[LARTC] matching ftp - how?

[LARTC] matching ftp - how?

[Abraham van der Merwe]

[-- Attachment #1: Type: text/plain, Size: 1718 bytes --]

Hi!

If I have the ftp connection tracking module compiled in, how do I match ftp
packets (I know ftp connections are tracked, but I want to match it to count
the traffic / shape it, etc)

You can obviously match active and passive ftp traffic as follows:

iptables -A FORWARD -s $net -p tcp --dport 21 -m state --state NEW,ESTABLISHED,RELATED
iptables -A FORWARD -d $net -p tcp --sport 21 -m state --state ESTABLISHED,RELATED

and for active ftp:

iptables -A FORWARD -s $net -p tcp --dport 20 -m state --state ESTABLISHED
iptables -A FORWARD -d $net -p tcp --sport 20 -m state --state ESTABLISHED,RELATED

and for passive ftp:

iptables -A FORWARD -s $net -p tcp --sport 1024: --dport 1024:  -m state --state ESTABLISHED,RELATED
iptables -A FORWARD -d $net -p tcp --sport 1024: --dport 1024:  -m state --state ESTABLISHED,RELATED

where $net is the network which is making the connection.

The problem is that the passive ftp rules will also match traffic from other
protocols which uses ports higher than 1024. Is there no way I can match
traffic which is matched by a certain connection tracking module (and only
that module), e.g.

iptables -A FORWARD -s $net -m conntrack --proto ftp
iptables -A FORWARD -s $net -m conntrack --proto irc
iptables -A FORWARD -s $net -m conntrack --proto h323

etc.

-- 

Regards
 Abraham

I'm having BEAUTIFUL THOUGHTS about the INSIPID WIVES of smug and
wealthy CORPORATE LAWYERS ...

___________________________________________________
 Abraham vd Merwe - Frogfoot Networks CC
 9 Kinnaird Court, 33 Main Street, Newlands, 7700
 Phone: +27 21 686 1674 Cell: +27 82 565 4451
 Http: http://www.frogfoot.net/ Email: abz@frogfoot.net


[-- Attachment #2: Type: application/pgp-signature, Size: 232 bytes --]

Re: [LARTC] matching ftp - how?

[Eric Leblond]

[-- Attachment #1: Type: text/plain, Size: 472 bytes --]

On Wed, 2003-03-12 at 15:18, Abraham van der Merwe wrote:
> iptables -A FORWARD -s $net -m conntrack --proto ftp
> iptables -A FORWARD -s $net -m conntrack --proto irc
> iptables -A FORWARD -s $net -m conntrack --proto h323

To do so you can use the conmarck module (from iptable pom) : the mark
of the packet is given following the conntrack. It's a bit tricky to use
(you have to restore mark) but it do the job.

-- 
Eric Leblond <eric@regit.org>
Regit.org

[-- Attachment #2: This is a digitally signed message part --]
[-- Type: application/pgp-signature, Size: 189 bytes --]

Re: [LARTC] matching ftp - how?

[Ethy H. Brito]

On 12 Mar 2003, Eric Leblond wrote:

> On Wed, 2003-03-12 at 15:18, Abraham van der Merwe wrote:
> > iptables -A FORWARD -s $net -m conntrack --proto ftp
> > iptables -A FORWARD -s $net -m conntrack --proto irc
> > iptables -A FORWARD -s $net -m conntrack --proto h323
> 
> To do so you can use the conmarck module (from iptable pom) : the mark
> of the packet is given following the conntrack. It's a bit tricky to use
> (you have to restore mark) but it do the job.

This also interests me. Is there any HOWTO or URL to enlight this?

Ethy H. Brito         /"\
InterNexo Ltda.       \ /  CAMPANHA DA FITA ASCII - CONTRA MAIL HTML
(012) 3941-6860        X   ASCII RIBBON CAMPAIGN - AGAINST HTML MAIL
Sao Jose dos Campos   / \

_______________________________________________
LARTC mailing list / LARTC@mailman.ds9a.nl
http://mailman.ds9a.nl/mailman/listinfo/lartc HOWTO: http://lartc.org/

Re: [LARTC] matching ftp - how?

[Abraham van der Merwe]

[-- Attachment #1: Type: text/plain, Size: 1189 bytes --]

Hi Eric!

> > iptables -A FORWARD -s $net -m conntrack --proto ftp
> > iptables -A FORWARD -s $net -m conntrack --proto irc
> > iptables -A FORWARD -s $net -m conntrack --proto h323
> 
> To do so you can use the conmarck module (from iptable pom) : the mark
> of the packet is given following the conntrack. It's a bit tricky to use
> (you have to restore mark) but it do the job.

I take it you are talking about the connmark match. I don't see how you can
use that to track of the connection. All you can do is match/change packets
with a certain mark value. But how do you know what mark value is assigned
to packets matched by a specific connection tracking module. For example,
let's say I wanted to match h323 packets. How would I know what MARK value
to use?

-- 

Regards
 Abraham

Children are like cats, they can tell when you don't like them.  That's
when they come over and violate your body space.

___________________________________________________
 Abraham vd Merwe - Frogfoot Networks CC
 9 Kinnaird Court, 33 Main Street, Newlands, 7700
 Phone: +27 21 686 1674 Cell: +27 82 565 4451
 Http: http://www.frogfoot.net/ Email: abz@frogfoot.net


[-- Attachment #2: Type: application/pgp-signature, Size: 232 bytes --]

Re: [LARTC] matching ftp - how?

[Eric Leblond]

Le mer 12/03/2003 à 22:25, Abraham van der Merwe a écrit :
>  For example,
> let's say I wanted to match h323 packets. How would I know what MARK value
> to use?
Because we let the conntrack do the job for us. it set the mark almost
by itself using information given by the module.

I wrote a very little howto :
http://home.regit.org/connmark.html

BR,
-- 
Eric Leblond <eric@regit.org>
_______________________________________________
LARTC mailing list / LARTC@mailman.ds9a.nl
http://mailman.ds9a.nl/mailman/listinfo/lartc HOWTO: http://lartc.org/

Re: [LARTC] matching ftp - how?

[Eric Leblond]

Le sam 15/03/2003 à 21:18, Manuel Samper a écrit :
> Eric Leblond, on Wednesday, Mar 12 2003 at 16:03, wrote:

> so, why is needed the "--restore-mark/--save-mark"?. I guess that the tc
> filters (e.g. fwmark) can only see/manage the packets marked by the mark
> module a not by connmark, it's correct?

yes, it is a different mark. Thus you need to restore it to have a
standard fwmark. (by the way it's in the mini-howto)

> Is there any better documentation/examples?

I don't think for the moment. I did no find anything about this patch
and I had to experiment to find how it works.

-- 
Eric Leblond <eric@regit.org>
_______________________________________________
LARTC mailing list / LARTC@mailman.ds9a.nl
http://mailman.ds9a.nl/mailman/listinfo/lartc HOWTO: http://lartc.org/

Re: [LARTC] matching ftp - how?

[Ethy H. Brito]

On 15 Mar 2003 22:12:31 +0100
Eric Leblond <eric@regit.org> wrote:

> Le sam 15/03/2003 à 21:18, Manuel Samper a écrit :
> > Eric Leblond, on Wednesday, Mar 12 2003 at 16:03, wrote:
> 
> > so, why is needed the "--restore-mark/--save-mark"?. I guess that
> > the tc filters (e.g. fwmark) can only see/manage the packets marked
> > by the mark module a not by connmark, it's correct?

This restoring shouldn't it be done at PREROUTING chain instead of
POSTROUTING as pointed in you mini HOWTO or it makes no difference?

-- 

Ethy H. Brito         /"\
InterNexo Ltda.       \ /  CAMPANHA DA FITA ASCII - CONTRA MAIL HTML
+55 (12) 3941-6860     X   ASCII RIBBON CAMPAIGN - AGAINST HTML MAIL
S.J.Campos - Brasil   / \ 
_______________________________________________
LARTC mailing list / LARTC@mailman.ds9a.nl
http://mailman.ds9a.nl/mailman/listinfo/lartc HOWTO: http://lartc.org/

Re: [LARTC] matching ftp - how?

[Manuel Samper]

Ethy H. Brito, on Monday, Mar 17 2003 at 21:17, wrote:
> On 15 Mar 2003 22:12:31 +0100
> Eric Leblond <eric@regit.org> wrote:
> 
> > Le sam 15/03/2003 à 21:18, Manuel Samper a écrit :
> > > Eric Leblond, on Wednesday, Mar 12 2003 at 16:03, wrote:
> > 
> > > so, why is needed the "--restore-mark/--save-mark"?. I guess that
> > > the tc filters (e.g. fwmark) can only see/manage the packets marked
> > > by the mark module a not by connmark, it's correct?
> 
> This restoring shouldn't it be done at PREROUTING chain instead of
> POSTROUTING as pointed in you mini HOWTO or it makes no difference?

I'am wondering the same, and still need to do some testing (but I have
some version problem between iptables-tools/kernel that prevents me from
using CONNMARK).
_______________________________________________
LARTC mailing list / LARTC@mailman.ds9a.nl
http://mailman.ds9a.nl/mailman/listinfo/lartc HOWTO: http://lartc.org/

Re: [LARTC] matching ftp - how?

[Eric Leblond]

Le lun 17/03/2003 à 21:30, Manuel Samper a écrit :
> Ethy H. Brito, on Monday, Mar 17 2003 at 21:17, wrote:
> > This restoring shouldn't it be done at PREROUTING chain instead of
> > POSTROUTING as pointed in you mini HOWTO or it makes no difference?

All depends if you use an ingress policy. If your doing only egress then
restore only in POSTROUTING is not a problem. But if your doing ingress
you can take advantage of the restoring the mark in PREROUTING.

Thanks to have point this ,I add this to the mini-howto.

-- 
Eric Leblond <eric@regit.org>
_______________________________________________
LARTC mailing list / LARTC@mailman.ds9a.nl
http://mailman.ds9a.nl/mailman/listinfo/lartc HOWTO: http://lartc.org/

Re: [LARTC] matching ftp - how?

[Eric Leblond]

[-- Attachment #1: Type: text/plain, Size: 946 bytes --]

On Thu, 2003-03-13 at 08:50, Eric Leblond wrote:
> Le mer 12/03/2003 à 22:25, Abraham van der Merwe a écrit :

> I wrote a very little howto :
> http://home.regit.org/connmark.html

I just rewrite the mini-howto because I found a best way to do the
thing.
The code is now the following :

iptables -A POSTROUTING -t mangle -j CONNMARK --restore-mark
iptables -A POSTROUTING -t mangle -m mark ! --mark 0 -j ACCEPT
iptables -A POSTROUTING -m mark --mark 0 -p tcp --dport 21 -t mangle -j MARK --set-mark 1
iptables -A POSTROUTING -m mark --mark 0 -p tcp --dport 80 -t mangle -j MARK --set-mark 2
iptables -A POSTROUTING -m mark --mark 0 -t mangle -p tcp -j MARK --set-mark 3
iptables -A POSTROUTING -t mangle -j CONNMARK --save-mark

It use save-mark to convert fwmark into connmark, so all the packet of
the connection get the correspondant mark.

More explanation on the site.

-- 
Eric Leblond <eric@regit.org>
Regit.org

[-- Attachment #2: This is a digitally signed message part --]
[-- Type: application/pgp-signature, Size: 189 bytes --]