FTP Passive thru DDWRT w/IPtables and special sauce

Author Message
securedparty
DD-WRT Novice


Joined: 07 Dec 2017
Posts: 17

PostPosted: Fri Jan 28, 2022 14:33    Post subject: FTP Passive thru DDWRT w/IPtables and special sauce
I want to share a very special configuration that took me a lot of trial and error to finally figure out.

This is a configuration for an FTP server using passive-mode FTP on non-standard ports.

This isn't exactly verbatim what I have. I just put <FTP_IP> in the places where an IP address is used.

The idea is to permit incoming port 21000 through the firewall, but translate it to 2100. The FTP server uses ports 21001 through 21021 for passive FTP connections. The FTP server itself on the LAN side uses 2100; outside connections use 21000.

I wanted to create an FTP server that would have absolutely NO OTHER traffic go to the outside world.

Code:
#ALLOW [FTP] INCOMING TRAFFIC.
# NAT: WAN :21000 -> <FTP_IP>:2100 (control), WAN :21001-21021 -> <FTP_IP> (passive data, port unchanged)
iptables -I PREROUTING 1 -t nat -p tcp --dport 21000 -j DNAT --to <FTP_IP>:2100
iptables -I PREROUTING 1 -t nat -p tcp --dport 21001:21021 -j DNAT --to <FTP_IP>
# Filter: inbound to the server on the translated control port and the passive range
iptables -I FORWARD 1 -p tcp -d <FTP_IP> --dport 2100 -j ACCEPT #logaccept
iptables -I FORWARD 1 -p tcp -d <FTP_IP> --dport 21001:21021 -j ACCEPT #logaccept
# Filter: replies from the server on those same ports (matched by source port, not connection state)
iptables -I FORWARD 1 -p tcp -s <FTP_IP> --sport 2100 -j ACCEPT #logaccept
iptables -I FORWARD 1 -p tcp -s <FTP_IP> --sport 21001:21021 -j ACCEPT #logaccept


#BLOCK ALL OTHER OUTGOING TRAFFIC.
# Position 9 only exists if FORWARD already holds at least 8 rules; iptables rejects an index past the end of the chain.
iptables -I FORWARD 9 -s <FTP_IP> -j DROP #logdrop


Break downs...

Code:
iptables -I PREROUTING 1 -t nat -p tcp --dport 21000 -j DNAT --to <FTP_IP>:2100

Insert PREROUTING, rule chain number "1", using NAT, protocol TCP, destination port 21000, jump the Destination NAT to the Local IP address of FTP server on port 2100.

Outside connections use WAN ip address, target port 21000, then translates to local IP of FTP server on port 2100.

Code:
iptables -I PREROUTING 1 -t nat -p tcp --dport 21001:21021 -j DNAT --to <FTP_IP>

Insert PREROUTING, (same) rule chain number "1", using NAT, protocol TCP, destination port 21001 thru 21021, jump the Destination NAT to the Local IP address of FTP server.

Outside connections will have passive ports 21001 to 21021 passed on to the local IP address of the FTP server.

Code:
iptables -I FORWARD 1 -p tcp -d <FTP_IP> --dport 2100 -j ACCEPT #logaccept

Explicitly allows the FTP server, which is on the local network, to be the destination of a connection made from the outside on port 2100.

Code:
iptables -I FORWARD 1 -p tcp -d <FTP_IP> --dport 21001:21021 -j ACCEPT #logaccept

Explicitly allows the FTP server, which is on the local network, to be the destination of a connection made from the outside on ports 21001 through 21021.

Code:
iptables -I FORWARD 1 -p tcp -s <FTP_IP> --sport 2100 -j ACCEPT #logaccept

Explicitly allows the FTP server, which is on the local network, to be the source of a connection, allowing a connection to the outside world, on port 2100.

Code:
iptables -I FORWARD 1 -p tcp -s <FTP_IP> --sport 21001:21021 -j ACCEPT #logaccept

Explicitly allows the FTP server, which is on the local network, to be the source of a connection, allowing a connection to the outside world, on ports 21001 through 21021.


Code:
#BLOCK ALL OTHER OUTGOING TRAFFIC.
iptables -I FORWARD 9 -s <FTP_IP> -j DROP #logdrop

Input type FORWARD (going through the local gateway), rule chain number "9" (which is later than all of the above), source is <FTP_IP>, jump to DROP, thereby discarding the packet with no reply from the router on the fate of these outgoing connections.



So what you have is an IPtables ruleset for DDWRT that allows an FTP server to receive a connection from the outside world on port 21000, converting it to port 2100 transparently to the FTP client. The connections allowed are explicit, with ALL OTHER traffic from or to <FTP_IP> ignored and dropped.

This is a fairly plain allowance. One quirky thing with IPtables in DDWRT that I experienced was that if I used high rule numbers for chains (usually above 9), things would misbehave badly.

One other quirky oddity is that, since the FTP server itself was not allowed to connect out for other reasons, I had to set the WAN_IP that the FTP server used to a manual number. This means any time my WAN IP changes, I need to update the FTP server. Automatic retrieval of the WAN IP is not possible, as any connections not related to the desired FTP operations are dropped, which includes the FTP server's ability to connect out and determine the WAN IP.

So I kept the rule chains to "1" and ending with "9" where all other unspecified connections were dropped.

I hope some folks find this helpful. I am by no means an expert, but rather a motivated amateur in this instance. Wanted to share, so others could have the same success I did.
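The same forwarding and lock-down, written as an added example that is not code from the post above: a parameterised function for the DD-WRT firewall script that emits the iptables commands for a passive-only FTP server. It differs from the posted rules in three ways a practitioner would want: rules are appended (-A) to a dedicated sub-chain instead of inserted at numeric positions, so nothing depends on how many rules the GUI already put in FORWARD; the DNAT rules are limited to the WAN interface, so LAN clients hitting the router on those ports are not silently redirected; and return traffic is matched by connection state instead of source port. The chain name FTPSRV, the WAN interface name passed as the last argument (for example vlan2 or eth0) and the sample addresses are assumptions, not values from the post.

```shell
#!/bin/sh
# Added example (not from the original post). Emits iptables commands for a
# passive-only FTP server behind a DD-WRT router. The chain name FTPSRV and the
# WAN interface argument are assumed placeholders.
# Usage: ftp_rules <ftp_ip> <public_port> <lan_port> <pasv_lo> <pasv_hi> <wan_if>

# Accept only a decimal TCP port in 1..65535.
is_port() {
    case "$1" in
        ''|*[!0-9]*) return 1 ;;
    esac
    [ "$1" -ge 1 ] && [ "$1" -le 65535 ]
}

ftp_rules() {
    ftp_ip=$1 pub_port=$2 lan_port=$3 pasv_lo=$4 pasv_hi=$5 wan_if=$6
    if [ -z "$ftp_ip" ] || [ -z "$wan_if" ]; then
        echo "usage: ftp_rules <ftp_ip> <public_port> <lan_port> <pasv_lo> <pasv_hi> <wan_if>" >&2
        return 1
    fi
    for p in "$pub_port" "$lan_port" "$pasv_lo" "$pasv_hi"; do
        is_port "$p" || { echo "bad port: $p" >&2; return 1; }
    done
    [ "$pasv_lo" -le "$pasv_hi" ] || { echo "passive range is reversed" >&2; return 1; }
    # The public control port must not sit inside the passive range, otherwise
    # the two DNAT rules overlap and the first one wins silently.
    if [ "$pub_port" -ge "$pasv_lo" ] && [ "$pub_port" -le "$pasv_hi" ]; then
        echo "public port $pub_port overlaps passive range $pasv_lo-$pasv_hi" >&2
        return 1
    fi
    cat <<EOF
# NAT: WAN :$pub_port -> $ftp_ip:$lan_port (control); WAN :$pasv_lo-$pasv_hi -> $ftp_ip (passive data, port unchanged)
iptables -t nat -A PREROUTING -i $wan_if -p tcp --dport $pub_port -j DNAT --to-destination $ftp_ip:$lan_port
iptables -t nat -A PREROUTING -i $wan_if -p tcp --dport $pasv_lo:$pasv_hi -j DNAT --to-destination $ftp_ip
# Filter: every forwarded packet to or from the server is handled in its own chain
iptables -N FTPSRV 2>/dev/null || iptables -F FTPSRV
iptables -D FORWARD -s $ftp_ip -j FTPSRV 2>/dev/null
iptables -D FORWARD -d $ftp_ip -j FTPSRV 2>/dev/null
iptables -I FORWARD 1 -s $ftp_ip -j FTPSRV
iptables -I FORWARD 1 -d $ftp_ip -j FTPSRV
# Replies to accepted connections, in either direction
iptables -A FTPSRV -m state --state ESTABLISHED,RELATED -j ACCEPT
# New connections are allowed only to the control port and the passive range
iptables -A FTPSRV -p tcp -d $ftp_ip --dport $lan_port -m state --state NEW -j ACCEPT
iptables -A FTPSRV -p tcp -d $ftp_ip --dport $pasv_lo:$pasv_hi -m state --state NEW -j ACCEPT
# The server may not open anything else; other inbound traffic falls back to the normal chain policy
iptables -A FTPSRV -s $ftp_ip -j DROP
iptables -A FTPSRV -j RETURN
EOF
}

# When run stand-alone with six arguments, print the rule set (pipe to sh to apply).
if [ $# -eq 6 ]; then
    ftp_rules "$@"
fi
```

Run it once to review the output, then apply with `ftp_rules 192.168.1.50 21000 2100 21001 21021 vlan2 | sh` from the firewall script. The `-D` before each `-I` keeps the script idempotent across firewall restarts, and because the passive range is explicit on both the server and the router, no FTP connection-tracking helper is needed. The lock-down still applies only to forwarded traffic, so, as in the original post, the server cannot learn its public address on its own.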
the-joker
DD-WRT Developer/Maintainer


Joined: 31 Jul 2021
Posts: 840
Location: All over YOUR webs

PostPosted: Wed Apr 06, 2022 14:14    Post subject:
Thanks for the share.
egc
DD-WRT Guru


Joined: 18 Mar 2014
Posts: 9607
Location: Netherlands

PostPosted: Wed Apr 06, 2022 14:28    Post subject:
Thanks for sharing.

I use the GUI to port forward (you need to port forward for FTP and also port forward a range for SFTP, the same range you define in your FTP program)

Note that using line numbers for ip rules is not recommended as they are not fixed so it is totally unreliable.

Furthermore anything which is not allowed is dropped by default so an extra drop rule should not be necessary.
