* passive mode ftp high ports driving me nuts
From: MargoAndTodd @ 2010-01-07 19:13 UTC (permalink / raw)
To: netfilter
Hi All,
In my firewall, I deny all and then allow what
services through that I want. Problem: on
passive mode ftp, where the second connection is
established using random high ports, other
services are using my (last three) ftp rules.
My passive mode rules:
/etc/sysconfig/iptables-config:
IPTABLES_MODULES="ip_conntrack_netbios_ns ip_nat_ftp ip_conntrack_ftp ip_conntrack_tftp"

unassgn=1024:65535
$tbls -A dsl-out -o eth1 -p tcp -s $eth1_addr --sport $unassgn \
    --dport ftp -m state --state NEW,ESTABLISHED -j ACCEPT
$tbls -A dsl-in -i eth1 -p tcp ! --syn --sport ftp -d $eth1_addr \
    --dport $unassgn -m state --state RELATED,ESTABLISHED -j ACCEPT
$tbls -A dsl-for -i eth1 -p tcp ! --syn --sport ftp -d $internal_net \
    --dport $unassgn -m state --state RELATED,ESTABLISHED -j ACCEPT

# The "ftpdata" session is a "new" one when it sends the SYN. However,
# the ftp_conntrack module marks it as related to its controlling
# ftp session, so that state=related matches. This should deny any
# "ftpdata" session that doesn't have a controlling ftp session.
$tbls -A dsl-out -o eth1 -p tcp -s $eth1_addr --sport $unassgn -d $ANY_IP \
    --dport $unassgn -m state --state RELATED,ESTABLISHED -j ACCEPT
$tbls -A dsl-in -i eth1 -p tcp ! --syn -s $ANY_IP --sport $unassgn \
    -d $eth1_addr --dport $unassgn -m state --state RELATED,ESTABLISHED -j ACCEPT
$tbls -A dsl-for -i eth1 -p tcp ! --syn -s $ANY_IP --sport $unassgn \
    -d $internal_net --dport $unassgn -m state --state RELATED,ESTABLISHED -j ACCEPT
It is the "--sport $unassgn --dport $unassgn" that is killing me.
How do I restrict the last three to just passive mode ftp?
Also, what is the lowest port that the random passive mode ftp
port will choose? 20,000? That may be all I need to do.
Many thanks,
-T
* Re: passive mode ftp high ports driving me nuts
From: Mart Frauenlob @ 2010-01-08 10:24 UTC (permalink / raw)
To: netfilter
On 07.01.2010 20:13, MargoAndTodd wrote:
> Hi All,
>
> In my firewall, I deny all and then allow what
> services through that I want. Problem: on
> passive mode ftp, where the second connection is
> established using random high ports, other
> services are using my (last three) ftp rules.
>
> My passive mode rules:
>
> /etc/sysconfig/iptables-config:
> IPTABLES_MODULES="ip_conntrack_netbios_ns ip_nat_ftp ip_conntrack_ftp
> ip_conntrack_tftp"
>
> unassgn=1024:65535
> $tbls -A dsl-out -o eth1 -p tcp -s $eth1_addr --sport $unassgn
> --dport ftp -m state --state NEW,ESTABLISHED -j ACCEPT
>
> $tbls -A dsl-in -i eth1 -p tcp ! --syn --sport ftp -d $eth1_addr
> --dport $unassgn -m state --state RELATED,ESTABLISHED -j ACCEPT
>
> $tbls -A dsl-for -i eth1 -p tcp ! --syn --sport ftp -d $internal_net
> --dport $unassgn -m state --state RELATED,ESTABLISHED -j ACCEPT
>
> # The "ftpdata" session is a "new" one when it sends the SYN. However,
> # the ftp_conntrack module marks it as related to its controlling
> # ftp session, so that state=related matches. This should deny any
> # "ftpdata" session that doesn't have a controlling ftp session.
>
> $tbls -A dsl-out -o eth1 -p tcp -s $eth1_addr --sport $unassgn -d
> $ANY_IP --dport $unassgn -m state --state RELATED,ESTABLISHED -j
> ACCEPT
>
> $tbls -A dsl-in -i eth1 -p tcp ! --syn -s $ANY_IP --sport $unassgn
> -d $eth1_addr --dport $unassgn -m state --state RELATED,ESTABLISHED
> -j ACCEPT
>
> $tbls -A dsl-for -i eth1 -p tcp ! --syn -s $ANY_IP --sport $unassgn
> -d $internal_net --dport $unassgn -m state --state RELATED,ESTABLISHED
> -j ACCEPT
>
>
> It is the "--sport $unassgn --dport $unassgn" that is killing me.
> How do I restrict the last three to just passive mode ftp?
>
Use the 'helper' match extension, i.e. -m helper --helper ftp.
If you need to distinguish between active and passive, you can still use
the port and state matches for that.
> Also, what is the lowest port that the random passive mode ftp
> port will choose? 20,000? That may be all I need to do.
Personally I never had problems using '1024:' as the unassigned/unprivileged
port range. But as stated before, this is obsolete and/or irrelevant:
the helper match will select the appropriate packets.
>
> Many thanks,
> -T
regards
Mart
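To see why the port-range rules match more than FTP data and what `-m helper --helper ftp` actually keys on, here is an added toy model of conntrack with the ftp helper (constructed for this thread, not the kernel's code and not posted by anyone in it): the helper learns the data port only from the server's 227 PASV reply, so no fixed range can predict it, and the helper match fires only on flows whose master connection carries the ftp helper. All addresses, ports and packets are constructed.

```python
import re
from collections import namedtuple

# Toy model of nf_conntrack + nf_conntrack_ftp and the state/helper matches,
# constructed for illustration only; it is not the kernel's implementation.
PASV_RE = re.compile(r"^227 .*\((\d+),(\d+),(\d+),(\d+),(\d+),(\d+)\)")
HIGH = range(1024, 65536)   # the thread's $unassgn=1024:65535
Packet = namedtuple("Packet", "src sport dst dport payload", defaults=[""])

class Conntrack:
    def __init__(self):
        self.conns = {}    # flow key -> {"helper": name or None, "master": key or None}
        self.expects = {}  # (server_ip, data_port) -> key of the control flow

    def track(self, p):
        """Return (ctstate, helper of the master flow) as the matches would see it."""
        k = frozenset([(p.src, p.sport), (p.dst, p.dport)])   # direction-agnostic
        if k in self.conns:                                  # seen before, either direction
            ct, state = self.conns[k], "ESTABLISHED"
        elif (p.dst, p.dport) in self.expects:               # first packet of an expected data flow
            ct = {"helper": None, "master": self.expects.pop((p.dst, p.dport))}
            self.conns[k], state = ct, "RELATED"
        else:                                                # brand-new flow; helper binds on port 21
            ct = {"helper": "ftp" if p.dport == 21 else None, "master": None}
            self.conns[k], state = ct, "NEW"
        if ct["helper"] == "ftp":                            # helper parses the PASV reply
            m = PASV_RE.match(p.payload)
            if m:
                h1, h2, h3, h4, p1, p2 = map(int, m.groups())
                self.expects[(f"{h1}.{h2}.{h3}.{h4}", p1 * 256 + p2)] = k
        master = ct["master"]
        return state, (self.conns[master]["helper"] if master else None)

def old_rule(p, state, master_helper):
    """--sport 1024:65535 --dport 1024:65535 -m state --state RELATED,ESTABLISHED"""
    return p.sport in HIGH and p.dport in HIGH and state in ("RELATED", "ESTABLISHED")

def helper_rule(p, state, master_helper):
    """-m helper --helper ftp -m state --state RELATED,ESTABLISHED"""
    return master_helper == "ftp" and state in ("RELATED", "ESTABLISHED")

def run_scenario():
    """Replay a constructed passive FTP session plus an unrelated flow; (state, old, helper) per packet."""
    ct = Conntrack()
    pkts = [
        Packet("192.168.1.10", 40000, "203.0.113.5", 21),                   # control SYN
        Packet("203.0.113.5", 21, "192.168.1.10", 40000, "227 Entering Passive Mode (203,0,113,5,195,80)"),  # port 195*256+80
        Packet("192.168.1.10", 40001, "203.0.113.5", 50000),                # data SYN -> RELATED
        Packet("203.0.113.5", 50000, "192.168.1.10", 40001),                # data reply
        Packet("192.168.1.10", 40002, "203.0.113.5", 50001),                # no expectation -> NEW
        Packet("192.168.1.10", 40003, "198.51.100.7", 8080),                # some other service
        Packet("198.51.100.7", 8080, "192.168.1.10", 40003),                # old rule matches this too
    ]
    out = []
    for p in pkts:
        state, mh = ct.track(p)
        out.append((state, old_rule(p, state, mh), helper_rule(p, state, mh)))
    return out
```

Note for current kernels: since Linux 4.7 the helper is no longer attached automatically (the nf_conntrack_helper sysctl defaults to 0 and was removed in 6.0), so the control connection must be assigned it explicitly, e.g. `iptables -t raw -A PREROUTING -p tcp --dport 21 -j CT --helper ftp` (and the same in raw OUTPUT for the firewall's own sessions), or `-m helper` never matches.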
* Re: passive mode ftp high ports driving me nuts
From: MargoAndTodd @ 2010-01-08 16:09 UTC (permalink / raw)
To: netfilter
>> It is the "--sport $unassgn --dport $unassgn" that is killing me.
>> How do I restrict the last three to just passive mode ftp?
>>
On 01/08/2010 02:24 AM, Mart Frauenlob wrote:
> use the 'helper' match extension. i.e: -m helper --helper ftp.
> if you need to distinguish between active and passive, you still can use
> the port and state matches for that.
Hi Mart,
Thank you!
Can you point me to the directions/manual for the
"-m helper --helper ftp" so I can figure out what
exactly it is doing and how to install it?
Many thanks,
-T
* Re: passive mode ftp high ports driving me nuts
From: Mart Frauenlob @ 2010-01-08 16:40 UTC (permalink / raw)
To: netfilter
On 08.01.2010 17:09, MargoAndTodd wrote:
>>> It is the "--sport $unassgn --dport $unassgn" that is killing me.
>>> How do I restrict the last three to just passive mode ftp?
>>>
>
> On 01/08/2010 02:24 AM, Mart Frauenlob wrote:
>> use the 'helper' match extension. i.e: -m helper --helper ftp.
>> if you need to distinguish between active and passive, you still can use
>> the port and state matches for that.
>
> Can you point me to the directions/manual for the
> "-m helper --helper ftp" so I can figure out what
> exactly it is doing and how to install it?
>
> Many thanks,
> -T
iptables -m helper -h
man iptables
find /lib/modules/ -name '*helper*' -exec modinfo '{}' \;
http://www.frozentux.net/iptables-tutorial/iptables-tutorial.html#HELPERMATCH
If your iptables / kernel doesn't have support for the helper match ->
time to upgrade!?
regards
Mart
* Re: passive mode ftp high ports driving me nuts
From: MargoAndTodd @ 2010-01-09 2:59 UTC (permalink / raw)
To: netfilter
On 01/08/2010 02:24 AM, Mart Frauenlob wrote:
>> It is the "--sport $unassgn --dport $unassgn" that is killing me.
>> How do I restrict the last three to just passive mode ftp?
>>
>
> use the 'helper' match extension. i.e: -m helper --helper ftp.
> if you need to distinguish between active and passive, you still can use
> the port and state matches for that.
Hi Mart,
Works perfectly. Thank you!
-T
p.s. my new rules:
# ftp passive mode (browser) stuff. Note: ftp_conntrack module is
# required, e.g.:
# /etc/sysconfig/iptables-config:
# IPTABLES_MODULES="ip_conntrack_ftp"
#
$tbls -A dsl-out -o eth1 -p tcp -s $eth1_addr --sport $unassgn \
    --dport ftp -m state --state NEW,ESTABLISHED -j ACCEPT
$tbls -A dsl-in -i eth1 -p tcp ! --syn --sport ftp -d $eth1_addr \
    --dport $unassgn -m state --state RELATED,ESTABLISHED -j ACCEPT
$tbls -A dsl-for -i eth1 -p tcp ! --syn --sport ftp -d $internal_net \
    --dport $unassgn -m state --state RELATED,ESTABLISHED -j ACCEPT

# The "ftpdata" session is a "new" one when it sends the SYN. However,
# the ftp_conntrack module marks it as related to its controlling
# ftp session, so that state=related matches. This should deny any
# "ftpdata" session that doesn't have a controlling ftp session.
# (old port-range rules, kept commented out; replaced by the helper match below)
#$tbls -A dsl-out -o eth1 -p tcp -s $eth1_addr --sport $unassgn -d $ANY_IP \
#    --dport $unassgn -m state --state RELATED,ESTABLISHED -j ACCEPT
#$tbls -A dsl-in -i eth1 -p tcp ! --syn -s $ANY_IP --sport $unassgn \
#    -d $eth1_addr --dport $unassgn -m state --state RELATED,ESTABLISHED -j ACCEPT
#$tbls -A dsl-for -i eth1 -p tcp ! --syn -s $ANY_IP --sport $unassgn \
#    -d $internal_net --dport $unassgn -m state --state RELATED,ESTABLISHED -j ACCEPT
$tbls -A dsl-out -o eth1 -p tcp -s $eth1_addr -d $ANY_IP \
    -m helper --helper ftp -m state --state RELATED,ESTABLISHED -j ACCEPT
$tbls -A dsl-in -i eth1 -p tcp ! --syn -s $ANY_IP -d $eth1_addr \
    -m helper --helper ftp -m state --state RELATED,ESTABLISHED -j ACCEPT
$tbls -A dsl-for -i eth1 -p tcp ! --syn -s $ANY_IP -d $internal_net \
    -m helper --helper ftp -m state --state RELATED,ESTABLISHED -j ACCEPT
* Re: passive mode ftp high ports driving me nuts
From: Mart Frauenlob @ 2010-01-09 13:55 UTC (permalink / raw)
To: netfilter; +Cc: margoandtodd
On 09.01.2010 03:59, MargoAndTodd wrote:
> On 01/08/2010 02:24 AM, Mart Frauenlob wrote:
>
>>> It is the "--sport $unassgn --dport $unassgn" that is killing me.
>>> How do I restrict the last three to just passive mode ftp?
>>>
>>
>> use the 'helper' match extension. i.e: -m helper --helper ftp.
>> if you need to distinguish between active and passive, you still can use
>> the port and state matches for that.
>
> Hi Mart,
>
> Works perfectly. Thank you!
>
> -T
>
> p.s. my new rules:
>
> # ftp passive mode (browser) stuff. Note: ftp_conntrack module is
> required, e.g.:
> # /etc/sysconfig/iptables-config:
> # IPTABLES_MODULES="ip_conntrack_ftp"
> #
> $tbls -A dsl-out -o eth1 -p tcp -s $eth1_addr --sport $unassgn
> --dport ftp -m state --state NEW,ESTABLISHED -j ACCEPT
> $tbls -A dsl-in -i eth1 -p tcp ! --syn --sport ftp -d $eth1_addr
> --dport $unassgn -m state --state RELATED,ESTABLISHED -j ACCEPT
> $tbls -A dsl-for -i eth1 -p tcp ! --syn --sport ftp -d $internal_net
> --dport $unassgn -m state --state RELATED,ESTABLISHED -j ACCEPT
> # The "ftpdata" session is a "new" one when it sends the SYN. However,
> # the ftp_conntrack module marks it as related to its controlling
> # ftp session, so that state=related matches. This should deny any
> # "ftpdata" session that doesn't have a controlling ftp session.
> #$tbls -A dsl-out -o eth1 -p tcp -s $eth1_addr --sport $unassgn -d
> $ANY_IP --dport $unassgn -m state --state RELATED,ESTABLISHED -j
> ACCEPT
> #$tbls -A dsl-in -i eth1 -p tcp ! --syn -s $ANY_IP --sport $unassgn
> -d $eth1_addr --dport $unassgn -m state --state RELATED,ESTABLISHED
> -j ACCEPT
> #$tbls -A dsl-for -i eth1 -p tcp ! --syn -s $ANY_IP --sport $unassgn
> -d $internal_net --dport $unassgn -m state --state RELATED,ESTABLISHED
> -j ACCEPT
> $tbls -A dsl-out -o eth1 -p tcp -s $eth1_addr -d $ANY_IP -m
> helper --helper ftp -m state --state RELATED,ESTABLISHED -j ACCEPT
> $tbls -A dsl-in -i eth1 -p tcp ! --syn -s $ANY_IP -d $eth1_addr -m
> helper --helper ftp -m state --state RELATED,ESTABLISHED -j ACCEPT
> $tbls -A dsl-for -i eth1 -p tcp ! --syn -s $ANY_IP -d $internal_net
> -m helper --helper ftp -m state --state RELATED,ESTABLISHED -j ACCEPT
>
If you use user-defined chains (which is good), take full advantage of
them by not repeating so many values in your ruleset, i.e. dsl-in will
always have -i eth1 and -d $eth1_addr.
You don't need -d $ANY_IP; just leave it out, it gives the same result.
You don't need --syn if you rely on the conntrack helper match.
Let me suggest a more structured approach:
# assuming DROP policy for INPUT,OUTPUT,FORWARD...
for x in dsl-in dsl-out dsl-fwd allow_ftp invalid; do
    $ipt -N $x
done

# sort out the illegal packets - could add more eventually...
$ipt -A invalid -p tcp ! --syn -m state --state NEW -j DROP
$ipt -A invalid -m state --state INVALID -j DROP

# global rules:
# allow established - speed up processing by placing rule on top
# then sort out bad ones
# allow related icmp
for x in INPUT OUTPUT FORWARD; do
    $ipt -A $x -m state --state ESTABLISHED -j ACCEPT
    $ipt -A $x -j invalid
    $ipt -A $x -p icmp -m state --state RELATED -j ACCEPT
done

# allow the related ftp packets (data connections expected by the ftp helper)
for x in dsl-in dsl-out dsl-fwd; do
    $ipt -A $x -m helper --helper ftp -j ACCEPT
done

# allow new outgoing ftp connections
$ipt -A dsl-out -p tcp --dport 21 -m state --state NEW -j ACCEPT
$ipt -A dsl-for -s $internal_net -p tcp --dport 21 -m state --state NEW \
    -j ACCEPT

# jump tree
$ipt -A INPUT -i eth1 -d $eth1_addr -j dsl-in
$ipt -A OUTPUT -o eth1 -s $eth1_addr -j dsl-out
$ipt -A FORWARD -i eth1 -d $internal_net -j dsl-for
$ipt -A FORWARD -o eth1 -s $internal_net -j dsl-for
As an untested example, with some additional design considerations for
invalid packets and related ICMP.
regards
Mart
* Re: passive mode ftp high ports driving me nuts
From: Mart Frauenlob @ 2010-01-09 14:04 UTC (permalink / raw)
To: netfilter; +Cc: margoandtodd
On 09.01.2010 14:55, Mart Frauenlob wrote:
> On 09.01.2010 03:59, MargoAndTodd wrote:
>> On 01/08/2010 02:24 AM, Mart Frauenlob wrote:
>>
>>>> It is the "--sport $unassgn --dport $unassgn" that is killing me.
>>>> How do I restrict the last three to just passive mode ftp?
>>>>
>>>
>>> use the 'helper' match extension. i.e: -m helper --helper ftp.
>>> if you need to distinguish between active and passive, you still can use
>>> the port and state matches for that.
>>
>> Hi Mart,
>>
>> Works perfectly. Thank you!
>>
>> -T
>>
>> p.s. my new rules:
>>
[...]
>
> if you use user-defined chains (which is good), take full advantage of
> it, by not repeating so many values in your ruleset. i.e. dsl-in will
> always have -i eth1 and -d $eth1_addr.
> you don't need -d $ANY_IP, just leave it out, gives the same result.
> you don't need --syn, if you rely on conntrack helper match.
>
> let me suggest a more structured approach:
>
[...]
>
> as an untested example with some additional design considerations for
> invalid packets and related icmp.
>
Sorry, I had the naming for dsl-for and dsl-fwd mixed up; corrected again:
# assuming DROP policy for INPUT,OUTPUT,FORWARD...
for x in dsl-in dsl-out dsl-for invalid; do
    $ipt -N $x
done

# sort out the illegal packets - could add more eventually...
$ipt -A invalid -p tcp ! --syn -m state --state NEW -j DROP
$ipt -A invalid -m state --state INVALID -j DROP

# global rules:
# allow established - speed up processing by placing rule on top
# then sort out bad ones
# allow related icmp
for x in INPUT OUTPUT FORWARD; do
    $ipt -A $x -m state --state ESTABLISHED -j ACCEPT
    $ipt -A $x -j invalid
    $ipt -A $x -p icmp -m state --state RELATED -j ACCEPT
done

# allow the related ftp packets (data connections expected by the ftp helper)
for x in dsl-in dsl-out dsl-for; do
    $ipt -A $x -m helper --helper ftp -j ACCEPT
done

# allow new outgoing ftp connections
$ipt -A dsl-out -p tcp --dport 21 -m state --state NEW -j ACCEPT
$ipt -A dsl-for -s $internal_net -p tcp --dport 21 -m state --state NEW \
    -j ACCEPT

# jump tree
$ipt -A INPUT -i eth1 -d $eth1_addr -j dsl-in
$ipt -A OUTPUT -o eth1 -s $eth1_addr -j dsl-out
$ipt -A FORWARD -i eth1 -d $internal_net -j dsl-for
$ipt -A FORWARD -o eth1 -s $internal_net -j dsl-for
* Re: passive mode ftp high ports driving me nuts
From: MargoAndTodd @ 2010-01-09 16:33 UTC (permalink / raw)
To: netfilter
On 01/09/2010 06:04 AM, Mart Frauenlob wrote:
> On 09.01.2010 14:55, Mart Frauenlob wrote:
>> On 09.01.2010 03:59, MargoAndTodd wrote:
>>> On 01/08/2010 02:24 AM, Mart Frauenlob wrote:
>>>
>>>>> It is the "--sport $unassgn --dport $unassgn" that is killing me.
>>>>> How do I restrict the last three to just passive mode ftp?
>>>>>
>>>>
>>>> use the 'helper' match extension. i.e: -m helper --helper ftp.
>>>> if you need to distinguish between active and passive, you still can use
>>>> the port and state matches for that.
>>>
>>> Hi Mart,
>>>
>>> Works perfectly. Thank you!
>>>
>>> -T
>>>
>>> p.s. my new rules:
>>>
>
> [...]
>
>>
>> if you use user-defined chains (which is good), take full advantage of
>> it, by not repeating so many values in your ruleset. i.e. dsl-in will
>> always have -i eth1 and -d $eth1_addr.
>> you don't need -d $ANY_IP, just leave it out, gives the same result.
>> you don't need --syn, if you rely on conntrack helper match.
>>
>> let me suggest a more structured approach:
>>
>
> [...]
>
>>
>> as an untested example with some additional design considerations for
>> invalid packets and related icmp.
>>
>
> sorry had the naming for dsl-for and dsl-fwd mixed up, again corrected:
>
> # assuming DROP policy for INPUT,OUTPUT,FORWARD...
>
>
> for x in dsl-in dsl-out dsl-for invalid; do
> $ipt -N $x
> done
>
> # sort out the illegal packets - could add more eventually...
> $ipt -A invalid -p tcp ! --syn -m state --state NEW -j DROP
> $ipt -A invalid -m state --state INVALID -j DROP
>
> # global rules:
> # allow established - speed up processing by placing rule on top
> # then sort out bad ones
> # allow related icmp
> for x in INPUT OUTPUT FORWARD; do
> $ipt -A $x -m state --state ESTABLISHED -j ACCEPT
> $ipt -A $x -j invalid
> $ipt -A $x -p icmp -m state --state RELATED -j ACCEPT
> done
>
> # allow the related ftp packets
> for x in dsl-in dsl-out dsl-for; do
> $ipt -A $x -m helper --helper ftp -j ACCEPT
> done
>
> # allow new outgoing ftp connections
> $ipt -A dsl-out -p tcp --dport 21 -m state --state NEW -j ACCEPT
> $ipt -A dsl-for -s $internal_net -p tcp --dport 21 -m state --state NEW
> -j ACCEPT
>
> # jump tree
> $ipt -A INPUT -i eth1 -d $eth1_addr -j dsl-in
> $ipt -A OUTPUT -o eth1 -s $eth1_addr -j dsl-out
> $ipt -A FORWARD -i eth1 -d $internal_net -j dsl-for
> $ipt -A FORWARD -o eth1 -s $internal_net -j dsl-for
>
Thank you!