ftp connection tracking and frox proxy

ftp connection tracking and frox proxy

[Dieter Braun]

[-- Attachment #1: Type: text/plain, Size: 3288 bytes --]

Hi,

I just set up a transparent ftp proxy using frox 0.7.6. Works pretty
well, only state matching (iptables 1.2.5-58) for the connections
between the client and frox doesn't work as I would have expected. Here
are the rules that are necessary:

----------------------------------------------------------------------------

# Redirection to frox port
$PROG -t nat -A PREROUTING -p tcp -i br0 -s $INTRANET --sport 1024: -d !
$INTRANET --dport 21 -j REDIRECT --to-ports 2121

# ftp request client to frox
$PROG -A INPUT -p tcp -i br0 -s $INTRANET --sport 1024: -d $INT --dport
2121 -m state --state NEW,ESTABLISHED -j ACCEPT
$PROG -A OUTPUT -p tcp -s $INT --sport 2121 -o br0 -d $INTRANET --dport
1024: ! --syn -m state --state ESTABLISHED -j ACCEPT
                                # as expected

# data channel frox to client, passive ftp
$PROG -A INPUT -p tcp -i br0 -s $INTRANET --sport 1024: -d $INT --dport
1024: -m state --state NEW,ESTABLISHED,RELATED -j ACCEPT
$PROG -A OUTPUT -p tcp -s $INT --sport 1024: -o br0 -d $INTRANET --dport
1024: -m state --state NEW,ESTABLISHED,RELATED -j ACCEPT
                                # would expect to need only
ESTABLISHED,RELATED in the first line
                                # would expect to need only ESTABLISHED
in the second line
                                # (didn't try NEW,ESTABLISHED without
RELATED yet)

# data channel frox to client, active ftp
$PROG -A OUTPUT -p tcp -s $INT --sport 20 -o br0 -d $INTRANET --dport
1024: -m state --state NEW,ESTABLISHED,RELATED -j ACCEPT
$PROG -A INPUT -p tcp -i br0 -s $INTRANET --sport 1024: -d $INT --dport
20 ! --syn -m state --state ESTABLISHED -j ACCEPT
                                # would expect to need only
ESTABLISHED,RELATED in the first line

# ftp request frox to internet
$PROG -A OUTPUT -p tcp -s $EXT --sport 1024: -o eth2 -d 0/0 --dport 21
-m state --state NEW,ESTABLISHED -j ACCEPT
$PROG -A INPUT -p tcp -i eth2 -s 0/0 --sport 21 -d $EXT --dport 1024: !
--syn -m state --state ESTABLISHED -j ACCEPT

# data channel internet to frox, passive ftp
$PROG -A OUTPUT -p tcp -s $EXT --sport 1024: -o eth2 -d 0/0 --dport
1024: -m state --state ESTABLISHED,RELATED -j ACCEPT
$PROG -A INPUT -p tcp -i eth2 -s 0/0 --sport 1024: -d $EXT --dport 1024:
! --syn -m state --state ESTABLISHED -j ACCEPT

## data channel internet to frox, active ftp
#$PROG -A INPUT -p tcp -i eth2 -s 0/0 --sport 20 -d $EXT --dport 1024:
-m state --state ESTABLISHED,RELATED -j ACCEPT
#$PROG -A OUTPUT -p tcp -s $EXT --sport 1024: -o eth2 -d 0/0 --dport 20
! --syn -m state --state ESTABLISHED -j ACCEPT
----------------------------------------------------------------------------

(You might wonder about the device br0: frox works with bridging! .-)))

The state matching rules for the "external" connections to the internet
work as expected. But for the "internal" data connections between frox
and the clients, frox always needs to build a NEW data connection
instead of a RELATED one. Since this is only for the internal
connections, not for the external ones, I have the feeling that this
might be due to frox. (Didn't find any frox mailing list; does anybody
know one?) Or is there any problem with ip_conntrack_ftp for a ftp
server? Perhaps somebody has any better clue.

Greetings,
Dieter


[-- Attachment #2: Type: text/html, Size: 4597 bytes --]