Linux Iptables Active / Passive FTP

Active FTP

From the server-side firewall's standpoint, to support active mode FTP the following communication channels need to be opened:

* FTP server’s port 21 from anywhere (Client initiates connection)
* FTP server’s port 21 to ports > 1024 (Server responds to client’s control port)
* FTP server’s port 20 to ports > 1024 (Server initiates data connection to client’s data port)
* FTP server’s port 20 from ports > 1024 (Client sends ACKs to server’s data port)

The sequence of events for active FTP is:

1. Your client connects to the FTP server by establishing an FTP control connection to port 21 of the server. Your commands such as 'ls' and 'get' are sent over this connection.

2. Whenever the client requests data over the control connection, the server initiates data transfer connections back to the client. The source port of these data transfer connections is always port 20 on the server, and the destination port is a high port (greater than 1024) on the client.

3. Thus the ls listing that you asked for comes back over the port 20 to high port connection, not the port 21 control connection.

FTP active mode therefore transfers data in a way that is counterintuitive relative to the usual TCP client/server pattern: the server selects port 20 as its source port (not a random high port greater than 1024) and connects back to the client on a random high port that was pre-negotiated on the port 21 control connection.

Active FTP may fail in cases where the client is protected from the Internet via many-to-one NAT (masquerading). This is because the NAT firewall will not know which of the many hosts behind it should receive the return connection from the server.

Passive FTP

Passive FTP works differently:

1. Your client connects to the FTP server by establishing an FTP control connection to port 21 of the server. Your commands such as ls and get are sent over that connection.

2. Whenever the client requests data over the control connection, the client initiates the data transfer connections to the server. The source port of these data transfer connections is always a high port on the client, with a destination port of a high port on the server.

Passive FTP should be viewed as the server never making an active attempt to connect to the client for FTP data transfers. Because the client always initiates the required connections, passive FTP works better for clients protected by a firewall.

The main problem with active mode FTP actually falls on the client side. The FTP client doesn't make the actual connection to the data port of the server; it simply tells the server what port it is listening on, and the server connects back to the specified port on the client.

From the client-side firewall's point of view this appears to be an outside system initiating a connection to an internal client, something that is usually blocked.
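Both modes hinge on the endpoint negotiated over the port 21 control connection: the client's PORT command in active mode, the server's 227 reply in passive mode. As an added example (not code from the original post), the following shows the parsing a stateful FTP helper such as ip_conntrack_ftp or the ASA's inspect ftp performs to learn which data connection to expect, and checks the many-to-one NAT failure described above; the sample lines and addresses are constructed.

```python
import re
from dataclasses import dataclass

# Constructed sample lines from the port-21 control connection. RFC 959 encodes the
# endpoint as h1,h2,h3,h4,p1,p2: IPv4 address h1.h2.h3.h4, port p1*256 + p2.
PORT_CMD = "PORT 10,0,0,7,4,1"                                   # client listens on 10.0.0.7:1025
PASV_REPLY = "227 Entering Passive Mode (203,0,113,10,195,80)."  # server listens on 203.0.113.10:50000

_TUPLE = re.compile(r"(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3})")

@dataclass(frozen=True)
class DataChannel:
    mode: str       # "active" or "passive"
    src_host: str   # side that opens the data connection
    src_port: str   # "20" in active mode, ">1024" (ephemeral) in passive mode
    dst_host: str
    dst_port: int

def _decode(fields):
    nums = [int(x) for x in fields]
    if any(n > 255 for n in nums):
        raise ValueError("octet out of range in h1,h2,h3,h4,p1,p2")
    port = nums[4] * 256 + nums[5]
    if port == 0:
        raise ValueError("port 0 is not a usable data port")
    return ".".join(str(n) for n in nums[:4]), port

def expected_data_channel(line, server_ip, client_ip):
    """Data connection a stateful firewall must expect after seeing a PORT command
    (active) or a 227 reply (passive) on the control channel."""
    m = _TUPLE.search(line)
    if not m:
        raise ValueError("no h1,h2,h3,h4,p1,p2 tuple in line")
    host, port = _decode(m.groups())
    if line.upper().startswith("PORT "):
        # Active: the server connects from port 20 to the port the client advertised.
        return DataChannel("active", server_ip, "20", host, port)
    if line.startswith("227"):
        # Passive: the client connects from an ephemeral port to the server's advertised port.
        return DataChannel("passive", client_ip, ">1024", host, port)
    raise ValueError("not a PORT command or a 227 reply")

def nat_will_break(channel, client_public_ip):
    """Active FTP behind many-to-one NAT: PORT carries the client's private address,
    so the server's connect-back is aimed at an address the NAT never maps back."""
    return channel.mode == "active" and channel.dst_host != client_public_ip
```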

Linux iptables commands:

# Ruleset 1: open the control port (21) and the active-mode data port (20) explicitly.
# Without the FTP connection-tracking helper (see the second ruleset), passive-mode data
# connections to high server ports are not matched by these rules.
iptables -A INPUT -p tcp --dport ftp -j ACCEPT
iptables -A INPUT -p tcp --dport ftp-data -j ACCEPT
iptables -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
iptables -A OUTPUT -o eth0 -p tcp --sport ftp -j ACCEPT
iptables -A OUTPUT -o eth0 -p tcp --sport ftp-data -j ACCEPT

or

# Ruleset 2: load the FTP connection-tracking helper so that data connections negotiated
# on port 21 (active and passive) are accepted as RELATED. On current kernels the module
# is named nf_conntrack_ftp, and on kernels 4.7 and later the helper is no longer assigned
# automatically (see the CT target, -j CT --helper ftp, in the raw table).
/sbin/modprobe ip_conntrack_ftp
iptables -A INPUT -i eth0 -p tcp --dport 21 -m state --state NEW -j ACCEPT
iptables -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
iptables -A OUTPUT -m state --state ESTABLISHED,RELATED -j ACCEPT

Summary

The following chart should help admins remember how each FTP mode works:

Active FTP :
command : client >1024 -> server 21
data    : client >1024 <- server 20

Passive FTP :
command : client >1024 -> server 21
data    : client >1024 -> server >1024

As Windows defaults to active FTP, and Linux defaults to passive, you'll probably have to accommodate both forms when deciding upon a security policy for your FTP server.

Client Protected by a Firewall Problem.

Typically firewalls don't allow incoming connections at all, which frequently blocks active FTP from functioning. Active FTP connections appear to work when the client initiates an outbound connection to the server on port 21.

The connection then appears to hang, however, as soon as you use the ls, dir, or get commands. The reason is that the firewall is blocking the return connection from the server to the client (from port 20 on the server to a high port on the client).

If a firewall allows all outbound connections to the internet,
then passive FTP clients behind a firewall will usually work correctly as
the clients initiate all the FTP connections.

Cisco ASA FTP Access-List

ASA Version 7.2(2)
!
hostname ASA-AIP-CLI
domain-name corp.com
enable password WwXYvtKrnjXqGbu1 encrypted
names
!
interface Ethernet0/0
 nameif Outside
 security-level 0
 ip address 192.168.1.2 255.255.255.0
!
interface Ethernet0/1
 nameif Inside
 security-level 100
 ip address 10.1.1.1 255.255.255.0
!
interface Ethernet0/2
 nameif DMZ
 security-level 50
 ip address 172.16.1.12 255.255.255.0
!
interface Ethernet0/3
 no nameif
 no security-level
 no ip address
!
interface Management0/0
 no nameif
 no security-level
 no ip address
!

!--- Output is suppressed.


!--- Permit inbound FTP control traffic. 

access-list 100 extended permit tcp any host 192.168.1.5 eq ftp

!--- Permit inbound FTP data traffic.

access-list 100 extended permit tcp any host 192.168.1.5 eq ftp-data
!

!--- Command to redirect the FTP traffic received on IP 192.168.1.5
!--- to IP 172.16.1.5.

static (DMZ,outside) 192.168.1.5 172.16.1.5 netmask 255.255.255.255
access-group 100 in interface outside
class-map inspection_default
 match default-inspection-traffic
!
!
policy-map type inspect dns preset_dns_map
 parameters
  message-length maximum 512

policy-map global_policy
 class inspection_default
  inspect dns preset_dns_map
  inspect ftp
  inspect h323 h225
  inspect h323 ras
  inspect netbios
  inspect rsh
  inspect rtsp
  inspect skinny
  inspect esmtp
  inspect sqlnet
  inspect sunrpc
  inspect tftp
  inspect sip
  inspect xdmcp
!

!--- This command tells the device to
!--- use the "global_policy" policy-map on all interfaces.

service-policy global_policy global

LAN Outbound FTP Access:

access-list inside extended permit tcp host 10.1.1.254 any eq ftp

Create an object group in order to tidy the config:

object-group service Bluecoatbypass tcp
 description Bypass for bluecoat server
 port-object eq echo
 port-object eq irc
 port-object eq ftp-data
 port-object range 3389 3389
 port-object eq domain
 port-object range 8080 8080
 port-object eq pop3
 port-object eq ftp
 port-object eq www
 port-object eq https
 port-object eq 1935
 port-object eq ssh
!

Create the access-list:

access-list inside extended permit tcp host 10.1.1.254 any object-group Bluecoatbypass

Verify:

show access-list | grep ftp | grep 10.1.1.254
show service-policy inspect ftp
show service-policy global