Re: helpers register for a specific port, but work anyway

[Patrick McHardy <kaber@xxxxxxxxx>]

Jan Engelhardt wrote:
> On Feb 27 2008 15:36, Jozsef Kadlecsik wrote:
> > On Wed, 27 Feb 2008, Jan Engelhardt wrote:
> >
> > > in nf_conntrack_ftp.c for example we find
> > >
> > >              ftp[i][j].tuple.src.u.tcp.port = htons(ports[i]);
> > >
> > > assuming the user does not specify any ports on modprobe, the default 
> > > port list defaults to {21}, so ftp[0][x].tuple.src will contain port 21. 
> > > But even ftp connections to non-21 ports are inspected for PORT 
> > > commands. 
> > Why do you think so? Ports not specified as FTP command ports are not 
> > parsed.
>
> Yes, I find it strange. On the router (192.168.222.1), I do:
>
> # iptables -t nat -A PREROUTING -d 134.76.12.5 -p tcp --dport 2121
> 	-j DNAT --to 134.76.12.5:21
>
> and on the client (192.168.222.24),:
>
> # conntrack -E expect &
> # ftp 134.76.12.5 2121
> Connected to ftp5.gwdg.de.
> 220 "Welcome to FTP5.GWDG.DE."
> Name (ftp5.gwdg.de:jengelh): ftp
> 331 Please specify the password.
> Password:
> 230 Login successful.
> Remote system type is UNIX.
> Using binary mode to transfer files.
> ftp> dir
> 300 proto=6 src=192.168.222.24 dst=134.76.12.5 sport=0 dport=32238
> 229 Entering Extended Passive Mode (|||32238|)
> 150 Here comes the directory listing.
> drwx------    2 ftp      ftp         16384 Apr 20  2006 lost+found
> drwxr-xr-x   33 ftp      ftp          4096 Feb 27 00:58 pub
> 226 Directory send OK.
> ftp>
>
> The 300 proto=6 line comes from conntrack -E --- but if nf_conntrack_ftp
> does not parse streams to port 2121 by default, how could it have
> set up the expectation?


When NATing packets the helper lookup is repeated based
on the final tuple.

> Case 2. On the router:
> # iptables -t nat -A PREROUTING -p tcp --dport 2121 -j REDIRECT --to-ports 21
> # rcvsftpd start
>
> On the client:
> # ftp 192.168.222.1 2121
> Connected to 192.168.222.1.
> 220 (vsFTPd 2.0.5)
> Name (192.168.222.1:jengelh): ftp
> 331 Please specify the password.
> Password:
> 230 Login successful.
> Remote system type is UNIX.
> Using binary mode to transfer files.
> ftp> dir
> 229 Entering Extended Passive Mode (|||7366|)
> 150 Here comes the directory listing.
> 226 Directory send OK.
>
> and this does not analyze ftp, just as I would have guessed from the C code.

It should. Are you sure you had the proper modules loaded?
-
To unsubscribe from this list: send the line "unsubscribe netfilter-devel" in
the body of a message to majordomo@xxxxxxxxxxxxxxx
More majordomo info at  http://vger.kernel.org/majordomo-info.html