Re: [LARTC] passive FTP trafic control

[Piotr Chytla <pch@packetconsulting.pl>]

On Fri, Nov 11, 2005 at 10:20:52PM +0100, Andreas Unterkircher wrote:
> You could try to match on helper within iptables. Should be something like
> 
> iptables -A FORWARD --match conntrack --ctproto tcp --ctstate 
> RELATED,ESTABLISHED --match helper --helper ftp -j CLASSIFY ....
> 
> Perhaps this will match your data channel.
> 
Something about 6 month ago I wrote iptables rules for DNATing incoming                      
connection to ftp server behind nat ,                                                        
                                                                                             
${ipt} -t nat -A PREROUTING -i eth0 -p tcp -s ${src} -d ${fw_ip}/32 --dport 8181 -j DNAT     
+--to-destination ${ftp_int}                                                                 
${ipt}  -t nat -A PREROUTING -i eth0 -p tcp -s ${src} -d ${fw_ip}/32 -m helper --helper ftp-8181  -j DNAT --to-destination ${ftp_int}                                               
                                                                                             
${ipt} -A FORWARD -p tcp -i eth0 -s ${src} -d ${ftp_int} --dport 8181 -m state --state NEW -j ACCEPT                                                                                      
${ipt} -A FORWARD -p tcp -i eth0 -s ${src} -d ${ftp_int} -m helper --helper ftp-8181 -m state --state NEW,RELATED -j ACCEPT                                                               
                                                                                             
8181 - ftp port                                                                              
src - source address                                                                         
fw_ip - firewall ip (external)                                                               
ftp_int - ftp server internal ip.                                                            
                                                                                             
Everything was great but firewall sometimes hangs without kernel panic ,                     
maybe some deadlock in ftp conntrack code or in ftp helper. Kernel was
2.4.20 or 22 .        
                                                                                             
/pch           

-- 
Dyslexia bug unpatched since 1977 ...
exploit has been leaked to the underground.
_______________________________________________
LARTC mailing list
LARTC@mailman.ds9a.nl
http://mailman.ds9a.nl/cgi-bin/mailman/listinfo/lartc