From: Filippo Zeus <filippozeus@gmail.com>
To: netfilter@vger.kernel.org
Subject: iptables ip_conntrack_ftp + proftpd TLS: PORT command not understood
Date: Mon, 26 May 2008 20:51:13 +0200
Message-ID: <483B06A1.6030907@gmail.com>
In-Reply-To: <483B04A8.9000405@gmail.com>
Hi,
I think the ftp_conntrack module has a bug.
I'm setting up proftpd 1.3.1 with TLS for encrypting auth+data only
traffic, to let the ftp_conntrack module understand the port command when a
client connects to the server using PASV mode.
Look at the link below and search for the question
"Using mod_tls, FTP sessions through my firewall now no longer work.
What's going on?"
The ftp_conntrack module probably does not understand the port command, so it
does not open the port.
I tried to define a limited passive port range in proftpd.conf and set up
iptables to ACCEPT any connection in this range, which fixed the problem. But
practically I've bypassed the ftp_conntrack module.
Here are system infos and the main configuration parts.
Debian Lenny
uname -a
Linux debian 2.6.24-1-amd64 #1 SMP Thu Mar 27 16:52:38 UTC 2008 x86_64
GNU/Linux
__________
iptables -V
iptables v1.4.0
________
proftpd -V
Compile-time Settings:
Version: 1.3.1
Platform: LINUX
Built With:
configure --prefix=/usr
--with-includes=/usr/include/postgresql:/usr/include/mysql
--mandir=/usr/share/man --sysconfdir=/etc/proftpd
--localstatedir=/var/run --libexecdir=/usr/lib/proftpd --enable-sendfile
--enable-facl --enable-dso --enable-autoshadow --enable-ctrls
--with-modules=mod_readme --enable-ipv6 --build x86_64-linux-gnu
--with-shared=mod_site_misc:mod_load:mod_ban:mod_quotatab:mod_sql:mod_sql_mysql:mod_sql_postgres:mod_quotatab_sql:mod_ldap:mod_quotatab_ldap:mod_ratio:mod_tls:mod_rewrite:mod_radius:mod_wrap:mod_wrap2:mod_wrap2_file:mod_wrap2_sql:mod_quotatab_file:mod_quotatab_radius:mod_facl:mod_ctrls_admin:mod_ifsession
CFLAGS: -O2 -D_LARGEFILE64_SOURCE -D_FILE_OFFSET_BITS=64 -DHAVE_OPENSSL
-DUSE_LDAP_TLS -Wall -Wno-long-double
LDFLAGS: -L$(top_srcdir)/lib
LIBS: -lsupp -lcrypt
Files:
Configuration File:
/etc/proftpd/proftpd.conf
Pid File:
/var/run/proftpd.pid
Scoreboard File:
/var/run/proftpd/proftpd.scoreboard
Shared Module Directory:
/usr/lib/proftpd
Features:
+ Autoshadow support
+ Controls support
+ curses support
- Developer support
+ DSO support
+ IPv6 support
+ Largefile support
- Lastlog support
+ ncurses support
- NLS support
+ OpenSSL support
+ POSIX ACL support
+ Shadow file support
+ Sendfile support
+ Trace support
Tunable Options:
PR_TUNABLE_BUFFER_SIZE = 1024
PR_TUNABLE_GLOBBING_MAX = 8
PR_TUNABLE_HASH_TABLE_SIZE = 40
PR_TUNABLE_NEW_POOL_SIZE = 512
PR_TUNABLE_RCVBUFSZ = 8192
PR_TUNABLE_SCOREBOARD_BUFFER_SIZE = 80
PR_TUNABLE_SCOREBOARD_SCRUB_TIMER = 30
PR_TUNABLE_SELECT_TIMEOUT = 30
PR_TUNABLE_SNDBUFSZ = 8192
PR_TUNABLE_TIMEOUTIDENT = 10
PR_TUNABLE_TIMEOUTIDLE = 600
PR_TUNABLE_TIMEOUTLINGER = 180
PR_TUNABLE_TIMEOUTLOGIN = 300
PR_TUNABLE_TIMEOUTNOXFER = 300
PR_TUNABLE_TIMEOUTSTALLED = 3600
PR_TUNABLE_XFER_BUFFER_SIZE = 1024
PR_TUNABLE_XFER_SCOREBOARD_UPDATES = 10
___________
*** CONFIGURATIONS ****
cat /etc/proftpd/proftpd.conf
# Includes DSO modules
Include /etc/proftpd/modules.conf
UseIPv6 off
ServerName "ftp.foo.barl"
ServerType standalone
ServerAdmin support@foo.bar
UseReverseDNS off
DeferWelcome off
MultilineRFC2228 on
DefaultServer off
DefaultAddress 127.0.0.1
TimeoutNoTransfer 600
TimeoutStalled 600
TimeoutIdle 1200
DisplayLogin "README"
#DisplayFirstChdir .message
ListOptions "-l"
DenyFilter \*.*/
Port 21
MaxInstances 50
User proftpd
Group nogroup
Umask 000
AllowOverwrite on
UseSendFile off
TransferLog /var/log/proftpd/main.log
SystemLog /var/log/proftpd/system.log
LogFormat default "%t USER: SEND %r "
LogFormat extended "%t USER: %u (from IP %a ) send CMD: %r REPLY: %s (Transfer %b bytes in %T sec.)"
SocketBindTight off
<IfModule mod_tls.c>
TLSEngine on
TLSLog /var/log/proftpd/tls.log
TLSProtocol SSLv23
TLSOptions NoCertRequest
TLSRSACertificateFile /etc/proftpd/ssl/proftpd.cert.pem
TLSRSACertificateKeyFile /etc/proftpd/ssl/proftpd.key.pem
TLSVerifyClient off
</IfModule>
<IfModule mod_quota.c>
QuotaEngine on
</IfModule>
<IfModule mod_ratio.c>
Ratios on
</IfModule>
<IfModule mod_delay.c>
DelayEngine on
</IfModule>
<IfModule mod_ctrls.c>
ControlsEngine on
ControlsMaxClients 2
ControlsLog /var/log/proftpd/controls.log
ControlsInterval 5
ControlsSocket /var/run/proftpd/proftpd.sock
</IfModule>
<IfModule mod_ctrls_admin.c>
AdminControlsEngine on
</IfModule>
<Global>
PassivePorts 32768 32778
MaxLoginAttempts 2
ServerIdent on " "
ExtendedLog /var/log/proftpd/Activity.log AUTH default
ExtendedLog /var/log/proftpd/Activity.log WRITE,READ extended
DefaultRoot ~
AllowRetrieveRestart on
MaxClients 30 "SERVER_BUSY: Please retry. NOTE: The Accident will be reported to System Administrator"
MaxClientsPerHost 5 "ERROR: You can't open more than five (5) session form the same host. Close an FTP session or retry later."
AllowStoreRestart on
DeleteAbortedStores off
LoginPasswordPrompt off
AccessDenyMsg "ERROR: Incorrect Login! Please Retry. NOTE: The Accident will be reported to System Admnistrator"
AccessGrantMsg "Welcome to lifesaver FTP service, DO NOT FORGET TO SWITCH to TLS/SSL FTP ! ... and please keep in mind all your actions here will be logged! "
DefaultTransferMode binary
IdentLookups off
HiddenStores off
ShowSymlinks off
DirFakeGroup on ftp
DirFakeUser on ftp
AllowOverwrite on
WtmpLog on
RootLogin off
AuthAliasOnly off
PathDenyFilter "\\.(ftpaccess|htaccess)$"
ListOptions "-l"
DisplayConnect "Welcome to xxxxxx. Please Login ... "
DisplayGoAway "Welcome to xxxxxx ... Sorry, too many user are logged in ... Please retry later"
AuthOrder mod_auth_file.c
RequireValidShell no
AuthUserFile /etc/proftpd/passwd
<Limit SITE_CHMOD>
DenyAll
</Limit>
<IfModule mod_delay.c>
DelayEngine on
</IfModule>
</Global>
<VirtualHost xx.xxx.x.x>
ServerName "ftp.lifesaver.it"
ServerIdent on "FTP Server ready. Please use FTP-TLS or login will be rejected. "
TransferLog /var/log/proftpd/ftp-lifesaver-it.log
<Limit LOGIN>
AllowUser ftp_temp
Deny All
</Limit>
<IfModule mod_tls.c>
TLSEngine on
TLSLog /var/log/proftpd/tls.log
TLSOptions NoCertRequest
TLSRSACertificateFile /etc/proftpd/ssl/proftpd.cert.pem
TLSRSACertificateKeyFile /etc/proftpd/ssl/proftpd.key.pem
TLSVerifyClient off
TLSRequired auth+data
</IfModule>
TransferRate RETR 213.0:1024
TransferRate APPE 213.0:1024
TransferRate STOR 2048.0:1024
TransferRate STOU 2048.0:1024
</VirtualHost>
____________
cat /etc/init.d/firewall
# Loading ipfilter connection tracking modules
echo -n "Loading conntrack modules ... "
modprobe ip_conntrack
modprobe ip_conntrack_ftp
modprobe ip_conntrack_irc
modprobe ip_nat_ftp
# Loading ipfilter rules
echo -n "Loading ipfilter rules ... "
# Setting Chains State
iptables -P INPUT DROP
iptables -P OUTPUT ACCEPT
iptables -P FORWARD ACCEPT
# Drop Ping-Flood
iptables -A INPUT -p icmp --icmp-type echo-request -m limit --limit 1/s --limit-burst 5 -j ACCEPT
iptables -A INPUT -p icmp --icmp-type echo-request -m limit --limit 1/s --limit-burst 5 -j LOG --log-prefix PING_FLOOD-DROP
iptables -A INPUT -p icmp --icmp-type echo-request -j DROP
# Allow loopback traffic (lo)
iptables -A INPUT -i lo -j ACCEPT
iptables -A OUTPUT -o lo -j ACCEPT
# Allow established connections
iptables -A OUTPUT -o $NIC0 -m state --state ESTABLISHED,RELATED -j ACCEPT
iptables -A OUTPUT -o $NIC1 -m state --state ESTABLISHED,RELATED -j ACCEPT
iptables -A OUTPUT -o $NIC2 -m state --state ESTABLISHED,RELATED -j ACCEPT
iptables -A INPUT -i $NIC0 -m state --state ESTABLISHED,RELATED -j ACCEPT
iptables -A INPUT -i $NIC1 -m state --state ESTABLISHED,RELATED -j ACCEPT
iptables -A INPUT -i $NIC2 -m state --state ESTABLISHED,RELATED -j ACCEPT
iptables -A FORWARD -i $NIC0 -m state --state ESTABLISHED,RELATED -j ACCEPT
# Allow new outgoing tcp, udp, icmp connections
iptables -A OUTPUT -p tcp -o $NIC0 -m state --state NEW -j ACCEPT
iptables -A OUTPUT -p tcp -o $NIC1 -m state --state NEW -j ACCEPT
iptables -A OUTPUT -p tcp -o $NIC2 -m state --state NEW -j ACCEPT
iptables -A OUTPUT -p udp -o $NIC0 -m state --state NEW -j ACCEPT
iptables -A OUTPUT -p udp -o $NIC1 -m state --state NEW -j ACCEPT
iptables -A OUTPUT -p udp -o $NIC2 -m state --state NEW -j ACCEPT
iptables -A OUTPUT -p icmp -o $NIC0 -m state --state NEW -j ACCEPT
iptables -A OUTPUT -p icmp -o $NIC1 -m state --state NEW -j ACCEPT
iptables -A OUTPUT -p icmp -o $NIC2 -m state --state NEW -j ACCEPT
# Drop fragments and invalid packets
iptables -A INPUT -f -m limit --limit 1/s --limit-burst 1 -j LOG --log-prefix INPUT_FRAG-DROP:
iptables -A INPUT -f -j DROP
iptables -A INPUT -m state --state INVALID -m limit --limit 1/s --limit-burst 1 -j LOG --log-prefix INPUT_INVALID-DROP:
iptables -A INPUT -m state --state INVALID -j DROP
iptables -A OUTPUT -f -m limit --limit 1/s --limit-burst 1 -j LOG --log-prefix OUTPUT_FRAG-DROP:
iptables -A OUTPUT -f -j DROP
iptables -A OUTPUT -m state --state INVALID -j LOG --log-prefix OUTPUT_INVALID-DROP:
iptables -A OUTPUT -m state --state INVALID -j DROP
# Allow FTP from LAN
iptables -A INPUT -p tcp --syn -i $NIC0 -s $LANPOOL -d $LAN --dport 21 -m state --state NEW -j ACCEPT
# Allow FTP from WAN2
iptables -A INPUT -p tcp --syn -i $NIC2 -d $WAN2 --dport 21 -m state --state NEW -j ACCEPT
##
# FTPES Workaround
##
iptables -A INPUT -p tcp --syn -i $NIC2 -d $WAN2 --dport 32768:32778 -j ACCEPT
# Allow SSH from LAN
...
----- CUT HERE -----
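Added example (not part of the original message, nor netfilter or ProFTPD code): a minimal Python model of what the ip_conntrack_ftp helper has to read from the FTP control channel to register a RELATED expectation for the data connection, run over a constructed plaintext PASV exchange and over a constructed FTPES exchange in which the same lines are TLS ciphertext. The names Expectation, expectations and covered_by_passive_ports, and the sample sessions, are assumptions made here; the 32768-32778 range is the PassivePorts value from the configuration above.

```python
import re
from typing import List, NamedTuple, Tuple

# RFC 959 address form h1,h2,h3,h4,p1,p2; the port is p1*256 + p2.
_HP = r"(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3})"
_PORT_CMD = re.compile(rb"^PORT " + _HP.encode() + rb"\r?$")  # active mode, sent by client
_PASV_REPLY = re.compile(rb"^227 .*\(" + _HP.encode() + rb"\)")  # passive mode, sent by server

class Expectation(NamedTuple):
    ip: str
    port: int
    initiator: str  # who opens the data connection: "client" (PASV) or "server" (PORT)

def _hostport(m: "re.Match") -> Tuple[str, int]:
    octets = [int(g) for g in m.groups()]
    if max(octets) > 255:
        raise ValueError("octet out of range in FTP address")
    return ".".join(map(str, octets[:4])), octets[4] * 256 + octets[5]

def expectations(control_stream: bytes) -> List[Expectation]:
    """Scan a control channel the way a conntrack FTP helper does and return the
    data-channel expectations it would register (what makes the data connection
    RELATED). Bytes that are not readable PORT/227 text, such as the TLS records
    that follow AUTH TLS, contribute nothing."""
    found = []
    for line in control_stream.split(b"\n"):
        m = _PORT_CMD.match(line)
        if m:
            ip, port = _hostport(m)
            found.append(Expectation(ip, port, "server"))
            continue
        m = _PASV_REPLY.match(line)
        if m:
            ip, port = _hostport(m)
            found.append(Expectation(ip, port, "client"))
    return found

def covered_by_passive_ports(exp: Expectation, low: int, high: int) -> bool:
    """True if a static ACCEPT rule for the PassivePorts range admits this data connection."""
    return exp.initiator == "client" and low <= exp.port <= high

# Constructed samples, not real captures. Plain FTP: server answers PASV with 10.0.0.5:32770.
PLAIN_SESSION = (b"USER ftp_temp\r\n331 Password required\r\nPASV\r\n"
                 b"227 Entering Passive Mode (10,0,0,5,128,2).\r\n")
# FTPES with TLSRequired auth+data: after AUTH TLS the helper only sees TLS records.
TLS_SESSION = (b"AUTH TLS\r\n234 AUTH TLS successful\r\n"
               b"\x16\x03\x01\x00\x2a\x01\x00\x00\x26\x03\x01" + b"\x00" * 32)

if __name__ == "__main__":
    print(expectations(PLAIN_SESSION), expectations(TLS_SESSION))  # one expectation, then []
```

The empty result for the TLS session is exactly why the data connection arrives as NEW rather than RELATED and hits the INPUT DROP policy, and why the static rule on the PassivePorts range restores transfers while taking the helper out of the picture.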