ip nat ftp possible client port clash

ip nat ftp possible client port clash

[Pedrito]

Hi everybody, I think there may be a port clash problem with the ip nat 
ftp conntrack code, I will try to explain it with a very simple scenario:

- Two PCs with IPs 192.168.1.1 and 192.168.1.2
- Both PCs go to internet through a linux router box with external IP 
80.1.1.1, internal IP 192.168.1.3.
- There is an external ftp server with IP 81.1.1.1

Imagine the client with IP 192.168.1.1 which is below the linux router 
box is happily downloading a file from the ftp 81.1.1.1 using local port 
1025, which is natted to port 1025 because the ftp nat core tries to 
preserve the local port. So there is a connection stablished like that:
 Original  81.1.1.1:20 -> 80.1.1.1:1025  Replay 
192.168.1.1:1025->81.1.1.1:20

 Then the other client with IP 192.168.1.2 wants to stablish a data 
connection with the same server, and unfortunately the operating system 
of this PC also chooses port 1025 to stablish the connection. The ftp 
nat conntrack code will try to preserve the local port and will also 
choose port 1025 for this connection. Then the answer for the connection 
tcp syn packet for the server will be 81.1.1.20->80.1.1.1:1025 and this 
packet matches the previously created client 1 connection, so the syn 
packet will be forwarded to PC1, not to PC2!!

This is the code that chooses the ftp external port:

    /* Try to get same port: if not, try to change it. */
    for (port = ntohs(exp->saved_proto.tcp.port); port != 0; port++) {
        exp->tuple.dst.u.tcp.port = htons(port);
        if (ip_conntrack_expect_related(exp) == 0)
            break;
    }
Note that PC1 client connection is not expected, PC1 is already 
downloading the file from the server so ip_conntrack_expect_related will 
not find the connection in the expected list...

I am sure I am missing something in the conntrack ftp code that prevents 
that from happening, but I cannot find it, any help?

Best Regards, Pedro. (sorry for my poor english, I am spanish...)

		
______________________________________________ 
Renovamos el Correo Yahoo! 
Nuevos servicios, más seguridad 
http://correo.yahoo.es

Re: ip nat ftp possible client port clash

[Yasuyuki KOZAKAI]

Hi,

From: Pedrito <petermartx@yahoo.es>
Date: Mon, 26 Dec 2005 16:28:25 +0100

> Hi everybody, I think there may be a port clash problem with the ip nat 
> ftp conntrack code, I will try to explain it with a very simple scenario:
> 
> - Two PCs with IPs 192.168.1.1 and 192.168.1.2
> - Both PCs go to internet through a linux router box with external IP 
> 80.1.1.1, internal IP 192.168.1.3.
> - There is an external ftp server with IP 81.1.1.1
> 
> Imagine the client with IP 192.168.1.1 which is below the linux router 
> box is happily downloading a file from the ftp 81.1.1.1 using local port 
> 1025, which is natted to port 1025 because the ftp nat core tries to 
> preserve the local port. So there is a connection stablished like that:
>  Original  81.1.1.1:20 -> 80.1.1.1:1025  Replay 
> 192.168.1.1:1025->81.1.1.1:20

So the client used PORT command, right ?

>  Then the other client with IP 192.168.1.2 wants to stablish a data 
> connection with the same server, and unfortunately the operating system 
> of this PC also chooses port 1025 to stablish the connection. The ftp 
> nat conntrack code will try to preserve the local port and will also 
> choose port 1025 for this connection. Then the answer for the connection 
> tcp syn packet for the server will be 81.1.1.20->80.1.1.1:1025 and this 
> packet matches the previously created client 1 connection, so the syn 
> packet will be forwarded to PC1, not to PC2!!

Trying to open the in-use TCP session sounds strange to me.
I think that ftp server will use different source port for 2nd ftp data
connection. Then router will process the 2nd data connection as new
connection, and can forward it to PC2.

Regards,

-- Yasuyuki Kozakai