to troubleshot. Try also to replace the first line with.
iptables -A INPUT -p tcp --sport 20 -m state --state NEW,ESTABLISHED,RELATED -j ACCEPT
but it should work withouth doing this.
If I were you I would set up my default policy to DROP for the OUTPUT chain and in your security rules add one to deny broadcasts.
bye
So if I understand it correctly the following line: ${IPTABLES} -P OUTPUT ACCEPT changes to ${IPTABLES} -P OUTPUT DROP
and also I need to add the 2 following lines:
iptables -A INPUT -p tcp --sport 20 -m state --state ESTABLISHED,RELATED -j ACCEPT
iptables -A OUTPUT -p tcp --dport 20 -m state --state ESTABLISHED -j ACCEPT
How do I deny broadcasts with the IPTABLES ?
and also I need to add the 2 following lines:
iptables -A INPUT -p tcp --sport 20 -m state --state ESTABLISHED,RELATED -j ACCEPT
iptables -A OUTPUT -p tcp --dport 20 -m state --state ESTABLISHED -j ACCEPT
How do I deny broadcasts with the IPTABLES ?
For the broadcast, I just thought it was an interesting feature to add. For example if a machine in your network is flooding with bcast packets, your firewall will stop these, otherwise all the internet could reply your request and involve your LL to be saturated (actually the routers of your provider could deny these broadcast messages)
iptables -A FORWARD -d 255.0.0.0/8 -j DROP
iptables -A OUTPUT -d 255.0.0.0/8 -j DROP
could do it although there should be a more clever way to write the rule.
Be carefull, if you change ${IPTABLES} -P OUTPUT ACCEPT to ${IPTABLES} -P OUTPUT DROP you'll have to write all the rules for your packets to go out. But in general I don't do much things with my firewall (ssh, dns, vpn, maybe ftp or http).
Let me know if your ftp active mode works now.
iptables -A FORWARD -d 255.0.0.0/8 -j DROP
iptables -A OUTPUT -d 255.0.0.0/8 -j DROP
could do it although there should be a more clever way to write the rule.
Be carefull, if you change ${IPTABLES} -P OUTPUT ACCEPT to ${IPTABLES} -P OUTPUT DROP you'll have to write all the rules for your packets to go out. But in general I don't do much things with my firewall (ssh, dns, vpn, maybe ftp or http).
Let me know if your ftp active mode works now.
> That's not an option because the FTP server where I'm connection to doesn't allow passive mode.
In which case you'll need to open for inbound connections all of the ephemeral ports (1024-65535/TCP). That's pretty much of a huge security hole and I wouldn't consider doing that. An alternative to opening up the entire firewalled network would be to designate a single Linux box as the FTP client and allow ephemeral port inbound only to that IP. I'd strip down that box to the bare minimum and make sure that it was always up to date w/respect to security advisories. Local users would log into that box via ssh and do the FTP transaction, copying files via scp to/from their local machine.
Of course the ideal solution is to get the remote FTP server upgraded to one that supports Passive connections.
In which case you'll need to open for inbound connections all of the ephemeral ports (1024-65535/TCP). That's pretty much of a huge security hole and I wouldn't consider doing that. An alternative to opening up the entire firewalled network would be to designate a single Linux box as the FTP client and allow ephemeral port inbound only to that IP. I'd strip down that box to the bare minimum and make sure that it was always up to date w/respect to security advisories. Local users would log into that box via ssh and do the FTP transaction, copying files via scp to/from their local machine.
Of course the ideal solution is to get the remote FTP server upgraded to one that supports Passive connections.
Unfortunatly, adding the lines:
iptables -A INPUT -p tcp --sport 20 -m state --state ESTABLISHED,RELATED -j ACCEPT
iptables -A OUTPUT -p tcp --dport 20 -m state --state ESTABLISHED -j ACCEPT
doesn't seem to help.
This is the log of my FTP client:
[11:36:10] [R] SYST
[11:36:10] [R] 215 Windows_NT version 5.0
[11:36:10] [R] FEAT
[11:36:10] [R] 500 'FEAT': command not understood
[11:36:10] [R] PWD
[11:36:10] [R] 257 "/lasertronix" is current directory.
[11:36:10] [R] TYPE A
[11:36:10] [R] 200 Type set to A.
[11:36:10] [R] PORT 10,0,0,5,8,224
[11:36:10] [R] 500 Invalid PORT Command.
[11:36:10] [R] LIST -al
[11:36:10] [R] 150 Opening ASCII mode data connection for /bin/ls.
[11:36:33] [R] 425 Can't open data connection.
[11:36:33] [R] List Complete: 0 bytes in 22,98 seconds (0,0 KB/s)
[11:36:33] [R] PORT 10,0,0,5,8,225
[11:36:33] [R] 500 Invalid PORT Command.
[11:36:33] [R] LIST -al
[11:36:33] [R] 150 Opening ASCII mode data connection for /bin/ls.
[11:36:56] [R] 425 Can't open data connection.
[11:36:56] [R] List Complete: 0 bytes in 45,94 seconds (0,0 KB/s)
iptables -A INPUT -p tcp --sport 20 -m state --state ESTABLISHED,RELATED -j ACCEPT
iptables -A OUTPUT -p tcp --dport 20 -m state --state ESTABLISHED -j ACCEPT
doesn't seem to help.
This is the log of my FTP client:
[11:36:10] [R] SYST
[11:36:10] [R] 215 Windows_NT version 5.0
[11:36:10] [R] FEAT
[11:36:10] [R] 500 'FEAT': command not understood
[11:36:10] [R] PWD
[11:36:10] [R] 257 "/lasertronix" is current directory.
[11:36:10] [R] TYPE A
[11:36:10] [R] 200 Type set to A.
[11:36:10] [R] PORT 10,0,0,5,8,224
[11:36:10] [R] 500 Invalid PORT Command.
[11:36:10] [R] LIST -al
[11:36:10] [R] 150 Opening ASCII mode data connection for /bin/ls.
[11:36:33] [R] 425 Can't open data connection.
[11:36:33] [R] List Complete: 0 bytes in 22,98 seconds (0,0 KB/s)
[11:36:33] [R] PORT 10,0,0,5,8,225
[11:36:33] [R] 500 Invalid PORT Command.
[11:36:33] [R] LIST -al
[11:36:33] [R] 150 Opening ASCII mode data connection for /bin/ls.
[11:36:56] [R] 425 Can't open data connection.
[11:36:56] [R] List Complete: 0 bytes in 45,94 seconds (0,0 KB/s)
Could you add these lines so the connexion tracking could be started.
iptables -A OUTPUT -p tcp --dport 21 -m state --state NEW,ESTABLISHED -j ACCEPT
iptables -A INPUT -p tcp --sport 21 -m state --state ESTABLISHED -j ACCEPT
Please install iptraf on your machine or something similar, it will help to see when does the problem happends exactly.
bye
iptables -A OUTPUT -p tcp --dport 21 -m state --state NEW,ESTABLISHED -j ACCEPT
iptables -A INPUT -p tcp --sport 21 -m state --state ESTABLISHED -j ACCEPT
Please install iptraf on your machine or something similar, it will help to see when does the problem happends exactly.
bye
The problem with an Active FTP session, and the reason that the "ESTABLISHED" rule doesn't help, lies in the requirements of an Active session. When a Client initiates an FTP session to an Active server it opens an outbound connection to the server's port 21. That's fine as far as a firewall is concerned. The problem is that any command that causes a transfer of data (ls, get, put) require that the server open a port from 20/TCP (on the server) some port in the 1024-65535 range on the client. Since this is an inbound connection that isn't part of an established connection it won't get through the firewall. Additionally, in the case of NAT'ed connections, the firewall won't know that inside machine the inbound connection is supposed to be NAT'ed to.
For a full discussion of Active vs Passive FTP see http://slacksite.com/other/ftp.html
For a full discussion of Active vs Passive FTP see http://slacksite.com/other/ftp.html
Well I guessed that was the problem.
So it's a major security hole in my firewall in order to make the active connection work. They can't possibly want me to open all ports from 1024 to 65535. (Where is the use my firewall?)
Isn't there a workaround ?
So it's a major security hole in my firewall in order to make the active connection work. They can't possibly want me to open all ports from 1024 to 65535. (Where is the use my firewall?)
Isn't there a workaround ?
> They can't possibly want me to open all ports from 1024 to 65535. (Where is the use my firewall?)
Well, that's what's required for Active FTP to work. That, and NPAT, are why Passive mode was created.
> Isn't there a workaround ?
Use Passive mode.
Well, that's what's required for Active FTP to work. That, and NPAT, are why Passive mode was created.
> Isn't there a workaround ?
Use Passive mode.
Hm, then I'll have to e-mail the hosting company....
Anyway tnx for the info.
Both answers of mikygee and jlevie deserve points. Can't I give them both an equal share ? :D
Anyway tnx for the info.
Both answers of mikygee and jlevie deserve points. Can't I give them both an equal share ? :D
I'd be really surprised to find that an FTP server at a hosting org didn't support Passive FTP. Have you tried a client in Passive mode?
Yep, I even contacted the hosting compagny 10x for the same problem.
Every time the same answer: We'll check it out for you.
That's why I tried to resolve it myself. Now I guess I'll just have to find another much better hosting compagny.
So, DONT host your site with SCARLET (Belgium) hosting compagny.
Tnx for the advice... still dealing with the points issue :)
Every time the same answer: We'll check it out for you.
That's why I tried to resolve it myself. Now I guess I'll just have to find another much better hosting compagny.
So, DONT host your site with SCARLET (Belgium) hosting compagny.
Tnx for the advice... still dealing with the points issue :)
Featured Post
Watch and learn to see how ATEN provided an easy and effective way for three jointly-owned pubs to control the 60 televisions located across their three venues utilizing the ATEN Control System, Modular Matrix Switch and HDBaseT extenders.
Question has a verified solution.
If you are experiencing a similar issue, please ask a related question
I have seen several blogs and forum entries elsewhere state that because NTFS volumes do not support linux ownership or permissions, they cannot be used for anonymous ftp upload through the vsftpd program.
IT can be done and here's how to get i…
Note: for this to work properly you need to use a Cross-Over network cable.
1. Connect both servers S1 and S2 on the second network slots respectively. Note that you can use the 1st slots but usually these would be occupied by the Service Provide…
If you're a developer or IT admin, you’re probably tasked with managing multiple websites, servers, applications, and levels of security on a daily basis. While this can be extremely time consuming, it can also be frustrating when systems aren't wor…
Monitoring a network: why having a policy is the best policy? Michael Kulchisky, MCSE, MCSA, MCP, VTSP, VSP, CCSP outlines the enormous benefits of having a policy-based approach when monitoring medium and large networks. Software utilized in this v…
Suggested Courses
Earn Certification
HTML5 Specialist - Certification
Free withPremium
Course of the Month6 days, 14 hours left to enroll
623 members asked questions and received personalized solutions in the past 7 days.
Join the community of 500,000 technology professionals and ask your questions.