FTP Server: Controlling FTP through a firewall is tricky. To control FTP you must first know how the FTP server behaves. The FTP server works in two modes:
active mode (the default in Windows)
passive mode (the default in Linux)
First we will explain these terms, then how to control FTP through the firewall.
Active FTP: one connection is made by the client (FIREWALL) and the other, in the opposite direction, by the FTP server. With stateless firewalls active FTP poses a serious threat: the server connects to random ports on the client (here, the FIREWALL), so from the FIREWALL's point of view it is difficult to know which ports to open.
How Active FTP works:
(1) The client (FIREWALL) connects from port 1024 (any port >1023; assume 1024) to the control port (command port) 21 on the FTP server and also sends PORT 192,168,0,211,154,208.
(2) The server acknowledges to the client's control port 1024.
(3) The FTP server connects from its data port 20 to the client's (FIREWALL) data port (154x256+208 = 39632).
(4) The client (FIREWALL) sends an acknowledgement from data port 39632 to the FTP server's data port 20.
We have written the following rules with the above scenario in mind:
# iptables -t filter -A OUTPUT -p tcp --dport 21 -m state --state NEW,ESTABLISHED -j ACCEPT
# iptables -t filter -A INPUT -p tcp --sport 21 -m state --state ESTABLISHED -j ACCEPT
# iptables -t filter -A INPUT -p tcp --sport 20 -m state --state ESTABLISHED,RELATED -j ACCEPT
# iptables -t filter -A OUTPUT -p tcp --dport 20 -m state --state ESTABLISHED -j ACCEPT
Passive FTP: both connections are made by the client (FIREWALL) in the same direction, one of them to a port higher than 1023 on the server side.
How Passive FTP works:
(1) The client (FIREWALL) connects from port 1024 (any port >1023; assume 1024) to the control port (command port) 21 on the FTP server and also sends PASV.
(2) The server acknowledges to the client's control port 1024 and sends 192,168,0,201,122,8.
(3) The client connects from data port 1025 to the FTP server's data port (122x256+8 = 31240).
(4) The server sends an acknowledgement from data port 31240 to the client's (FIREWALL) data port 1025.
We have written the following rules with the above scenario in mind:
# iptables -t filter -A OUTPUT -p tcp --dport 21 -m state --state NEW,ESTABLISHED -j ACCEPT
# iptables -t filter -A INPUT -p tcp --sport 21 -m state --state ESTABLISHED -j ACCEPT
# iptables -t filter -A OUTPUT -p tcp --sport 1024: --dport 1024: -m state --state ESTABLISHED,RELATED -j ACCEPT
# iptables -t filter -A INPUT -p tcp --sport 1024: --dport 1024: -m state --state ESTABLISHED -j ACCEPT
NEW: a client requesting a new connection
ESTABLISHED: a packet belonging to an already established connection
RELATED: a connection that requests a new connection but is part of an existing connection
INVALID: none of the above states
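As an added example (not part of the original post), the following Python decodes the h1,h2,h3,h4,p1,p2 tuple from the PORT command in the active walkthrough and from the 227 reply to PASV in the passive one, computes the data port as p1x256+p2, applies the checks a stateful firewall should make before it treats the data connection as RELATED, and builds the single-port rule that could replace the broad port ranges above. The control-peer addresses used in the checks are constructed for the example, and the rule text assumes the same FIREWALL-host point of view as the rules in the post; marking the data connection RELATED in practice is the job of the nf_conntrack_ftp helper.

```python
import re
from typing import NamedTuple

# Matches the h1,h2,h3,h4,p1,p2 tuple carried by PORT and by the 227 PASV reply.
TUPLE_RE = re.compile(r"\b(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3})\b")

class DataEndpoint(NamedTuple):
    mode: str  # "active" (client's PORT) or "passive" (server's 227 reply)
    host: str  # dotted-quad address the data connection goes to
    port: int  # p1 * 256 + p2, as in the walkthroughs above

def parse_data_endpoint(line: str) -> DataEndpoint:
    """Decode a PORT command or a 227 reply into the data-connection endpoint."""
    text = line.strip()
    if text.upper().startswith("PORT "):
        mode = "active"
    elif text.startswith("227"):
        mode = "passive"
    else:
        raise ValueError(f"not a PORT command or 227 reply: {line!r}")
    match = TUPLE_RE.search(text)
    if match is None:
        raise ValueError(f"no h1,h2,h3,h4,p1,p2 tuple in: {line!r}")
    fields = [int(f) for f in match.groups()]
    if any(f > 255 for f in fields):
        raise ValueError(f"field out of range in: {line!r}")
    host = ".".join(str(f) for f in fields[:4])
    return DataEndpoint(mode, host, fields[4] * 256 + fields[5])

def endpoint_problems(ep: DataEndpoint, control_peer: str) -> list:
    """Checks a stateful firewall should make before treating the data connection
    as RELATED: the advertised host must be the control-connection peer (otherwise
    a third party is being asked to open it) and the port must be >1023."""
    problems = []
    if ep.host != control_peer:
        problems.append(f"host {ep.host} is not the control peer {control_peer}")
    if ep.port < 1024:
        problems.append(f"data port {ep.port} is privileged (<1024)")
    return problems

def data_rule(ep: DataEndpoint) -> str:
    """iptables rule, from the FIREWALL host's view, admitting only this data
    connection; RELATED is set by the nf_conntrack_ftp helper (assumed loaded)."""
    if ep.mode == "active":  # server connects from port 20 to the port we sent in PORT
        return (f"iptables -t filter -A INPUT -p tcp --sport 20 --dport {ep.port}"
                " -m state --state ESTABLISHED,RELATED -j ACCEPT")
    # passive: we connect to the host and port the server sent in its 227 reply
    return (f"iptables -t filter -A OUTPUT -p tcp -d {ep.host} --dport {ep.port}"
            " -m state --state ESTABLISHED,RELATED -j ACCEPT")
```

Feeding a PORT command whose host differs from the control peer reports the mismatch instead of producing a rule, which is the case the broad 1024: ranges in the post would silently admit.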