* [LARTC] passive FTP trafic control
@ 2005-11-11 15:20 Ethy H. Brito
2005-11-11 20:38 ` DervishD
` (2 more replies)
0 siblings, 3 replies; 4+ messages in thread
From: Ethy H. Brito @ 2005-11-11 15:20 UTC (permalink / raw)
To: lartc
Hi All
How to classify packets belonging to a FTP session?
Port 21 session is easy. but what about data transfers? Their port numbers
(both) are above 1024.
I was thinking about ip_conntrack_ftp. Something like:
iptables -A FORWARD -p tcp --sport 1024: --dport 1024: \
-m state --state ESTABLISHED,RELATED -j CLASSIFY --set-class X:Y
But what if I also have ip_conntrack_irc, for instance. IRC packets will also
be directed to X:Y class since they are RELATED packets.
How to make shure that only FTP RELATED packets will be CLASSIFY'ed??
--
Ethy H. Brito /"\
InterNexo Ltda. \ / CAMPANHA DA FITA ASCII - CONTRA MAIL HTML
+55 (12) 3941-6860 X ASCII RIBBON CAMPAIGN - AGAINST HTML MAIL
S.J.Campos - Brasil / \
_______________________________________________
LARTC mailing list
LARTC@mailman.ds9a.nl
http://mailman.ds9a.nl/cgi-bin/mailman/listinfo/lartc
^ permalink raw reply [flat|nested] 4+ messages in thread* Re: [LARTC] passive FTP trafic control
2005-11-11 15:20 [LARTC] passive FTP trafic control Ethy H. Brito
@ 2005-11-11 20:38 ` DervishD
2005-11-11 21:20 ` Andreas Unterkircher
2005-11-17 21:46 ` Piotr Chytla
2 siblings, 0 replies; 4+ messages in thread
From: DervishD @ 2005-11-11 20:38 UTC (permalink / raw)
To: lartc
Hi Ethy :)
* Ethy H. Brito <ethy.brito@inexo.com.br> dixit:
> How to make shure that only FTP RELATED packets will be CLASSIFY'ed??
I can only suggest that you limit the source ports available to
passive FTP. In my FTP server this can be configured, but probably in
other servers you can do it too. Once you do this, it's quite easy to
setup a "tc filter" to mark packages (or iptables if you prefer).
Raúl Núñez de Arenas Coronado
--
Linux Registered User 88736 | http://www.dervishd.net
http://www.pleyades.net & http://www.gotesdelluna.net
It's my PC and I'll cry if I want to...
_______________________________________________
LARTC mailing list
LARTC@mailman.ds9a.nl
http://mailman.ds9a.nl/cgi-bin/mailman/listinfo/lartc
^ permalink raw reply [flat|nested] 4+ messages in thread* Re: [LARTC] passive FTP trafic control
2005-11-11 15:20 [LARTC] passive FTP trafic control Ethy H. Brito
2005-11-11 20:38 ` DervishD
@ 2005-11-11 21:20 ` Andreas Unterkircher
2005-11-17 21:46 ` Piotr Chytla
2 siblings, 0 replies; 4+ messages in thread
From: Andreas Unterkircher @ 2005-11-11 21:20 UTC (permalink / raw)
To: lartc
You could try to match on helper within iptables. Should be something like
iptables -A FORWARD --match conntrack --ctproto tcp --ctstate
RELATED,ESTABLISHED --match helper --helper ftp -j CLASSIFY ....
Perhaps this will match your data channel.
Cheers,
Andreas
DervishD wrote:
> Hi Ethy :)
>
> * Ethy H. Brito <ethy.brito@inexo.com.br> dixit:
>
>
>>How to make shure that only FTP RELATED packets will be CLASSIFY'ed??
>>
>>
>
> I can only suggest that you limit the source ports available to
>passive FTP. In my FTP server this can be configured, but probably in
>other servers you can do it too. Once you do this, it's quite easy to
>setup a "tc filter" to mark packages (or iptables if you prefer).
>
> Raúl Núñez de Arenas Coronado
>
>
>
_______________________________________________
LARTC mailing list
LARTC@mailman.ds9a.nl
http://mailman.ds9a.nl/cgi-bin/mailman/listinfo/lartc
^ permalink raw reply [flat|nested] 4+ messages in thread
* Re: [LARTC] passive FTP trafic control
2005-11-11 15:20 [LARTC] passive FTP trafic control Ethy H. Brito
2005-11-11 20:38 ` DervishD
2005-11-11 21:20 ` Andreas Unterkircher
@ 2005-11-17 21:46 ` Piotr Chytla
2 siblings, 0 replies; 4+ messages in thread
From: Piotr Chytla @ 2005-11-17 21:46 UTC (permalink / raw)
To: lartc
On Fri, Nov 11, 2005 at 10:20:52PM +0100, Andreas Unterkircher wrote:
> You could try to match on helper within iptables. Should be something like
>
> iptables -A FORWARD --match conntrack --ctproto tcp --ctstate
> RELATED,ESTABLISHED --match helper --helper ftp -j CLASSIFY ....
>
> Perhaps this will match your data channel.
>
Something about 6 month ago I wrote iptables rules for DNATing incoming
connection to ftp server behind nat ,
${ipt} -t nat -A PREROUTING -i eth0 -p tcp -s ${src} -d ${fw_ip}/32 --dport 8181 -j DNAT
+--to-destination ${ftp_int}
${ipt} -t nat -A PREROUTING -i eth0 -p tcp -s ${src} -d ${fw_ip}/32 -m helper --helper ftp-8181 -j DNAT --to-destination ${ftp_int}
${ipt} -A FORWARD -p tcp -i eth0 -s ${src} -d ${ftp_int} --dport 8181 -m state --state NEW -j ACCEPT
${ipt} -A FORWARD -p tcp -i eth0 -s ${src} -d ${ftp_int} -m helper --helper ftp-8181 -m state --state NEW,RELATED -j ACCEPT
8181 - ftp port
src - source address
fw_ip - firewall ip (external)
ftp_int - ftp server internal ip.
Everything was great but firewall sometimes hangs without kernel panic ,
maybe some deadlock in ftp conntrack code or in ftp helper. Kernel was
2.4.20 or 22 .
/pch
--
Dyslexia bug unpatched since 1977 ...
exploit has been leaked to the underground.
_______________________________________________
LARTC mailing list
LARTC@mailman.ds9a.nl
http://mailman.ds9a.nl/cgi-bin/mailman/listinfo/lartc
^ permalink raw reply [flat|nested] 4+ messages in thread
end of thread, other threads:[~2005-11-17 21:46 UTC | newest]
Thread overview: 4+ messages (download: mbox.gz follow: Atom feed
-- links below jump to the message on this page --
2005-11-11 15:20 [LARTC] passive FTP trafic control Ethy H. Brito
2005-11-11 20:38 ` DervishD
2005-11-11 21:20 ` Andreas Unterkircher
2005-11-17 21:46 ` Piotr Chytla
This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.