# IPtables problem

## norwayi

Hello,

I have a big problem with my FTP server. 

When I insert my firewall rules, I cannot write to the folder I access using FTP. I cannot understand why?!!

Here is my firewall script:

```sh
#!/bin/sh

ipt="/sbin/iptables"

$ipt -A INPUT -d 127.0.0.1 -j ACCEPT

# FTP
$ipt -A INPUT -p tcp --dport 21 -j ACCEPT
$ipt -A INPUT -p tcp --dport 20 -j ACCEPT

# DROP SYN
$ipt -A INPUT -p tcp --syn -j DROP
```

My permissions are fine: the user and the group is allowed to write and read the folder.

If I apply my firewall script, I cannot even list my existing files in that FTP account. After I flush the firewall, I can even write files to that directory.

Why is this happening?

----------

## norwayi

One more thing:

This FTP server is behind a router (port forwarding activated, of course), but even if I activate the firewall and try to access the server locally (like ftp://192.168.1.2) it does the same thing.

----------

## makism

I think the last rule ($ipt -A INPUT -p tcp --syn -j DROP) is bogus.

Every connection (TCP?) is created (if I remember correctly) this way:

client  -- (syn) --> server

server -- (syn/ack) --> client

client -- (ack) --> server

so...  :Wink: 

maybe you mean something like this:

```
... -A INPUT -p tcp ! --syn ...
```

best luck!

----------

## norwayi

*makism wrote:*

> i think the last rule ($ipt -A INPUT -p tcp --syn -j DROP) is bogus.
> 
> every connection (tcp ?) is created (if i rember correctly) this way:
> 
> client  -- (syn) --> server
> ...

How come? Iptables reads the rules in the created order. So, on the FTP ports it will accept any connections before dropping the SYN.

----------

## vaguy02

You are correct, the order would match the FTP first. 

My question is, what does your OUTPUT table look like? Do you have default 'Accept' or 'Reject' or 'Drop'?

----------

## makism

Hm.. my bad. I didn't take the order into consideration >.<

----------

## norwayi

*vaguy02 wrote:*

> You are correct, the order would match the FTP first. 
> 
> My question is, What does your output table look like? Do you have default 'Accept' or 'Reject' or 'Drop'?


The OUTPUT chain is on ACCEPT.

----------

## Hu

Your match for loopback traffic is incomplete.  Use -i lo instead of -d 127.0.0.1.

Although effective, a simplistic drop of SYN frames is a fairly crude way to block most incoming connections.  It is preferable to use the conntrack module to DROP NEW packets if you want to block incoming connections.

Please show the full set of firewall rules and a packet capture taken when the FTP attempt fails.  Better yet, stop using FTP and switch to sftp.

----------

## norwayi

*Hu wrote:*

> Your match for loopback traffic is incomplete.  Use -i lo instead of -d 127.0.0.1.
> 
> Although effective, a simplistic drop of SYN frames is a fairly crude way to block most incoming connections.  It is preferable to use the conntrack module to DROP NEW packets if you want to block incoming connections.
> 
> Please show the full set of firewall rules and a packet capture taken when the FTP attempt fails.  Better yet, stop using FTP and switch to sftp.


Hu,

Thanks for the reply. Can you give me the command for using conntrack? And also, can you give me the full package name of the sftp server?

----------

## norwayi

Ok, I solved the problem.

In the proftpd conf file a number of passive ports are specified.

I opened them from iptables and everything is working now.

----------

## norwayi

Hu,

I'm very curious how I can DROP the SYNs with conntrack.

As far as I remember, nf_conntrack is a NAT module in iptables.

----------

## Hu

sftp is part of net-misc/openssh.

Use conntrack by adding -m conntrack --ctstate NEW -j DROP to your iptables rule.  You will need support for conntrack in the kernel.  See man iptables for full usage information.
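Added example (editor's code, not norwayi's script and not code posted by Hu): the original firewall script rebuilt around the three points made in this thread, namely `-i lo` instead of `-d 127.0.0.1`, the passive-port range from proftpd.conf that norwayi found was missing, and `-m conntrack --ctstate NEW -j DROP` in place of the bare SYN drop. The rules are generated as text first so they can be reviewed, and iptables is only invoked when `IPT` points at the real binary. The passive range 49152-49200 and the default `IPT` dry run are assumptions, not values from the thread.

```sh
#!/bin/sh
# Added example, not the thread's own script: a stateful replacement for norwayi's
# firewall script. Prints the rules first; only applies them when IPT is set to the
# real iptables binary.
# Assumptions (placeholders, not from the thread): proftpd's PassivePorts range is
# 49152-49200, the FTP control port is 21, and the INPUT policy stays ACCEPT as in
# the original script, so the final NEW drop is what closes everything else.

PASV_RANGE="${PASV_RANGE:-49152:49200}"   # must match PassivePorts in proftpd.conf

# Emit the INPUT rules, one iptables argument list per line, in the order they apply.
ftp_rules() {
    range="$1"
    # Loopback matched by interface (Hu's point): 127.0.0.1 is not the only address
    # loopback traffic carries; connections to the host's own external IP use lo too.
    echo "-A INPUT -i lo -j ACCEPT"
    # Packets belonging to connections conntrack already knows about. This replaces
    # makism's '! --syn' idea and also covers UDP and ICMP, which have no SYN.
    echo "-A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT"
    # FTP control channel.
    echo "-A INPUT -p tcp --dport 21 -m conntrack --ctstate NEW -j ACCEPT"
    # Passive data channels: the client opens these, so without this rule the SYN for
    # every directory listing or upload is dropped, which is exactly the symptom above.
    echo "-A INPUT -p tcp --dport $range -m conntrack --ctstate NEW -j ACCEPT"
    # Anything else that tries to start a connection, whatever the protocol.
    echo "-A INPUT -m conntrack --ctstate NEW -j DROP"
}

# Number of rules emitted, as a quick sanity check.
count_rules() {
    ftp_rules "$1" | wc -l | tr -d ' '
}

# Run every rule through $IPT. The default is a dry run that only echoes the
# command line; set IPT=/sbin/iptables to apply for real (needs root).
apply_rules() {
    IPT="${IPT:-echo /sbin/iptables}"
    ftp_rules "$PASV_RANGE" | while IFS= read -r rule; do
        # word splitting of $rule into separate arguments is intended here
        # shellcheck disable=SC2086
        $IPT $rule
    done
}

apply_rules
```

The original `--dport 20` rule is gone on purpose: in active mode the server itself opens the data connection from port 20, and the replies to it match `ESTABLISHED`, so nothing needs to be accepted as `NEW` on that port. Passive mode is the opposite case, which is why the listing failed until the passive range was opened.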

----------

## norwayi

*Hu wrote:*

> sftp is part of net-misc/openssh.
> 
> Use conntrack by adding -m conntrack --ctstate NEW -j DROP to your iptables rule.  You will need support for conntrack in the kernel.  See man iptables for full usage information.


Thank you Hu.

One more thing. I don't understand WHY it is better to use conntrack to drop new connections than using a simple drop syn. Where are the advantages?

----------

## Hu

For TCP, I suppose you could call it a style issue.  Where it really starts to matter is that conntrack can block unwanted virtual circuits in connectionless protocols.  Since it tracks what packets are expected for each tracked connection, it can identify attempted connections despite the lack of protocol support for indicating a connection is new.
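Added example (editor's code, not from Hu or anyone in the thread) illustrating the connectionless case Hu describes: for UDP there is no SYN to match, so `--syn` cannot express "new connection" at all, and only the state conntrack keeps can separate a reply this host asked for from an unsolicited datagram. The block pairs the two UDP rules with a small model of the conntrack table so the classification can be followed by hand. The scenario is assumed: the host is a DNS client of 192.0.2.53 (a documentation address used as a placeholder) and runs no UDP service of its own.

```sh
#!/bin/sh
# Added example, not the thread's own code: why '--syn' cannot express "new
# connection" for a connectionless protocol, shown with a tiny model of what
# conntrack does for UDP. Assumed scenario (placeholder addresses): this host is a
# DNS client of 192.0.2.53 and offers no UDP service.

# The INPUT rules for UDP. iptables rejects '--syn' together with '-p udp', so the
# only way to tell a reply from an unsolicited datagram is conntrack's state.
udp_rules() {
    echo "-A INPUT -p udp -m conntrack --ctstate ESTABLISHED -j ACCEPT"
    echo "-A INPUT -p udp -m conntrack --ctstate NEW -j DROP"
}

# Minimal model of the conntrack table: one line per expected reply, written as
# "proto src sport dst dport" from the point of view of the incoming packet.
CT_TABLE=""

# Called when this host sends a datagram; records the reply it is now entitled to.
ct_send() {   # proto src sport dst dport
    CT_TABLE="$CT_TABLE
$1 $4 $5 $2 $3"
}

# Classify an incoming datagram the way --ctstate would: ESTABLISHED if a tracked
# entry expects exactly this 5-tuple, NEW otherwise.
ct_state() {   # proto src sport dst dport
    if printf '%s\n' "$CT_TABLE" | grep -qxF "$1 $2 $3 $4 $5"; then
        echo ESTABLISHED
    else
        echo NEW
    fi
}

# Apply udp_rules to an incoming datagram and return the verdict.
udp_verdict() {   # proto src sport dst dport
    case "$(ct_state "$@")" in
        ESTABLISHED) echo ACCEPT ;;
        *)           echo DROP ;;
    esac
}

# Walk-through with constructed addresses: our query leaves, the genuine reply is
# accepted, and a datagram from some other host aimed at the same port is dropped.
ct_send udp 192.168.1.2 40001 192.0.2.53 53
udp_verdict udp 192.0.2.53 53 192.168.1.2 40001        # ACCEPT
udp_verdict udp 198.51.100.7 53 192.168.1.2 40001      # DROP
```

A SYN-based filter has only two choices for this traffic, accept all UDP or drop all UDP, because nothing in the datagram itself says whether it is a reply. The conntrack entry created when the query left is what lets the reply through while everything unsolicited stays `NEW`.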

----------

