FTP problem with IPTABLES

From: Karl Bickmore (kbickmore_at_cox.net)
Date: 07/12/03


Date: Fri, 11 Jul 2003 18:30:19 -0700

I have a Redhat 9.0 system running as a Firewall and email server. I have
configured SNAT and everything seems to be fine except an issue with FTP.
Clients behind the firewall can log in to a remote FTP site, they can CD, but
can't ls, put or get. Below are the rules in the firewall script I have for
FTP:

# I have not included all of the variables for this post, but I did add some
# to help you read this.

UNPRIVPORTS="1024:65535"
EXTERNAL_INTERFACE="eth0"   # no space before "=": "NAME =value" makes the shell run NAME as a command
ANYWHERE="0.0.0.0/0"
# EXTERNAL_IP and INTERNAL_NETWORK are defined elsewhere in the full script.

# FTP control channel (port 21) to and from the firewall itself
iptables -A INPUT -i $EXTERNAL_INTERFACE -p TCP -m state --state ESTABLISHED,RELATED \
        --sport 21 --dport $UNPRIVPORTS -s $ANYWHERE -d $EXTERNAL_IP -j ACCEPT

iptables -A OUTPUT -o $EXTERNAL_INTERFACE -p TCP -m state --state NEW,ESTABLISHED \
        --sport $UNPRIVPORTS --dport 21 -s $EXTERNAL_IP -d $ANYWHERE -j ACCEPT

# Normal Port mode FTP data channels (server connects from port 20)
iptables -A INPUT -i $EXTERNAL_INTERFACE -p TCP -m state --state ESTABLISHED,RELATED \
        --sport 20 --dport $UNPRIVPORTS -s $ANYWHERE -d $EXTERNAL_IP -j ACCEPT

iptables -A OUTPUT -o $EXTERNAL_INTERFACE -p TCP -m state --state NEW,ESTABLISHED \
        --sport $UNPRIVPORTS --dport 20 -s $EXTERNAL_IP -d $ANYWHERE -j ACCEPT

# Passive mode FTP data channels (client connects to a server high port)
iptables -A INPUT -i $EXTERNAL_INTERFACE -p TCP -m state --state ESTABLISHED,RELATED \
        --sport $UNPRIVPORTS --dport $UNPRIVPORTS -s $ANYWHERE -d $EXTERNAL_IP -j ACCEPT

iptables -A OUTPUT -o $EXTERNAL_INTERFACE -p TCP -m state --state NEW,ESTABLISHED \
        --sport $UNPRIVPORTS --dport $UNPRIVPORTS -s $EXTERNAL_IP -d $ANYWHERE -j ACCEPT

# Because of MASQ: forwarded FTP traffic for the internal network
iptables -A FORWARD -p TCP -s $INTERNAL_NETWORK --sport $UNPRIVPORTS --dport 20:21 -j ACCEPT
iptables -A FORWARD -p TCP -d $INTERNAL_NETWORK --sport 20:21 --dport $UNPRIVPORTS -j ACCEPT
iptables -A FORWARD -p TCP -s $INTERNAL_NETWORK --sport $UNPRIVPORTS --dport $UNPRIVPORTS -j ACCEPT
iptables -A FORWARD -p TCP -d $INTERNAL_NETWORK --sport $UNPRIVPORTS --dport $UNPRIVPORTS -j ACCEPT

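For comparison, the following script is an added example (not the poster's script and not a reply from the list) of a forwarded-FTP ruleset that relies on the kernel's FTP connection-tracking helper instead of stateless high-port-to-high-port FORWARD rules. With ip_conntrack_ftp and ip_nat_ftp loaded, the helper watches the port-21 control channel, rewrites the private address in a client's PORT command behind SNAT, and marks both active (server port 20 to client) and passive (client to server high port) data connections as RELATED, so only stateful rules are needed. The interface names, addresses and network below are constructed placeholders; the script defaults to DRY_RUN=1 and only prints the commands it would run.

```shell
#!/bin/sh
# Added example of an FTP-through-SNAT ruleset built on the kernel FTP helper.
# All addresses and interface names are constructed placeholders.
# DRY_RUN=1 (the default) prints the commands; DRY_RUN=0 executes them as root.

EXTERNAL_INTERFACE="eth0"
INTERNAL_INTERFACE="eth1"           # assumed LAN-side interface
EXTERNAL_IP="192.0.2.10"            # placeholder from the documentation range
INTERNAL_NETWORK="192.168.1.0/24"   # placeholder LAN

# Run or print an iptables command, depending on DRY_RUN.
ipt() {
    if [ "${DRY_RUN:-1}" = "1" ]; then
        echo "iptables $*"
    else
        iptables "$@"
    fi
}

# Run or print a modprobe command, depending on DRY_RUN.
mod() {
    if [ "${DRY_RUN:-1}" = "1" ]; then
        echo "modprobe $*"
    else
        modprobe "$@"
    fi
}

# The FTP helper modules: ip_conntrack_ftp tracks the control channel and
# expects the data channel (RELATED); ip_nat_ftp rewrites PORT/PASV addresses
# so clients behind SNAT work. On 2.6+ kernels the modules are named
# nf_conntrack_ftp and nf_nat_ftp instead.
load_ftp_helpers() {
    mod ip_conntrack_ftp
    mod ip_nat_ftp
}

ftp_rules() {
    # Outbound control channel from the LAN to any FTP server.
    ipt -A FORWARD -i "$INTERNAL_INTERFACE" -o "$EXTERNAL_INTERFACE" -p tcp \
        -s "$INTERNAL_NETWORK" --dport 21 -m state --state NEW,ESTABLISHED -j ACCEPT
    # Replies on the control channel.
    ipt -A FORWARD -i "$EXTERNAL_INTERFACE" -o "$INTERNAL_INTERFACE" -p tcp \
        -d "$INTERNAL_NETWORK" --sport 21 -m state --state ESTABLISHED -j ACCEPT
    # Data channels in either mode: the helper flags them RELATED, so no
    # stateless unprivileged-to-unprivileged port rule is required.
    ipt -A FORWARD -i "$INTERNAL_INTERFACE" -o "$EXTERNAL_INTERFACE" -p tcp \
        -s "$INTERNAL_NETWORK" -m state --state RELATED,ESTABLISHED -j ACCEPT
    ipt -A FORWARD -i "$EXTERNAL_INTERFACE" -o "$INTERNAL_INTERFACE" -p tcp \
        -d "$INTERNAL_NETWORK" -m state --state RELATED,ESTABLISHED -j ACCEPT
    # Source NAT for LAN traffic leaving the external interface.
    ipt -t nat -A POSTROUTING -o "$EXTERNAL_INTERFACE" -s "$INTERNAL_NETWORK" \
        -j SNAT --to-source "$EXTERNAL_IP"
}

load_ftp_helpers
ftp_rules
```

Run it once as-is to review the generated commands, then with DRY_RUN=0 to apply them; the RELATED state only appears on data connections when the helper modules are actually loaded, which is the first thing to check (lsmod) if data transfers fail while logins succeed.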