Linux IPTABLES Firewall + FTP + Directory Listing Error

Well, I have written my own firewall script, and it seems to work quite well. It is quite a good firewall; I have run all the security scans against it, and it works like a charm. Except for one thing: when I try, from a client behind my firewall, to connect to an FTP server, I usually get the following error:
Directory Listing Error...
Any solution ?

Here is my firewall script:

#!/bin/bash
# ICARUS firewall: eth0 faces the Internet, eth1 the LAN (10.0.0.x).

IPTABLES="/sbin/iptables"

echo
echo -n "Loading ICARUS Firewall"
echo
echo -n "Copyright: Yves Gijbels under GP Licence"
echo
echo -n "Using: "
${IPTABLES} -V
echo
echo

# Flush every chain in the filter, nat and mangle tables and delete any
# user-defined chains, so the script always starts from an empty rule set.
echo -n "Flushing all rules ............................. "
${IPTABLES} -F INPUT
${IPTABLES} -F OUTPUT
${IPTABLES} -F FORWARD
${IPTABLES} -t nat -F PREROUTING
${IPTABLES} -t nat -F OUTPUT
${IPTABLES} -t nat -F POSTROUTING
${IPTABLES} -t mangle -F PREROUTING
${IPTABLES} -t mangle -F OUTPUT
${IPTABLES} -X
${IPTABLES} -t nat -X
${IPTABLES} -t mangle -X
echo "DONE"
echo

# Routing between eth1 and eth0 is what lets the LAN clients out at all.
echo -n "Turn on IP Forwarding .......................... "
echo 1 > /proc/sys/net/ipv4/ip_forward
echo -n "DONE"
echo

# ip_dynaddr makes the kernel re-source sockets when the public address on
# eth0 changes (dial-up/DHCP); harmless for a static address.
echo -n "Turn on DHCP Support ........................... "
echo 1 > /proc/sys/net/ipv4/ip_dynaddr
echo -n "DONE"
echo
echo

# Flag combinations used by scanners (XMAS, NULL, SYN/FIN ...), plus all ICMP
# and NetBIOS name service, dropped on the Internet side.  These rules must be
# appended before any ACCEPT in INPUT: iptables takes the first match, so an
# ACCEPT for an open port placed earlier would let such packets through.
echo -n "Enable Security ................................ "
${IPTABLES} -A INPUT -i eth0 -p tcp --tcp-flags ALL FIN,URG,PSH -j DROP
${IPTABLES} -A INPUT -i eth0 -p tcp --tcp-flags ALL ALL -j DROP
${IPTABLES} -A INPUT -i eth0 -p tcp --tcp-flags ALL SYN,RST,ACK,FIN,URG -j DROP
${IPTABLES} -A INPUT -i eth0 -p tcp --tcp-flags ALL NONE -j DROP
${IPTABLES} -A INPUT -i eth0 -p tcp --tcp-flags SYN,RST SYN,RST -j DROP
${IPTABLES} -A INPUT -i eth0 -p tcp --tcp-flags SYN,FIN SYN,FIN -j DROP
# Dropping every ICMP type also discards "fragmentation needed", which breaks
# path-MTU discovery towards this host; restrict to echo-request if that bites.
${IPTABLES} -A INPUT -i eth0 -p icmp -j DROP
${IPTABLES} -A INPUT -i eth0 -p udp --sport 137 --dport 137 -j DROP
echo -n "DONE"
echo
echo

# Services this host offers to the Internet (any interface, any source).
echo -n "Opening ports 50021 50022 50080 ................ "
${IPTABLES} -A INPUT -p tcp --dport 50021 -j ACCEPT
${IPTABLES} -A INPUT -p tcp --dport 50022 -j ACCEPT
${IPTABLES} -A INPUT -p tcp --dport 50080 -j ACCEPT
echo -n "DONE"
echo

# LAN -> Internet is allowed freely; Internet -> LAN only for replies.  Note
# that the FORWARD policy below is ACCEPT, so the ESTABLISHED,RELATED rule on
# its own does not stop unsolicited inbound traffic to the LAN.
echo -n "Masquerade internal clients to the Internet .... "
${IPTABLES} -A FORWARD -i eth0 -o eth1 -m state --state ESTABLISHED,RELATED -j ACCEPT
${IPTABLES} -A FORWARD -i eth1 -o eth0 -j ACCEPT
${IPTABLES} -t nat -A POSTROUTING -o eth0 -j MASQUERADE
echo -n "DONE"
echo
echo

echo -n "Setting Default Policies ....................... "
${IPTABLES} -P INPUT DROP
# Loopback and replies to connections this host opened itself (DNS lookups,
# package updates, an FTP control channel from the firewall) would otherwise
# hit the DROP policy, since only eth1 and the three open ports are accepted.
${IPTABLES} -A INPUT -i lo -j ACCEPT
${IPTABLES} -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
${IPTABLES} -A INPUT -i eth1 -j ACCEPT
${IPTABLES} -P OUTPUT ACCEPT
${IPTABLES} -P FORWARD ACCEPT
echo -n "DONE"
echo
echo

echo -n "Forwarding traffic to internal servers"
echo

# PPTP: TCP 1723 control channel plus GRE (protocol 47) for the tunnel, both
# DNAT'ed to the internal VPN server.  The GRE packets reach 10.0.0.2 only
# because the FORWARD policy is ACCEPT; the explicit rule covers TCP 1723 alone.
echo -n "Forwarding VPN ................................. "
${IPTABLES} -t nat -A PREROUTING -i eth0 -p tcp --dport 1723 -j DNAT --to-destination 10.0.0.2:1723
${IPTABLES} -t nat -A PREROUTING -i eth0 -p gre -j DNAT --to 10.0.0.2
${IPTABLES} -A FORWARD -p tcp -i eth0 -d 10.0.0.2 --dport 1723 -j ACCEPT
echo -n "DONE"
echo

echo
echo -n "Done loading the firewall!"
echo
echo
jlevie

Clients behind a firewall almost always need to be using Passive mode. Are they?
xterminator (ASKER)
That's not an option, because the FTP server I'm connecting to doesn't allow passive mode.
It seems you can connect to the ftp server through the control channel.
With active mode the remote server starts the connection from port 20.
# active FTP
iptables -A INPUT -p tcp --sport 20 -m state --state ESTABLISHED,RELATED -j ACCEPT
iptables -A OUTPUT -p tcp --dport 20 -m state --state ESTABLISHED -j ACCEPT

If this doesn't work, install iptraf and try to troubleshoot. Try also replacing the first line with:
iptables -A INPUT -p tcp --sport 20 -m state --state NEW,ESTABLISHED,RELATED -j ACCEPT
but it should work without doing this.

If I were you, I would set the default policy of the OUTPUT chain to DROP, and in your security rules add one to deny broadcasts.

bye
So if I understand it correctly, the following line: ${IPTABLES} -P OUTPUT ACCEPT changes to ${IPTABLES} -P OUTPUT DROP
and I also need to add the 2 following lines:
iptables -A INPUT -p tcp --sport 20 -m state --state ESTABLISHED,RELATED -j ACCEPT
iptables -A OUTPUT -p tcp --dport 20 -m state --state ESTABLISHED -j ACCEPT

How do I deny broadcasts with the IPTABLES ?
For the broadcast, I just thought it was an interesting feature to add. For example, if a machine in your network is flooding with bcast packets, your firewall will stop these; otherwise the whole Internet could reply to your request and cause your LL to be saturated (actually the routers of your provider could deny these broadcast messages).
iptables -A FORWARD -d 255.0.0.0/8 -j DROP
iptables -A OUTPUT -d 255.0.0.0/8 -j DROP
could do it, although there should be a more clever way to write the rule.

Be careful: if you change ${IPTABLES} -P OUTPUT ACCEPT to ${IPTABLES} -P OUTPUT DROP you'll have to write all the rules for your packets to go out. But in general I don't do many things with my firewall (ssh, dns, vpn, maybe ftp or http).

Let me know if your ftp active mode works now.
ASKER CERTIFIED SOLUTION
jlevie
[solution text not shown on this page]
Unfortunately, adding the lines:
iptables -A INPUT -p tcp --sport 20 -m state --state ESTABLISHED,RELATED -j ACCEPT
iptables -A OUTPUT -p tcp --dport 20 -m state --state ESTABLISHED -j ACCEPT
doesn't seem to help.

This is the log of my FTP client:
[11:36:10] [R] SYST
[11:36:10] [R] 215 Windows_NT version 5.0
[11:36:10] [R] FEAT
[11:36:10] [R] 500 'FEAT': command not understood
[11:36:10] [R] PWD
[11:36:10] [R] 257 "/lasertronix" is current directory.
[11:36:10] [R] TYPE A
[11:36:10] [R] 200 Type set to A.
[11:36:10] [R] PORT 10,0,0,5,8,224
[11:36:10] [R] 500 Invalid PORT Command.
[11:36:10] [R] LIST -al
[11:36:10] [R] 150 Opening ASCII mode data connection for /bin/ls.
[11:36:33] [R] 425 Can't open data connection.
[11:36:33] [R] List Complete: 0 bytes in 22,98 seconds (0,0 KB/s)
[11:36:33] [R] PORT 10,0,0,5,8,225
[11:36:33] [R] 500 Invalid PORT Command.
[11:36:33] [R] LIST -al
[11:36:33] [R] 150 Opening ASCII mode data connection for /bin/ls.
[11:36:56] [R] 425 Can't open data connection.
[11:36:56] [R] List Complete: 0 bytes in 45,94 seconds (0,0 KB/s)
Could you add these lines so the connection tracking can be started:
iptables -A OUTPUT -p tcp --dport 21 -m state --state NEW,ESTABLISHED -j ACCEPT
iptables -A INPUT -p tcp --sport 21 -m state --state ESTABLISHED -j ACCEPT

Please install iptraf on your machine, or something similar; it will help to see exactly when the problem happens.

bye
The problem with an Active FTP session, and the reason that the "ESTABLISHED" rule doesn't help, lies in the requirements of an Active session. When a client initiates an FTP session to an Active server it opens an outbound connection to the server's port 21. That's fine as far as a firewall is concerned. The problem is that any command that causes a transfer of data (ls, get, put) requires that the server open a connection from 20/TCP (on the server) to some port in the 1024-65535 range on the client. Since this is an inbound connection that isn't part of an established connection, it won't get through the firewall. Additionally, in the case of NAT'ed connections, the firewall won't know which inside machine the inbound connection is supposed to be NAT'ed to.

For a full discussion of Active vs Passive FTP see http://slacksite.com/other/ftp.html
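The log above makes this concrete: the client behind NAT sends PORT 10,0,0,5,8,224, i.e. its own private address 10.0.0.5 and port 8*256+224 = 2272, while the server sees the control connection arriving from the firewall's public address, and answers 500 Invalid PORT Command. The script below is an added example and not code from the thread: it decodes PORT arguments, applies the address check an FTP server commonly makes (PORT address must equal the control-connection peer), and shows what the iptables FTP NAT helper (nf_nat_ftp) would substitute. The public address 203.0.113.10 is an assumed value, and the helper is assumed to keep the client's port number.

```shell
#!/bin/sh
# Added example, not code from the thread: decode an FTP PORT argument the way
# the server does, and show why a masqueraded client's PORT is refused unless
# something rewrites it.  The PORT strings are copied from the log above; the
# firewall's public address 203.0.113.10 is an assumed documentation value.

# parse_port_cmd "PORT h1,h2,h3,h4,p1,p2" -> "h1.h2.h3.h4 PORT" (port = p1*256+p2)
parse_port_cmd() {
    args=${1#PORT}
    args=${args# }                  # strip the verb and the separating space
    args=${args%%[!0-9,]*}          # cut at the first char that is not a digit or comma (CR/LF)
    oldifs=$IFS; IFS=,
    set -- $args                    # split the six decimal fields
    IFS=$oldifs
    [ $# -eq 6 ] || { echo "malformed PORT argument: $args" >&2; return 1; }
    for n in "$@"; do
        [ "$n" -ge 0 ] && [ "$n" -le 255 ] || { echo "byte out of range: $n" >&2; return 1; }
    done
    echo "$1.$2.$3.$4 $(( $5 * 256 + $6 ))"
}

# is_private ADDR -> true when ADDR is in an RFC 1918 block
is_private() {
    case $1 in
        10.*|192.168.*|172.1[6-9].*|172.2[0-9].*|172.3[01].*) return 0 ;;
    esac
    return 1
}

# server_view CTRL_PEER "PORT ..." -> verdict of a server that checks the PORT
# address against the control connection's peer (an anti-bounce check, and
# what the "500 Invalid PORT Command" lines in the log show).
server_view() {
    peer=$1
    decoded=$(parse_port_cmd "$2") || return 1
    ip=${decoded% *}
    port=${decoded#* }
    if [ "$ip" = "$peer" ]; then
        echo "accept $ip $port"
    else
        echo "reject $ip $port (PORT address is not the control peer $peer)"
    fi
}

# nat_rewrite PUBLIC_IP "PORT ..." -> the PORT line the nf_nat_ftp helper would
# send instead.  Assumed here: the helper keeps the client's port number (the
# real one may pick another free port) and registers an expectation so that the
# server's connection to PUBLIC_IP:port is DNAT'ed back to the private address.
nat_rewrite() {
    decoded=$(parse_port_cmd "$2") || return 1
    port=${decoded#* }
    oldifs=$IFS; IFS=.
    set -- $1                       # split the public address into octets
    IFS=$oldifs
    echo "PORT $1,$2,$3,$4,$(( port / 256 )),$(( port % 256 ))"
}

# Constructed walk-through, mirroring the first PORT/500 pair in the log.
PUBLIC_IP=203.0.113.10
CLIENT_PORT_CMD="PORT 10,0,0,5,8,224"

demo() {
    decoded=$(parse_port_cmd "$CLIENT_PORT_CMD")
    echo "client sends:      $CLIENT_PORT_CMD"
    echo "decoded:           $decoded"
    if is_private "${decoded% *}"; then
        echo "note:              ${decoded% *} is RFC 1918, unreachable from the server"
    fi
    echo "server verdict:    $(server_view "$PUBLIC_IP" "$CLIENT_PORT_CMD")"
    rewritten=$(nat_rewrite "$PUBLIC_IP" "$CLIENT_PORT_CMD")
    echo "after nf_nat_ftp:  $rewritten"
    echo "server verdict:    $(server_view "$PUBLIC_IP" "$rewritten")"
}

demo
```

The reject branch is exactly what the asker's client log records: the firewall masquerades the control channel but leaves the PORT payload alone, so the server is asked to connect back to an address it cannot reach and that does not match its peer. The rewrite is what the NAT helper does in the kernel; the firewall rules alone, whatever ports they open, cannot fix the payload.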
Well, I guessed that was the problem.
So it's a major security hole in my firewall in order to make the active connection work. They can't possibly want me to open all ports from 1024 to 65535. (What is the use of my firewall then?)
Isn't there a workaround?
> They can't possibly want me to open all ports from 1024 to 65535. (Where is the use my firewall?)

Well, that's what's required for Active FTP to work. That, and NPAT, are why Passive mode was created.

> Isn't there a workaround ?

Use Passive mode.
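There is a third option that the exchange above does not reach: the kernel's FTP connection-tracking helper. It watches the control channel, registers an expectation for the data connection so that the server's port-20 connection is classified RELATED, and, for masqueraded clients, rewrites the private address in PORT, so no 1024-65535 range has to be opened. The script below is an added example, not the asker's script and not one of the answers; it assumes eth0 (Internet) and eth1 (LAN) from the thread and a 10.0.0.0/24 LAN (only 10.0.0.x hosts appear above), prints the commands when DRY_RUN=1 (the default) and applies them as root when DRY_RUN=0. The -m conntrack/--ctstate match is the current spelling of the -m state/--state used in the asker's script, and the raw-table CT rule is the explicit helper assignment that kernels since 4.7 require (automatic helper assignment is off by default there and later removed entirely).

```shell
#!/bin/sh
# Added example (not the asker's script, not an answer from the thread):
# active FTP for a masqueraded LAN client using the kernel's FTP conntrack
# helper.  Assumptions: eth0 is the Internet side and eth1 the LAN, as in the
# thread; the LAN is 10.0.0.0/24.  With DRY_RUN=1 (the default) the commands
# are printed instead of executed, so the rule set can be reviewed anywhere;
# run with DRY_RUN=0 as root to apply it.

DRY_RUN=${DRY_RUN:-1}
if [ "$DRY_RUN" = 1 ]; then
    IPTABLES="echo iptables"
    MODPROBE="echo modprobe"
else
    IPTABLES=/sbin/iptables
    MODPROBE=/sbin/modprobe
fi
WAN=eth0
LAN=eth1
LAN_NET=10.0.0.0/24

# ftp_rules emits the complete set; it is a function so the dry-run output can
# be captured and checked.
ftp_rules() {
    # 1. Load the helper.  nf_conntrack_ftp parses PORT/PASV on the control
    #    channel and registers an expectation for the coming data connection;
    #    nf_nat_ftp additionally rewrites the private address inside PORT to
    #    the masqueraded one.  (2.4/early 2.6 kernels call them
    #    ip_conntrack_ftp and ip_nat_ftp.)
    $MODPROBE nf_conntrack_ftp
    $MODPROBE nf_nat_ftp

    # 2. Since kernel 4.7 helpers are no longer attached automatically; bind
    #    the ftp helper explicitly to LAN-originated connections to port 21.
    $IPTABLES -t raw -A PREROUTING -i $LAN -p tcp --dport 21 -j CT --helper ftp

    # 3. LAN clients may open the control channel.
    $IPTABLES -A FORWARD -i $LAN -o $WAN -s $LAN_NET -p tcp --dport 21 \
        -m conntrack --ctstate NEW -j ACCEPT

    # 4. The server's connection from its port 20 back to the client matches
    #    the expectation, so conntrack marks it RELATED and the NAT engine
    #    DNATs it to the inside host.  One stateful rule admits it; no port
    #    range is opened.
    $IPTABLES -A FORWARD -i $WAN -o $LAN -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT

    # 5. Anything else the Internet initiates towards the LAN is dropped.
    #    Port-forward ACCEPTs (the 1723 rule in the script above) must be
    #    appended before this line.
    $IPTABLES -A FORWARD -i $WAN -o $LAN -m conntrack --ctstate NEW,INVALID -j DROP

    # 6. Masquerade as before, restricted to the LAN prefix.
    $IPTABLES -t nat -A POSTROUTING -o $WAN -s $LAN_NET -j MASQUERADE
}

ftp_rules
```

To confirm the helper is actually attached, start a directory listing and look at `cat /proc/net/nf_conntrack_expect` (or `conntrack -L expect` from conntrack-tools) while it runs: an expectation for the server's port 20 towards the client should appear. If it does not, the control connection was not handed to the helper (rule 2 missing, or the modules not loaded), and the data connection will still be dropped as NEW.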
Hm, then I'll have to e-mail the hosting company....
Anyway, thanks for the info.

Both answers, mikygee's and jlevie's, deserve points. Can't I give them both an equal share? :D
I'd be really surprised to find that an FTP server at a hosting org didn't support Passive FTP. Have you tried a client in Passive mode?
Yep, I even contacted the hosting company 10x about the same problem.
Every time the same answer: "We'll check it out for you."
That's why I tried to resolve it myself. Now I guess I'll just have to find another, much better hosting company.
So, DON'T host your site with SCARLET (Belgium) hosting company.

Thanks for the advice... still dealing with the points issue :)