RE: [suse-security] IPTABLES Rule for Passive FTP
Hmm... My script lacked the ip_conntrack_ftp module, and after I added it
to my script, it was no longer possible to initiate communication with
SPORT >= 1024 and DPORT >= 1024 unless it is related, and that's how it
should behave :-)
But now, active ftp has become possible again ... :-S
My script looks like this:
#!/bin/tcsh
#
# -------------------------------
# Declare Variables
set IPTABLES = "/usr/sbin/iptables"
set HighPorts = 1024:65535
set EXT = eth1
set INT = eth0
set IF = ($EXT $INT)
set INTERNAL = 172.19.0.0/16
set EXTERNAL = 192.168.6.0/24
set LOGHOST = 172.19.2.2
# -------------------------------
# Required Configuration - general
# Keep forwarding switched off while the rules are loaded (re-enabled below)
echo "0" > /proc/sys/net/ipv4/ip_forward
echo "1" > /proc/sys/net/ipv4/tcp_syncookies
echo "1" > /proc/sys/net/ipv4/icmp_echo_ignore_broadcasts
echo "1" > /proc/sys/net/ipv4/icmp_ignore_bogus_error_responses
# FTP connection-tracking helper: watches the control channel and marks the
# data connections announced there (PASV replies and PORT commands) as RELATED
/sbin/modprobe ip_conntrack_ftp
# Configure Interfaces
foreach dev ($IF)
    echo "1" > /proc/sys/net/ipv4/conf/$dev/rp_filter
    echo "0" > /proc/sys/net/ipv4/conf/$dev/accept_redirects
    echo "0" > /proc/sys/net/ipv4/conf/$dev/accept_source_route
    echo "0" > /proc/sys/net/ipv4/conf/$dev/bootp_relay
    echo "1" > /proc/sys/net/ipv4/conf/$dev/log_martians
end
# -------------------------------------
# Default Policy and Flushing of chains
$IPTABLES -P INPUT DROP
$IPTABLES -P FORWARD DROP
$IPTABLES -P OUTPUT DROP
$IPTABLES -F
$IPTABLES -t nat -F
$IPTABLES -X
# -------------------------------------
# Allow local processes
$IPTABLES -A OUTPUT -o lo -j ACCEPT
$IPTABLES -A INPUT -i lo -j ACCEPT
# -------------------------------------
# Silent drops: NetBIOS noise and broadcasts are not worth logging
$IPTABLES -A INPUT -p UDP --dport 137 -j DROP
$IPTABLES -A INPUT -p UDP --dport 138 -j DROP
$IPTABLES -A INPUT -p UDP --dport 139 -j DROP
$IPTABLES -A INPUT -p TCP --dport 137 -j DROP
$IPTABLES -A INPUT -p TCP --dport 138 -j DROP
$IPTABLES -A INPUT -p TCP --dport 139 -j DROP
# protocol "ip" (number 0) matches any protocol
$IPTABLES -A INPUT -p IP -d 172.19.255.255 -j DROP
$IPTABLES -A INPUT -p IP -d 255.255.255.255 -j DROP
# Logging chain: log with a per-protocol prefix, then drop
$IPTABLES -N DropList
$IPTABLES -A DropList -p ICMP -j LOG --log-prefix "DROP ICMP: "
$IPTABLES -A DropList -p UDP -j LOG --log-prefix "DROP UDP : "
$IPTABLES -A DropList -p TCP -j LOG --log-prefix "DROP TCP : "
$IPTABLES -A DropList -j DROP
# --------------------------------------
# Forwarding can go on now: the FORWARD policy is DROP, so nothing passes
# until the accept rules below are added
echo "1" > /proc/sys/net/ipv4/ip_forward
# --------------------------------------------------
# Outbound packets, already established connections
$IPTABLES -A OUTPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
$IPTABLES -A FORWARD -i $INT -o $EXT -m state --state ESTABLISHED,RELATED \
    -j ACCEPT
# ----------------------------------------------------------
# Inbound packets, already established outbound connections
$IPTABLES -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
$IPTABLES -A INPUT -m state --state NEW,INVALID -j DropList
# NOTE: RELATED in the inbound direction also admits server-initiated data
# connections (active FTP) once the helper has seen a PORT command
$IPTABLES -A FORWARD -i $EXT -o $INT -m state --state ESTABLISHED,RELATED \
    -j ACCEPT
$IPTABLES -A FORWARD -i $EXT -o $INT -m state --state INVALID -j DropList
# ----------
# Syslogging
$IPTABLES -A OUTPUT -o $INT -m state --state NEW -p UDP --sport syslog \
    -d $LOGHOST --dport syslog -j ACCEPT
# ------------------
# Forwarding Packets
# HTTP - both directions are allowed
$IPTABLES -A FORWARD -m state --state NEW -p TCP --dport http -j ACCEPT
# Passive FTP, Outbound Control Connection
$IPTABLES -A FORWARD -o $EXT -m state --state NEW -p TCP --sport $HighPorts \
    --dport ftp -j ACCEPT
# Data Connection (client to server, high port to high port; the generic
# outbound ESTABLISHED,RELATED rule above already covers this)
$IPTABLES -A FORWARD -o $EXT -m state --state ESTABLISHED,RELATED -p TCP \
    --sport $HighPorts --dport $HighPorts -j ACCEPT
# ---------------------------------
# What's not explicitly allowed, deny
$IPTABLES -A INPUT -j DropList
$IPTABLES -A FORWARD -j DropList
$IPTABLES -A OUTPUT -j DropList
# End of script
-----Original Message-----
From: Marc Samendinger [mailto:marc.samendinger@xxxxxxxxxxxx]
Sent: Tuesday, July 29, 2003 3:33 PM
To: suse-security@xxxxxxxx
Subject: Re: [suse-security] IPTABLES Rule for Passive FTP
... SNIP ...
> I need to create a rule with IPTABLES which only allows
> passive FTP. The following lines accomplish this:
>
... SNIP ...
> My problem is that this opens the firewall from internal with source
> port >= 1024 and destination port >= 1024, which typically is used
> only by the passive ftp data connection. This behaviour is by
> recommendation not wanted.
>
> Is there a way to accomplish that data connection only be allowed when
> FTP control connection has taken place beforehand?
Yep, my Rules for passive FTP look like this
# control connection, client -> server
$IPTABLES -A FORWARD -p tcp -s $i --sport 1024:65535 -d $j --dport 21 \
    -m state --state NEW,ESTABLISHED -j ACCEPT
# control connection, server -> client
$IPTABLES -A FORWARD -p tcp -s $j --sport 21 -d $i --dport 1024:65535 \
    -m state --state RELATED,ESTABLISHED -j ACCEPT
# data connection, client -> server (RELATED comes from the ftp helper)
$IPTABLES -A FORWARD -p tcp -s $i --sport 1024:65535 -d $j --dport 1024:65535 \
    -m state --state RELATED,ESTABLISHED -j ACCEPT
# data connection, server -> client
$IPTABLES -A FORWARD -p tcp -s $j --sport 1024:65535 -d $i --dport 1024:65535 \
    -m state --state RELATED,ESTABLISHED -j ACCEPT
Where $i is the ftp client and $j the ftp server.
For this to work correctly you need to load the ftp conntrack helper
module.
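Both the quoted question (only allow the data connection once a control connection exists) and the reply at the top (active FTP becoming possible as soon as ip_conntrack_ftp is loaded) come down to how the helper turns control-channel lines into RELATED expectations. The Python model below is added here and is neither poster's code nor kernel code; the client and server addresses and the FTP lines it parses are constructed. It shows that a 227 reply and a PORT command both yield RELATED data connections, so a passive-only policy has to reject the PORT-derived ones as well, which in iptables means accepting RELATED TCP on the FORWARD chain only in the outbound (client to server) direction.

```python
import re

# Constructed example: a minimal model of what the ip_conntrack_ftp helper does.
# Not kernel code; addresses and ports are made up to match the thread's setup.
PASV_RE = re.compile(r"^227 .*?\((\d+),(\d+),(\d+),(\d+),(\d+),(\d+)\)")
PORT_RE = re.compile(r"^PORT (\d+),(\d+),(\d+),(\d+),(\d+),(\d+)")


def parse_hostport(groups):
    """Decode the h1,h2,h3,h4,p1,p2 form used by PORT and by 227 replies."""
    h1, h2, h3, h4, p1, p2 = (int(g) for g in groups)
    return f"{h1}.{h2}.{h3}.{h4}", p1 * 256 + p2


class FtpHelper:
    """Watches one control connection and records data-connection expectations."""

    def __init__(self, client, server):
        self.client, self.server = client, server
        self.expectations = []  # entries: (src_ip, dst_ip, dst_port, mode)

    def observe(self, line):
        """Feed one line of the control channel, from either side."""
        m = PASV_RE.match(line)
        if m:  # server answered PASV: the client will connect out to the server
            ip, port = parse_hostport(m.groups())
            self.expectations.append((self.client, ip, port, "passive"))
        m = PORT_RE.match(line)
        if m:  # client sent PORT: the server will connect back in to the client
            ip, port = parse_hostport(m.groups())
            self.expectations.append((self.server, ip, port, "active"))

    def classify(self, src, dst, dport):
        """State of a new TCP SYN: ('RELATED', mode) on a match, else ('NEW', None)."""
        for s, d, p, mode in self.expectations:
            if (s, d, p) == (src, dst, dport):
                return "RELATED", mode
        return "NEW", None


def forward_decision(helper, src, dst, dport, passive_only=True):
    """Policy for high-port data connections: NEW is dropped; RELATED is accepted
    unless passive_only is set and the expectation came from a PORT command."""
    state, mode = helper.classify(src, dst, dport)
    if state == "RELATED" and not (passive_only and mode == "active"):
        return "ACCEPT"
    return "DROP"
```

With passive_only=False the model behaves like the two rulesets in this thread, which accept RELATED in both forwarding directions.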