Solved

ftp data over openvpn

Posted on 2009-12-18
Last Modified: 2013-12-09
I am having issues with the Windows ftp client over openvpn.  The ftp client can make a connection to the ftp server but cannot initialize the data connection.  I have port 20 open in the firewall.  I have used passive mode in the ftp client.  The ftp client is proven to be working fine when the host is on the LAN or using an external address to connect.  Only the data connection over openvpn does not work.

I remember seeing ports in the 40000-60000 range used for the data connection from watching traffic analyzers...  I do not have these ports open in the firewall.  I'm thinking this is my issue but I'm not sure how to fix it.

The ftp client is Windows Xp/vista (multiple machines have been tried)
The firewall and openvpn are running on Red Hat Enterprise Linux 5.4

Thanks
Question by:SRG041808

11 Comments

Expert Comment by:Rick_O_Shay
ID: 26082789
I think you also need port 21 for FTP and the return from the non well known ports 1024 to 65535 as well. Here is a link to an example on Linux.
http://www.cyberciti.biz/faq/iptables-open-ftp-port-21/

Author Comment by:SRG041808
ID: 26099050
That is a rather big port range.. will that affect the security of the machine?

Another interesting thing is that from Windows Explorer (not IE) I can do ftp://username@hostname and it sees the directory listing.... does Windows Explorer know something that command line doesn't?

Author Comment by:SRG041808
ID: 26100273
I found the below command after googling... any opinions?

Also I'm thinking that there must be a few more to make it work with openvpn


iptables -A INPUT -m helper --helper ftp -j ACCEPT

Expert Comment by:lesouef
ID: 26137941
you indeed need a port range to be open for ftp (apart from 20 and 21), even in passive mode (one way only). with some ftp servers, you can adjust this range, but it still needs to be open in the VPN settings. but normally a VPN lets almost everything through, so check this with your admin guy.
about IE seeing files, IE may use proxy settings that the command line ignores; on top of that, the cmd line ftp is active by default (not completely true anymore with recent OSs). try to switch to passive before transferring a file, if you can get this far. also you must know that commands (ls, dir, chdir...) use ports 20 and 21, while data transfer needs another range of ports to be usable. so getting a list is not full proof; check if you can send a file with IE

Author Comment by:SRG041808
ID: 26138073
I was the one who set up the vpn... It's really weird that only Windows command line doesn't work.... We use the FTP client software called "CoreFTP" and it works beautifully... I have tried using PASV with no success..  here is my error message.....192.168.1.5 is the ftp server and 192.168.1.228 is the vpn server... the last time I entered the "dir" command it just hangs and I had to CTRL+C resulting in the abort....I'm attaching my iptables config from the vpn box

230 User logged in.
ftp> dir
500 Illegal PORT command.
425-Can't build data connection for 192.168.1.228,49654
425 connect to network object rejected
ftp> ls
425-Can't build data connection for 192.168.1.228,49654
425 connect to network object rejected
ftp> quote pasv
227 Entering Passive Mode (192,168,1,5,224,22)
ftp> dir
Aborting any active data connections...
ftp>

# Manual customization of this file is not recommended.
#let's set up NAT
*nat
:PREROUTING ACCEPT [0:0]
:POSTROUTING ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
-A POSTROUTING -s 192.168.8.0/24 -d 192.168.1.0/24 -j MASQUERADE
COMMIT
*filter
:INPUT ACCEPT [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
:RH-Firewall-1-INPUT - [0:0]
-A INPUT -j RH-Firewall-1-INPUT
-A FORWARD -j RH-Firewall-1-INPUT
-A RH-Firewall-1-INPUT -i lo -j ACCEPT
-A RH-Firewall-1-INPUT -p icmp --icmp-type any -j ACCEPT
-A RH-Firewall-1-INPUT -p 50 -j ACCEPT
-A RH-Firewall-1-INPUT -p 51 -j ACCEPT
-A RH-Firewall-1-INPUT -p udp --dport 5353 -d 224.0.0.251 -j ACCEPT
-A RH-Firewall-1-INPUT -p udp -m udp --dport 631 -j ACCEPT
-A RH-Firewall-1-INPUT -p tcp -m tcp --dport 631 -j ACCEPT
-A RH-Firewall-1-INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
-A RH-Firewall-1-INPUT -m state --state NEW -m tcp -p tcp --dport 21 -j ACCEPT
-A RH-Firewall-1-INPUT -m state --state NEW -m tcp -p tcp --dport 25 -j ACCEPT
-A RH-Firewall-1-INPUT -m state --state NEW -m tcp -p tcp --dport 22 -j ACCEPT
-A RH-Firewall-1-INPUT -m state --state NEW -m udp -p udp --dport 137 -j ACCEPT
-A RH-Firewall-1-INPUT -m state --state NEW -m udp -p udp --dport 138 -j ACCEPT
-A RH-Firewall-1-INPUT -m state --state NEW -m tcp -p tcp --dport 139 -j ACCEPT
-A RH-Firewall-1-INPUT -m state --state NEW -m tcp -p tcp --dport 445 -j ACCEPT
-A RH-Firewall-1-INPUT -m state --state NEW -m tcp -p tcp --dport 443 -j ACCEPT
-A RH-Firewall-1-INPUT -m state --state NEW -m tcp -p tcp --dport 23 -j ACCEPT
-A RH-Firewall-1-INPUT -m state --state NEW -m tcp -p tcp --dport 80 -j ACCEPT
-A RH-Firewall-1-INPUT -m state --state NEW -m tcp -p tcp --dport 8080 -j ACCEPT
-A RH-Firewall-1-INPUT -m state --state NEW -m tcp -p tcp --dport 5670 -j ACCEPT
-A RH-Firewall-1-INPUT -m state --state NEW -m udp -p udp --dport 33333 -j ACCEPT
-A RH-Firewall-1-INPUT -m state --state NEW -m tcp -p tcp --dport 20 -j ACCEPT
-A RH-Firewall-1-INPUT -m state --state NEW -m tcp -p tcp --dport 1023 -j ACCEPT
#custom commands below
-A RH-Firewall-1-INPUT -i tap0 -j ACCEPT
-A FORWARD -i tap0 -j ACCEPT
-A FORWARD -m state --state RELATED,ESTABLISHED -j ACCEPT
-A OUTPUT -o tap0 -j ACCEPT
COMMIT

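Added note and example, not part of the thread: the session above shows the two data-connection modes and why neither gets through here. In active mode the client sends PORT with its own address and a high port and the server connects to it from tcp/20; because the VPN box masquerades 192.168.8.0/24, the server sees the client as 192.168.1.228 and, as the 425 lines show, tries to reach 192.168.1.228:49654, the VPN box's own LAN address, where nothing is listening and, unless the FTP NAT helper is loaded, nothing maps that connection back to the client. In passive mode the server answers 227 with its own address and port (192,168,1,5,224,22 is 192.168.1.5 port 57366) and the client connects to that; `quote pasv` only sends the command, and the Windows command-line ftp client has no passive mode of its own, so the following `dir` still issues PORT. Windows Explorer goes through WinInet, whose passive-FTP option is on by default, which is consistent with it working where ftp.exe does not. The script below is example code, not from the thread: it decodes the 227 reply quoted above and a constructed PORT command (192.168.8.10 is an assumed VPN client address) and states which side must open the data connection, which is the connection a firewall between the two has to admit besides tcp/21.

```shell
#!/bin/sh
# Added example (not from the thread): decode the address/port pairs that
# FTP exchanges for the data connection and say which side must open it.
# Inputs are the 227 reply quoted in the thread plus a constructed PORT
# command; 192.168.8.10 is an assumed VPN client address.

# PORT commands and 227 replies carry the port as two bytes: p1*256 + p2.
ftp_port() {                                  # usage: ftp_port p1 p2
    echo $(( $1 * 256 + $2 ))
}

# Pull the "h1,h2,h3,h4,p1,p2" tuple out of a control-channel line and
# print it as "h1.h2.h3.h4 port". Returns 1 if the line carries no tuple.
ftp_decode_hostport() {
    tuple=$(printf '%s\n' "$1" | tr -c '0-9,\n' ' ' | tr ' ' '\n' \
            | grep -E '^([0-9]{1,3},){5}[0-9]{1,3}$' | tail -n 1)
    [ -n "$tuple" ] || return 1
    old_ifs=$IFS; IFS=,
    set -- $tuple                             # $1..$4 = address, $5 $6 = port bytes
    IFS=$old_ifs
    printf '%s.%s.%s.%s %s\n' "$1" "$2" "$3" "$4" "$(ftp_port "$5" "$6")"
}

# Given a PORT command (active mode) or a 227 reply (passive mode), print
# who opens the data connection and the address:port it goes to. This is
# the connection a firewall or NAT box between client and server must
# admit, in addition to the control connection on tcp/21.
ftp_data_endpoint() {
    line=$1
    hp=$(ftp_decode_hostport "$line") || return 1
    case $line in
        PORT*) printf 'server->client %s\n' "$hp" ;;   # server connects out from tcp/20
        227*)  printf 'client->server %s\n' "$hp" ;;   # client connects to the server's high port
        *)     return 1 ;;
    esac
}

# Demo on the reply quoted in the thread and on a constructed PORT command.
# The bytes 193,246 decode to 49654, the port the server was trying to
# reach in the 425 messages above.
for l in '227 Entering Passive Mode (192,168,1,5,224,22)' \
         'PORT 192,168,8,10,193,246'; do
    ftp_data_endpoint "$l"
done
```

Run it with `sh ftp-decode.sh`; the two demo lines print `client->server 192.168.1.5 57366` and `server->client 192.168.8.10 49654`. The second line is the case that fails in the thread: the server has to open a connection towards a VPN client, and on the VPN box that connection arrives addressed to the masqueraded address, so only an FTP-aware NAT (the conntrack/NAT helper) or an explicit rule for the high-port range can let it through.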
 
Expert Comment by:lesouef
ID: 26138322
not surprised... seen this before.
above you can see the attempt on port 49654 which is rejected, confirming cmd line ftp wants to talk on this port. the difference is probably the way the file list (dir) is requested, I know the cmd line ftp is using LIST -A which is not handled the same way as the IE method. Can you create a remote folder for instance?
anyway, the solution is to open a TCP range "in" above 1024. I'll let you know if I can find more on the subject

Expert Comment by:lesouef
ID: 26138355
the best source to understand, not necessarily to fix
http://www.slacksite.com/other/ftp.html

Author Comment by:SRG041808
ID: 26138570
I have been looking at various ways to open the firewall for the ftp traffic.....I have attached stuff I have found on the net... I'm not sure which one is the way to go....

#rules for port 21
iptables -A INPUT -p tcp -s 0/0 --sport 1024:65535 -d 202.54.1.20 --dport 21 -m state --state NEW,ESTABLISHED -j ACCEPT
iptables -A OUTPUT -p tcp -s 202.54.1.20 --sport 21 -d 0/0 --dport 1024:65535 -m state --state ESTABLISHED -j ACCEPT

iptables -A INPUT -p tcp -s 0/0 --sport 1024:65535 -d 202.54.1.20 --dport 1024:65535 -m state --state ESTABLISHED,RELATED -j ACCEPT
iptables -A OUTPUT -p tcp -s 202.54.1.20 --sport 1024:65535 -d 0/0 --dport 1024:65535 -m state --state ESTABLISHED -j ACCEPT

#rules for port 20
iptables -A OUTPUT -p tcp -s 202.54.1.20 --sport 20 -d 0/0 --dport 1024:65535 -m state --state ESTABLISHED,RELATED -j ACCEPT
iptables -A INPUT -p tcp -s 0/0 --sport 1024:65535 -d 202.54.1.20 --dport 20 -m state --state ESTABLISHED -j ACCEPT

just look at them:
#never use next 2 lines!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
iptables -A OUTPUT -o eth0 -p tcp --sport ftp -j ACCEPT
iptables -A OUTPUT -o eth0 -p tcp --sport ftp-data -j ACCEPT

all connections from source port 20 or 21 are accepted, no matter where they go. obviously, an attacker that has full control over the computer which he uses to attack you could choose to start his attack from one of these ports - your system is totally open to these attacks.


#supposed way to allow ftp
modprobe ip_conntrack_ftp
iptables -A INPUT -m helper --helper ftp -j ACCEPT

is the correct way to deal with active ftp.


iptables -A FORWARD -i $eth0 -o $eth1 -p tcp --sport ftp-data --dport 1024:65535 -j ACCEPT
iptables -A FORWARD -i $eth1 -o $eth0 -p tcp --sport 1024:65535 --dport ftp-data -j ACCEPT

This is for the active mode.
If you want to use passive mode, change the port from "ftp-data" to "1024:65535" in the two lines above. Although I didn't try it, it should work fine.


Accepted Solution by:lesouef (earned 2000 total points)
ID: 26139735
I don't know the syntax for your FW, but if you can enable traffic 'IN' (server > client) for TCP port 1024 > 65536, you're ok. and if you restrict this from your server IP, that is safe enough.
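Added example, not from the thread: the rules the author found above assume the FTP server runs on the firewall host itself (INPUT and OUTPUT rules on 202.54.1.20), while in this thread the server 192.168.1.5 sits behind the VPN box, which forwards and masquerades the clients' traffic. The accepted answer's inbound high-port range from the server address works, but it admits any connection the server, or whoever has taken it over, chooses to open to a VPN client. The FTP connection-tracking helper (the `ip_conntrack_ftp` module the author mentioned earlier) avoids that: it reads PORT and PASV on the control channel and lets only the matching data connection through as RELATED, and the companion NAT helper rewrites the address inside PORT to the masqueraded one, which is what a server that rejects PORT commands naming a foreign address expects. The script below is example code for the RHEL 5 VPN box; the addresses are taken from the posted config, the interface names (tap0, eth0) and the DRY_RUN switch are assumptions of this example.

```shell
#!/bin/sh
# Added example (not from the thread): FTP through the OpenVPN box with the
# iptables FTP connection-tracking helper instead of an open 1024:65535
# range. Addresses come from the posted config; interface names and the
# DRY_RUN switch are assumptions of this example.
VPN_NET=${VPN_NET:-192.168.8.0/24}     # OpenVPN client subnet (tap0)
FTP_SERVER=${FTP_SERVER:-192.168.1.5}  # FTP server on the LAN
VPN_IF=${VPN_IF:-tap0}
LAN_IF=${LAN_IF:-eth0}

# With DRY_RUN set, print each command instead of executing it so the
# rule set can be reviewed before it touches a live firewall.
run() {
    if [ -n "${DRY_RUN:-}" ]; then printf '%s\n' "$*"; else "$@"; fi
}

ftp_helper_rules() {
    # Conntrack helper: follows PORT/PASV on the control channel and marks
    # the resulting data connection RELATED. NAT helper: also rewrites the
    # address inside PORT, so the server is told the masqueraded address
    # (192.168.1.228 here) instead of the client's tap0 address, and maps
    # the server's inbound data connection back to the client. RHEL 5's
    # 2.6.18 kernel names the modules ip_*; newer kernels use nf_*.
    run modprobe ip_conntrack_ftp 2>/dev/null || run modprobe nf_conntrack_ftp
    run modprobe ip_nat_ftp       2>/dev/null || run modprobe nf_nat_ftp

    # Control channel: VPN clients to server:21. The server is not on this
    # box, so this is a FORWARD rule; the INPUT rule for port 21 in the
    # posted config never sees this traffic.
    run iptables -A FORWARD -i "$VPN_IF" -o "$LAN_IF" -s "$VPN_NET" -d "$FTP_SERVER" \
        -p tcp --dport 21 -m state --state NEW -j ACCEPT

    # Data channel, active (server:20 -> client) or passive (client ->
    # server high port): both are RELATED to the control connection once
    # the helper is loaded, so no port range needs to be opened.
    run iptables -A FORWARD -m state --state RELATED,ESTABLISHED -j ACCEPT

    # Masquerade VPN clients towards the LAN, as the posted config does.
    run iptables -t nat -A POSTROUTING -s "$VPN_NET" -d "$FTP_SERVER" -o "$LAN_IF" -j MASQUERADE
}

case ${1:-} in
    show)  DRY_RUN=1; ftp_helper_rules ;;   # print the rules for review
    apply) ftp_helper_rules ;;              # apply them (run as root)
esac
```

`sh ftp-vpn-rules.sh show` prints the commands; `apply` runs them. In the posted config FORWARD jumps into RH-Firewall-1-INPUT first, so these rules have to sit ahead of any final REJECT in that chain (insert with `-I`, or put them in the chain before the reject). The `-m helper --helper ftp` match from the earlier comment matches exactly the data connections this helper creates, which makes it a convenient place to log or further restrict them. On kernels 4.7 and later helper assignment is no longer automatic, so the same setup additionally needs a `-t raw` rule with `-j CT --helper ftp` on the control port.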

Author Comment by:SRG041808
ID: 26140226
OK, I'll see if I can get this in place and tested....

If anyone else knows the FW rule I need feel free to post it....

thanks

Author Closing Comment by:SRG041808
ID: 31674601
I'm closing this question because that is the logical solution but I'm still looking for the iptables rules which is another issue.