Iptables – Is it safe to open all UDP ports range

firewalliptables

I've setted some main ports – 20, 21, 22, 23, 53, 80, 443 for incoming and outgoing TCP connections.

If i want to connect from inside my server to another ftp server, it uses random UDP port in range 30000-60000.
So i decided to make an iptables rule:

iptables -A INPUT -p udp -m multiport --dports 1:65535 -j ACCEPT

Generally, is it safe to leave this rule? Is there any type of attacks to UDP port? Thank you.

Best Answer

FTP is using TCP exclusively. Your ftp server might use UDP to resolve ip addresses. If you are using conntrack for accepting related packets You don't need additional rules for any UPD packets (incoming DNS reply will by accepted by --state RELATED rule in your firewall).

Having said that FTP in passive mode requires establishing a TCP connection to additional port on the server. In most ftp servers You can set, a range used for that. I suggest using some random range higher ports eg. 50000-56000 (mayby outside of local port range defined in sysctl net.ipv4.ip_local_port_range). Some firewalls can snoop on ftp control connections (port 21) and open ports accordingly but You should use encryption for all Your control connections and this defeats those firewall mechanisms.

You could tighten those ports by adding -m owner --uid-owner 0 so only root can accept those connections.

TL;DR

No You don't need UDP for FTP, but You need to define a range of TCP ports if You don't want to accept all incoming TCP connections on ports > 1024.

Related Solutions

Iptables – ftp tls firewalled :(

In Passive mode, when the client wants to get a file from the server or send a file to the server, the FTP server will pick a random port and send that port to the FTP client.

When you're not using encryption, a properly configured firewall (using the ip_conntrack_ftp helper kernel module, which may be what you're missing for non-TLS connections) would "listen in" on the connection and mark these connections as RELATED. With encryption the firewall can't listen in.

The quick and dirty solution to this is to configure the FTP server to choose a small range of ports for passive connections, and then allow access to all of these ports. For instance, in vsftpd:

pasv_min_port=12000
pasv_max_port=12049

Then in iptables:

iptables -A INPUT -p tcp -m tcp -i eth0 --dport 12000:12049 -j ACCEPT

Allowing anyone to access these ports opens one possible exploit: if someone were to be scanning them over and over they might get lucky and be able to "beat" the real user to the data port and grab the file. Ideally your FTP server would check and make sure the connection is coming from the same place as the original connection, but thanks to things like "FXP" (transferring files from one server to another server by convincing one to make an active connection to the other's passive data port) some servers don't check the connection by default. You should check your configuration file and see if there is an option to disable FXP, and use it. (vsftpd calls this "promiscuous" and is disabled by default.)

Iptables – Firewall still blocking port 53 despite listing otherwise

I notice that zero packets have actually reached your iptables ACCEPT rules for DNS. I think it is likely that your iptables rules are specifying an inconsistent combination of conditions that never match incoming DNS queries.

In your case, your DNS ACCEPT rules specify that the incoming interface must be eth1, and the destination IP address must resolve to ns.node1.com. You should check whether incoming DNS queries to ns.node1.com can ever arrive over the eth1 network interface.

Another possibility is that you have another packet filter somewhere between your test client and your server that is blocking DNS packets.

Best Answer

Related Solutions

Iptables – ftp tls firewalled :(

Iptables – Firewall still blocking port 53 despite listing otherwise

Related Topic