Saturday 27 August 2016

Enable passive FTP on DD-WRT's ProFTPD with CT helpers

Most popular web browsers (Chrome, Microsoft Edge, Firefox) force passive FTP mode on the client side when connecting to an FTP server. This is a problem if you run ProFTPD on a DD-WRT router and want to reach it through the WAN port (from other locations). The main problem is NAT: in passive mode the server announces a second, high-numbered port for every data transfer, and a stateful firewall has no way of knowing that the incoming connection to that port belongs to the FTP session. Other firmware (Gargoyle and Tomato, for example) solves this by loading the nf_conntrack_ftp and nf_nat_ftp kernel modules, which used to attach the FTP helper automatically to every connection on port 21. Since kernel 3.5 that automatic helper assignment is deprecated; the recommended and more secure way is to assign the connection tracking helper (CT helper) explicitly with an iptables CT rule, so the helper only inspects the traffic you choose. The iptables rules below achieve what we want.

First of all, enable USB support, Storage support and Automatic Drive Mount (Services > USB).
Then enable ProFTPD (Services > NAS) without enabling WAN access (we will do that from the command line), add the mount point and create a user.
Finally, put these iptables rules in your firewall script (Administration > Commands > Save Firewall):

# Each rule is inserted with -I, so they end up at the top of the chain in
# reverse order: the rate-limit DROP is evaluated before the port 21 ACCEPT.
iptables -I INPUT -i `get_wanface` -p tcp --dport 20 -j ACCEPT
iptables -I INPUT -i `get_wanface` -p tcp --dport 21 -j ACCEPT
# passive data ports: only connections the FTP helper has marked RELATED, or
# that are already ESTABLISHED; unsolicited probes fall through and are dropped
iptables -I INPUT -i `get_wanface` -p tcp --dport 1024: -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
# more than 4 new connections to port 21 per source address per minute are dropped
iptables -I INPUT -i `get_wanface` -p tcp --dport 21 -m state --state NEW -m recent --set
iptables -I INPUT -i `get_wanface` -p tcp --dport 21 -m state --state NEW -m recent --update --seconds 60 --hitcount 4 -j DROP
iptables -I INPUT -m conntrack --ctstate RELATED -j ACCEPT
iptables -I INPUT -m helper --helper ftp -j ACCEPT
iptables -I OUTPUT -p tcp --sport 20 -j ACCEPT
iptables -I OUTPUT -p tcp --sport 21 -j ACCEPT
iptables -I OUTPUT -p tcp --sport 1024: -j ACCEPT
# assign the FTP helper to the control connection only: it parses the PORT/PASV
# exchange there and registers the announced data connection as RELATED
iptables -t raw -I PREROUTING -p tcp --dport 21 -j CT --helper ftp
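The same setup, rewritten as an added example (my own script, not code from this post, from DD-WRT or from ProFTPD). It goes a step further than the rules above: the FTP helper is assigned to the control port only, the data ports are accepted only for RELATED/ESTABLISHED connections and only inside the range ProFTPD announces in its PASV replies, and the rules live in their own chain so they read in the order they are evaluated. It assumes ProFTPD is configured with PassivePorts 50000 50100 (an example range; set PASV_LO/PASV_HI to match yours) and that your DD-WRT build lets you set that directive; get_wanface supplies the WAN interface name, and vlan2 is only a stand-in for dry runs on a machine that does not have it. Without APPLY=1 the script only prints the rules for review.

```shell
#!/bin/sh
# Added example, not code from the original post, from DD-WRT or from ProFTPD.
# Passive FTP through the WAN with an explicitly assigned CT helper:
#  - the helper is assigned to the control port (21) only,
#  - data ports are accepted only when RELATED/ESTABLISHED and only inside
#    ProFTPD's PassivePorts range (assumed here to be 50000-50100),
#  - the rules sit in their own chain, listed in evaluation order,
#  - rerunning the script replaces the rules instead of duplicating them.
# get_wanface is DD-WRT's tool for the WAN interface name; "vlan2" is only a
# stand-in for dry runs on a machine that does not have it.

# Return 0 if "$1-$2" is a sane TCP port range above the reserved ports.
valid_port_range() {
    [ -n "$1" ] && [ -n "$2" ] || return 1
    case "$1$2" in *[!0-9]*) return 1 ;; esac
    [ "$1" -ge 1024 ] && [ "$2" -le 65535 ] && [ "$1" -le "$2" ]
}

# Read proftpd.conf-style text on stdin and print "lo hi" from its PassivePorts
# line, so the firewall range can be checked against what the server actually
# announces in PASV replies. Fails if the directive is absent.
pasv_range_from_conf() {
    awk 'tolower($1) == "passiveports" { print $2, $3; found = 1 }
         END { exit !found }'
}

# Print the iptables commands for WAN interface $1 and passive range $2-$3.
ftp_rules() {
    wan=$1; lo=$2; hi=$3
    valid_port_range "$lo" "$hi" || { echo "bad passive range: $lo-$hi" >&2; return 1; }
    cat <<EOF
# load the FTP helper if it is a module (no-op when it is built into the kernel)
modprobe nf_conntrack_ftp 2>/dev/null || true
# assign the helper to the control connection only; it parses PORT/PASV there
# and registers the announced data connection as RELATED
iptables -t raw -D PREROUTING -i $wan -p tcp --dport 21 -j CT --helper ftp 2>/dev/null || true
iptables -t raw -I PREROUTING -i $wan -p tcp --dport 21 -j CT --helper ftp
# (re)create the chain so a second run does not duplicate rules
iptables -N ftp_wan 2>/dev/null || iptables -F ftp_wan
# at most 4 new control connections per source address per minute
iptables -A ftp_wan -p tcp --dport 21 -m conntrack --ctstate NEW -m recent --name ftp --update --seconds 60 --hitcount 4 -j DROP
iptables -A ftp_wan -p tcp --dport 21 -m conntrack --ctstate NEW -m recent --name ftp --set
iptables -A ftp_wan -p tcp --dport 21 -j ACCEPT
# passive data connections: PassivePorts range only, and only once the helper
# has marked them RELATED (or they are already ESTABLISHED)
iptables -A ftp_wan -p tcp --dport $lo:$hi -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
# anything else returns to the existing DD-WRT INPUT rules, which drop
# unsolicited WAN traffic
iptables -D INPUT -i $wan -p tcp -j ftp_wan 2>/dev/null || true
iptables -I INPUT -i $wan -p tcp -j ftp_wan
EOF
}

# Without APPLY=1 the rules are only printed; with it they are executed.
ftp_rules_main() {
    wan=$(get_wanface 2>/dev/null || echo vlan2)
    rules=$(ftp_rules "$wan" "${PASV_LO:-50000}" "${PASV_HI:-50100}") || return 1
    if [ "${APPLY:-0}" = 1 ]; then
        printf '%s\n' "$rules" | sh -e
    else
        printf '%s\n' "$rules"
    fi
}

ftp_rules_main
```

On the router, run it with APPLY=1 from the Save Firewall script; before that, feed the generated proftpd.conf to pasv_range_from_conf and make sure the range it prints is the one you pass to the firewall, otherwise passive transfers will hang on the data connection.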

To check that everything is secure, run a firewall scan such as GRC's ShieldsUP against your public IP.

As you can see, the ShieldsUP result (the picture above) shows green, blue and red squares. Green means the port is stealth: packets to it are DROPped on the WAN interface, so the scanner gets no answer at all. Port 21 (the ProFTPD control port) is red, meaning open: our DD-WRT unit is listening there and the firewall ACCEPTs the connection. Whether the username and password are valid is decided afterwards by ProFTPD, not by the firewall; what the firewall does is limit how fast anyone can try. We have in the firewall:

iptables -I INPUT -i `get_wanface` -p tcp --dport 21 -m state --state NEW -m recent --set
iptables -I INPUT -i `get_wanface` -p tcp --dport 21 -m state --state NEW -m recent --update --seconds 60 --hitcount 4 -j DROP

This limits an attacker to 4 new connections to port 21 per source address per minute, i.e. 4 login attempts per minute if the client opens a new connection for each try. Because --update also refreshes the entry's timestamp on every attempt, a client that keeps hammering stays blocked for as long as it keeps trying. Keep in mind that this is plain FTP: the credentials cross the WAN in cleartext, so use a dedicated account with a strong password that you use nowhere else.

Blue squares on port 20 and on ports 1024 to 65535 mean closed, not stealth: the probe reached the router's TCP stack, which answered with a reset because no service is listening on that port (port 20 is only used as the source port of active-mode data connections; nothing listens on it). With a rule that ACCEPTs every packet to ports 1024: on the WAN interface, that absence of a listener is all that protects those ports, which is not what we want. Restricting that rule to -m conntrack --ctstate RELATED,ESTABLISHED makes the firewall drop unsolicited probes before they reach the stack, so ShieldsUP then reports the whole range as stealth, while passive transfers keep working because the FTP helper, assigned to the control connection on port 21 by the CT rule, marks each announced data connection RELATED. The helper only needs to see that control connection; there is nothing for it to parse on the data ports.
Now check your WAN FTP access from another location. Chrome versions of the time could open ftp://{public_IP} directly; Chrome and Firefox have since removed FTP support altogether, so use a dedicated client such as FileZilla or curl instead (both use passive mode by default, which is exactly what this setup is meant to handle).
