Help with ftp helper please

Help with ftp helper please

[Jeff Jensen]

Hello netfilter people,

   I have an email conversation from Jan 9, 2010 between
mart.frauenlob@chello.at and margoandtodd@gmail.com with the subject
"passive mode ftp high ports driving me nuts". I have studied this
intensely and found out about this "helper" thing.

On a test ubuntu 9.04 box I have these rules and nothing else plus I
have added nf_conntrack_ipv4 and nf_conntrack_ftp to /etc/modules.

# Local host
iptables -A INPUT  -i lo -j ACCEPT
iptables -A OUTPUT -o lo -j ACCEPT
# DNS
iptables -A OUTPUT -o eth0 -p udp -m state --state NEW,ESTABLISHED
--dport 53 -j ACCEPT
iptables -A INPUT  -i eth0 -p udp -m state --state ESTABLISHED --sport
53 -j ACCEPT
# FTP Helper Chain
iptables -N FTPChn
iptables -A FTPChn -j LOG --log-prefix "FTP "
iptables -A FTPChn -j ACCEPT
# FTP
iptables -A OUTPUT -o eth0 -m helper --helper ftp -j FTPChn
iptables -A INPUT  -i eth0 -m helper --helper ftp -j FTPChn
iptables -A OUTPUT -o eth0 -p tcp -m state --state NEW --dport 21 -j FTPChn
# Log All Else
iptables -A INPUT   -j LOG --log-prefix "Filter Input   "
iptables -A OUTPUT  -j LOG --log-prefix "Filter Output  "
iptables -A FORWARD -j LOG --log-prefix "Filter Forward "
# And Reject
iptables -A INPUT   -j REJECT --reject-with icmp-host-prohibited
iptables -A OUTPUT  -j REJECT --reject-with icmp-host-prohibited
iptables -A FORWARD -j REJECT --reject-with icmp-host-prohibited

when I ftp to mirror.anl.gov this shows up in the log (trimmed for easy reading)

FTP            IN= OUT=eth0 SRC=192.168.128.20 DST=146.137.96.15
PROTO=TCP SPT=36826 DPT=21 WINDOW=5840 SYN URGP=0
Filter Input   IN=eth0 OUT= SRC=146.137.96.15 DST=192.168.128.20
PROTO=TCP SPT=21 DPT=36826 WINDOW=5792 ACK SYN URGP=0
Filter Output  IN= OUT=eth0 SRC=192.168.128.20 DST=146.137.96.15
PROTO=TCP SPT=36826 DPT=21 WINDOW=5840 SYN URGP=0

Any idea what I'm missing?

Thank you

Jeff

Re: Help with ftp helper please

[Mart Frauenlob]

On 24.04.2010 18:48, Jeff Jensen wrote:
> Hello netfilter people,
> 
>    I have an email conversation from Jan 9, 2010 between
> mart.frauenlob@chello.at and margoandtodd@gmail.com with the subject
> "passive mode ftp high ports driving me nuts". I have studied this
> intensely and found out about this "helper" thing.
> 
> On a test ubuntu 9.04 box I have these rules and nothing else plus I
> have added nf_conntrack_ipv4 and nf_conntrack_ftp to /etc/modules.
> 
> # Local host
> iptables -A INPUT  -i lo -j ACCEPT
> iptables -A OUTPUT -o lo -j ACCEPT
> # DNS
> iptables -A OUTPUT -o eth0 -p udp -m state --state NEW,ESTABLISHED
> --dport 53 -j ACCEPT
> iptables -A INPUT  -i eth0 -p udp -m state --state ESTABLISHED --sport
> 53 -j ACCEPT
> # FTP Helper Chain
> iptables -N FTPChn
> iptables -A FTPChn -j LOG --log-prefix "FTP "
> iptables -A FTPChn -j ACCEPT
> # FTP
> iptables -A OUTPUT -o eth0 -m helper --helper ftp -j FTPChn
> iptables -A INPUT  -i eth0 -m helper --helper ftp -j FTPChn
> iptables -A OUTPUT -o eth0 -p tcp -m state --state NEW --dport 21 -j FTPChn
> # Log All Else
> iptables -A INPUT   -j LOG --log-prefix "Filter Input   "
> iptables -A OUTPUT  -j LOG --log-prefix "Filter Output  "
> iptables -A FORWARD -j LOG --log-prefix "Filter Forward "
> # And Reject
> iptables -A INPUT   -j REJECT --reject-with icmp-host-prohibited
> iptables -A OUTPUT  -j REJECT --reject-with icmp-host-prohibited
> iptables -A FORWARD -j REJECT --reject-with icmp-host-prohibited
> 
> when I ftp to mirror.anl.gov this shows up in the log (trimmed for easy reading)
> 
> FTP            IN= OUT=eth0 SRC=192.168.128.20 DST=146.137.96.15
> PROTO=TCP SPT=36826 DPT=21 WINDOW=5840 SYN URGP=0
> Filter Input   IN=eth0 OUT= SRC=146.137.96.15 DST=192.168.128.20
> PROTO=TCP SPT=21 DPT=36826 WINDOW=5792 ACK SYN URGP=0
> Filter Output  IN= OUT=eth0 SRC=192.168.128.20 DST=146.137.96.15
> PROTO=TCP SPT=36826 DPT=21 WINDOW=5840 SYN URGP=0
> 
> Any idea what I'm missing?
> 
> Thank you
> 
> Jeff
	
you don't allow sport 21 back incoming traffic.
btw: nf_nat_ftp is also loaded?

Re: Help with ftp helper please

[Jan Engelhardt]

On Sunday 2010-04-25 08:49, Mart Frauenlob wrote:

>On 24.04.2010 18:48, Jeff Jensen wrote:
>> Hello netfilter people,
>> 
>>    I have an email conversation from Jan 9, 2010 between
>> mart.frauenlob@chello.at and margoandtodd@gmail.com with the subject
>> "passive mode ftp high ports driving me nuts". I have studied this
>> intensely and found out about this "helper" thing.
>> 
>> On a test ubuntu 9.04 box I have these rules and nothing else plus I
>> have added nf_conntrack_ipv4 and nf_conntrack_ftp to /etc/modules.
>> 
>> # Local host
>> iptables -A INPUT  -i lo -j ACCEPT
>> iptables -A OUTPUT -o lo -j ACCEPT
>> # DNS
>> iptables -A OUTPUT -o eth0 -p udp -m state --state NEW,ESTABLISHED
>> --dport 53 -j ACCEPT
>> iptables -A INPUT  -i eth0 -p udp -m state --state ESTABLISHED --sport
>> 53 -j ACCEPT
>> # FTP Helper Chain
>> iptables -N FTPChn
>> iptables -A FTPChn -j LOG --log-prefix "FTP "
>> iptables -A FTPChn -j ACCEPT
>> # FTP
>> iptables -A OUTPUT -o eth0 -m helper --helper ftp -j FTPChn
>> iptables -A INPUT  -i eth0 -m helper --helper ftp -j FTPChn
>> iptables -A OUTPUT -o eth0 -p tcp -m state --state NEW --dport 21 -j FTPChn
>> # Log All Else
>> iptables -A INPUT   -j LOG --log-prefix "Filter Input   "
>> iptables -A OUTPUT  -j LOG --log-prefix "Filter Output  "
>> iptables -A FORWARD -j LOG --log-prefix "Filter Forward "
>> # And Reject
>> iptables -A INPUT   -j REJECT --reject-with icmp-host-prohibited
>> iptables -A OUTPUT  -j REJECT --reject-with icmp-host-prohibited
>> iptables -A FORWARD -j REJECT --reject-with icmp-host-prohibited
>> 
>> when I ftp to mirror.anl.gov this shows up in the log (trimmed for easy reading)
>> 
>> FTP            IN= OUT=eth0 SRC=192.168.128.20 DST=146.137.96.15
>> PROTO=TCP SPT=36826 DPT=21 WINDOW=5840 SYN URGP=0
>> Filter Input   IN=eth0 OUT= SRC=146.137.96.15 DST=192.168.128.20
>> PROTO=TCP SPT=21 DPT=36826 WINDOW=5792 ACK SYN URGP=0
>> Filter Output  IN= OUT=eth0 SRC=192.168.128.20 DST=146.137.96.15
>> PROTO=TCP SPT=36826 DPT=21 WINDOW=5840 SYN URGP=0
>> 
>> Any idea what I'm missing?
>> 
>> Thank you
>> 
>> Jeff
>	
>you don't allow sport 21 back incoming traffic.
>btw: nf_nat_ftp is also loaded?

That's why one should always have -m conntrack --ctstate ESTABLISHED(,RELATED)
in INPUT, FORWARD, and OUTPUT. It really trims down all these rules.

Re: Help with ftp helper please

[Mart Frauenlob]

On 25.04.2010 11:09, Jan Engelhardt wrote:
> On Sunday 2010-04-25 08:49, Mart Frauenlob wrote:
> 
>> On 24.04.2010 18:48, Jeff Jensen wrote:

>>>    I have an email conversation from Jan 9, 2010 between
>>> mart.frauenlob@chello.at and margoandtodd@gmail.com with the subject
>>> "passive mode ftp high ports driving me nuts". I have studied this
>>> intensely and found out about this "helper" thing.

>> you don't allow sport 21 back incoming traffic.
>> btw: nf_nat_ftp is also loaded?
> 
> That's why one should always have -m conntrack --ctstate ESTABLISHED(,RELATED)
> in INPUT, FORWARD, and OUTPUT. It really trims down all these rules.
> 

Yes, if the OP would have looked up the original post correctly it would
show exactly that.
http://eeek.borgchat.net/lists/netfilter/msg47205.html
Putting the global RELATED rule, of course makes most of the rules
obsolete (which fits in most cases), but that example was to show how to
use the (ftp) helper match, if one chooses to split things up for
whatever reason.

Good day

Mart

Re: Help with ftp helper please

[Jeff Jensen]

Ok got it, I wasn't sure how much help the helper would provide. I
have to fully handle the control channel, the helper handles the data
channel both active and passive. Thanks.



On Sun, Apr 25, 2010 at 12:49 AM, Mart Frauenlob
<mart.frauenlob@chello.at> wrote:
> On 24.04.2010 18:48, Jeff Jensen wrote:
>> Hello netfilter people,
>>
>>    I have an email conversation from Jan 9, 2010 between
>> mart.frauenlob@chello.at and margoandtodd@gmail.com with the subject
>> "passive mode ftp high ports driving me nuts". I have studied this
>> intensely and found out about this "helper" thing.
>>
>> On a test ubuntu 9.04 box I have these rules and nothing else plus I
>> have added nf_conntrack_ipv4 and nf_conntrack_ftp to /etc/modules.
>>
>> # Local host
>> iptables -A INPUT  -i lo -j ACCEPT
>> iptables -A OUTPUT -o lo -j ACCEPT
>> # DNS
>> iptables -A OUTPUT -o eth0 -p udp -m state --state NEW,ESTABLISHED
>> --dport 53 -j ACCEPT
>> iptables -A INPUT  -i eth0 -p udp -m state --state ESTABLISHED --sport
>> 53 -j ACCEPT
>> # FTP Helper Chain
>> iptables -N FTPChn
>> iptables -A FTPChn -j LOG --log-prefix "FTP "
>> iptables -A FTPChn -j ACCEPT
>> # FTP
>> iptables -A OUTPUT -o eth0 -m helper --helper ftp -j FTPChn
>> iptables -A INPUT  -i eth0 -m helper --helper ftp -j FTPChn
>> iptables -A OUTPUT -o eth0 -p tcp -m state --state NEW --dport 21 -j FTPChn
>> # Log All Else
>> iptables -A INPUT   -j LOG --log-prefix "Filter Input   "
>> iptables -A OUTPUT  -j LOG --log-prefix "Filter Output  "
>> iptables -A FORWARD -j LOG --log-prefix "Filter Forward "
>> # And Reject
>> iptables -A INPUT   -j REJECT --reject-with icmp-host-prohibited
>> iptables -A OUTPUT  -j REJECT --reject-with icmp-host-prohibited
>> iptables -A FORWARD -j REJECT --reject-with icmp-host-prohibited
>>
>> when I ftp to mirror.anl.gov this shows up in the log (trimmed for easy reading)
>>
>> FTP            IN= OUT=eth0 SRC=192.168.128.20 DST=146.137.96.15
>> PROTO=TCP SPT=36826 DPT=21 WINDOW=5840 SYN URGP=0
>> Filter Input   IN=eth0 OUT= SRC=146.137.96.15 DST=192.168.128.20
>> PROTO=TCP SPT=21 DPT=36826 WINDOW=5792 ACK SYN URGP=0
>> Filter Output  IN= OUT=eth0 SRC=192.168.128.20 DST=146.137.96.15
>> PROTO=TCP SPT=36826 DPT=21 WINDOW=5840 SYN URGP=0
>>
>> Any idea what I'm missing?
>>
>> Thank you
>>
>> Jeff
>
> you don't allow sport 21 back incoming traffic.
> btw: nf_nat_ftp is also loaded?
>

Re: Help with ftp helper please

[Jeff Jensen]

Interesting, unless I'm blind the original conversation does not
mention this. I've seen -m state and now -m helper. Where did this -m
conntrack come from?

>
> That's why one should always have -m conntrack --ctstate ESTABLISHED(,RELATED)
> in INPUT, FORWARD, and OUTPUT. It really trims down all these rules.
>

Re: Help with ftp helper please

[Jan Engelhardt]

On Sunday 2010-04-25 14:00, Jeff Jensen wrote:

>Interesting, unless I'm blind the original conversation does not
>mention this. I've seen -m state and now -m helper. Where did this -m
>conntrack come from?

From Harald Welte who codified this improved extension over state years 
ago already.

Re: Help with ftp helper please

[Markus Feldmann]

Mart Frauenlob schrieb:
> 
> Yes, if the OP would have looked up the original post correctly it would
> show exactly that.
> http://eeek.borgchat.net/lists/netfilter/msg47205.html
> Putting the global RELATED rule, of course makes most of the rules
> obsolete (which fits in most cases), but that example was to show how to
> use the (ftp) helper match, if one chooses to split things up for
> whatever reason.

Hi Mart,

I use the helper too. And the reason is that i do not want that pakets 
are accepted, which are not related to ftp.

--sport 1024: --dport 1024: ACCEPT

means to accept mostly all pakets. But thats not what i and jeff want. I 
think it is a security risk. I am not sure whether this works, but for 
example if you connect to someone over any service and the remote host 
try to connect to you back (RELATED,ESTABLISHED) but not only to the 
original service, but also to your ftp service.

The next advantage is that my monitoring is not affected. I am using 
<iptables -L -n -v> to watch which chain has traffic and sometimes i 
found security holes over this monitor. If all traffic goes over my ftp 
rule, than this does not work.

regards Markus