* Help with ftp helper please
@ 2010-04-24 16:48 Jeff Jensen
2010-04-25 6:49 ` Mart Frauenlob
0 siblings, 1 reply; 8+ messages in thread
From: Jeff Jensen @ 2010-04-24 16:48 UTC (permalink / raw)
To: netfilter
Hello netfilter people,
I have an email conversation from Jan 9, 2010 between
mart.frauenlob@chello.at and margoandtodd@gmail.com with the subject
"passive mode ftp high ports driving me nuts". I have studied this
intensely and found out about this "helper" thing.
On a test ubuntu 9.04 box I have these rules and nothing else plus I
have added nf_conntrack_ipv4 and nf_conntrack_ftp to /etc/modules.
# Local host
iptables -A INPUT -i lo -j ACCEPT
iptables -A OUTPUT -o lo -j ACCEPT
# DNS
iptables -A OUTPUT -o eth0 -p udp -m state --state NEW,ESTABLISHED
--dport 53 -j ACCEPT
iptables -A INPUT -i eth0 -p udp -m state --state ESTABLISHED --sport
53 -j ACCEPT
# FTP Helper Chain
iptables -N FTPChn
iptables -A FTPChn -j LOG --log-prefix "FTP "
iptables -A FTPChn -j ACCEPT
# FTP
iptables -A OUTPUT -o eth0 -m helper --helper ftp -j FTPChn
iptables -A INPUT -i eth0 -m helper --helper ftp -j FTPChn
iptables -A OUTPUT -o eth0 -p tcp -m state --state NEW --dport 21 -j FTPChn
# Log All Else
iptables -A INPUT -j LOG --log-prefix "Filter Input "
iptables -A OUTPUT -j LOG --log-prefix "Filter Output "
iptables -A FORWARD -j LOG --log-prefix "Filter Forward "
# And Reject
iptables -A INPUT -j REJECT --reject-with icmp-host-prohibited
iptables -A OUTPUT -j REJECT --reject-with icmp-host-prohibited
iptables -A FORWARD -j REJECT --reject-with icmp-host-prohibited
when I ftp to mirror.anl.gov this shows up in the log (trimmed for easy reading)
FTP IN= OUT=eth0 SRC=192.168.128.20 DST=146.137.96.15
PROTO=TCP SPT=36826 DPT=21 WINDOW=5840 SYN URGP=0
Filter Input IN=eth0 OUT= SRC=146.137.96.15 DST=192.168.128.20
PROTO=TCP SPT=21 DPT=36826 WINDOW=5792 ACK SYN URGP=0
Filter Output IN= OUT=eth0 SRC=192.168.128.20 DST=146.137.96.15
PROTO=TCP SPT=36826 DPT=21 WINDOW=5840 SYN URGP=0
Any idea what I'm missing?
Thank you
Jeff
^ permalink raw reply [flat|nested] 8+ messages in thread
* Re: Help with ftp helper please
2010-04-24 16:48 Help with ftp helper please Jeff Jensen
@ 2010-04-25 6:49 ` Mart Frauenlob
2010-04-25 9:09 ` Jan Engelhardt
2010-04-25 11:50 ` Jeff Jensen
0 siblings, 2 replies; 8+ messages in thread
From: Mart Frauenlob @ 2010-04-25 6:49 UTC (permalink / raw)
Cc: Jeff Jensen, netfilter
On 24.04.2010 18:48, Jeff Jensen wrote:
> Hello netfilter people,
>
> I have an email conversation from Jan 9, 2010 between
> mart.frauenlob@chello.at and margoandtodd@gmail.com with the subject
> "passive mode ftp high ports driving me nuts". I have studied this
> intensely and found out about this "helper" thing.
>
> On a test ubuntu 9.04 box I have these rules and nothing else plus I
> have added nf_conntrack_ipv4 and nf_conntrack_ftp to /etc/modules.
>
> # Local host
> iptables -A INPUT -i lo -j ACCEPT
> iptables -A OUTPUT -o lo -j ACCEPT
> # DNS
> iptables -A OUTPUT -o eth0 -p udp -m state --state NEW,ESTABLISHED
> --dport 53 -j ACCEPT
> iptables -A INPUT -i eth0 -p udp -m state --state ESTABLISHED --sport
> 53 -j ACCEPT
> # FTP Helper Chain
> iptables -N FTPChn
> iptables -A FTPChn -j LOG --log-prefix "FTP "
> iptables -A FTPChn -j ACCEPT
> # FTP
> iptables -A OUTPUT -o eth0 -m helper --helper ftp -j FTPChn
> iptables -A INPUT -i eth0 -m helper --helper ftp -j FTPChn
> iptables -A OUTPUT -o eth0 -p tcp -m state --state NEW --dport 21 -j FTPChn
> # Log All Else
> iptables -A INPUT -j LOG --log-prefix "Filter Input "
> iptables -A OUTPUT -j LOG --log-prefix "Filter Output "
> iptables -A FORWARD -j LOG --log-prefix "Filter Forward "
> # And Reject
> iptables -A INPUT -j REJECT --reject-with icmp-host-prohibited
> iptables -A OUTPUT -j REJECT --reject-with icmp-host-prohibited
> iptables -A FORWARD -j REJECT --reject-with icmp-host-prohibited
>
> when I ftp to mirror.anl.gov this shows up in the log (trimmed for easy reading)
>
> FTP IN= OUT=eth0 SRC=192.168.128.20 DST=146.137.96.15
> PROTO=TCP SPT=36826 DPT=21 WINDOW=5840 SYN URGP=0
> Filter Input IN=eth0 OUT= SRC=146.137.96.15 DST=192.168.128.20
> PROTO=TCP SPT=21 DPT=36826 WINDOW=5792 ACK SYN URGP=0
> Filter Output IN= OUT=eth0 SRC=192.168.128.20 DST=146.137.96.15
> PROTO=TCP SPT=36826 DPT=21 WINDOW=5840 SYN URGP=0
>
> Any idea what I'm missing?
>
> Thank you
>
> Jeff
you don't allow sport 21 back incoming traffic.
btw: nf_nat_ftp is also loaded?
^ permalink raw reply [flat|nested] 8+ messages in thread
* Re: Help with ftp helper please
2010-04-25 6:49 ` Mart Frauenlob
@ 2010-04-25 9:09 ` Jan Engelhardt
2010-04-25 10:04 ` Mart Frauenlob
2010-04-25 12:00 ` Jeff Jensen
2010-04-25 11:50 ` Jeff Jensen
1 sibling, 2 replies; 8+ messages in thread
From: Jan Engelhardt @ 2010-04-25 9:09 UTC (permalink / raw)
To: Mart Frauenlob; +Cc: Jeff Jensen, netfilter
On Sunday 2010-04-25 08:49, Mart Frauenlob wrote:
>On 24.04.2010 18:48, Jeff Jensen wrote:
>> Hello netfilter people,
>>
>> I have an email conversation from Jan 9, 2010 between
>> mart.frauenlob@chello.at and margoandtodd@gmail.com with the subject
>> "passive mode ftp high ports driving me nuts". I have studied this
>> intensely and found out about this "helper" thing.
>>
>> On a test ubuntu 9.04 box I have these rules and nothing else plus I
>> have added nf_conntrack_ipv4 and nf_conntrack_ftp to /etc/modules.
>>
>> # Local host
>> iptables -A INPUT -i lo -j ACCEPT
>> iptables -A OUTPUT -o lo -j ACCEPT
>> # DNS
>> iptables -A OUTPUT -o eth0 -p udp -m state --state NEW,ESTABLISHED
>> --dport 53 -j ACCEPT
>> iptables -A INPUT -i eth0 -p udp -m state --state ESTABLISHED --sport
>> 53 -j ACCEPT
>> # FTP Helper Chain
>> iptables -N FTPChn
>> iptables -A FTPChn -j LOG --log-prefix "FTP "
>> iptables -A FTPChn -j ACCEPT
>> # FTP
>> iptables -A OUTPUT -o eth0 -m helper --helper ftp -j FTPChn
>> iptables -A INPUT -i eth0 -m helper --helper ftp -j FTPChn
>> iptables -A OUTPUT -o eth0 -p tcp -m state --state NEW --dport 21 -j FTPChn
>> # Log All Else
>> iptables -A INPUT -j LOG --log-prefix "Filter Input "
>> iptables -A OUTPUT -j LOG --log-prefix "Filter Output "
>> iptables -A FORWARD -j LOG --log-prefix "Filter Forward "
>> # And Reject
>> iptables -A INPUT -j REJECT --reject-with icmp-host-prohibited
>> iptables -A OUTPUT -j REJECT --reject-with icmp-host-prohibited
>> iptables -A FORWARD -j REJECT --reject-with icmp-host-prohibited
>>
>> when I ftp to mirror.anl.gov this shows up in the log (trimmed for easy reading)
>>
>> FTP IN= OUT=eth0 SRC=192.168.128.20 DST=146.137.96.15
>> PROTO=TCP SPT=36826 DPT=21 WINDOW=5840 SYN URGP=0
>> Filter Input IN=eth0 OUT= SRC=146.137.96.15 DST=192.168.128.20
>> PROTO=TCP SPT=21 DPT=36826 WINDOW=5792 ACK SYN URGP=0
>> Filter Output IN= OUT=eth0 SRC=192.168.128.20 DST=146.137.96.15
>> PROTO=TCP SPT=36826 DPT=21 WINDOW=5840 SYN URGP=0
>>
>> Any idea what I'm missing?
>>
>> Thank you
>>
>> Jeff
>
>you don't allow sport 21 back incoming traffic.
>btw: nf_nat_ftp is also loaded?
That's why one should always have -m conntrack --ctstate ESTABLISHED(,RELATED)
in INPUT, FORWARD, and OUTPUT. It really trims down all these rules.
^ permalink raw reply [flat|nested] 8+ messages in thread
* Re: Help with ftp helper please
2010-04-25 9:09 ` Jan Engelhardt
@ 2010-04-25 10:04 ` Mart Frauenlob
2010-05-18 13:27 ` Markus Feldmann
2010-04-25 12:00 ` Jeff Jensen
1 sibling, 1 reply; 8+ messages in thread
From: Mart Frauenlob @ 2010-04-25 10:04 UTC (permalink / raw)
To: netfilter; +Cc: Jeff Jensen
On 25.04.2010 11:09, Jan Engelhardt wrote:
> On Sunday 2010-04-25 08:49, Mart Frauenlob wrote:
>
>> On 24.04.2010 18:48, Jeff Jensen wrote:
>>> I have an email conversation from Jan 9, 2010 between
>>> mart.frauenlob@chello.at and margoandtodd@gmail.com with the subject
>>> "passive mode ftp high ports driving me nuts". I have studied this
>>> intensely and found out about this "helper" thing.
>> you don't allow sport 21 back incoming traffic.
>> btw: nf_nat_ftp is also loaded?
>
> That's why one should always have -m conntrack --ctstate ESTABLISHED(,RELATED)
> in INPUT, FORWARD, and OUTPUT. It really trims down all these rules.
>
Yes, if the OP would have looked up the original post correctly it would
show exactly that.
http://eeek.borgchat.net/lists/netfilter/msg47205.html
Putting the global RELATED rule, of course makes most of the rules
obsolete (which fits in most cases), but that example was to show how to
use the (ftp) helper match, if one chooses to split things up for
whatever reason.
Good day
Mart
^ permalink raw reply [flat|nested] 8+ messages in thread
* Re: Help with ftp helper please
2010-04-25 10:04 ` Mart Frauenlob
@ 2010-05-18 13:27 ` Markus Feldmann
0 siblings, 0 replies; 8+ messages in thread
From: Markus Feldmann @ 2010-05-18 13:27 UTC (permalink / raw)
To: netfilter
Mart Frauenlob schrieb:
>
> Yes, if the OP would have looked up the original post correctly it would
> show exactly that.
> http://eeek.borgchat.net/lists/netfilter/msg47205.html
> Putting the global RELATED rule, of course makes most of the rules
> obsolete (which fits in most cases), but that example was to show how to
> use the (ftp) helper match, if one chooses to split things up for
> whatever reason.
Hi Mart,
I use the helper too. And the reason is that i do not want that pakets
are accepted, which are not related to ftp.
--sport 1024: --dport 1024: ACCEPT
means to accept mostly all pakets. But thats not what i and jeff want. I
think it is a security risk. I am not sure whether this works, but for
example if you connect to someone over any service and the remote host
try to connect to you back (RELATED,ESTABLISHED) but not only to the
original service, but also to your ftp service.
The next advantage is that my monitoring is not affected. I am using
<iptables -L -n -v> to watch which chain has traffic and sometimes i
found security holes over this monitor. If all traffic goes over my ftp
rule, than this does not work.
regards Markus
^ permalink raw reply [flat|nested] 8+ messages in thread
* Re: Help with ftp helper please
2010-04-25 9:09 ` Jan Engelhardt
2010-04-25 10:04 ` Mart Frauenlob
@ 2010-04-25 12:00 ` Jeff Jensen
2010-04-25 12:31 ` Jan Engelhardt
1 sibling, 1 reply; 8+ messages in thread
From: Jeff Jensen @ 2010-04-25 12:00 UTC (permalink / raw)
To: netfilter; +Cc: Jan Engelhardt
Interesting, unless I'm blind the original conversation does not
mention this. I've seen -m state and now -m helper. Where did this -m
conntrack come from?
>
> That's why one should always have -m conntrack --ctstate ESTABLISHED(,RELATED)
> in INPUT, FORWARD, and OUTPUT. It really trims down all these rules.
>
^ permalink raw reply [flat|nested] 8+ messages in thread
* Re: Help with ftp helper please
2010-04-25 6:49 ` Mart Frauenlob
2010-04-25 9:09 ` Jan Engelhardt
@ 2010-04-25 11:50 ` Jeff Jensen
1 sibling, 0 replies; 8+ messages in thread
From: Jeff Jensen @ 2010-04-25 11:50 UTC (permalink / raw)
To: netfilter; +Cc: mart.frauenlob
Ok got it, I wasn't sure how much help the helper would provide. I
have to fully handle the control channel, the helper handles the data
channel both active and passive. Thanks.
On Sun, Apr 25, 2010 at 12:49 AM, Mart Frauenlob
<mart.frauenlob@chello.at> wrote:
> On 24.04.2010 18:48, Jeff Jensen wrote:
>> Hello netfilter people,
>>
>> I have an email conversation from Jan 9, 2010 between
>> mart.frauenlob@chello.at and margoandtodd@gmail.com with the subject
>> "passive mode ftp high ports driving me nuts". I have studied this
>> intensely and found out about this "helper" thing.
>>
>> On a test ubuntu 9.04 box I have these rules and nothing else plus I
>> have added nf_conntrack_ipv4 and nf_conntrack_ftp to /etc/modules.
>>
>> # Local host
>> iptables -A INPUT -i lo -j ACCEPT
>> iptables -A OUTPUT -o lo -j ACCEPT
>> # DNS
>> iptables -A OUTPUT -o eth0 -p udp -m state --state NEW,ESTABLISHED
>> --dport 53 -j ACCEPT
>> iptables -A INPUT -i eth0 -p udp -m state --state ESTABLISHED --sport
>> 53 -j ACCEPT
>> # FTP Helper Chain
>> iptables -N FTPChn
>> iptables -A FTPChn -j LOG --log-prefix "FTP "
>> iptables -A FTPChn -j ACCEPT
>> # FTP
>> iptables -A OUTPUT -o eth0 -m helper --helper ftp -j FTPChn
>> iptables -A INPUT -i eth0 -m helper --helper ftp -j FTPChn
>> iptables -A OUTPUT -o eth0 -p tcp -m state --state NEW --dport 21 -j FTPChn
>> # Log All Else
>> iptables -A INPUT -j LOG --log-prefix "Filter Input "
>> iptables -A OUTPUT -j LOG --log-prefix "Filter Output "
>> iptables -A FORWARD -j LOG --log-prefix "Filter Forward "
>> # And Reject
>> iptables -A INPUT -j REJECT --reject-with icmp-host-prohibited
>> iptables -A OUTPUT -j REJECT --reject-with icmp-host-prohibited
>> iptables -A FORWARD -j REJECT --reject-with icmp-host-prohibited
>>
>> when I ftp to mirror.anl.gov this shows up in the log (trimmed for easy reading)
>>
>> FTP IN= OUT=eth0 SRC=192.168.128.20 DST=146.137.96.15
>> PROTO=TCP SPT=36826 DPT=21 WINDOW=5840 SYN URGP=0
>> Filter Input IN=eth0 OUT= SRC=146.137.96.15 DST=192.168.128.20
>> PROTO=TCP SPT=21 DPT=36826 WINDOW=5792 ACK SYN URGP=0
>> Filter Output IN= OUT=eth0 SRC=192.168.128.20 DST=146.137.96.15
>> PROTO=TCP SPT=36826 DPT=21 WINDOW=5840 SYN URGP=0
>>
>> Any idea what I'm missing?
>>
>> Thank you
>>
>> Jeff
>
> you don't allow sport 21 back incoming traffic.
> btw: nf_nat_ftp is also loaded?
>
^ permalink raw reply [flat|nested] 8+ messages in thread
end of thread, other threads:[~2010-05-18 13:27 UTC | newest]
Thread overview: 8+ messages (download: mbox.gz follow: Atom feed
-- links below jump to the message on this page --
2010-04-24 16:48 Help with ftp helper please Jeff Jensen
2010-04-25 6:49 ` Mart Frauenlob
2010-04-25 9:09 ` Jan Engelhardt
2010-04-25 10:04 ` Mart Frauenlob
2010-05-18 13:27 ` Markus Feldmann
2010-04-25 12:00 ` Jeff Jensen
2010-04-25 12:31 ` Jan Engelhardt
2010-04-25 11:50 ` Jeff Jensen
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for NNTP newsgroup(s).