* Is iptables kickin' that much?
@ 2002-09-06 13:40 wickedsun
2002-09-06 23:44 ` Anders Fugmann
0 siblings, 1 reply; 5+ messages in thread
From: wickedsun @ 2002-09-06 13:40 UTC (permalink / raw)
To: netfilter
I'm not sure I understood very well what you explained. But I have only one
thing to say: it works. Now the question is, will this work with any
protocol? (ftp, irc, etc). The thing scares me a bit. I read in your email
that you have to load up an FTP module (which I have compiled in the kernel)
and it seems to me that it works with other protocols as well. (I was able to
enable Active in DC++ without having to forward each port manually like I
used to do).
This was of huge help for the iptables newbies (including me), and thanks.
Charles
-----------------------
Original Message:
As a lot of other replies said, the problem is when ftp enters passive mode:
the server initiates a data connection to your machine.
Fortunately, a "port" command is sent first over the command channel,
in order to let the client and server know how and where this new
connection will be established.
This can be caught by the netfilter code, and netfilter can allow this
connection to be accepted from the server in a quite clever way, because
netfilter is _stateful_. ipchains was not, and hence this was not possible.
The following gives an example of how netfilter can handle this:
Let's assume that you are sitting behind an iptables firewall doing NAT,
and all you want is to allow users from the inside (eth0) to connect to
the internet through the external link (ppp0):
# First load the helper modules for the ftp protocol connection tracking.
# Delete these lines if the modules are compiled statically into the
# kernel.
modprobe ip_conntrack_ftp
# And the NAT part for the ftp protocol.
modprobe ip_nat_ftp
# Set default policies (policy names are case-sensitive: DROP / ACCEPT).
iptables -P INPUT DROP
iptables -P FORWARD DROP
iptables -P OUTPUT ACCEPT
# NAT all connections leaving through the external link.
iptables -t nat -A POSTROUTING -o ppp0 -j MASQUERADE
# Allow the machine to make any kind of connection: only replies and
# related packets may come back in.
iptables -A INPUT -m state --state ESTABLISHED,RELATED \
-j ACCEPT
# Allow the same for machines located behind the firewall.
iptables -A FORWARD -i eth0 -o ppp0 -j ACCEPT
iptables -A FORWARD -o eth0 -i ppp0 -m state \
--state ESTABLISHED,RELATED -j ACCEPT
And we are all done. The trick is to use the 'state' match. The RELATED
state will match the first packet in the data connection from the
ftp server in passive mode. Any packets hereafter will be in the
ESTABLISHED state.
As you might have noticed, there is no protocol specifier. So this also
works for e.g. DNS lookups (udp) and ICMP packets related to an already
established connection. Stateful firewalling is just sooo great.
There is no reason for you to patch the kernel in order to do this;
this has been possible for a long time.
Regards
Anders Fugmann
-----------------
Charles D'Aoust
wickedsun@phreaker.net
wicked@unraved.org
* Re: Is iptables kickin' that much?
2002-09-06 13:40 Is iptables kickin' that much? wickedsun
@ 2002-09-06 23:44 ` Anders Fugmann
2002-09-07 2:12 ` wickedsun
2002-09-07 12:46 ` Mike D
0 siblings, 2 replies; 5+ messages in thread
From: Anders Fugmann @ 2002-09-06 23:44 UTC (permalink / raw)
To: wickedsun; +Cc: netfilter
wickedsun wrote:
> thing to say, it works.
Great.
> Now the question is, will this work with any
> protocol? (ftp, irc, etc).
As of today, only ftp and IRC are implemented in the vanilla tree. POM
may have connection tracking for other protocols.
A protocol that requests something and then receives an answer is
handled by basic connection tracking (which is why you don't need
connection tracking modules for e.g. http and pop, since no new
connections are established). It is the RELATED packets that are hard to
find.
>The thing is scary me a bit. I read in your email
> that you have to load up a FTP module (which I have compiled in the kernel)
> and it seems to me that it works with other protocol as well. (I was able to
> enable Active in DC++ without having to forward manually each ports like I
> used to do).
Active DC++???? Never heard of it.
>
> This was of a huge help for the iptables newbies (including me) and thanks.
No problem.
Regards
Anders Fugmann
--
Author of FIAIF
FIAIF Is An Intelligent Firewall
http://fiaif.fugmann.dhs.org
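A small Python model, added here as an illustration (it is not netfilter's code, nor anything from the FIAIF project), of what the 'state' match and the ip_conntrack_ftp helper discussed above actually do: a PORT command or a 227 reply on the control channel creates a one-shot expectation, so the data connection is classified RELATED and passes the ESTABLISHED,RELATED rule, while an inbound connection nobody announced (the constructed DC++ port-1412 case) stays NEW and falls to the DROP policy. Addresses and ports are constructed; the address rewriting done by ip_nat_ftp is not modelled.

```python
import re
# Toy model of iptables' "-m state" classification plus the ip_conntrack_ftp
# helper. Constructed for illustration; it is not netfilter code and does not
# model the NAT rewriting that ip_nat_ftp performs.
PASV_RE = re.compile(r"227 .*?\((\d+),(\d+),(\d+),(\d+),(\d+),(\d+)\)")
PORT_RE = re.compile(r"PORT (\d+),(\d+),(\d+),(\d+),(\d+),(\d+)")

class Conntrack:
    def __init__(self, ftp_helper=True):
        self.ftp_helper = ftp_helper
        self.established = set()   # flows seen: (src, sport, dst, dport)
        self.expectations = set()  # helper-created: (src, dst, dport), any sport

    def classify(self, src, sport, dst, dport, payload=b""):
        """Return NEW / ESTABLISHED / RELATED for one packet, then record it."""
        flow, reply = (src, sport, dst, dport), (dst, dport, src, sport)
        if flow in self.established or reply in self.established:
            state = "ESTABLISHED"
        elif (src, dst, dport) in self.expectations:
            self.expectations.discard((src, dst, dport))  # one-shot expectation
            state = "RELATED"
        else:
            state = "NEW"
        self.established.add(flow)
        if self.ftp_helper and 21 in (sport, dport):  # only the control channel
            self._ftp_helper(sport, dst, payload)
        return state

    def _ftp_helper(self, sport, dst, payload):
        """Parse PORT (from client) or a 227 PASV reply (from server) and expect
        the *other* endpoint (dst of this packet) to open addr:port."""
        text = payload.decode("ascii", "replace")
        m = (PASV_RE if sport == 21 else PORT_RE).search(text)
        if m:
            a, b, c, d, p1, p2 = map(int, m.groups())
            self.expectations.add((dst, f"{a}.{b}.{c}.{d}", p1 * 256 + p2))

def inbound_verdict(state):
    """The thread's rule: only ESTABLISHED,RELATED pass; policy DROP otherwise."""
    return "ACCEPT" if state in ("ESTABLISHED", "RELATED") else "DROP"

def demo(ftp_helper=True):
    """Active-mode FTP session followed by an unrelated inbound connection."""
    ct = Conntrack(ftp_helper)
    client, server, peer = "10.0.0.5", "198.51.100.7", "203.0.113.9"  # constructed
    out = {"ctrl": ct.classify(client, 40000, server, 21, b"USER anon\r\n")}
    out["ctrl_reply"] = ct.classify(server, 21, client, 40000, b"331 ok\r\n")
    ct.classify(client, 40000, server, 21, b"PORT 10,0,0,5,195,80\r\n")  # 195*256+80
    out["data"] = ct.classify(server, 20, client, 50000)       # RELATED with helper
    out["data_next"] = ct.classify(client, 50000, server, 20)  # ESTABLISHED
    out["dcpp"] = ct.classify(peer, 33333, client, 1412)       # NEW: nothing expected it
    return out
```

Run `demo(ftp_helper=False)` to see the data connection become NEW, which is exactly the case the helper module exists to fix.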
* Re: Is iptables kickin' that much?
2002-09-06 23:44 ` Anders Fugmann
@ 2002-09-07 2:12 ` wickedsun
2002-09-07 9:11 ` Anders Fugmann
2002-09-07 12:46 ` Mike D
1 sibling, 1 reply; 5+ messages in thread
From: wickedsun @ 2002-09-07 2:12 UTC (permalink / raw)
To: afu; +Cc: netfilter
DC++ is a Direct Connect client. You can use either Passive or Active mode.
It's just like FTP. In passive you get the search responses from the server,
whereas in Active the users send you the responses directly through port 1412. I
used to have to map the ports, but after flushing my forwards and adding
your rules to my iptables, it worked.
Look on sourceforge for DC++.
* Re: Is iptables kickin' that much?
2002-09-07 2:12 ` wickedsun
@ 2002-09-07 9:11 ` Anders Fugmann
0 siblings, 0 replies; 5+ messages in thread
From: Anders Fugmann @ 2002-09-07 9:11 UTC (permalink / raw)
To: wickedsun, netfilter
wickedsun wrote:
> DC++ is a Direct Connect client. You can use either Passive or Active
> mode. It's just like FTP. In passive you get the search responces from
> the server where as Active, the users send you the responces directly
> thru port 1412. I used to have to map the ports, but after flushing my
> forwards and adding your rules to my IPtables, it worked.
>
If Active mode spawns a new connection, then I do not understand why it
works. Try to see if the port is always open by telnetting to it from a
host on the internet.
Also you should try to use NMAP (from a remote machine) to see how
many ports are open on your machine.
Regards
Anders Fugmann
* Re: Is iptables kickin' that much?
2002-09-06 23:44 ` Anders Fugmann
2002-09-07 2:12 ` wickedsun
@ 2002-09-07 12:46 ` Mike D
1 sibling, 0 replies; 5+ messages in thread
From: Mike D @ 2002-09-07 12:46 UTC (permalink / raw)
To: Anders Fugmann, wickedsun, unsubscribe; +Cc: netfilter