From: Patrick McHardy <kaber@trash.net>
To: Jan Engelhardt <jengelh@computergmbh.de>
Cc: Jozsef Kadlecsik <kadlec@blackhole.kfki.hu>,
	Netfilter Developer Mailing List
	<netfilter-devel@vger.kernel.org>
Subject: Re: helpers register for a specific port, but work anyway
Date: Wed, 27 Feb 2008 18:12:40 +0100
Message-ID: <47C59A08.9080802@trash.net>
In-Reply-To: <Pine.LNX.4.64.0802271758460.5388@fbirervta.pbzchgretzou.qr>

Jan Engelhardt wrote:
> On Feb 27 2008 15:36, Jozsef Kadlecsik wrote:
>> On Wed, 27 Feb 2008, Jan Engelhardt wrote:
>>
>>> in nf_conntrack_ftp.c for example we find
>>>
>>>              ftp[i][j].tuple.src.u.tcp.port = htons(ports[i]);
>>>
>>> assuming the user does not specify any ports on modprobe, the default 
>>> port list defaults to {21}, so ftp[0][x].tuple.src will contain port 21. 
>>> But even ftp connections to non-21 ports are inspected for PORT 
>>> commands. 
>> Why do you think so? Ports not specified as FTP command ports are not 
>> parsed.
> 
> Yes, I find it strange. On the router (192.168.222.1), I do:
> 
> # iptables -t nat -A PREROUTING -d 134.76.12.5 -p tcp --dport 2121
> 	-j DNAT --to 134.76.12.5:21
> 
> and on the client (192.168.222.24):
> 
> # conntrack -E expect &
> # ftp 134.76.12.5 2121
> Connected to ftp5.gwdg.de.
> 220 "Welcome to FTP5.GWDG.DE."
> Name (ftp5.gwdg.de:jengelh): ftp
> 331 Please specify the password.
> Password:
> 230 Login successful.
> Remote system type is UNIX.
> Using binary mode to transfer files.
> ftp> dir
> 300 proto=6 src=192.168.222.24 dst=134.76.12.5 sport=0 dport=32238
> 229 Entering Extended Passive Mode (|||32238|)
> 150 Here comes the directory listing.
> drwx------    2 ftp      ftp         16384 Apr 20  2006 lost+found
> drwxr-xr-x   33 ftp      ftp          4096 Feb 27 00:58 pub
> 226 Directory send OK.
> ftp>
> 
> The 300 proto=6 line comes from conntrack -E --- but if nf_conntrack_ftp
> does not parse streams to port 2121 by default, how could it have
> set up the expectation?
When NATing packets the helper lookup is repeated based
on the final tuple.

> Case 2. On the router:
> # iptables -t nat -A PREROUTING -p tcp --dport 2121 -j REDIRECT --to-ports 21
> # rcvsftpd start
> 
> On the client:
> # ftp 192.168.222.1 2121
> Connected to 192.168.222.1.
> 220 (vsFTPd 2.0.5)
> Name (192.168.222.1:jengelh): ftp
> 331 Please specify the password.
> Password:
> 230 Login successful.
> Remote system type is UNIX.
> Using binary mode to transfer files.
> ftp> dir
> 229 Entering Extended Passive Mode (|||7366|)
> 150 Here comes the directory listing.
> 226 Directory send OK.
> 
> and this does not analyze ftp, just as I would have guessed from the C code.

It should. Are you sure you had the proper modules loaded?
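Patrick's point that the helper lookup is repeated on the final, post-NAT tuple, as an added C model that is not code from the thread or from nf_conntrack_ftp.c: it assumes a stripped-down tuple, a single ftp helper table registered against the reply-direction source port the way the ftp[i][j] table is, and constructed sample flows from 192.168.222.24 to 134.76.12.5 matching the thread.

```c
#include <stdint.h>
#include <string.h>
#include <arpa/inet.h>

/* Minimal model of the conntrack tuple fields the helper lookup needs.
 * Ports are kept in network byte order, as in the kernel (htons()). */
struct tuple {
    uint32_t src_ip, dst_ip;
    uint16_t src_port, dst_port;
    uint8_t  protonum;                       /* 6 = TCP */
};

/* One registration, modelled on ftp[i][j].tuple.src.u.tcp.port = htons(ports[i]). */
struct helper { const char *name; uint8_t protonum; uint16_t src_port; };

static struct helper ftp[8];
static int nhelpers;
static const uint16_t default_ports[] = { 21 }; /* modprobe without ports= */

/* Stand-in for the module init loop over the "ports" parameter. */
void register_ftp_helpers(const uint16_t *ports, int n) {
    nhelpers = 0;
    for (int i = 0; i < n && i < 8; i++, nhelpers++)
        ftp[nhelpers] = (struct helper){ "ftp", 6, htons(ports[i]) };
}

/* Helper lookup: the kernel matches the helper's tuple against the connection's
 * REPLY tuple, whose source port is the server port; the reply tuple is obtained
 * here by inverting the original-direction tuple. */
const char *find_helper(const struct tuple *orig) {
    uint16_t reply_src_port = orig->dst_port;
    for (int i = 0; i < nhelpers; i++)
        if (ftp[i].protonum == orig->protonum && ftp[i].src_port == reply_src_port)
            return ftp[i].name;
    return NULL;
}

/* DNAT/REDIRECT rewrite the destination of the original tuple and conntrack
 * repeats the helper lookup on that final tuple, so port-2121 traffic redirected
 * to port 21 gets the ftp helper while untouched port-2121 traffic does not. */
const char *helper_after_dnat(struct tuple orig, uint32_t new_ip, uint16_t new_port) {
    orig.dst_ip = new_ip;
    orig.dst_port = htons(new_port);
    return find_helper(&orig);
}
/* Constructed sample flow: client 192.168.222.24 -> server 134.76.12.5 over TCP. */
struct tuple client_flow(uint16_t dport) {
    return (struct tuple){ 0xC0A8DE18u, 0x864C0C05u, htons(40000), htons(dport), 6 };
}
```

The same model shows the alternative of widening the helper itself with `ports=21,2121`, after which port-2121 flows are parsed even without a NAT rule.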
