Iptables related problem with filezilla

Need help with FileZilla Client? Something does not work as expected? In this forum you may find an answer.

Moderator: Project members

Post Reply
Message
Author
jejedu67
500 Command not understood
Posts: 4
Joined: 2020-05-05 11:30

Iptables related problem with filezilla

#1 Post by jejedu67 » 2020-05-05 11:38

Hello,

I want to add iptables rules on the server on which I connect to the FTP space via filezilla.

I always do it the following way and it works very well:

iptables -A INPUT -p tcp --dport 80 -s MYIP -j ACCEPT
iptables -A INPUT -p udp --dport 80 -s MYIP -j ACCEPT
iptables -A INPUT -p tcp --dport 80 -j DROP
iptables -A INPUT -p udp --dport 80 -j DROP

But when I add the ICMP rule, the connection via FTP becomes very slow whereas before it was immediate:

iptables -A INPUT -p icmp -s MYIP -j ACCEPT
iptables -A INPUT -p icmp -j DROP

Do you know why ?

I have a second problem with the FTP connection directly. I add the following rules:

iptables -A INPUT -p tcp --dport 21 -s MYIP -j ACCEPT
iptables -A INPUT -p udp --dport 21 -s MYIP -j ACCEPT
iptables -A INPUT -p tcp --dport 21 -j DROP
iptables -A INPUT -p udp --dport 21 -j DROP

iptables -A INPUT -p tcp --dport 22 -s MYIP -j ACCEPT
iptables -A INPUT -p udp --dport 22 -s MYIP -j ACCEPT
iptables -A INPUT -p tcp --dport 22 -j DROP
iptables -A INPUT -p udp --dport 22 -j DROP

and the FTP works (but slow connection because of the icmp rules).

But, if I add that:
iptables -A INPUT -p tcp -j DROP
iptables -A INPUT -p udp -j DROP

after the FTP connexion is blocked. I don't understand why, because I allow my IP on port 21 and 22.

I see that:
Réponse : fzSftp started, protocol_version=9
Commande : open "root@MyServerIP" 22
Erreur : Connection interrompue après 20 secondes d'inactivité
Erreur : Impossible d'établir une connexion au serveur
Statut : Attente avant nouvel essai...

I use the same system with the port 3306 and it works I can show and update my databases ...

Can you help me ?

Thank you

User avatar
botg
Site Admin
Posts: 32916
Joined: 2004-02-23 20:49
First name: Tim
Last name: Kosse
Contact:

Re: Iptables related problem with filezilla

#2 Post by botg » 2020-05-05 12:43

Don't block ICMP, it is a much needed protocol used for many useful things. It's completely benign and harmless. Why do you even want to block it?

jejedu67
500 Command not understood
Posts: 4
Joined: 2020-05-05 11:30

Re: Iptables related problem with filezilla

#3 Post by jejedu67 » 2020-05-05 13:27

Ok I remove my icmp rules, I only add
iptables -A INPUT -p icmp -j ACCEPT

But the second problem persists, I open port 21 and 22 for UDP and TCP for my IP address, and after

I add
iptables -A INPUT -p tcp --dport 21 -j DROP
iptables -A INPUT -p udp --dport 21 -j DROP
and
iptables -A INPUT -p tcp --dport 22 -j DROP
iptables -A INPUT -p udp --dport 22 -j DROP

at this time, the FTP connection is still working, proof that ports 21 and 22 are filtered correctly.

But after I add

iptables -A INPUT -p tcp -j DROP
iptables -A INPUT -p udp -j DROP

in order to close all other ports, and after I can't access via FTP ...

The problem is that I do the same for the 3306 ports (MYSQL) and it works after I add
iptables -A INPUT -p tcp -j DROP
iptables -A INPUT -p udp -j DROP
because before it, I allow the port 3306 for my IP adress.

But why it doesn't works for the port 22 ?

I see that filezilla use the port 53, because the connection is slow but remains possible, with the port 53 closed. I think that there are some other ports used ...

Thank you for the help

User avatar
boco
Contributor
Posts: 25109
Joined: 2006-05-01 03:28
Location: Germany

Re: Iptables related problem with filezilla

#4 Post by boco » 2020-05-05 14:04

First, port 22 is SFTP, which has nothing to do with FTP. SFTP (SSH2 subsystem) is a different service and needs a separate server software (or one supporting both FTP and SSH2).

Second, FTP uses a lot more ports than only port 21 for the data connections (hundreds to thousands of ports). That means, with only port 21 allowed, you won't be able to make any directory listings nor transfers. Unless configured in the server software, FTP can use all ports minus the first 1024 for data transfers.
FTP is not firewall-friendly as it was invented long before firewalls became the status quo.

Third, FTP uses only TCP. UDP is not used at all.


What's still odd is that, with 21 allowed, you should at least be able to make an initial connection to the server. Unless you have the occasional oddball FTP server doing reverse lookups (IDENT on port 113) and denying access if they fail.
### BEGIN SIGNATURE BLOCK ###
No support requests per PM! You will NOT get any reply!!!
FTP connection problems? Do yourself a favor and read Network Configuration.
FileZilla connection test: https://filezilla-project.org/conntest.php
### END SIGNATURE BLOCK ###

jejedu67
500 Command not understood
Posts: 4
Joined: 2020-05-05 11:30

Re: Iptables related problem with filezilla

#5 Post by jejedu67 » 2020-05-05 14:36

Ok thank you.

Yet I try that:

iptables -A INPUT -p tcp --dport 1:65535 -s MyIP -j ACCEPT
iptables -A INPUT -p tcp -j DROP
iptables -A INPUT -p udp -j DROP

and I have again the problem, I can't login to the FTP.

But the port 22, 80 and 3306 works, the only problem is FTP ...

Réponse : fzSftp started, protocol_version=9
Commande : open "root@MyServerIP" 22
Erreur : Connection interrompue après 20 secondes d'inactivité
Erreur : Impossible d'établir une connexion au serveur
Statut : Attente avant nouvel essai...

jejedu67
500 Command not understood
Posts: 4
Joined: 2020-05-05 11:30

Re: Iptables related problem with filezilla

#6 Post by jejedu67 » 2020-05-05 18:23

Hello,

I fixed the iptables problem.

Solution:

1) I activated the logs for all DROP packages by iptables.
2) I looked at what IP addresses are trying to access and what is the destination IP address, and what is the source port and the destination port.
3) I noticed that some packets have the source IP 127.0.0.1 and destination port named lo

Problème:
iptables -A INPUT -p tcp -j DROP
iptables -A INPUT -p udp -j DROP

It closes all ports.

I change it to:
iptables -A INPUT -i eth0 -p tcp -j DROP
iptables -A INPUT -i eth0 -p udp -j DROP

4) I note that the problem is not fixed. I showed again the dropped paquets.
5) I see that an IP by OVH try to access to my server each time that the FTP connection failed and that the host of this IP is cdns.ovh.net and that it always use the UDP protocol.
6) I add the rule:
iptables -A INPUT -p udp --dport 1:65535 -s IpByOvh -j ACCEPT
(it's not my IP adress and not the server IP adress)

And after that the problem is fixed :)

However, I find it strange that an internal IP address in OVH is trying to access my server in UDP and that if it does not succeed because of an iptables rule I cannot connect via FTP. It may be linked to an internal security system at OVH.

User avatar
botg
Site Admin
Posts: 32916
Joined: 2004-02-23 20:49
First name: Tim
Last name: Kosse
Contact:

Re: Iptables related problem with filezilla

#7 Post by botg » 2020-05-06 07:47

Port 53 is DNS, it shouldn't be blocked, it is very much needed for hostname resolution. DNS uses both TCP and UDP. Only the DNS server's port is 53, the clients port is the entire range.

Having said all that, never use DROP, always use REJECT. Tell the sender of a packet that it is rejected, that way it will give up immediately instead of patiently waiting for a reply that will never come.

Post Reply