
I am trying to set iptables so a CLIENT computer can use FTP/FTPS with passive mode.

I have already set the majority of rules by ufw - short extract (skipped listing of IPv6 and other rules for the sake of clarity):

Status: active
Logging: on (low)
Default: deny (incoming), deny (outgoing), deny (routed)
New profiles: skip

To                         Action      From
--                         ------      ----
20/tcp                     ALLOW OUT   Anywhere                   # FTP Data
21/tcp                     ALLOW OUT   Anywhere                   # FTP Command
22                         ALLOW OUT   Anywhere                   # FTPS
989                        ALLOW OUT   Anywhere                   # FTPS
21                         ALLOW OUT   Anywhere                   # FTP

When I add a rule by ufw:

sudo ufw allow out from any to any port 1025:65535 proto tcp comment "Ephemeral TCP"

Everything works well - a Client can connect to FTPS and list the dir tree + download files.
UFW rules are:

Status: active
Logging: on (low)
Default: deny (incoming), deny (outgoing), deny (routed)
New profiles: skip

To                         Action      From
--                         ------      ----
20/tcp                     ALLOW OUT   Anywhere                   # FTP Data
21/tcp                     ALLOW OUT   Anywhere                   # FTP Command
22                         ALLOW OUT   Anywhere                   # FTPS
989                        ALLOW OUT   Anywhere                   # FTPS
21                         ALLOW OUT   Anywhere                   # FTP
1025:65535/tcp             ALLOW OUT   Anywhere                    # Ephemeral TCP

but this rule:

1025:65535/tcp             ALLOW OUT   Anywhere                    # Ephemeral TCP

has the unwanted effect that any communication is allowed from a Client computer to any IP.

That's why I wanted to not use it as UFW rule but set iptables instead with this command:

sudo iptables -I OUTPUT 1 -m state --state ESTABLISHED -j ACCEPT

so only outgoing communication to the IP that was previously established is allowed.

So we have UFW rules as in the first listing - without

1025:65535/tcp             ALLOW OUT   Anywhere                    # Ephemeral TCP

and iptables listing

sudo iptables -L -n --line-numbers

that gives this output:

Chain OUTPUT (policy DROP)
num  target     prot opt source               destination         
1    ACCEPT     all  --  0.0.0.0/0            0.0.0.0/0            state ESTABLISHED
2    ufw-before-logging-output  all  --  0.0.0.0/0            0.0.0.0/0           
3    ufw-before-output  all  --  0.0.0.0/0            0.0.0.0/0           
4    ufw-after-output  all  --  0.0.0.0/0            0.0.0.0/0           
5    ufw-after-logging-output  all  --  0.0.0.0/0            0.0.0.0/0           
6    ufw-reject-output  all  --  0.0.0.0/0            0.0.0.0/0           
7    ufw-track-output  all  --  0.0.0.0/0            0.0.0.0/0

but this does not work: the FTPS client can reach the server but can't list the dir tree or download any files. The outgoing communication is blocked by UFW.

cat /var/log/syslog

gives output:

[UFW BLOCK] IN= OUT=wl0 SRC=192.xxx.xxx.xxx DST=215.xxx.xxx.xx LEN=60 TOS=0x00 PREC=0x00 TTL=64 ID=8271 DF PROTO=TCP SPT=43379 DPT=27918 WINDOW=29200 RES=0x00 SYN URGP=0

I tried to issue these commands after updating the rules of the OUTPUT chain in iptables:

sudo iptables-save #echoes all rules, seems not to have a problem
sudo iptables-restore #hangs up, needs termination with CTRL+C

but it made no difference.

and:

sudo iptables-apply

gives this error:

Error: rulesfile not readable: /etc/network/iptables.up.rules

Some questions:

  1. Why does adding an ESTABLISHED rule to the OUTPUT chain in iptables not make any difference, whereas adding a rule to UFW helps?

  2. How to add a rule to iptables so it is allowed to connect to an FTP/FTPS server on an ephemeral TCP port, but only if the connection is preceded by another one to the same IP?

  3. How to apply a new rule set in iptables so it is persistent and loaded on boot, the same as UFW rules are?

  4. In general - is it a good idea to use UFW with iptables, or should I simply uninstall UFW and use just iptables instead? I would rather rewrite all UFW rules to iptables if that makes life simpler and is good practice, rather than try to combine the usage of these tools.

Jimmix
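To see what the syslog line in the question actually says, here is an added triage script (not part of the original question) that parses [UFW BLOCK] lines the way a defender would when debugging a firewall rule. The point it makes visible: the blocked packet is a bare SYN (no ACK) to a high port, which conntrack classifies as NEW, and a `--state ESTABLISHED` rule only ever matches packets of a connection whose handshake already completed. The three sample lines are constructed in the same format as the quoted one, using documentation addresses rather than real hosts; no real iptables state is touched.

```shell
#!/bin/sh
# Added example, not from the original question: triage of [UFW BLOCK]
# syslog lines. The sample lines below are constructed (documentation
# addresses, not real hosts) in the same format as the line in the question.

# Return one KEY=VALUE field from a UFW log line; empty if the key is absent
# or has no value (e.g. "IN=" on an outbound packet).
ufw_field() {
    printf '%s\n' "$1" | tr ' ' '\n' | sed -n "s/^$2=//p" | head -n 1
}

# Classify a blocked packet:
#   new-connection : outbound TCP, SYN without ACK, destination port >= 1025
#                    -> conntrack state NEW; only a NEW- or RELATED-matching
#                       rule (a ufw port rule, or a conntrack helper) can
#                       accept it, never an ESTABLISHED-only rule
#   established    : outbound TCP mid-connection packet (ACK set); this is
#                    the kind of packet an ESTABLISHED rule would accept
#   other          : inbound, non-TCP, or not a UFW block line at all
classify_ufw_block() {
    line=$1
    case $line in
        *"[UFW BLOCK]"*) ;;
        *) echo other; return 0 ;;
    esac
    out=$(ufw_field "$line" OUT)
    proto=$(ufw_field "$line" PROTO)
    dpt=$(ufw_field "$line" DPT)
    if [ -z "$out" ] || [ "$proto" != TCP ] || [ -z "$dpt" ]; then
        echo other; return 0
    fi
    syn=0; ack=0
    case " $line " in *" SYN "*) syn=1 ;; esac
    case " $line " in *" ACK "*) ack=1 ;; esac
    if [ "$syn" -eq 1 ] && [ "$ack" -eq 0 ] && [ "$dpt" -ge 1025 ]; then
        echo new-connection
    else
        echo established
    fi
}

# Read log lines on stdin and print "<class> SRC -> DST:DPT" for every
# outbound TCP block, so the pattern (one NEW SYN per listing or download,
# each to a different high port on the same server) is visible at a glance.
summarise_ufw_blocks() {
    while IFS= read -r l; do
        c=$(classify_ufw_block "$l")
        if [ "$c" != other ]; then
            printf '%s %s -> %s:%s\n' "$c" "$(ufw_field "$l" SRC)" \
                "$(ufw_field "$l" DST)" "$(ufw_field "$l" DPT)"
        fi
    done
}

# Constructed sample lines (same field layout as the question's log line).
SAMPLE_DATA_SYN='[UFW BLOCK] IN= OUT=wl0 SRC=192.0.2.10 DST=203.0.113.25 LEN=60 TOS=0x00 PREC=0x00 TTL=64 ID=8271 DF PROTO=TCP SPT=43379 DPT=27918 WINDOW=29200 RES=0x00 SYN URGP=0'
SAMPLE_CTRL_ACK='[UFW BLOCK] IN= OUT=wl0 SRC=192.0.2.10 DST=203.0.113.25 LEN=52 TOS=0x00 PREC=0x00 TTL=64 ID=8272 DF PROTO=TCP SPT=51022 DPT=21 WINDOW=229 RES=0x00 ACK URGP=0'
SAMPLE_INBOUND='[UFW BLOCK] IN=wl0 OUT= SRC=198.51.100.7 DST=192.0.2.10 LEN=40 TOS=0x00 PREC=0x00 TTL=52 ID=0 DF PROTO=TCP SPT=443 DPT=51023 WINDOW=0 RES=0x00 RST URGP=0'

# Stand-alone run: the first line is reported as new-connection, which is
# exactly the case the ESTABLISHED rule in OUTPUT can never match.
printf '%s\n' "$SAMPLE_DATA_SYN" "$SAMPLE_CTRL_ACK" "$SAMPLE_INBOUND" | summarise_ufw_blocks
```

On a real client you would feed it with `grep 'UFW BLOCK' /var/log/syslog | summarise_ufw_blocks`; every passive-mode transfer shows up as one new-connection entry to a fresh high port on the server, which is the traffic the 1025:65535 ufw rule was allowing for every destination.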

1 Answer

FTP passive mode needs connections to ephemeral ports on the FTP server since the actual data transfer is done over different TCP connections.

You could try with some FTP helper (ip_conntrack_ftp) which inspects the FTP control channel and extracts the ports to only open these connections. But this will usually not work with implicit FTPS (port 990) since the control channel is encrypted. And while explicit FTPS (port 21) supports encrypting the control channel only for authentication, not all FTP clients support this behavior - which again makes the use of an FTP helper impossible.

In short: don't use FTP. It is a terrible protocol if NAT or firewalls are involved. Use SFTP instead (i.e. file transfer over SSH) which is a completely different protocol and only needs a single port (22) too.

Steffen Ullrich
  • I'm using (currently) explicit TLS in FTPS. Unluckily I'm not able to make a choice whether to use FTP(S) or not since it is defined at the server, out of my control. I'm far away from using the FTP itself. In the majority of cases, from a CLIENT point of view you aren't the decision maker about the use of FTP or not at the server, so you either bend your system the way you'll download data or you'll end up not having the data. I will try the FTP helper and let you know if it helped. – Jimmix May 08 '19 at 15:11
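For the FTP helper route the answer mentions (and questions 2 and 3 above), here is an added example, not the answer author's code, that generates the client-side rule lines for ufw's own rule files, so the passive data connection is accepted as RELATED to the control connection towards one server only, rather than opening 1025:65535/tcp to every host, and so the rules survive `ufw reload` and a reboot (ufw does not persist rules added with a bare `iptables -I`). Assumptions: the server address is passed as the function argument (the value used below is a documentation address); the kernel has nf_conntrack_ftp and iptables has the CT target and helper match; IPT_MODULES in /etc/default/ufw names nf_conntrack_ftp so the module is loaded before the rules; and the control channel is readable by the helper, which as the answer says is not the case once explicit or implicit FTPS encrypts it.

```shell
#!/bin/sh
# Added example, not from the original post: rule generator for the FTP
# conntrack-helper approach, in the format of ufw's /etc/ufw/before.rules.
# Nothing is applied here; the functions only print the lines to add.
# Assumptions: server IP is $1; nf_conntrack_ftp is available and loaded via
# IPT_MODULES="nf_conntrack_ftp" in /etc/default/ufw; the FTP control
# channel is plaintext, otherwise the helper never sees the PASV reply.

# Lines to insert into the existing *filter section of /etc/ufw/before.rules
# (before its COMMIT). ufw's stock before.rules already accepts
# RELATED,ESTABLISHED in ufw-before-output, which is why an extra
# ESTABLISHED rule in OUTPUT changed nothing: the data SYN is NEW, and the
# missing piece is a helper that makes conntrack mark it RELATED.
ftp_client_filter_rules() {
    server=$1
    [ -n "$server" ] || { echo 'usage: ftp_client_filter_rules <server-ip>' >&2; return 1; }
    cat <<EOF
# FTP control channel to $server only (NEW is needed for the first SYN)
-A ufw-before-output -p tcp -d $server --dport 21 -m conntrack --ctstate NEW -j ACCEPT
# Passive data channel: a NEW TCP connection that conntrack marks RELATED
# because the ftp helper parsed the PASV reply on the control channel.
# Bound to the same server, so no other destination gains a high-port allowance.
-A ufw-before-output -p tcp -d $server -m conntrack --ctstate RELATED -m helper --helper ftp -j ACCEPT
EOF
}

# Section to append to /etc/ufw/before.rules. Since Linux 4.7 conntrack
# helpers are not attached automatically, so the control connection is
# tagged with the ftp helper in the raw table.
ftp_client_raw_section() {
    server=$1
    [ -n "$server" ] || { echo 'usage: ftp_client_raw_section <server-ip>' >&2; return 1; }
    cat <<EOF
*raw
:OUTPUT ACCEPT [0:0]
-A OUTPUT -p tcp -d $server --dport 21 -j CT --helper ftp
COMMIT
EOF
}

# Stand-alone run with a constructed documentation address.
SERVER_IP=203.0.113.25
ftp_client_filter_rules "$SERVER_IP"
ftp_client_raw_section "$SERVER_IP"
```

After editing before.rules, `sudo ufw reload` applies both sections, and the ufw status listing keeps only the 20/tcp and 21/tcp rules from the question's first listing; the blanket 1025:65535/tcp rule is no longer needed. If the syslog still shows new-connection blocks to high ports on the server, the helper did not see the PASV reply, which with explicit FTPS means the control channel was already encrypted at that point, and the answer's conclusion applies.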