FTP firewall issues in Passive mode

In Linux, the default FTP mode is “Passive”, whereas in Windows it is “Active”. In Passive mode the client connects to a high port on the server. That port is unpredictable and can range from 1024 to 65535 (the high ports); each client connection uses a different one, so it is hard to know in advance which server-side port must be opened for the data connection. If you run a firewall (say iptables) that blocks every port except 21 (the FTP control port), data transfer between client and server will be blocked in Passive mode.

Here is a simple way round this with iptables: allow all high ports on the server. (The configuration is saved in /etc/sysconfig/iptables.)

-A INPUT -p tcp -m tcp -s 0/0 -d 0/0 --dport 21 -j ACCEPT
-A INPUT -p tcp -m tcp -s 0/0 -d 0/0 --dport 1024: -j ACCEPT

The INPUT chain will then accept incoming connections on any high port of the server. This is less secure and not recommended, because it leaves those server ports open to everyone.

A better solution uses the connection tracking mechanism that iptables provides for FTP. It is enabled by loading an additional kernel module called “ip_conntrack_ftp”. This module keeps track of your established control connections and works out which data connections need to be opened by parsing the PORT commands (and, for Passive mode, the server's PASV reply) exchanged over the control channel. It then allows only those required high ports on the server, and only for the matching data transfer.

You can enable this module in two ways. To load it on demand, execute

/sbin/modprobe ip_conntrack_ftp

To load it whenever iptables starts, modify the iptables configuration file “/etc/sysconfig/iptables-config” as shown below

IPTABLES_MODULES="ip_conntrack_netbios_ns ip_conntrack_ftp"

Additional modules can be loaded by listing their names separated by spaces.

So the new iptables entry will look like this

-A INPUT -p tcp -m tcp -s 0/0 -d 0/0 --dport 21 -j ACCEPT

Here you specify only the control connection in iptables; the data connection is opened on demand by the ip_conntrack_ftp module. The helper marks the expected data connection as RELATED, so the INPUT chain must also contain a rule accepting ESTABLISHED,RELATED traffic for that connection to pass.
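The following shell script is an added example, not part of the original post: it prints the conntrack-based ruleset in /etc/sysconfig/iptables format (control port plus the ESTABLISHED,RELATED rule that lets the helper's data connections through), audits a ruleset for the "open all high ports" shortcut shown earlier, and picks the helper module name, since newer kernels call it nf_conntrack_ftp rather than ip_conntrack_ftp. The fallback to the page's module name when modinfo is unavailable is an assumption.

```shell
#!/bin/sh
# Added example (not the original page's script): generate and audit
# iptables rulesets for passive FTP behind a conntrack helper.

# Constructed copy of the "allow all high ports" ruleset from the post.
INSECURE_RULES='-A INPUT -p tcp -m tcp -s 0/0 -d 0/0 --dport 21 -j ACCEPT
-A INPUT -p tcp -m tcp -s 0/0 -d 0/0 --dport 1024: -j ACCEPT'

# Print the conntrack-based ruleset: default-deny INPUT, accept traffic
# that conntrack has already classified (the FTP helper tags the data
# connection RELATED), and accept only the control port 21 explicitly.
ftp_ruleset() {
    cat <<'EOF'
*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [0:0]
-A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
-A INPUT -p tcp -m tcp --dport 21 -j ACCEPT
COMMIT
EOF
}

# Return 0 when the ruleset read from stdin accepts an unbounded high-port
# range ("--dport 1024:"), i.e. the shortcut the post recommends against.
opens_all_high_ports() {
    grep -Eq -- '--dport[[:space:]]+1024:([[:space:]]|$).*-j[[:space:]]+ACCEPT'
}

# Choose the FTP helper module: nf_conntrack_ftp on current kernels,
# ip_conntrack_ftp on older ones. Falls back to the page's name when
# modinfo cannot tell us (assumption, e.g. on a host without modinfo).
ftp_helper_module() {
    for m in nf_conntrack_ftp ip_conntrack_ftp; do
        if modinfo "$m" >/dev/null 2>&1; then
            echo "$m"
            return 0
        fi
    done
    echo ip_conntrack_ftp
}
```

Run `ftp_ruleset > /etc/sysconfig/iptables` and `modprobe "$(ftp_helper_module)"` as root to apply; the audit function can be pointed at any saved ruleset with `opens_all_high_ports < file`.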
