[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

RE: [suse-security] IPTABLES Rule for Passive FTP



Hmm... My script lacked the ip_conntack_ftp module, and after I added it
to my script, it was no longer possible to initiate communication with
SPORT >= 1024 and DPORT>=1024 unless it is related and that's how it
should behave :-)

But now, active ftp has become possible again ... :-S

My script looks like this:
#!/bin/tcsh
#

# -------------------------------
# Declare Variables
set IPTABLES="/usr/sbin/iptables"

set HighPorts = 1024:65535

set EXT = eth1
set INT = eth0

set IF = ($EXT $INT)

set INTERNAL  = 172.19.0.0/16
set EXTERNAL  = 192.168.6.0/24
set LOGHOST   = 172.19.2.2

# -------------------------------
# Required Configuration - generall
echo "0" > /proc/sys/net/ipv4/ip_forward
echo "1" > /proc/sys/net/ipv4/tcp_syncookies
echo "1" > /proc/sys/net/ipv4/icmp_echo_ignore_broadcasts
echo "1" > /proc/sys/net/ipv4/icmp_ignore_bogus_error_responses
/sbin/modprobe ip_conntrack_ftp

# Configure Interfaces
foreach if ($IF)
  echo "1" > /proc/sys/net/ipv4/conf/$if/rp_filter
  echo "0" > /proc/sys/net/ipv4/conf/$if/accept_redirects
  echo "0" > /proc/sys/net/ipv4/conf/$if/accept_source_route
  echo "0" > /proc/sys/net/ipv4/conf/$if/bootp_relay
  echo "1" > /proc/sys/net/ipv4/conf/$if/log_martians
end


# -------------------------------------
# Default Policy and Flushing of chains

$IPTABLES -P INPUT DROP
$IPTABLES -P FORWARD DROP
$IPTABLES -P OUTPUT DROP

$IPTABLES -F
$IPTABLES -t nat -F
$IPTABLES -X


# -------------------------------------
# Allow local processes
$IPTABLES -A OUTPUT -o lo -j ACCEPT
$IPTABLES -A INPUT -i lo -j ACCEPT


# -------------------------------------
# Logging
$IPTABLES -A INPUT -p UDP --dport 137 -j DROP
$IPTABLES -A INPUT -p UDP --dport 138 -j DROP
$IPTABLES -A INPUT -p UDP --dport 139 -j DROP
$IPTABLES -A INPUT -p TCP --dport 137 -j DROP
$IPTABLES -A INPUT -p TCP --dport 138 -j DROP
$IPTABLES -A INPUT -p TCP --dport 139 -j DROP
$IPTABLES -A INPUT -p IP -d 172.19.255.255 -j DROP
$IPTABLES -A INPUT -p IP -d 255.255.255.255 -j DROP

$IPTABLES -N DropList
$IPTABLES -A DropList -p ICMP -j LOG --log-prefix "DROP ICMP: "
$IPTABLES -A DropList -p UDP -j LOG --log-prefix "DROP UDP : "
$IPTABLES -A DropList -p TCP -j LOG --log-prefix "DROP TCP : "
$IPTABLES -A DropList -j DROP

# --------------------------------------
echo "1" > /proc/sys/net/ipv4/ip_forward


# --------------------------------------------------
# Outbound packets, allready established connections
$IPTABLES -A OUTPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
$IPTABLES -A FORWARD -i $INT -o $EXT -m state --state
ESTABLISHED,RELATED -j ACCEPT


# ----------------------------------------------------------
# Inbound packets, allready established outbound connections
$IPTABLES -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
$IPTABLES -A INPUT -m state --state NEW,INVALID -j DropList

$IPTABLES -A FORWARD -i $EXT -o $INT -m state --state
ESTABLISHED,RELATED -j ACCEPT
$IPTABLES -A FORWARD -i $EXT -o $INT -m state --state INVALID -j
DropList


# ----------
# Syslogging
$IPTABLES -A OUTPUT -o $INT -m state --state NEW -p UDP --sport syslog
-d $LOGHOST --dport syslog -j ACCEPT


# ------------------
# Forwarding Packets

# HTTP - both directions are allowed
$IPTABLES -A FORWARD -m state --state NEW -p TCP --dport http -j ACCEPT

# Passive FTP, Outbound Control Connection
$IPTABLES -A FORWARD -o $EXT -m state --state NEW -p TCP --sport
$HighPorts --dport ftp -j ACCEPT

# Data Connection
$IPTABLES -A FORWARD -o $EXT -m state --state ESTABLISHED,RELATED -p TCP
--sport $HighPorts --dport $HighPorts -j ACCEPT


# ---------------------------------
# What's not explicit allowed, deny

$IPTABLES -A INPUT -j DropList
$IPTABLES -A FORWARD -j DropList
$IPTABLES -A OUTPUT -j DropList

# End of script




-----Original Message-----
From: Marc Samendinger [mailto:marc.samendinger@xxxxxxxxxxxx] 
Sent: Tuesday, July 29, 2003 3:33 PM
To: suse-security@xxxxxxxx
Subject: Re: [suse-security] IPTABLES Rule for Passive FTP

... SNIP ...
 
> I need to create a rule with IPTABLES which only allows
> passive FTP. The
> following lines accomplishes this:
> 

... SNIP ...

> My problem is, that this open the firewall from internal with source 
> port >= 1024 and destination port >= 1024 which typicalliy is used 
> only by passive ftp data connection. This behaviour is by
> recommendation not
> wanted.
>
> Is there a way to accomplish that data connection only be allowed when

> FTP control connection has taken place before hand?

Yep, my Rules for passive FTP look like this

$IPTABLES -A FORWARD -p tcp -s $i --sport 1024:65535 -d $j --dport 21
	-m state --state NEW,ESTABLISHED -j ACCEPT
$IPTABLES -A FORWARD -p tcp -s $j --sport 21 -d $i --dport 1024:65535
	 -m state --state RELATED,ESTABLISHED -j ACCEPT
$IPTABLES -A FORWARD -p tcp -s $i --sport 1024:65535 -d $j --dport
1024:65535
	-m state --state RELATED,ESTABLISHED -j ACCEPT
$IPTABLES -A FORWARD -p tcp -s $j --sport 1024:65535 -d $i --dport
1024:65535
	-m state --state RELATED,ESTABLISHED -j ACCEPT

Where $i is the ftp client and $j the ftp server.
For this to work correctly you need to load the ftp conntrack helper
module.

--
Check the headers for your unsubscription address
For additional commands, e-mail: suse-security-help@xxxxxxxx
Security-related bug reports go to security@xxxxxxx, not here