From: /dev/rob0 <rob0@gmx.co.uk>
To: netfilter@lists.netfilter.org
Subject: Re: ftp conntrack - nat problem
Date: Wed, 9 Nov 2005 09:18:03 -0600 [thread overview]
Message-ID: <200511090918.03493.rob0@gmx.co.uk> (raw)
In-Reply-To: <fc38b710511090331r6c6943faw875965864a056f21@mail.gmail.com>
On Wednesday 2005-November-09 05:31, Dave Strydom wrote:
> -A PREROUTING -d 209.212.xxx.xxx -p tcp -m tcp --dport 20 -j DNAT
> --to-destination 192.168.0.220:20
> -A PREROUTING -d 209.212.xxx.xxx -p tcp -m tcp --dport 21 -j DNAT
> --to-destination 192.168.0.220:21
If you're running an FTP server behind NAT, you would only DNAT 21.
Ftp-data (tcp/20) is used for outgoing connections to the client. I
doubt this is your problem, though. Nothing will match that rule unless
you're connecting an FTP client on the firewall to a remote site.
> -A POSTROUTING -s 192.168.0.0/255.255.255.0 -j MASQUERADE
In general if you have a static IP (as in "not changing ever", not "you
pay the ISP more and get custom rDNS") the SNAT target is better.
> *filter
>
> :INPUT ACCEPT [2:246]
> :FORWARD ACCEPT [6:1109]
ACCEPT policies can be fine, but you generally should have rules to
REJECT or DROP the traffic you don't want.
> :OUTPUT ACCEPT [44:16200]
> :bad_tcp_packets - [0:0]
> :icmp_packets - [0:0]
> :rbl_packets - [0:0]
> :tcp_allowed - [0:0]
> :tcp_filtered_packets - [0:0]
> :tcp_packets - [0:0]
> :udp_packets - [0:0]
>
> -A INPUT -s 127.0.0.1 -j ACCEPT
First rule? Maybe "-i lo", but not "-s 127.0.0.1". An attacker could
route packets to you which claim to have a source address of 127.0.0.1,
and you're accepting them.
It's a minor weakness, but perhaps it can help you understand the
difference between specifying an input interface ("lo" is always
secure, at least insofar as you trust your own users) or a source IP
address. Packet headers can be spoofed! But outsiders can only come in
on your external interface.
> -A INPUT -s 192.168.0.0/255.255.255.0 -j ACCEPT
Same issue here. Packets claiming to be from your LAN are accepted.
> -A INPUT -d 192.168.0.0/255.255.255.0 -m state --state
> NEW,RELATED,ESTABLISHED -j ACCEPT
Huh? This looks like it might belong in FORWARD. But "-d"? What did you
think this rule would do?
> -A INPUT -d 209.212.xxx.xxx -m state --state RELATED,ESTABLISHED -j
> ACCEPT
I will assume 209.212.xxx.xxx is this machine's external IP. Please be
explicit when you are munging information.
This rule means that your firewall machine gets replies to the
connections it initiates.
> -A INPUT -p tcp -j tcp_filtered_packets
> -A INPUT -p tcp -j rbl_packets
> -A INPUT -p tcp -j tcp_packets
> -A INPUT -p udp -j udp_packets
> -A INPUT -p icmp -j icmp_packets
> -A INPUT -p tcp -m tcp --dport 20 -j ACCEPT
Why? See above about ftp-data.
> -A INPUT -p tcp -m tcp --dport 21 -j ACCEPT
You have DNAT'ed port 21 above. This rule won't be matched.
> -A INPUT -p tcp -m tcp --dport 25 -j ACCEPT
> -A INPUT -p tcp -m tcp --dport 80 -j ACCEPT
> -A INPUT -p tcp -m tcp --dport 443 -j ACCEPT
This machine is running public SMTP, HTTP and HTTPS servers.
> -A INPUT -p tcp -j DROP
This overrides the default ACCEPT policy but only for TCP.
> -A FORWARD -p tcp -m tcp --dport 20 -j ACCEPT
> -A FORWARD -p tcp -m tcp --dport 21 -j ACCEPT
These should ensure the NAT'ed FTP server is accessible from outside.
> -A FORWARD -s 192.168.0.220 -p tcp -j ACCEPT
And any TCP connections from that machine are allowed.
> -A OUTPUT -s 192.168.0.0/255.255.255.0 -m state --state
> NEW,RELATED,ESTABLISHED -j ACCEPT
> -A OUTPUT -s 209.212.xxx.xxx -m state --state NEW,RELATED,ESTABLISHED
> -j ACCEPT
Explained yesterday why this is pointless.
> -A udp_packets -p udp -m udp --dport 53 -j ACCEPT
> -A udp_packets -s 196.36.10.xxx -p udp -j ACCEPT
> -A udp_packets -p udp -j ACCEPT
This is jumped to from INPUT, and all it does is ACCEPT, which is the
same as your default policy.
> COMMIT
The other chains you defined are not used!
> And here is the output of my tethereal:
snip
> What I do notice is this:
>
> FTP [TCP Out-Of-Order] Response: 150 Opening BINARY mode data
> connection for LANDING_16.jpg
> and
> FTP [TCP Previous segment lost] Response:
Yes, I would guess that is the problem, but I don't know what would
cause it. Again from yesterday, I doubt it's a netfilter issue.
--
mail to this address is discarded unless "/dev/rob0"
or "not-spam" is in Subject: header
next prev parent reply other threads:[~2005-11-09 15:18 UTC|newest]
Thread overview: 17+ messages / expand[flat|nested] mbox.gz Atom feed top
2005-11-08 7:03 ftp conntrack - nat problem Dave Strydom
2005-11-08 19:36 ` /dev/rob0
2005-11-09 11:31 ` Dave Strydom
2005-11-09 14:06 ` Dave Strydom
2005-11-09 15:18 ` /dev/rob0 [this message]
2005-11-09 15:23 ` SNAT vs MASQUERADE ... " Pablo Sanchez
2005-11-09 15:51 ` /dev/rob0
2005-11-09 15:57 ` Pablo Sanchez
2005-11-11 3:05 ` SNAT vs MASQUERADE Pablo Sanchez
2005-11-11 8:08 ` Alexander Samad
2005-11-15 22:01 ` Pablo Sanchez
2005-11-09 15:29 ` ftp conntrack - nat problem Dave Strydom
2005-11-09 15:40 ` Dave Strydom
2005-11-09 15:51 ` /dev/rob0
2005-11-09 15:56 ` Dave Strydom
2005-11-10 10:16 ` Dave Strydom
[not found] <FAC4E024BF776842876169173CE2F01309A4A1@mailbox.vikus.com>
2005-11-09 14:38 ` Dave Strydom
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=200511090918.03493.rob0@gmx.co.uk \
--to=rob0@gmx.co.uk \
--cc=netfilter@lists.netfilter.org \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox