Iptables – How to learn Remote FTP Server ‘s Passive Port Range

ftpiptablesnf-conntrackvsftpd

Is there any way to learn the port range of "Passive" FTP Server which is not in my authority. It is possible to set the range within configuration file. For example within vsftpd.conf :

pasv_min_port=25000
pasv_max_port=25500
#pasv_min_port=0
#pasv_max_port=0 (any port)

Since I want to apply a very restricted OUTPUT firewall (iptables) on my Linux Terminal Server, i need to know remote server's port range. Is FTP supports expose of port-range information, that clients can use of?

I am also open for any other possible solutions except the following one where i assume the server IP address as 10.1.1.1 :

-A OUTPUT -d 10.1.1.1 -j ACCEPT

Thanks for your interest…

Regards

EDIT

Thanks for @aaron-copley, @martin-prikryl, @user3590719

Answer for main question, FTP doesn't expose passive port range to the clients.

Solution of need is loading netfilter connection tracking module for FTP.

ip_conntrack_ftp (Module alias for CentOS/Red Hat : nf_conntrack_ftp)

Working example config for Red Hat 7:

/etc/sysconfig/iptables-config

IPTABLES_MODULES="nf_conntrack_ftp"

iptables rules

-A OUTPUT -o lo -j ACCEPT
-A OUTPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
-A OUTPUT -d 10.1.1.1/32 -p tcp -m tcp --dport 21 -j ACCEPT
-A OUTPUT -j DROP

Finally, manualy load module or restart iptables.service.

Best Answer

The passive port range is not publicly announced by an FTP server.

All you can do is to automate parallel transfers of many files to/from the server and deduce the range from the ports used for these transfers.

Related Solutions

Iptables – Flushing iptables on ubuntu

If the default policy for the chains is DENY then all connections will be cut since there's no longer any way to communicate via TCP/IP. Set the default policies to ACCEPT before flushing, and then back to DENY after re-establishing the rules.

Iptables – ftp tls firewalled :(

In Passive mode, when the client wants to get a file from the server or send a file to the server, the FTP server will pick a random port and send that port to the FTP client.

When you're not using encryption, a properly configured firewall (using the ip_conntrack_ftp helper kernel module, which may be what you're missing for non-TLS connections) would "listen in" on the connection and mark these connections as RELATED. With encryption the firewall can't listen in.

The quick and dirty solution to this is to configure the FTP server to choose a small range of ports for passive connections, and then allow access to all of these ports. For instance, in vsftpd:

pasv_min_port=12000
pasv_max_port=12049

Then in iptables:

iptables -A INPUT -p tcp -m tcp -i eth0 --dport 12000:12049 -j ACCEPT

Allowing anyone to access these ports opens one possible exploit: if someone were to be scanning them over and over they might get lucky and be able to "beat" the real user to the data port and grab the file. Ideally your FTP server would check and make sure the connection is coming from the same place as the original connection, but thanks to things like "FXP" (transferring files from one server to another server by convincing one to make an active connection to the other's passive data port) some servers don't check the connection by default. You should check your configuration file and see if there is an option to disable FXP, and use it. (vsftpd calls this "promiscuous" and is disabled by default.)

Related Topic