* iptables ip_conntrack_ftp + proftpd TLS: PORT command not understood
From: Filippo Zeus @ 2008-05-26 18:51 UTC (permalink / raw)
To: netfilter
Hi,
I think the ftp_conntrack module has a bug.
I'm setting up proftpd 1.3.1 with TLS for encrypting auth+data only
traffic to let the ftp_conntrack module understand the PORT command when a
client connects to the server using PASV mode.
Look at the link below and search for the question
"Using mod_tls, FTP sessions through my firewall now no longer work.
What's going on?"
The ftp_conntrack module probably does not understand the PORT command, so it does
not open the port.
I tried to define a limited passive port range in proftpd.conf and set up
iptables to ACCEPT any connection in this range, which fixed the problem. But
practically I've bypassed the ftp_conntrack module.
Here are the system info and the main configuration parts.
Debian Lenny
uname -a
Linux debian 2.6.24-1-amd64 #1 SMP Thu Mar 27 16:52:38 UTC 2008 x86_64
GNU/Linux
__________
iptables -V
iptables v1.4.0
________
proftpd -V
Compile-time Settings:
Version: 1.3.1
Platform: LINUX
Built With:
configure --prefix=/usr
--with-includes=/usr/include/postgresql:/usr/include/mysql
--mandir=/usr/share/man --sysconfdir=/etc/proftpd
--localstatedir=/var/run --libexecdir=/usr/lib/proftpd --enable-sendfile
--enable-facl --enable-dso --enable-autoshadow --enable-ctrls
--with-modules=mod_readme --enable-ipv6 --build x86_64-linux-gnu
--with-shared=mod_site_misc:mod_load:mod_ban:mod_quotatab:mod_sql:mod_sql_mysql:mod_sql_postgres:mod_quotatab_sql:mod_ldap:mod_quotatab_ldap:mod_ratio:mod_tls:mod_rewrite:mod_radius:mod_wrap:mod_wrap2:mod_wrap2_file:mod_wrap2_sql:mod_quotatab_file:mod_quotatab_radius:mod_facl:mod_ctrls_admin:mod_ifsession
CFLAGS: -O2 -D_LARGEFILE64_SOURCE -D_FILE_OFFSET_BITS=64 -DHAVE_OPENSSL
-DUSE_LDAP_TLS -Wall -Wno-long-double
LDFLAGS: -L$(top_srcdir)/lib
LIBS: -lsupp -lcrypt
Files:
Configuration File:
/etc/proftpd/proftpd.conf
Pid File:
/var/run/proftpd.pid
Scoreboard File:
/var/run/proftpd/proftpd.scoreboard
Shared Module Directory:
/usr/lib/proftpd
Features:
+ Autoshadow support
+ Controls support
+ curses support
- Developer support
+ DSO support
+ IPv6 support
+ Largefile support
- Lastlog support
+ ncurses support
- NLS support
+ OpenSSL support
+ POSIX ACL support
+ Shadow file support
+ Sendfile support
+ Trace support
Tunable Options:
PR_TUNABLE_BUFFER_SIZE = 1024
PR_TUNABLE_GLOBBING_MAX = 8
PR_TUNABLE_HASH_TABLE_SIZE = 40
PR_TUNABLE_NEW_POOL_SIZE = 512
PR_TUNABLE_RCVBUFSZ = 8192
PR_TUNABLE_SCOREBOARD_BUFFER_SIZE = 80
PR_TUNABLE_SCOREBOARD_SCRUB_TIMER = 30
PR_TUNABLE_SELECT_TIMEOUT = 30
PR_TUNABLE_SNDBUFSZ = 8192
PR_TUNABLE_TIMEOUTIDENT = 10
PR_TUNABLE_TIMEOUTIDLE = 600
PR_TUNABLE_TIMEOUTLINGER = 180
PR_TUNABLE_TIMEOUTLOGIN = 300
PR_TUNABLE_TIMEOUTNOXFER = 300
PR_TUNABLE_TIMEOUTSTALLED = 3600
PR_TUNABLE_XFER_BUFFER_SIZE = 1024
PR_TUNABLE_XFER_SCOREBOARD_UPDATES = 10
___________
*** CONFIGURATIONS ****
cat /etc/proftpd/proftpd.conf
# Includes DSO modules
Include /etc/proftpd/modules.conf
UseIPv6 off
ServerName "ftp.foo.barl"
ServerType standalone
ServerAdmin support@foo.bar
UseReverseDNS off
DeferWelcome off
MultilineRFC2228 on
DefaultServer off
DefaultAddress 127.0.0.1
TimeoutNoTransfer 600
TimeoutStalled 600
TimeoutIdle 1200
DisplayLogin "README"
#DisplayFirstChdir .message
ListOptions "-l"
DenyFilter \*.*/
Port 21
MaxInstances 50
User proftpd
Group nogroup
Umask 000
AllowOverwrite on
UseSendFile off
TransferLog /var/log/proftpd/main.log
SystemLog /var/log/proftpd/system.log
LogFormat default "%t USER: SEND %r "
LogFormat extended "%t USER: %u (from IP %a ) send CMD: %r REPLY: %s (Transfer %b bytes in %T sec.)"
SocketBindTight off
<IfModule mod_tls.c>
TLSEngine on
TLSLog /var/log/proftpd/tls.log
TLSProtocol SSLv23
TLSOptions NoCertRequest
TLSRSACertificateFile /etc/proftpd/ssl/proftpd.cert.pem
TLSRSACertificateKeyFile /etc/proftpd/ssl/proftpd.key.pem
TLSVerifyClient off
</IfModule>
<IfModule mod_quota.c>
QuotaEngine on
</IfModule>
<IfModule mod_ratio.c>
Ratios on
</IfModule>
<IfModule mod_delay.c>
DelayEngine on
</IfModule>
<IfModule mod_ctrls.c>
ControlsEngine on
ControlsMaxClients 2
ControlsLog /var/log/proftpd/controls.log
ControlsInterval 5
ControlsSocket /var/run/proftpd/proftpd.sock
</IfModule>
<IfModule mod_ctrls_admin.c>
AdminControlsEngine on
</IfModule>
<Global>
PassivePorts 32768 32778
MaxLoginAttempts 2
ServerIdent on " "
ExtendedLog /var/log/proftpd/Activity.log
AUTH default
ExtendedLog /var/log/proftpd/Activity.log
WRITE,READ extended
DefaultRoot ~
AllowRetrieveRestart on
MaxClients 30 "SERVER_BUSY: Please retry. NOTE: The Accident will be reported to System Administrator"
MaxClientsPerHost 5 "ERROR: You can't open more than five (5) session form the same host. Close an FTP session or retry later."
AllowStoreRestart on
DeleteAbortedStores off
LoginPasswordPrompt off
AccessDenyMsg "ERROR: Incorrect Login! Please Retry. NOTE: The Accident will be reported to System Admnistrator"
AccessGrantMsg "Welcome to lifesaver FTP service, DO NOT FORGET TO SWITCH to TLS/SSL FTP ! ... and please keep in mind all your actions here will be logged! "
DefaultTransferMode binary
IdentLookups off
HiddenStores off
ShowSymlinks off
DirFakeGroup on ftp
DirFakeUser on ftp
AllowOverwrite on
WtmpLog on
RootLogin off
AuthAliasOnly off
PathDenyFilter "\\.(ftpaccess|htaccess)$"
ListOptions "-l"
DisplayConnect "Welcome to xxxxxx. Please Login ... "
DisplayGoAway "Welcome to xxxxxx ... Sorry, too many user are logged in ... Please retry later"
AuthOrder mod_auth_file.c
RequireValidShell no
AuthUserFile /etc/proftpd/passwd
<Limit SITE_CHMOD>
DenyAll
</Limit>
<IfModule mod_delay.c>
DelayEngine on
</IfModule>
</Global>
<VirtualHost xx.xxx.x.x>
ServerName "ftp.lifesaver.it"
ServerIdent on "FTP Server ready. Please use FTP-TLS or login will be rejected. "
TransferLog /var/log/proftpd/ftp-lifesaver-it.log
<Limit LOGIN>
AllowUser ftp_temp
Deny All
</Limit>
<IfModule mod_tls.c>
TLSEngine on
TLSLog /var/log/proftpd/tls.log
TLSOptions NoCertRequest
TLSRSACertificateFile /etc/proftpd/ssl/proftpd.cert.pem
TLSRSACertificateKeyFile /etc/proftpd/ssl/proftpd.key.pem
TLSVerifyClient off
TLSRequired auth+data
</IfModule>
TransferRate RETR 213.0:1024
TransferRate APPE 213.0:1024
TransferRate STOR 2048.0:1024
TransferRate STOU 2048.0:1024
</VirtualHost>
____________
cat /etc/init.d/firewall
# Loading ipfilter connection tracking modules
echo -n "Loading conntrack modules ... "
modprobe ip_conntrack
modprobe ip_conntrack_ftp
modprobe ip_conntrack_irc
modprobe ip_nat_ftp
# Loading ipfilter rules
echo -n "Loading ipfilter rules ... "
# Setting Chains State
iptables -P INPUT DROP
iptables -P OUTPUT ACCEPT
iptables -P FORWARD ACCEPT
# Drop Ping-Flood
iptables -A INPUT -p icmp --icmp-type echo-request -m limit --limit 1/s --limit-burst 5 -j ACCEPT
iptables -A INPUT -p icmp --icmp-type echo-request -m limit --limit 1/s --limit-burst 5 -j LOG --log-prefix PING_FLOOD-DROP
iptables -A INPUT -p icmp --icmp-type echo-request -j DROP
# Allow loopback traffic (lo)
iptables -A INPUT -i lo -j ACCEPT
iptables -A OUTPUT -o lo -j ACCEPT
# Allow established connections
iptables -A OUTPUT -o $NIC0 -m state --state ESTABLISHED,RELATED -j ACCEPT
iptables -A OUTPUT -o $NIC1 -m state --state ESTABLISHED,RELATED -j ACCEPT
iptables -A OUTPUT -o $NIC2 -m state --state ESTABLISHED,RELATED -j ACCEPT
iptables -A INPUT -i $NIC0 -m state --state ESTABLISHED,RELATED -j ACCEPT
iptables -A INPUT -i $NIC1 -m state --state ESTABLISHED,RELATED -j ACCEPT
iptables -A INPUT -i $NIC2 -m state --state ESTABLISHED,RELATED -j ACCEPT
iptables -A FORWARD -i $NIC0 -m state --state ESTABLISHED,RELATED -j ACCEPT
# Allow new outgoing tcp, udp, icmp connections
iptables -A OUTPUT -p tcp -o $NIC0 -m state --state NEW -j ACCEPT
iptables -A OUTPUT -p tcp -o $NIC1 -m state --state NEW -j ACCEPT
iptables -A OUTPUT -p tcp -o $NIC2 -m state --state NEW -j ACCEPT
iptables -A OUTPUT -p udp -o $NIC0 -m state --state NEW -j ACCEPT
iptables -A OUTPUT -p udp -o $NIC1 -m state --state NEW -j ACCEPT
iptables -A OUTPUT -p udp -o $NIC2 -m state --state NEW -j ACCEPT
iptables -A OUTPUT -p icmp -o $NIC0 -m state --state NEW -j ACCEPT
iptables -A OUTPUT -p icmp -o $NIC1 -m state --state NEW -j ACCEPT
iptables -A OUTPUT -p icmp -o $NIC2 -m state --state NEW -j ACCEPT
# Drop fragments and invalid packets
iptables -A INPUT -f -m limit --limit 1/s --limit-burst 1 -j LOG --log-prefix INPUT_FRAG-DROP:
iptables -A INPUT -f -j DROP
iptables -A INPUT -m state --state INVALID -m limit --limit 1/s --limit-burst 1 -j LOG --log-prefix INPUT_INVALID-DROP:
iptables -A INPUT -m state --state INVALID -j DROP
iptables -A OUTPUT -f -m limit --limit 1/s --limit-burst 1 -j LOG --log-prefix OUTPUT_FRAG-DROP:
iptables -A OUTPUT -f -j DROP
iptables -A OUTPUT -m state --state INVALID -j LOG --log-prefix OUTPUT_INVALID-DROP:
iptables -A OUTPUT -m state --state INVALID -j DROP
# Allow FTP from LAN
iptables -A INPUT -p tcp --syn -i $NIC0 -s $LANPOOL -d $LAN --dport 21 -m state --state NEW -j ACCEPT
# Allow FTP from WAN2
iptables -A INPUT -p tcp --syn -i $NIC2 -d $WAN2 --dport 21 -m state --state NEW -j ACCEPT
##
# FTPES Workaround
##
iptables -A INPUT -p tcp --syn -i $NIC2 -d $WAN2 --dport 32768:32778 -j ACCEPT
# Allow SSH from LAN
...
----- CUT HERE -----
* Re: iptables ip_conntrack_ftp + proftpd TLS: PORT command not understood
From: whiplash @ 2008-05-26 19:07 UTC (permalink / raw)
To: filippozeus; +Cc: netfilter
Filippo Zeus wrote:
> The ftp_conntrack module probably does not understand the PORT command, so it does
> not open the port.
There's no bug, indeed.
The conntrack helper simply *can't* see the PORT command, since the packet payload
is encrypted.
* Re: iptables ip_conntrack_ftp + proftpd TLS: PORT command not understood
From: Filippo Zeus @ 2008-05-26 19:24 UTC (permalink / raw)
To: netfilter
That's true ... proftpd has been configured to encrypt auth+data,
so the PORT command is sent in clear text.
If you read the
question "Using mod_tls, FTP sessions through my firewall now no longer
work. What's going on?"
at http://www.castaglia.org/proftpd/doc/contrib/ProFTPD-mini-HOWTO-TLS.html
the proftpd developers suggest doing this to fix this problem...
but it does not work.
Please help.
> There's no bug, indeed.
> Conntrack helper simply *can't* see the PORT command, since the packet
> payload
> is encrypted.
>
* Re: iptables ip_conntrack_ftp + proftpd TLS: PORT command not understood
From: Jan Engelhardt @ 2008-05-26 19:28 UTC (permalink / raw)
To: Filippo Zeus; +Cc: netfilter
On Monday 2008-05-26 20:51, Filippo Zeus wrote:
> Hi,
> I think the ftp_conntrack module has a bug.
>
> I'm setting up proftpd 1.3.1 with TLS for encrypting auth+data only traffic to
> let the ftp_conntrack module understand the PORT command when a client connects to
> the server using PASV mode.
>
> Look at the link below and search for the question
> "Using mod_tls, FTP sessions through my firewall now no longer work. What's
> going on?"
>
> The ftp_conntrack module probably does not understand the PORT command, so it does not
> open the port.
No, it does not understand it because you are encrypting the channel with TLS.
Simple as that.
* Re: iptables ip_conntrack_ftp + proftpd TLS: PORT command not understood
From: whiplash @ 2008-05-26 19:39 UTC (permalink / raw)
To: netfilter
Filippo Zeus wrote:
> That's true ... proftpd has been configured to encrypt auth+data,
> so the PORT command is sent in clear text.
>
> If you read the
> question "Using mod_tls, FTP sessions through my firewall now no longer
> work. What's going on?"
> at http://www.castaglia.org/proftpd/doc/contrib/ProFTPD-mini-HOWTO-TLS.html
>
> the proftpd developers suggest doing this to fix this problem...
> but it does not work.
Did you verify, by using for example tcpdump, that the client is actually using
CCC, sending commands in clear text?
* Re: iptables ip_conntrack_ftp + proftpd TLS: PORT command not understood
From: Filippo Zeus @ 2008-05-26 20:00 UTC (permalink / raw)
To: netfilter
Thanks for your help first of all!
Yes, and I've tested tons of clients (ftp-ssl, FileZilla, hated M$-IE).
Unfortunately tcpdump has confirmed my feeling.
Also, reading the proftpd log I can see that the encrypted channel is
switched off after the PASS command
and stays on only for the data channel.
I'm not sure, because I'm not a developer, but I think that the ftp_conntrack
module opens a port *ONLY* if
it reads first the USER command, then the PASS command, then the PASV/PORT
commands,
not simply if a (cleartext) PORT command came from the ftp client.
> Did you verify, by using for example tcpdump, that the client is
> actually using
> CCC, sending commands in clear text?
>
* Re: iptables ip_conntrack_ftp + proftpd TLS: PORT command not understood
From: Patrick McHardy @ 2008-05-26 20:41 UTC (permalink / raw)
To: filippozeus; +Cc: netfilter
Filippo Zeus wrote:
> Thanks for your help first of all!
>
> Yes, and I've tested tons of clients (ftp-ssl, FileZilla, hated M$-IE).
> Unfortunately tcpdump has confirmed my feeling.
> Also, reading the proftpd log I can see that the encrypted channel is
> switched off after the PASS command
> and stays on only for the data channel.
>
> I'm not sure, because I'm not a developer, but I think that the
> ftp_conntrack module opens a port *ONLY* if
> it reads first the USER command, then the PASS command, then the PASV/PORT
> commands,
> not simply if a (cleartext) PORT command came from the ftp client.
Please send a tcpdump.
* Re: iptables ip_conntrack_ftp + proftpd TLS: PORT command not understood
From: Jan Engelhardt @ 2008-05-26 22:05 UTC (permalink / raw)
To: Filippo Zeus; +Cc: netfilter, kaber
On Monday 2008-05-26 22:00, Filippo Zeus wrote:
> I'm not sure, because I'm not a developer, but I think that the ftp_conntrack module
> opens a port *ONLY* if
> it reads first the USER command, then the PASS command, then the PASV/PORT commands,
> not simply if a (cleartext) PORT command came from the ftp client.
It sets up an expectation once it sees PORT/EPRT/PASV/EPSV,
regardless of USER/PASS.
It does *NOT* recognize the TLS commands SSCN/CPSV,
which is probably the problem, if you claim that the control
connection is clear-text.
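Jan's point above, as an added Python model that is not the kernel's nf_conntrack_ftp code: the helper pattern-matches PORT/EPRT/PASV/EPSV on whatever bytes cross the control channel, keeps no USER/PASS state, and so creates no expectation once TLS records replace FTP lines. The regexes, sample sessions and client address are constructed; the 227 reply reuses the (77,43,13,50,167,18) value from the FileZilla log later in the thread, which decodes to port 42770, the port the tcpdump shows the client retrying.

```python
"""Constructed model of the FTP conntrack helper's decision logic (added
example, not the kernel's nf_conntrack_ftp source): the helper pattern-matches
PORT/EPRT/PASV/EPSV on whatever bytes cross the control channel, keeps no
USER/PASS state, and so creates no expectation once TLS records replace lines."""
import re
from dataclasses import dataclass
from typing import List, Optional, Tuple

# Constructed regexes for the four messages the helper reacts to.
PORT_RE = re.compile(r"^PORT (\d+),(\d+),(\d+),(\d+),(\d+),(\d+)$", re.I)
PASV_RE = re.compile(r"^227 .*\((\d+),(\d+),(\d+),(\d+),(\d+),(\d+)\)")
EPRT_RE = re.compile(r"^EPRT \|1\|(\d+\.\d+\.\d+\.\d+)\|(\d+)\|$", re.I)
EPSV_RE = re.compile(r"^229 .*\(\|\|\|(\d+)\|\)")


@dataclass(frozen=True)
class Expectation:
    """A data connection the helper would classify as RELATED."""
    mode: str        # PORT, EPRT, PASV or EPSV
    initiator: str   # IP that opens the data connection
    dst_ip: str
    dst_port: int


def _hostport(m) -> Tuple[str, int]:
    """Decode the h1,h2,h3,h4,p1,p2 form used by PORT and the 227 reply."""
    ip = ".".join(m.group(i) for i in range(1, 5))
    return ip, int(m.group(5)) * 256 + int(m.group(6))


def scan_payload(payload: bytes, from_client: bool,
                 client_ip: str, server_ip: str) -> Optional[Expectation]:
    """Inspect one control-channel segment the way the helper does: match the
    bytes, with no login state. A TLS record matches nothing and yields None."""
    try:
        text = payload.decode("ascii").strip()
    except UnicodeDecodeError:
        return None
    if from_client:
        m = PORT_RE.match(text)
        if m:
            ip, port = _hostport(m)
            return Expectation("PORT", server_ip, ip, port)
        m = EPRT_RE.match(text)
        if m:
            return Expectation("EPRT", server_ip, m.group(1), int(m.group(2)))
    else:
        m = PASV_RE.match(text)
        if m:
            ip, port = _hostport(m)
            return Expectation("PASV", client_ip, ip, port)
        m = EPSV_RE.match(text)
        if m:
            return Expectation("EPSV", client_ip, server_ip, int(m.group(1)))
    return None


def track_session(segments, client_ip: str, server_ip: str) -> List[Expectation]:
    """Feed every (from_client, payload) segment through the helper."""
    found = []
    for from_client, payload in segments:
        exp = scan_payload(payload, from_client, client_ip, server_ip)
        if exp is not None:
            found.append(exp)
    return found


def is_related(expectations, src_ip: str, dst_ip: str, dst_port: int) -> bool:
    """Would a new SYN be accepted by '-m state --state RELATED'?"""
    return any(e.initiator == src_ip and e.dst_ip == dst_ip
               and e.dst_port == dst_port for e in expectations)


CLIENT, SERVER = "151.80.2.63", "77.43.13.50"   # addresses seen in the thread

# Session A (constructed): control channel in clear text. The 227 reply reuses
# the value from the FileZilla log, which decodes to 77.43.13.50:42770.
CLEAR_SESSION = [
    (False, b"220 FTP Server ready.\r\n"),
    (True,  b"USER ftp_temp\r\n"),
    (True,  b"PASS not-the-real-password\r\n"),
    (True,  b"PASV\r\n"),
    (False, b"227 Entering Passive Mode (77,43,13,50,167,18).\r\n"),
    (True,  b"LIST\r\n"),
]

# Session B (constructed): after "234 AUTH TLS successful" every segment is a
# TLS record (byte values made up), including the encrypted PASV exchange.
TLS_SESSION = [
    (False, b"220 FTP Server ready.\r\n"),
    (True,  b"AUTH TLS\r\n"),
    (False, b"234 AUTH TLS successful\r\n"),
    (True,  b"\x16\x03\x01\x00\x4f\x01\x00\x00\x4b\x03\x01\x9c\xff\xe2"),
    (True,  b"\x17\x03\x01\x00\x30\xd4\x8b\x21\x9e\xc0\x11\x7a\x33\x05"),
    (False, b"\x17\x03\x01\x00\x40\x12\xe0\x55\x8a\xc7\x90\x3d\xfe\x0c"),
]


def demo() -> Tuple[bool, bool]:
    """Is the client's SYN to 77.43.13.50:42770 RELATED in each session?"""
    clear = track_session(CLEAR_SESSION, CLIENT, SERVER)
    tls = track_session(TLS_SESSION, CLIENT, SERVER)
    return (is_related(clear, CLIENT, SERVER, 42770),
            is_related(tls, CLIENT, SERVER, 42770))
```

In the TLS session no expectation exists, so the data SYN falls through to the INPUT policy DROP, which is exactly the unanswered, retransmitted SYNs to port 42770 in the tcpdump.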
* Re: iptables ip_conntrack_ftp + proftpd TLS: PORT command not understood
From: Jan Engelhardt @ 2008-05-26 22:32 UTC (permalink / raw)
To: Filippo Zeus; +Cc: netfilter, kaber
On Tuesday 2008-05-27 00:05, Jan Engelhardt wrote:
>On Monday 2008-05-26 22:00, Filippo Zeus wrote:
>
>> I'm not sure, because I'm not a developer, but I think that the ftp_conntrack module
>> opens a port *ONLY* if
>> it reads first the USER command, then the PASS command, then the PASV/PORT commands,
>> not simply if a (cleartext) PORT command came from the ftp client.
>
>It sets up an expectation once it sees PORT/EPRT/PASV/EPSV,
>regardless of USER/PASS.
>
>It does *NOT* recognize the TLS commands SSCN/CPSV,
>which is probably the problem, if you claim that the control
>connection is clear-text.
Ah, never mind; SSL using SSCN/CPSV seems to have been obsolete for a long time.
* Re: iptables ip_conntrack_ftp + proftpd TLS: PORT command not understood
From: whiplash @ 2008-05-26 22:32 UTC (permalink / raw)
To: netfilter
Jan Engelhardt wrote:
> It does *NOT* recognize the TLS commands SSCN/CPSV,
Aren't these extensions used only in FXP?
* Re: iptables ip_conntrack_ftp + proftpd TLS: PORT command not understood
From: Filippo Zeus @ 2008-05-27 1:14 UTC (permalink / raw)
To: netfilter
Considering the ftp control port is text based, I've dumped with the -A switch. I
hope it's OK.
********** TCPDUMP LOG STARTS HERE **********
[zeus@augustus ~] % sudo tcpdump -A -i ppp0 -n
tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
listening on ppp0, link-type PPP (PPP), capture size 96 bytes
03:05:57.045277 IP 151.80.2.63.55194 > ***HIDDEN_IP***.21: S
834183062:834183062(0) win 8192 <mss 1460,nop,wscale 3,nop,nop,timestamp
538543633 0,sackOK,eol>
2....1......... ................
...........
03:05:58.008113 IP 151.80.2.63.55194 > ***HIDDEN_IP***.21: S
834183062:834183062(0) win 8192 <mss 1460,nop,wscale 3,nop,nop,timestamp
538543642 0,sackOK,eol>
2....1......... ................
...........
03:05:58.289943 IP ***HIDDEN_IP***.21 > 151.80.2.63.55194: S
3283700948:3283700948(0) ack 834183063 win 5840 <mss
1420,nop,nop,sackOK,nop,wscale 7>
2.P.?......L.1.......................
03:05:58.290033 IP 151.80.2.63.55194 > ***HIDDEN_IP***.21: . ack 1 win 1024
2....1.....L.P....Y..+
03:05:59.103851 IP ***HIDDEN_IP***.21 > 151.80.2.63.55194: S
3283700948:3283700948(0) ack 834183063 win 5840 <mss
1420,nop,nop,sackOK,nop,wscale 7>
2.P.?......L.1.......................
03:05:59.103934 IP 151.80.2.63.55194 > ***HIDDEN_IP***.21: . ack 1 win 1024
2....1.....L.P....Y..+
03:05:59.149005 IP ***HIDDEN_IP***.21 > 151.80.2.63.55194: P 1:71(70)
ack 1 win 46
2.P.?......L.1...P....`..220 FTP Server ready. Please use FTP-TLS or
login wi
03:05:59.149078 IP 151.80.2.63.55194 > ***HIDDEN_IP***.21: . ack 71 win 1024
2....1.....M.P.......+
03:05:59.149759 IP 151.80.2.63.55194 > ***HIDDEN_IP***.21: P 1:11(10)
ack 71 win 1024
2....1.....M.P.......AUTH TLS
03:05:59.700919 IP ***HIDDEN_IP***.21 > 151.80.2.63.55194: . ack 11 win 46
2.P.?......M.1...P.......
03:05:59.700939 IP ***HIDDEN_IP***.21 > 151.80.2.63.55194: P 71:96(25)
ack 11 win 46
2.P.?......M.1...P...O...234 AUTH TLS successful
03:05:59.701036 IP 151.80.2.63.55194 > ***HIDDEN_IP***.21: . ack 96 win 1024
2....1.....M4P.......+
03:05:59.706276 IP 151.80.2.63.55194 > ***HIDDEN_IP***.21: P 11:95(84)
ack 96 win 1024
2....1.....M4P...L.......O...K..H;^w.i} ..\*.+....'b..]...5`.O....$.3.E.9
03:06:00.416441 IP ***HIDDEN_IP***.21 > 151.80.2.63.55194: P
1516:1666(150) ack 95 win 46
2.P.?......R.1...P....[...)E..5O......tsp.+).)..W[H..u.)IP..&....XZr...~.<...
03:06:00.416535 IP 151.80.2.63.55194 > ***HIDDEN_IP***.21: . ack 96 win
1024 <nop,nop,sack 1 {1516:1666}>
2....1.....M4...........
..R...SV
03:06:00.435501 IP ***HIDDEN_IP***.21 > 151.80.2.63.55194: .
96:1516(1420) ack 95 win 46
2.P.?......M41...P...........J...F..H;^x2...qYQP..H:=...H%I=3..X....
.......
03:06:00.435594 IP 151.80.2.63.55194 > ***HIDDEN_IP***.21: . ack 1666
win 1024
2....1.....SVP....z..+
03:06:00.506622 IP 151.80.2.63.55194 > ***HIDDEN_IP***.21: P 95:234(139)
ack 1666 win 1024
2....1.....SVP..................8......(......k.8.v.....~W.y...!Ot.......
03:06:01.200890 IP ***HIDDEN_IP***.21 > 151.80.2.63.55194: . ack 234 win 54
2.P.?......SV1...P..6....
03:06:01.200956 IP 151.80.2.63.55194 > ***HIDDEN_IP***.21: P
234:437(203) ack 1666 win 1024
X?..A...M'........$..M.S.........../..X........
03:06:01.882933 IP ***HIDDEN_IP***.21 > 151.80.2.63.55194: . ack 437 win 63
2.P.?......SV1..KP..?....
03:06:01.882941 IP ***HIDDEN_IP***.21 > 151.80.2.63.55194: P
1666:1725(59) ack 437 win 63
2.P.?......SV1..KP..?..............0....9.../!L.]..z^..5&VEL....D..^-...S...-
03:06:01.883016 IP 151.80.2.63.55194 > ***HIDDEN_IP***.21: . ack 1725
win 1024
2....1..K..S.P.......+
03:06:01.903140 IP 151.80.2.63.55194 > ***HIDDEN_IP***.21: P
437:650(213) ack 1725 win 1024
...&q..p0.......$]..........M.}..{..^`v..o....H.1..
03:06:02.666951 IP ***HIDDEN_IP***.21 > 151.80.2.63.55194: P
1725:1794(69) ack 650 win 71
2.P.?......S.1..
P..Gz.......@)C.#.B1....9....6.=u..6......&..4<...,F..#.y..*
03:06:02.667022 IP 151.80.2.63.55194 > ***HIDDEN_IP***.21: . ack 1794
win 1024
2....1.. ..S.P.......+
03:06:02.681297 IP 151.80.2.63.55194 > ***HIDDEN_IP***.21: P 650:719(69)
ack 1794 win 1024
2....1.. ..S.P....`......@...T././......s.. D..k#......X..V.F......Phv,..
03:06:03.288189 IP ***HIDDEN_IP***.21 > 151.80.2.63.55194: P
1794:1975(181) ack 719 win 71
2.P.?......S.1..eP..G..........,.........;......c7m.~r.._#..OFw.P.`d@F..%...f
03:06:03.288267 IP 151.80.2.63.55194 > ***HIDDEN_IP***.21: . ack 1975
win 1024
2....1..e..T.P.......+
03:06:03.292196 IP 151.80.2.63.55194 > ***HIDDEN_IP***.21: P
719:900(181) ack 1975 win 1024
2....1..e..T.P...W>.........>..
..D0.....@.M.'...c".... B........l.T.....
03:06:04.047064 IP ***HIDDEN_IP***.21 > 151.80.2.63.55194: P
1975:2028(53) ack 900 win 80
2.P.?......T.1...P..P........0.7D...y..9iC..p%f...kM;.rg|n).l)I.&..-.!4.OH...
03:06:04.047141 IP 151.80.2.63.55194 > ***HIDDEN_IP***.21: . ack 2028
win 1024
2....1.....T.P.......+
03:06:04.051879 IP 151.80.2.63.55194 > ***HIDDEN_IP***.21: P 900:953(53)
ack 2028 win 1024
&....1.....T.P...........0.a.......rR..Y....}..:....7O.E.k.< .'.m/..
03:06:04.781092 IP ***HIDDEN_IP***.21 > 151.80.2.63.55194: P
2028:2097(69) ack 953 win 80
2.P.?......T.1..OP..Py.......@.u_U=.g........
.......^..c.|..9..
03:06:04.781176 IP 151.80.2.63.55194 > ***HIDDEN_IP***.21: . ack 2097
win 1024
2....1..O..U.P....q..+
03:06:04.793662 IP 151.80.2.63.55194 > ***HIDDEN_IP***.21: P
953:1054(101) ack 2097 win 1024
...!E...:
2....1..O..U.P...........`...8_B.|2.`..$.>....W&.#.8.D..J.o.8..Z,.......+
03:06:05.417095 IP ***HIDDEN_IP***.21 > 151.80.2.63.55194: P
2097:2166(69) ack 1054 win 80
2.P.?......U.1...P..P\
......@..8.....]..K....=\...v3..;Z0K....A=u.....3MRg.M
03:06:05.417171 IP 151.80.2.63.55194 > ***HIDDEN_IP***.21: . ack 2166
win 1024
2....1.....UJP.......
03:06:05.422336 IP 151.80.2.63.55194 > ***HIDDEN_IP***.21: P
1054:1267(213) ack 2166 win 1024
2....1.....UJP....k............if6.J=.wyJ.....nIp....4cS.]....^2.x..*.D.I
03:06:06.211021 IP ***HIDDEN_IP***.21 > 151.80.2.63.55194: P
2166:2219(53) ack 1267 win 88
2.P.?......UJ1...P..X........0mr...1......w....5..aD.k....H..A.I..5~...eHk#|:
03:06:06.211102 IP 151.80.2.63.55194 > ***HIDDEN_IP***.21: . ack 2219
win 1024
2....1.....U.P.......+
03:06:06.215691 IP 151.80.2.63.55194 > ***HIDDEN_IP***.21: P
1267:1480(213) ack 2219 win 1024
2....1.....U.P..............Y[,.s....d.)...h....]..W[W%...C4U.#... .}.c.A
03:06:06.985733 IP ***HIDDEN_IP***.21 > 151.80.2.63.55194: P
2219:2304(85) ack 1480 win 96
2.P.?......U.1..^P..`.`......PH...5/.u.....!....8.z..V/{.qx..;..._.v...b.\.N"
03:06:06.985773 IP 151.80.2.63.55194 > ***HIDDEN_IP***.21: . ack 2304
win 1024
2....1..^..U.P.......+
03:06:06.990020 IP 151.80.2.63.55195 > ***HIDDEN_IP***.42770: S
2291999512:2291999512(0) win 8192 <mss 1460,nop,wscale
3,nop,nop,timestamp 538543732 0,sackOK,eol>
2......#....... .R!.............
..t........
03:06:06.990156 IP 151.80.2.63.55194 > ***HIDDEN_IP***.21: P
1480:1533(53) ack 2304 win 1024
2....1..^..U.P.....?M+
......0..|c.%....RM.f.ja.*....s.....}..^]....l*m=eE+.Q
03:06:07.703988 IP ***HIDDEN_IP***.21 > 151.80.2.63.55194: . ack 1533 win 96
2.P.?......U.1...P..`....
03:06:07.921114 IP 151.80.2.63.55195 > ***HIDDEN_IP***.42770: S
2291999512:2291999512(0) win 8192 <mss 1460,nop,wscale
3,nop,nop,timestamp 538543741 0,sackOK,eol>
2......#....... .R..............
..}........
03:06:08.922451 IP 151.80.2.63.55195 > ***HIDDEN_IP***.42770: S
2291999512:2291999512(0) win 8192 <mss 1460,nop,wscale
3,nop,nop,timestamp 538543751 0,sackOK,eol>
2......#....... .R..............
...........
03:06:09.923976 IP 151.80.2.63.55195 > ***HIDDEN_IP***.42770: S
2291999512:2291999512(0) win 8192 <mss 1460,sackOK,eol>
...!E..0<^@.@.
2......#.....p. .E...........
03:06:10.925518 IP 151.80.2.63.55195 > ***HIDDEN_IP***.42770: S
2291999512:2291999512(0) win 8192 <mss 1460,sackOK,eol>
2......#.....p. .E...........
03:06:11.926834 IP 151.80.2.63.55195 > ***HIDDEN_IP***.42770: S
2291999512:2291999512(0) win 8192 <mss 1460,sackOK,eol>
2......#.....p. .E...........
^C
52 packets captured
53 packets received by filter
0 packets dropped by kernel
[zeus@augustus ~] %
********** TCPDUMP LOG ENDS HERE **********
> Please send a tcpdump.
>
* Re: iptables ip_conntrack_ftp + proftpd TLS: PORT command not understood
From: Filippo Zeus @ 2008-05-27 1:30 UTC (permalink / raw)
To: netfilter
I do not know, but I'm using the FileZilla client.
Here are the logs.
I hope this helps.
Stato: Risoluzione dell'indirizzo IP in corso per ftp.lifesaver.it
Trace: ControlSocket.cpp(979):
CRealControlSocket::ContinueConnect(0x1650c678) m_pEngine=0x154cbd30
caller=0x8f7c28
Stato: Connessione a ***HIDDEN_IP***:21 in corso...
Stato: Connessione stabilita, in attesa del messaggio di benvenuto...
Trace: CFtpControlSocket::OnReceive()
Risposta: 220 FTP Server ready. Please use FTP-TLS or login will be
rejected.
Trace: CFtpControlSocket::SendNextCommand()
Comando: AUTH TLS
Trace: CFtpControlSocket::OnReceive()
Risposta: 234 AUTH TLS successful
Stato: Inizializzazione TLS in corso...
Trace: CTlsSocket::Handshake()
Trace: CFtpControlSocket::SendNextCommand()
Comando: USER ftp_temp
Trace: CTlsSocket::Handshake()
Trace: CTlsSocket::Handshake()
Trace: CTlsSocket::Handshake()
Trace: CTlsSocket::Handshake()
Trace: CTlsSocket::Handshake()
Trace: CTlsSocket::Handshake()
Trace: CTlsSocket::Handshake()
Trace: CTlsSocket::Handshake()
Trace: CTlsSocket::Handshake()
Trace: CTlsSocket::Handshake()
Trace: CTlsSocket::Handshake()
Trace: CTlsSocket::Handshake()
Trace: Handshake successful
Trace: Cipher: AES-128-CBC, MAC: SHA1
Stato: Verifica del certificato in corso (checking cert.)...
Stato: Connessione TLS/SSL established.
Trace: CFtpControlSocket::OnReceive()
Trace: CFtpControlSocket::OnReceive()
Trace: CFtpControlSocket::OnReceive()
Trace: CFtpControlSocket::OnReceive()
Risposta: 331 Password required for ftp_temp
Trace: CFtpControlSocket::SendNextCommand()
Comando: PASS **********
Trace: CFtpControlSocket::OnReceive()
Trace: CFtpControlSocket::OnReceive()
Trace: CFtpControlSocket::OnReceive()
Risposta: 230 Welcome !
Trace: CFtpControlSocket::SendNextCommand()
Comando: PBSZ 0
Trace: CFtpControlSocket::OnReceive()
Trace: CFtpControlSocket::OnReceive()
Trace: CFtpControlSocket::OnReceive()
Risposta: 200 PBSZ 0 successful
Trace: CFtpControlSocket::SendNextCommand()
Comando: PROT P
Trace: CFtpControlSocket::OnReceive()
Trace: CFtpControlSocket::OnReceive()
Trace: CFtpControlSocket::OnReceive()
Risposta: 200 Protection set to Private
Stato: Connesso (connected)
Trace: CFtpControlSocket::ResetOperation(0)
Trace: CControlSocket::ResetOperation(0)
Stato: Lettura elenco cartelle... (Reading folders list)
Trace: CFtpControlSocket::SendNextCommand()
Trace: CFtpControlSocket::ChangeDirSend()
Comando: PWD
Trace: CFtpControlSocket::OnReceive()
Trace: CFtpControlSocket::OnReceive()
Trace: CFtpControlSocket::OnReceive()
Risposta: 257 "/" is the current directory
Trace: CFtpControlSocket::ResetOperation(0)
Trace: CControlSocket::ResetOperation(0)
Trace: CFtpControlSocket::ParseSubcommandResult(0)
Trace: CFtpControlSocket::ListSubcommandResult()
Trace: CFtpControlSocket::SendNextCommand()
Trace: CFtpControlSocket::TransferSend()
Comando: TYPE I
Trace: CFtpControlSocket::OnReceive()
Trace: CFtpControlSocket::OnReceive()
Trace: CFtpControlSocket::OnReceive()
Risposta: 200 Type set to I
Trace: CFtpControlSocket::TransferParseResponse()
Trace: CFtpControlSocket::SendNextCommand()
Trace: CFtpControlSocket::TransferSend()
Comando: PASV
Trace: CFtpControlSocket::OnReceive()
Trace: CFtpControlSocket::OnReceive()
Trace: CFtpControlSocket::OnReceive()
Risposta: 227 Entering Passive Mode (77,43,13,50,167,18).
Trace: CFtpControlSocket::TransferParseResponse()
Trace: CFtpControlSocket::SendNextCommand()
Trace: CFtpControlSocket::TransferSend()
Comando: LIST
Trace: CFtpControlSocket::OnReceive()
Errore: Tempo scaduto per la connessione
Trace: CFtpControlSocket::ResetOperation(2114)
Trace: CControlSocket::ResetOperation(2114)
Trace: CFtpControlSocket::ResetOperation(2114)
Trace: CControlSocket::ResetOperation(2114)
Errore: Non è stato possibile leggere il contenuto della cartella
(can't read folder content)
whiplash wrote:
>
> Aren't these extensions used only in FXP?
> --
* Re: iptables ip_conntrack_ftp + proftpd TLS: PORT command not understood
From: Patrick McHardy @ 2008-05-27 7:39 UTC (permalink / raw)
To: filippozeus; +Cc: netfilter
Filippo Zeus wrote:
> Considering the ftp control port is text based, I've dumped with the -A switch. I
> hope it's OK.
>
> 03:05:59.149005 IP ***HIDDEN_IP***.21 > 151.80.2.63.55194: P 1:71(70)
> ack 1 win 46
> 2.P.?......L.1...P....`..220 FTP Server ready. Please use FTP-TLS or
> login wi
> 03:05:59.149078 IP 151.80.2.63.55194 > ***HIDDEN_IP***.21: . ack 71 win
> 1024
> 2....1.....M.P.......+
> 03:05:59.149759 IP 151.80.2.63.55194 > ***HIDDEN_IP***.21: P 1:11(10)
> ack 71 win 1024
> 2....1.....M.P.......AUTH TLS
>
> 03:05:59.700919 IP ***HIDDEN_IP***.21 > 151.80.2.63.55194: . ack 11 win 46
> 2.P.?......M.1...P.......
> 03:05:59.700939 IP ***HIDDEN_IP***.21 > 151.80.2.63.55194: P 71:96(25)
> ack 11 win 46
> 2.P.?......M.1...P...O...234 AUTH TLS successful
>
> 03:05:59.701036 IP 151.80.2.63.55194 > ***HIDDEN_IP***.21: . ack 96 win
> 1024
> 2....1.....M4P.......+
> 03:05:59.706276 IP 151.80.2.63.55194 > ***HIDDEN_IP***.21: P 11:95(84)
> ack 96 win 1024
> 2....1.....M4P...L.......O...K..H;^w.i} ..\*.+....'b..]...5`.O....$.3.E.9
> 03:06:00.416441 IP ***HIDDEN_IP***.21 > 151.80.2.63.55194: P
> 1516:1666(150) ack 95 win 46
> 2.P.?......R.1...P....[...)E..5O......tsp.+).)..W[H..u.)IP..&....XZr...~.<...
It's a bit hard to read, but this looks like your client also
encrypts the control connection, which explains why FTP
conntrack doesn't work.
* Re: iptables ip_conntrack_ftp + proftpd TLS: PORT command not understood
From: Jan Engelhardt @ 2008-05-27 7:46 UTC (permalink / raw)
To: Patrick McHardy; +Cc: filippozeus, netfilter
On Tuesday 2008-05-27 09:39, Patrick McHardy wrote:
> Filippo Zeus wrote:
>> Considering the ftp control port is text based, I've dumped with the -A switch. I hope
>> it's OK.
>>
>> 03:05:59.149005 IP ***HIDDEN_IP***.21 > 151.80.2.63.55194: P 1:71(70) ack 1
>> win 46
>> 2.P.?......L.1...P....`..220 FTP Server ready. Please use FTP-TLS or login wi
>> 03:05:59.149078 IP 151.80.2.63.55194 > ***HIDDEN_IP***.21: . ack 71 win 1024
>> 2....1.....M.P.......+
>> 03:05:59.149759 IP 151.80.2.63.55194 > ***HIDDEN_IP***.21: P 1:11(10) ack 71
>> win 1024
>> 2....1.....M.P.......AUTH TLS
>>
>> 03:05:59.700919 IP ***HIDDEN_IP***.21 > 151.80.2.63.55194: . ack 11 win 46
>> 2.P.?......M.1...P.......
>> 03:05:59.700939 IP ***HIDDEN_IP***.21 > 151.80.2.63.55194: P 71:96(25) ack 11
>> win 46
>> 2.P.?......M.1...P...O...234 AUTH TLS successful
>>
>> 03:05:59.701036 IP 151.80.2.63.55194 > ***HIDDEN_IP***.21: . ack 96 win 1024
>> 2....1.....M4P.......+
>> 03:05:59.706276 IP 151.80.2.63.55194 > ***HIDDEN_IP***.21: P 11:95(84) ack 96
>> win 1024
>> 2....1.....M4P...L.......O...K..H;^w.i} ..\*.+....'b..]...5`.O....$.3.E.9
>> 03:06:00.416441 IP ***HIDDEN_IP***.21 > 151.80.2.63.55194: P 1516:1666(150)
>> ack 95 win 46
>> 2.P.?......R.1...P....[...)E..5O......tsp.+).)..W[H..u.)IP..&....XZr...~.<...
>
>
> It's a bit hard to read, but this looks like your client also
> encrypts the control connection, which explains why FTP
> conntrack doesn't work.
`tcpdump -Xs0` is preferred; unless the encryption is temporarily
dropped using the CCC command to make the PASV/PORT commands in
plaintext, the stream is not analyzable.
* Re: iptables ip_conntrack_ftp + proftpd TLS: PORT command not understood
From: whiplash @ 2008-05-27 7:49 UTC (permalink / raw)
To: netfilter
Filippo Zeus wrote:
> Considering the ftp control port is text based, I've dumped with the -A switch. I
> hope it's OK.
[cut]
> 52 packets captured
> 53 packets received by filter
> 0 packets dropped by kernel
It seems to me that the whole traffic is encrypted: there's no PASV
and no LIST in the hard-to-read tcpdump you sent (hiding the IP is
useless, since you already sent the proftpd.conf with the
true ServerName...)