On 03/27/17 06:57, Sam Basan wrote:
> I couldn't find this issue on the web.
> I want to allow new connection on specific port (let's say FTP) only when
> there is active session in HTTP.
> It's like port knocking only I don't want to "knock" HTTP port but make sure
> it's active session and only then open the FTP port to this specific IP
> address.

DISCLAIMER: this response is extemporaneous. I haven't tested it, just thought it out a little. YMMV.

You can do this pretty easily in nftables with a self-updating set.

    table ip example {
        # Elements expire on their own; the "timeout" flag is required
        # for per-element timeouts.
        set allowable {
            type ipv4_addr
            flags timeout
        }

        # Both chains must be base chains (hooked into input) to see traffic.
        chain trigger {
            type filter hook input priority 0;
            # Any packet to the HTTP port records its source for 2 minutes.
            # Older nft releases spell this "set add ip saddr timeout 2m @allowable".
            tcp dport http add @allowable { ip saddr timeout 2m }
        }

        chain gatekeeper {
            type filter hook input priority 0;
            # New FTP connections are accepted only from recently seen sources;
            # everything else to the FTP port is dropped.
            tcp dport ftp ip saddr @allowable accept
            tcp dport ftp drop
        }
    }

This solution is self cleaning since the set membership has a fixed duration.

In iptables you could use the "--match recent" with a --set rule in one place (the http path) and an --update --seconds nnn --reap in the other (the ftp path). In this case the set will tend to grow without bounds since it is only cleaned by FTP failures.

In all cases you have to use a timeout window instead of an "active connection" as the HTTP socket will almost surely be closed by the time the FTP action is invoked.

Understand that you are putting policy into these rules in a way that is not bulletproof since even a trivial open of the http socket, such as via an nmap scan, will effectively knock the FTP port open. It would be "better" to do something system strong at the application layer.

--Rob.
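The iptables variant Rob sketches (an `-m recent --set` rule on the HTTP path and an `--update --seconds nnn --reap` rule on the FTP path), written out as an added example that is not part of the list post. It assumes the rules go in the INPUT chain, uses a hypothetical list name "httpseen", and defaults to ports 80 and 21 with a 120-second window; the function only emits the commands, so it can be inspected offline and piped to `sh` as root to apply.

```shell
#!/bin/sh
# Added example (not from the mailing-list post): generate the
# iptables "recent" rules for HTTP-gated FTP access.
# Assumptions: INPUT chain, list name "httpseen" (hypothetical),
# ports 80 and 21, 120-second window.

recent_rules() {
    http_port="${1:-80}"
    ftp_port="${2:-21}"
    window="${3:-120}"
    list="httpseen"

    # Packets belonging to already-accepted connections pass; the policy
    # below only decides about NEW connections.
    printf 'iptables -A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT\n'

    # HTTP path: record the source address (--set) in the "recent" list.
    printf 'iptables -A INPUT -p tcp --dport %s -m conntrack --ctstate NEW -m recent --name %s --set --rsource -j ACCEPT\n' \
        "$http_port" "$list"

    # FTP path: accept only if the source was seen within the window.
    # --update refreshes the timestamp on a hit; --reap (valid only with
    # --seconds) purges entries older than the window, which is the only
    # cleanup the list gets, hence the unbounded-growth caveat in the post.
    printf 'iptables -A INPUT -p tcp --dport %s -m conntrack --ctstate NEW -m recent --name %s --update --seconds %s --reap --rsource -j ACCEPT\n' \
        "$ftp_port" "$list" "$window"

    # Any other new FTP connection is refused.
    printf 'iptables -A INPUT -p tcp --dport %s -m conntrack --ctstate NEW -j DROP\n' \
        "$ftp_port"
}

# Stand-alone: print the rules (pipe to "sh" as root to apply them).
recent_rules "$@"
```

The ESTABLISHED,RELATED rule must precede the FTP rules, otherwise an accepted FTP session would be cut off as soon as its source ages out of the list.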