Restrictive FTP egress using conntrack helper

Hi,

in the script that sets up my iptables firewall I found a comment I must
have written some time between 2005 and 2012:

# allowing RELATED outgoing connections makes passive FTP work without
# the need to allow all high ports out

So the following kind of very restrictive egress policing should have
worked at some point in time (2.6.x or 3.x kernels):

# Generated by iptables-save v1.6.0 on Sat Feb 11 16:45:51 2017
*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT DROP [4:240]
-A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
-A OUTPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
-A OUTPUT -p udp -m udp --dport 53 -j ACCEPT
-A OUTPUT -p tcp -m tcp --dport 53 -j ACCEPT
-A OUTPUT -p tcp -m tcp --dport 21 -j ACCEPT
COMMIT
# Completed on Sat Feb 11 16:45:51 2017

Of course the conntrack helper is loaded as well:

# lsmod | grep _ftp
nf_conntrack_ftp       20480  0

My expectation is for the FTP conntrack helper to recognise the 227
response in the control connection of a passive FTP session and consider
the ensuing data connection initiated by the FTP client as RELATED.
Looking at the helper's kernel code doesn't really burst that bubble
either. But I can't seem to get it to work with recent 4.x kernels
(tested with Debian kernels 4.8 and 4.9 as well as a static,
self-compiled 4.8/4.9 with Gentoo).

Am I completely off base here or just missing something trivial?

BTW: I just tried the same with nftables to no avail:

flush ruleset

table inet firewall {
        chain incoming {
                type filter hook input priority 0;
                ct state established,related accept
                log reject
        }

        chain outgoing {
                type filter hook output priority 0;
                ct state established,related accept
                tcp dport {domain, ftp} accept
                udp dport domain accept
                log reject
        }
}

I still get:

ftp> ls
227 Entering Passive Mode (134,76,12,6,119,247).
ftp: connect: Connection refused
ftp>

and

[ 4594.097676] IN= OUT=eth0 SRC=192.168.137.190 DST=134.76.12.6 LEN=60
TOS=0x00 PREC=0x00 TTL=64 ID=35848 DF PROTO=TCP SPT=58314 DPT=30711
WINDOW=29200 RES=0x00 SYN URGP=0 
[ 4595.116297] IN= OUT=eth0 SRC=192.168.137.190 DST=134.76.12.6 LEN=60
TOS=0x00 PREC=0x00 TTL=64 ID=35849 DF PROTO=TCP SPT=58314 DPT=30711
WINDOW=29200 RES=0x00 SYN URGP=0 
-- 
thanks, Micha
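As an added worked example (not part of Micha's post), the following Python snippet derives the data-connection endpoint from the 227 reply the same way the FTP helper does (port = p1 * 256 + p2) and checks the kernel LOG lines quoted above against it, showing that the rejected SYNs to DPT=30711 are exactly the passive data connection the helper was expected to mark RELATED. The sample inputs are the post's own reply and log lines, embedded inline.

```python
import re

# Constructed sample input, copied from the post: the server's PASV reply and
# the two log lines for the SYNs that the OUTPUT chain rejected.
PASV_REPLY = "227 Entering Passive Mode (134,76,12,6,119,247)."
LOG_LINES = [
    "[ 4594.097676] IN= OUT=eth0 SRC=192.168.137.190 DST=134.76.12.6 LEN=60 "
    "TOS=0x00 PREC=0x00 TTL=64 ID=35848 DF PROTO=TCP SPT=58314 DPT=30711 "
    "WINDOW=29200 RES=0x00 SYN URGP=0",
    "[ 4595.116297] IN= OUT=eth0 SRC=192.168.137.190 DST=134.76.12.6 LEN=60 "
    "TOS=0x00 PREC=0x00 TTL=64 ID=35849 DF PROTO=TCP SPT=58314 DPT=30711 "
    "WINDOW=29200 RES=0x00 SYN URGP=0",
]

# RFC 959 PASV reply: six decimal numbers h1,h2,h3,h4,p1,p2 in parentheses.
PASV_RE = re.compile(
    r"^227 [^(]*\((\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3})\)")


def parse_pasv(reply):
    """Return (ip, port) advertised by a 227 reply; port = p1 * 256 + p2."""
    m = PASV_RE.match(reply)
    if m is None:
        raise ValueError("not a 227 PASV reply: %r" % reply)
    n = [int(x) for x in m.groups()]
    if max(n) > 255:
        raise ValueError("value out of range in %r" % reply)
    return "%d.%d.%d.%d" % tuple(n[:4]), n[4] * 256 + n[5]


def log_fields(line):
    """Split a netfilter LOG line into its KEY=VALUE fields (bare flags such as SYN are skipped)."""
    return dict(kv.split("=", 1) for kv in line.split() if "=" in kv)


def is_expected_data_syn(line, server_ip, data_port):
    """True if the logged packet is a TCP SYN to the address/port the 227 reply announced,
    i.e. the data connection the helper's expectation should have matched."""
    f = log_fields(line)
    return (f.get("PROTO") == "TCP" and "SYN" in line.split()
            and f.get("DST") == server_ip and f.get("DPT") == str(data_port))


def rejected_data_connections(reply, log_lines):
    """Return the log lines that are SYNs to the PASV target, i.e. data connections that were rejected."""
    ip, port = parse_pasv(reply)
    return [line for line in log_lines if is_expected_data_syn(line, ip, port)]


if __name__ == "__main__":
    ip, port = parse_pasv(PASV_REPLY)
    print("helper expectation: any client port -> %s:%d" % (ip, port))
    for line in rejected_data_connections(PASV_REPLY, LOG_LINES):
        print("rejected SYN matches expectation, ID=%s" % log_fields(line)["ID"])
```

If every SYN to the computed port shows up as rejected, the expectation was never created, which means the helper was not attached to the control connection at all (`conntrack -L` lists `helper=ftp` on a flow that has it).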