* Allow connection on specific port only when other port is used
@ 2017-03-27 6:57 Sam Basan
From: Sam Basan @ 2017-03-27 6:57 UTC (permalink / raw)
To: netfilter
Hello,
I couldn't find this issue on the web.
I want to allow a new connection on a specific port (let's say FTP) only when
there is an active session on HTTP.
It's like port knocking, only I don't want to "knock" the HTTP port but make sure
it's an active session and only then open the FTP port to this specific IP
address.
Any info on how this can be achieved will be highly appreciated.
Thanks in advance
Sam
* Re: Allow connection on specific port only when other port is used
From: Robert White @ 2017-03-27 17:58 UTC (permalink / raw)
To: sbasan, netfilter
On 03/27/17 06:57, Sam Basan wrote:
> I couldn't find this issue on the web.
> I want to allow a new connection on a specific port (let's say FTP) only when
> there is an active session on HTTP.
> It's like port knocking, only I don't want to "knock" the HTTP port but make sure
> it's an active session and only then open the FTP port to this specific IP
> address.
DISCLAIMER: this response is extemporaneous. I haven't tested it, just
thought it out a little. YMMV.
You can do this pretty easily in nftables with a self-updating set.
table ip example {
    set allowable {
        type ipv4_addr
        flags timeout        # elements expire on their own once their timeout runs out
    }
    chain trigger {
        # hook line added: as posted the chain had no hook, so it would never see packets
        type filter hook input priority 0; policy accept;
        # any HTTP packet from a source puts that source in the set for two minutes
        tcp dport http set add ip saddr timeout 2m @allowable
    }
    chain gatekeeper {
        type filter hook input priority 0; policy accept;
        # FTP is accepted only for sources currently in the set; everyone else is dropped
        tcp dport ftp ip saddr @allowable accept
        tcp dport ftp drop
    }
}
This solution is self-cleaning since the set membership has a fixed
duration.
In iptables you could use the "--match recent" with a --set rule in one
place (the http path) and an --update --seconds nnn --reap in the other
(the ftp path). In this case the set will tend to grow without bounds
since it is only cleaned by FTP failures.
In all cases you have to use a timeout window instead of an "active
connection" as the HTTP socket will almost surely be closed by the time
the FTP action is invoked.
Understand that you are putting policy into these rules in a way that is
not bulletproof since even a trivial open of the http socket, such as
via an nmap scan, will effectively knock the FTP port open. It would be
"better" to do something system strong at the application layer.
--Rob.
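The following is an added model of the timeout-set gate described in Rob's reply, not code from the thread: it replays a handful of constructed packet events through the same logic the nft and iptables rules implement in the kernel, so the window semantics, the "add once" versus "update on every packet" behaviour (my reading of iptables --set versus --update, and of nft add versus update), and the scan caveat can be seen concretely. The `require_established` switch is an assumption of mine, standing in for restricting the HTTP rule to packets of an established conntrack flow so that a bare SYN does not arm the gate.

```python
from dataclasses import dataclass, field

HTTP, FTP = 80, 21


@dataclass
class Gate:
    """A timeout set gating FTP on recent HTTP traffic from the same source."""
    window: float = 120.0              # seconds; Rob's "timeout 2m"
    refresh: bool = True               # True: re-arm on every HTTP packet (--update / nft update)
                                       # False: arm once and let it expire (--set / nft add); assumed
    require_established: bool = False  # only HTTP packets of an established flow arm the gate (assumed)
    allowable: dict = field(default_factory=dict)  # src ip -> expiry timestamp

    def _reap(self, now):
        # Drop expired entries; nft does this itself for 'flags timeout' sets,
        # iptables recent does it with --reap on the update path.
        for ip in [ip for ip, exp in self.allowable.items() if exp <= now]:
            del self.allowable[ip]

    def packet(self, now, src, dport, ct_state="new"):
        """Decide one inbound packet: returns 'accept' or 'drop'."""
        self._reap(now)
        if dport == HTTP:
            # HTTP is always reachable; the only question is whether it arms the gate.
            arms = ct_state == "established" or not self.require_established
            if arms and (self.refresh or src not in self.allowable):
                self.allowable[src] = now + self.window
            return "accept"
        if dport == FTP:
            return "accept" if src in self.allowable else "drop"
        return "drop"  # everything else is outside this model


def scenario(gate, events):
    """Run a list of (time, src, dport[, ct_state]) tuples through the gate."""
    return [gate.packet(*ev) for ev in events]


# Constructed packet events, not captured traffic.
EVENTS = [
    (0,   "10.0.0.5", FTP),                  # FTP first: no prior HTTP, dropped
    (1,   "10.0.0.5", HTTP, "established"),  # a real HTTP session arms the gate
    (2,   "10.0.0.5", FTP),                  # inside the 2m window: accepted
    (121, "10.0.0.5", FTP),                  # window elapsed: dropped again
    (200, "10.0.0.9", HTTP, "new"),          # bare SYN, the scan case Rob warns about
    (201, "10.0.0.9", FTP),                  # accepted unless require_established is set
]


def refresh_demo(refresh):
    """Does a second HTTP packet at t=100 extend the window past t=120?"""
    g = Gate(refresh=refresh)
    scenario(g, [(0, "10.0.0.7", HTTP), (100, "10.0.0.7", HTTP)])
    return g.packet(150, "10.0.0.7", FTP)


if __name__ == "__main__":
    print(scenario(Gate(), EVENTS))
    print(scenario(Gate(require_established=True), EVENTS))
    print(refresh_demo(True), refresh_demo(False))
```

The fourth event shows why Rob says a timeout window is unavoidable: nothing in the gate knows whether the HTTP session is still open, only when it was last seen. The last two events show the weak point he raises, and that requiring an established flow on the HTTP side narrows it to clients that complete a handshake rather than removing it.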