subject:"Re\: \[LARTC\] DNAT rule for vsftp \(PASSIVE FTP\)"

[Fwd: Re: [LARTC] DNAT rule for vsftp (PASSIVE FTP)]

2007-10-05 Thread Mohan Sundaram


Grant Taylor wrote:

I'll have to double check some things to make sure that you don't need 
to do any thing special other than just allow the initial connection and 
rely on the FTP connection tracking helper to handle all other connections.


I've never run an FTP server behind a NAT, but I've never had a problem 
with the FTP client behind the NAT with the above modules loaded. Though 
it is my understanding that the module will take care of both.


Yes nothing extra except state to be used is related in iptables. I had
sent a mail but do not know if it reached the list.

Mohan

___
LARTC mailing list
LARTC@mailman.ds9a.nl
http://mailman.ds9a.nl/cgi-bin/mailman/listinfo/lartc

[Fwd: Re: [LARTC] DNAT rule for vsftp (PASSIVE FTP)]

2007-10-05 Thread Mohan Sundaram

 Original Message 
Subject: Re: [LARTC] DNAT rule for vsftp (PASSIVE FTP)
Date: Fri, 05 Oct 2007 12:17:42 +0530
From: Mohan Sundaram <[EMAIL PROTECTED]>
Reply-To: [EMAIL PROTECTED]
To: Indunil Jayasooriya <[EMAIL PROTECTED]>
References: <[EMAIL PROTECTED]>

Indunil Jayasooriya wrote:

Hi all,

I want to run vsftp behind a firewall.(i.e DMZ zone) . It is runnig as 
passive ftp.

the theroy behind passive ftp is ,

* FTP server's port 21 from anywhere ( Client initiates connection)
* FTP server's port 21 to ports > 1024 (Server responds to client's
  control port)
* FTP server's ports > 1024 from anywhere (Client initiates data
  connection to random port specified by server)
* FTP server's ports > 1024 to remote ports > 1024 (Server sends
  ACKs (and data) to client's data port)

Then, How can I write DNAT rules.

pls assume 1.2.3.4 <http://1.2.3.4> is the ip of the internert interface.

#DNAT from Internet to the box running VSFTP @ 192.168.100.3 
<http://192.168.100.3>
iptables -t nat -A PREROUTING -p tcp -i eth0 -d 1.2.3.4 <http://1.2.3.4> 
--dport 21 -j DNAT --to-destination 192.168.100.3:21 
<http://192.168.100.3:21>
iptables -t nat -A PREROUTING -p tcp -i eth0 -d 1.2.3.4 <http://1.2.3.4> 
--dport 1024: -j DNAT --to-destination 192.168.100.3 <http://192.168.100.3>

And also
#connect to below ip (actual destination ip) with below ports,due to 
DNATing
iptables -A FORWARD -p tcp -d 192.168.100.3 <http://192.168.100.3> 
--dport 21 -m state --state NEW -j ACCEPT
iptables -A FORWARD -p tcp -d 192.168.100.3 <http://192.168.100.3> 
--dport 1024: -m state --state NEW -j ACCEPT

R u okay with the above 4 rules ?

If WRONG, pls write down your rules. I am going to put this vsftp server 
in to PRODUCTION USE.

Pls also make sure , my firewall has below rules such as DROP, 
ESTABLISHED,RELATED.

iptables -P INPUT DROP
iptables -P FORWARD DROP
iptables -P OUTPUT DROP

iptables -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
iptables -A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT
iptables -A OUTPUT -m state --state ESTABLISHED,RELATED -j ACCEPT

YOUR comments.

--
Thank you
Indunil Jayasooriya

If you want to run apps with different ports for control and data, you
need to run ALG or Connection tracking helper ip_conntrack_ftp.

Extracted from
http://www.kalamazoolinux.org/presentations/20010417/conntrack.html

Connection tracking and ftp

Firstly, you need to load the ip_conntrack_ftp module.

Assuming you have a single-homed box, a simple ruleset to allow an ftp
connection would be:

iptables -A INPUT -p tcp --sport 21 -m state --state ESTABLISHED -j
ACCEPT
iptables -A OUTPUT -p tcp --dport 21 -m state --state NEW,ESTABLISHED -j
ACCEPT

(Please note, I am assuming here you have a separate ruleset to allow
any icmp RELATED to the conection. Please see my example ruleset for this).

This is not the whole story. An ftp connection also needs a
data-channel, which can be provided in one of two ways:

1) Active ftp

The ftp client sends a port number over the ftp channel via a PORT
command to the ftp server. The ftp server then connects from port 20 to
this port to send data, such as a file, or the output from an ls
command. The ftp-data connection is in the opposite sense from the
original ftp connection.

To allow active ftp without knowing the port number that has been passed
we need a general rule which allows connections from port 20 on remote
ftp servers to high ports (port numbers > 1023) on ftp clients. This is
simply too general to ever be secure.

Enter the ip_conntrack_ftp module. This module is able to recognize the
PORT command and pick-out the port number. As such, the ftp-data
connection can be classified as RELATED to the original outgoing
connection to port 21 so we don't need NEW as a state match for the
connection in the INPUT chain. The following rules will serve our
purposes grandly:

iptables -A INPUT -p tcp --sport 20 -m state --state
ESTABLISHED,RELATED -j ACCEPT
iptables -A OUTPUT -p tcp --dport 20 -m state --state ESTABLISHED -j ACCEPT

2) Passive ftp

A PORT command is again issued, but this time it is from the server to
the client. The client connects to the server for data transfer. Since
the connection is in the same sense as the original ftp connection,
passive ftp is inherently more secure than active ftp, but note that
this time we know even less about the port numbers. Now we have a
connection between almost arbitrary port numbers.

Enter the ip_conntrack_ftp module once more. Again, this module is able
to recognize the PORT command and pick-out the port number. Instead of
NEW in the state match for the OUTPUT chain, we can use RELATED. The
following rules will suffice:

iptables -A INPUT -p tcp --sport 1024: --dport 1024:  -m state
--state ESTABLISHED -j

Re: [LARTC] DNAT rule for vsftp (PASSIVE FTP)

2007-10-05 Thread Grant Taylor


On 10/05/07 02:16, Indunil Jayasooriya wrote:
What is FTP helper module? 


As I understand it, the Connection Tracking FTP helper module is 
essentially a small module / algorithm that you load in to the 
Connecting Tracking structure (via the below modules) to watch what ftp 
commands you send out and / or receive so that it can dynamically on the 
fly update the connection tracking table to allow the other negotiated 
ports that FTP uses through statefull packet inspection.  In other words 
you should not need to write explicit rules for control and data 
connections be it active or passive.



is it ip_nat_ftp ?


Yes.


ANYWAY,  I have  loaded below  2 modules.

/sbin/modprobe -a ip_conntrack_ftp ip_nat_ftp  


YOUR COMMENTS.


That should work.

I'll have to double check some things to make sure that you don't need 
to do any thing special other than just allow the initial connection and 
rely on the FTP connection tracking helper to handle all other connections.


I've never run an FTP server behind a NAT, but I've never had a problem 
with the FTP client behind the NAT with the above modules loaded. 
Though it is my understanding that the module will take care of both.




Grant. . . .
___
LARTC mailing list
LARTC@mailman.ds9a.nl
http://mailman.ds9a.nl/cgi-bin/mailman/listinfo/lartc

Re: [LARTC] DNAT rule for vsftp (PASSIVE FTP)

2007-10-05 Thread Indunil Jayasooriya

On 10/5/07, Grant Taylor <[EMAIL PROTECTED]> wrote:
>
> On 10/5/2007 12:51 AM, Indunil Jayasooriya wrote:
> > I want to run vsftp behind a firewall.(i.e DMZ zone) . It is runnig as
> > passive ftp.
>
> Ok...
>
> > Then, How can I write DNAT rules.
>
> You don't want to write rules for each possible combination.
>
> > YOUR comments.
>
> Use the FTP helper module as it is meant to take care of this for you.
>
> What is FTP helper module?


is it ip_nat_ftp ?

ANYWAY,  I have  loaded below  2 modules.

/sbin/modprobe -a ip_conntrack_ftp ip_nat_ftp

YOUR COMMENTS.


Grant. . . .
> ___
> LARTC mailing list
> LARTC@mailman.ds9a.nl
> http://mailman.ds9a.nl/cgi-bin/mailman/listinfo/lartc
>



-- 
Thank you
Indunil Jayasooriya
___
LARTC mailing list
LARTC@mailman.ds9a.nl
http://mailman.ds9a.nl/cgi-bin/mailman/listinfo/lartc

Re: [LARTC] DNAT rule for vsftp (PASSIVE FTP)

2007-10-04 Thread Grant Taylor


On 10/5/2007 12:51 AM, Indunil Jayasooriya wrote:
I want to run vsftp behind a firewall.(i.e DMZ zone) . It is runnig as 
passive ftp.


Ok...


Then, How can I write DNAT rules.


You don't want to write rules for each possible combination.


YOUR comments.


Use the FTP helper module as it is meant to take care of this for you.



Grant. . . .
___
LARTC mailing list
LARTC@mailman.ds9a.nl
http://mailman.ds9a.nl/cgi-bin/mailman/listinfo/lartc

[Fwd: Re: [LARTC] DNAT rule for vsftp (PASSIVE FTP)]

[Fwd: Re: [LARTC] DNAT rule for vsftp (PASSIVE FTP)]

Re: [LARTC] DNAT rule for vsftp (PASSIVE FTP)

Re: [LARTC] DNAT rule for vsftp (PASSIVE FTP)

Re: [LARTC] DNAT rule for vsftp (PASSIVE FTP)

5 matches

Site Navigation

Mail list logo

Footer information