Firewall settings for passive FTP. Lokkit / IPTables / RH 9
I'm hoping someone can help me with the firewall settings on my Linode. I'm running Redhat 9 small. FTP is the standard vsftpd. I'm struggling to get the firewall settings right to allow a passive FTP connection. I'm setting things with lokkit which shows a character based 'graphical' UI. I assume this is just a friendly way of editing /etc/sysconfig/iptables. I haven't directly edited iptables yet but perhaps I need to.
In lokkit, I leave the security level 'high' and then go to 'Customize' and check the main protocols I want and add several more to the 'Other ports line'. I add pop3:tcp imap:tcp and a few others. The RH docs suggest that checking 'FTP' is enough to allow passive FTP but not Active. It seems to achieve the opposite for me. Active works fine. Passive works if I have 'No Firewall'.
I don't know much about it but I wonder if its something to do with port 20. I have now added ftp-data:tcp to the 'Other Ports' but that hasn't helped. The client hangs when doing an ls after 'Entering Passive Mode' and then 'Connecting to' a five digit port number.
The lines which I think are relevant in iptables are:
-A RH-Lokkit-0-50-INPUT -p tcp -m tcp --dport 20 --syn -j ACCEPT
-A RH-Lokkit-0-50-INPUT -p tcp -m tcp --dport 21 --syn -j ACCEPT
If you're wondering why I'm even bothering with FTP rather than the more secure SFTP via SSH its because I have a few friends / customers who just need to upload html files and vsftpd allows me to easily define a fake root to keep them in their own area. I don't think I can do that effectively with ssh.
Thanks
Ross
Basically, FTP is a complicated protocol in the sense that it has two connections, one control and one data. And you need special logic to keep track of this and handle it, this is where the connection tracking modules come into play. Load them up and everything will work.
> You need the ipconntrackftp module and possibly the natconntrackftp module.
Thanks. Since I hadn't had a reply here, I posted the same thing to a newsgroup yesterday and someone said to just open all ports above 1023. I've done that and it seems to work. I don't know if there is a more secure way of doing it.
I'm a bit out of my depth when it comes to modules. I notice /proc/net/ip_conntrack exists so I guess I must have that module.
Ross
Connection tracking (and thus /proc/net/ip_conntrack) is on if you have a rule with state checks; the most common is a rule to check for ESTABLISHED and RELATED states (do iptables -nvL to see if you have such a rule).
Run: modprobe ipconntrackftp
to load the FTP connection tracking module. And remove the rule to open all ports above 1023, this should make the firewall allow FTP connections and still keep you safe most of the time.
You may also want: modprobe ipconntrackirc
to enable IRC connections for DCC chats and file transfers.
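Putting the question and this reply together, here is an added example (not from the thread or from Red Hat) of what the two approaches look like in /etc/sysconfig/iptables form. The chain name RH-Lokkit-0-50-INPUT is the one from the original post; the module name is an assumption based on the 2.4 netfilter tree, where the FTP helper is ip_conntrack_ftp (the thread's "ipconntrackftp" is that name with its underscores eaten by the forum software). The audit function scans an iptables-save style dump for the two things discussed here: a missing ESTABLISHED,RELATED rule, without which the helper cannot admit the passive data channel, and the blanket "open everything above 1023" workaround.

```shell
#!/bin/sh
# Added example, not from the thread. Two helpers for a Red Hat 9 / iptables box
# like the one described above:
#   recommended_rules     - /etc/sysconfig/iptables content that lets connection
#                           tracking admit the passive FTP data channel
#   open_high_ports_rules - constructed dump of the "open all ports > 1023"
#                           workaround mentioned in the thread
#   audit_rules           - reads an iptables-save dump on stdin and flags both
#                           problems; returns 0 only when the dump is clean
# Assumption: the 2.4 FTP helper is ip_conntrack_ftp (load it with modprobe, or
# have it built into the kernel); only then does the data channel show up as RELATED.

recommended_rules() {
    cat <<'EOF'
*filter
:INPUT ACCEPT [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
:RH-Lokkit-0-50-INPUT - [0:0]
-A INPUT -j RH-Lokkit-0-50-INPUT
-A RH-Lokkit-0-50-INPUT -i lo -j ACCEPT
-A RH-Lokkit-0-50-INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
-A RH-Lokkit-0-50-INPUT -p tcp -m tcp --dport 21 --syn -j ACCEPT
-A RH-Lokkit-0-50-INPUT -p tcp -m tcp --dport 22 --syn -j ACCEPT
-A RH-Lokkit-0-50-INPUT -p tcp -m tcp --syn -j REJECT
-A RH-Lokkit-0-50-INPUT -p udp -m udp -j REJECT
COMMIT
EOF
}

# Constructed sample: no state rule, control port plus every unprivileged port.
open_high_ports_rules() {
    cat <<'EOF'
*filter
:INPUT ACCEPT [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
:RH-Lokkit-0-50-INPUT - [0:0]
-A INPUT -j RH-Lokkit-0-50-INPUT
-A RH-Lokkit-0-50-INPUT -i lo -j ACCEPT
-A RH-Lokkit-0-50-INPUT -p tcp -m tcp --dport 21 --syn -j ACCEPT
-A RH-Lokkit-0-50-INPUT -p tcp -m tcp --dport 1024:65535 --syn -j ACCEPT
-A RH-Lokkit-0-50-INPUT -p tcp -m tcp --syn -j REJECT
-A RH-Lokkit-0-50-INPUT -p udp -m udp -j REJECT
COMMIT
EOF
}

# audit_rules: one finding per line on stdout; exit 0 = clean, 1 = problems found.
audit_rules() {
    rules=$(cat)
    rc=0
    # Without this rule conntrack never gets a say, so the FTP helper is useless.
    if ! printf '%s\n' "$rules" | grep -Eq -- '--state (ESTABLISHED,RELATED|RELATED,ESTABLISHED) -j ACCEPT'; then
        echo "MISSING: no ESTABLISHED,RELATED accept rule; ip_conntrack_ftp cannot admit the passive data channel"
        rc=1
    fi
    # The newsgroup workaround: every listener on 1024-65535 becomes reachable.
    if printf '%s\n' "$rules" | grep -Eq -- '--dport 1024:65535 .*-j ACCEPT'; then
        echo "RISK: blanket accept on ports 1024-65535; replace with the ESTABLISHED,RELATED rule plus the FTP helper"
        rc=1
    fi
    return $rc
}

# Stand-alone usage: audit both samples, or a live box with
#   iptables-save | audit_rules   (after sourcing this file).
echo "== recommended ==";  recommended_rules     | audit_rules && echo "clean"
echo "== open >1023 ==";   open_high_ports_rules | audit_rules || echo "needs fixing"
```

The recommended set only works once the helper is actually present, which is exactly the snag the next reply runs into on a Linode kernel; if modprobe fails, check whether the module is already built in before falling back to the wide-open port range.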
modprobe: Can't open dependencies file /lib/modules/2.4.23-linode16-6um/modules.dep (No such file or directory)
Isn't that because we can't load our own modules with Linode? I don't have any ESTABLISHED and RELATED rules.
Since the Linode is just a single (virtual) machine and I control what's listening and what's not then I wonder how important the firewall really is anyway.
Ross
You might need to change into the modules directory, try: locate ipconntrackftp
It is likely to be in: /lib/modules/2.4.23-linode16-6um/kernel/net/ipv4/netfilter/
I have no idea regarding the problem above, maybe running: depmod -a
will cure it. I don't have a linode to test it. (I do consider getting one once my current contract is finished - paid for a year in advance).
If you don't have an ESTABLISHED,RELATED rule, then connection tracking is not likely to work for you anyway.
If you have an iron grip on what is running and you made sure that all services you don't want accessed from outside are locked down, then you don't need a firewall. You can see what services are listening with: netstat -tul
I don't know enough to tell if ipconntrackftp is compiled in and therefore doesn't need to be loaded or even if that is a meaningful question to ask.
Anyway, it doesn't look like I have much of a security issue even without a firewall.
Ross