ftp data over openvpn

I am having issues with the Windows ftp client over openvpn.  The ftp client can make a connection to the ftp server but cannot initialize the data connection.  I have port 20 open in the firewall.  I have used passive mode in the ftp client.  The ftp client is proven to be working fine when the host is on the LAN or using an external address to connect.  Only the data connection over openvpn does not work.

I remember seeing ports in the 40000-60000 range used for the data connection from watching traffic analyzers...  I do not have these ports open in the firewall.  I'm thinking this is my issue but I'm not sure how to fix it.

The ftp client is Windows XP/Vista (multiple machines have been tried).
The firewall and openvpn are running on Red Hat Enterprise Linux 5.4.




Thanks
Asked by SRG041808

lesouef commented:
I don't know the syntax for your FW, but if you can enable traffic 'IN' (server > client) for TCP ports 1024 > 65536, you're OK, and if you restrict this to your server IP, that is safe enough.
0
 
Rick_O_Shay commented:
I think you also need port 21 for FTP and the return from the non-well-known ports 1024 to 65535 as well. Here is a link to an example on Linux.
http://www.cyberciti.biz/faq/iptables-open-ftp-port-21/
0
 
SRG041808 (author) commented:
That is a rather big port range... will that affect the security of the machine?

Another interesting thing is that from Windows Explorer (not IE) I can do ftp://username@hostname and it sees the directory listing.... does Windows Explorer know something that the command line doesn't?
0
 
SRG041808 (author) commented:
I found the below command after googling... any opinions?

Also I'm thinking that there must be a few more to make it work with openvpn


iptables -A INPUT -m helper --helper ftp -j ACCEPT
0
 
lesouef commented:
You indeed need a port range to be open for ftp (apart from 20 and 21), even in passive mode (one way only). With some ftp servers you can adjust this range, but it still needs to be open in the VPN settings. But normally a VPN lets almost everything through, so check this with your admin guy.
About IE seeing files: IE may use proxy settings that the command line ignores; on top of that, the cmd line ftp is active by default (not completely true anymore with recent OSs). Try to switch to passive before transferring a file, if you can get this far. Also you must know that commands (ls, dir, chdir...) use ports 20 and 21, while data transfer needs another range of ports to be usable. So getting a listing is not a full proof; check if you can send a file with IE.
0
 
SRG041808 (author) commented:
I was the one who set up the VPN... It's really weird that only the Windows command line doesn't work.... We use the FTP client software called "CoreFTP" and it works beautifully... I have tried using PASV with no success.. Here is my error message..... 192.168.1.5 is the ftp server and 192.168.1.228 is the VPN server... The last time I entered the "dir" command it just hung and I had to CTRL+C, resulting in the abort.... I'm attaching my iptables config from the VPN box.

230 User logged in.
ftp> dir
500 Illegal PORT command.
425-Can't build data connection for 192.168.1.228,49654
425 connect to network object rejected
ftp> ls
425-Can't build data connection for 192.168.1.228,49654
425 connect to network object rejected
ftp> quote pasv
227 Entering Passive Mode (192,168,1,5,224,22)
ftp> dir
Aborting any active data connections...
ftp>

# Manual customization of this file is not recommended.
#let's set up NAT
*nat
:PREROUTING ACCEPT [0:0]
:POSTROUTING ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
-A POSTROUTING -s 192.168.8.0/24 -d 192.168.1.0/24 -j MASQUERADE
COMMIT
*filter
:INPUT ACCEPT [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
:RH-Firewall-1-INPUT - [0:0]
-A INPUT -j RH-Firewall-1-INPUT
-A FORWARD -j RH-Firewall-1-INPUT
-A RH-Firewall-1-INPUT -i lo -j ACCEPT
-A RH-Firewall-1-INPUT -p icmp --icmp-type any -j ACCEPT
-A RH-Firewall-1-INPUT -p 50 -j ACCEPT
-A RH-Firewall-1-INPUT -p 51 -j ACCEPT
-A RH-Firewall-1-INPUT -p udp --dport 5353 -d 224.0.0.251 -j ACCEPT
-A RH-Firewall-1-INPUT -p udp -m udp --dport 631 -j ACCEPT
-A RH-Firewall-1-INPUT -p tcp -m tcp --dport 631 -j ACCEPT
-A RH-Firewall-1-INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
-A RH-Firewall-1-INPUT -m state --state NEW -m tcp -p tcp --dport 21 -j ACCEPT
-A RH-Firewall-1-INPUT -m state --state NEW -m tcp -p tcp --dport 25 -j ACCEPT
-A RH-Firewall-1-INPUT -m state --state NEW -m tcp -p tcp --dport 22 -j ACCEPT
-A RH-Firewall-1-INPUT -m state --state NEW -m udp -p udp --dport 137 -j ACCEPT
-A RH-Firewall-1-INPUT -m state --state NEW -m udp -p udp --dport 138 -j ACCEPT
-A RH-Firewall-1-INPUT -m state --state NEW -m tcp -p tcp --dport 139 -j ACCEPT
-A RH-Firewall-1-INPUT -m state --state NEW -m tcp -p tcp --dport 445 -j ACCEPT
-A RH-Firewall-1-INPUT -m state --state NEW -m tcp -p tcp --dport 443 -j ACCEPT
-A RH-Firewall-1-INPUT -m state --state NEW -m tcp -p tcp --dport 23 -j ACCEPT
-A RH-Firewall-1-INPUT -m state --state NEW -m tcp -p tcp --dport 80 -j ACCEPT
-A RH-Firewall-1-INPUT -m state --state NEW -m tcp -p tcp --dport 8080 -j ACCEPT
-A RH-Firewall-1-INPUT -m state --state NEW -m tcp -p tcp --dport 5670 -j ACCEPT
-A RH-Firewall-1-INPUT -m state --state NEW -m udp -p udp --dport 33333 -j ACCEPT
-A RH-Firewall-1-INPUT -m state --state NEW -m tcp -p tcp --dport 20 -j ACCEPT
-A RH-Firewall-1-INPUT -m state --state NEW -m tcp -p tcp --dport 1023 -j ACCEPT
#custom commands below
-A RH-Firewall-1-INPUT -i tap0 -j ACCEPT
-A FORWARD -i tap0 -j ACCEPT
-A FORWARD -m state --state RELATED,ESTABLISHED -j ACCEPT
-A OUTPUT -o tap0 -j ACCEPT
COMMIT

0
 
lesouef commented:
Not surprised... seen this before.
Above you can see the attempt on port 49654 which is rejected, confirming cmd line ftp wants to talk on this port. The difference is probably the way the file list (dir) is requested; I know the cmd line ftp is using LIST -A, which is not handled the same way as the IE method. Can you create a remote folder, for instance?
Anyway, the solution is to open a TCP range "in" above 1024. I'll let you know if I can find more on the subject.
0
 
lesouef commented:
The best source to understand, not necessarily to fix:
http://www.slacksite.com/other/ftp.html
0
 
SRG041808 (author) commented:
I have been looking at various ways to open the firewall for the ftp traffic..... I have attached stuff I have found on the net... I'm not sure which one is the way to go....

#rules for port 21
iptables -A INPUT -p tcp -s 0/0 --sport 1024:65535 -d 202.54.1.20 --dport 21 -m state --state NEW,ESTABLISHED -j ACCEPT
iptables -A OUTPUT -p tcp -s 202.54.1.20 --sport 21 -d 0/0 --dport 1024:65535 -m state --state ESTABLISHED -j ACCEPT

iptables -A INPUT -p tcp -s 0/0 --sport 1024:65535 -d 202.54.1.20 --dport 1024:65535 -m state --state ESTABLISHED,RELATED -j ACCEPT
iptables -A OUTPUT -p tcp -s 202.54.1.20 --sport 1024:65535 -d 0/0 --dport 1024:65535 -m state --state ESTABLISHED -j ACCEPT

#rules for port 20
iptables -A OUTPUT -p tcp -s 202.54.1.20 --sport 20 -d 0/0 --dport 1024:65535 -m state --state ESTABLISHED,RELATED -j ACCEPT
iptables -A INPUT -p tcp -s 0/0 --sport 1024:65535 -d 202.54.1.20 --dport 20 -m state --state ESTABLISHED -j ACCEPT

just look at them:
#never use next 2 lines!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
iptables -A OUTPUT -o eth0 -p tcp --sport ftp -j ACCEPT
iptables -A OUTPUT -o eth0 -p tcp --sport ftp-data -j ACCEPT

all connections from source port 20 or 21 are accepted, no matter where they go. obviously, an attacker that has full control over the computer which he uses to attack you could choose to start his attack from one of these ports - your system is totally open to these attacks.


#supposed way to allow ftp
modprobe ip_conntrack_ftp
iptables -A INPUT -m helper --helper ftp -j ACCEPT

is the correct way to deal with active ftp.


iptables -A FORWARD -i $eth0 -o $eth1 -p TCP --sport ftp-data --dport 1024:65535 -j ACCEPT
iptables -A FORWARD -i $eth1 -o $eth0 -p TCP --sport 1024:65535 --dport ftp-data -j ACCEPT

This is for the active mode.
If you want to use passive mode, change the port from "ftp-data" to "1024:65535" in the two lines above. Although I didn't try it, it should work fine.

0
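The two approaches discussed in this thread differ in what the firewall lets in: lesouef's static "IN" range (any TCP port above 1024 from the server's address) versus the `ip_conntrack_ftp` helper in the rules above, which reads the control channel and only accepts the one data connection the session actually announced. The model below is an added example, not code from the thread or from netfilter. It parses the transcript's `227 Entering Passive Mode (192,168,1,5,224,22)` reply and a `PORT` command, records the expected data connection the way a helper does, and classifies a subsequent connection attempt as RELATED or NEW. The client VPN address 192.168.8.10 is constructed; the real kernel helper additionally rewrites addresses when NAT is involved (`ip_nat_ftp`) and has a `loose` module parameter that relaxes the address check modelled here.

```python
import re

# Shapes taken from the thread's transcript:
#   227 Entering Passive Mode (192,168,1,5,224,22)   (server reply, passive mode)
#   PORT h1,h2,h3,h4,p1,p2                           (client command, active mode)
PASV_RE = re.compile(r"^227\b.*?\((\d+),(\d+),(\d+),(\d+),(\d+),(\d+)\)")
PORT_RE = re.compile(r"^PORT\s+(\d+),(\d+),(\d+),(\d+),(\d+),(\d+)\s*$", re.I)


def decode_hostport(fields):
    """Turn the six h1,h2,h3,h4,p1,p2 fields into ('a.b.c.d', port)."""
    h1, h2, h3, h4, p1, p2 = (int(f) for f in fields)
    if not all(0 <= x <= 255 for x in (h1, h2, h3, h4, p1, p2)):
        raise ValueError("field out of range in %r" % (fields,))
    return f"{h1}.{h2}.{h3}.{h4}", p1 * 256 + p2


def parse_pasv_reply(line):
    """Server 227 reply -> (server_ip, data_port), or None if not a PASV reply."""
    m = PASV_RE.match(line.strip())
    return decode_hostport(m.groups()) if m else None


def parse_port_command(line):
    """Client PORT command -> (client_ip, data_port), or None if not PORT."""
    m = PORT_RE.match(line.strip())
    return decode_hostport(m.groups()) if m else None


class FtpHelper:
    """Minimal model of an FTP connection-tracking helper (constructed).

    It watches the control channel of one session and records the single
    data connection it expects next; a matching SYN is RELATED, anything
    else is NEW and falls through to the rest of the ruleset.
    """

    def __init__(self, client_ip, server_ip):
        self.client_ip = client_ip
        self.server_ip = server_ip
        self.expectations = []  # (mode, src_ip, dst_ip, dst_port)

    def observe(self, direction, line):
        """direction is 'c2s' for a client command, 's2c' for a server reply."""
        if direction == "c2s":
            hp = parse_port_command(line)
            if hp is None:
                return None
            ip, port = hp
            # Address in PORT must be the control connection's peer; otherwise
            # no expectation is created (the server in the thread said
            # '500 Illegal PORT command' in that situation).
            if ip != self.client_ip:
                return "illegal-port"
            # Active mode: the server opens the data connection to the client.
            self.expectations.append(("active", self.server_ip, ip, port))
            return "expect-active"
        hp = parse_pasv_reply(line)
        if hp is None:
            return None
        ip, port = hp
        # Passive mode: the client opens the data connection to the server.
        self.expectations.append(("passive", self.client_ip, ip, port))
        return "expect-passive"

    def classify(self, src_ip, dst_ip, dst_port):
        """Classify a new TCP connection attempt; expectations are one-shot."""
        for exp in self.expectations:
            if (src_ip, dst_ip, dst_port) == exp[1:]:
                self.expectations.remove(exp)
                return "RELATED"
        return "NEW"


def static_range_allows(src_ip, dst_port, server_ip, low=1024, high=65535):
    """The fixed 'IN' range alternative: any high port from the server's
    address is accepted, whether or not a session announced it."""
    return src_ip == server_ip and low <= dst_port <= high


if __name__ == "__main__":
    helper = FtpHelper(client_ip="192.168.8.10", server_ip="192.168.1.5")
    print(helper.observe("s2c", "227 Entering Passive Mode (192,168,1,5,224,22)"))
    print(helper.classify("192.168.8.10", "192.168.1.5", 57366))  # RELATED
    print(helper.observe("c2s", "PORT 192,168,8,10,193,246"))      # port 49654
    print(helper.classify("192.168.1.5", "192.168.8.10", 49654))  # RELATED
    print(static_range_allows("192.168.1.5", 49654, "192.168.1.5"))
```

Both approaches make the transcript's rejected data connection work; the difference is that the helper's RELATED match opens only ports a live session named, while the static range leaves every high port reachable from the server's address.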
 
SRG041808 (author) commented:
OK, I'll see if I can get this in place and tested....

If anyone else knows the FW rule I need feel free to post it....

thanks
0
 
SRG041808 (author) commented:
I'm closing this question because that is the logical solution, but I'm still looking for the iptables rules, which is another issue.
0