From 967aa4b9d3a9ade33dbe7b9b5ea166eaaa24cef1 Mon Sep 17 00:00:00 2001 From: Christoph Date: Sat, 2 Mar 2019 15:00:40 +0100 Subject: [PATCH] Fis errors concerning FTP rules. Make encrypted TLS connections to extern ftp service available. --- ip6t-firewall-gateway | 103 ++++++++++++++++++++++++++++++++++++++++-- ipt-firewall-gateway | 102 +++++++++++++++++++++++++++++++++++++++-- 2 files changed, 195 insertions(+), 10 deletions(-) diff --git a/ip6t-firewall-gateway b/ip6t-firewall-gateway index 2021a23..d333e94 100755 --- a/ip6t-firewall-gateway +++ b/ip6t-firewall-gateway @@ -2084,6 +2084,10 @@ echononl "\t\tFTP out only" if $allow_ftp_request_out ; then + # - Used for different ftp6data recent lists 'ftp6data_$i' + # - + declare -i i=1 + # - (Re)define helper # - $ip6t -A OUTPUT -t raw -p tcp --dport 21 -j CT --helper ftp 
@@ -2093,19 +2097,68 @@ if $allow_ftp_request_out ; then for _dev in ${ext_if_arr[@]} ; do - # - Open FTP connection - $ip6t -A OUTPUT -o $_dev -p tcp --dport 21 -m state --state NEW -j ACCEPT + # - Open FTP connection and add the destination ip (--rdest) to ftp6data recent list 'ftp6data_$i'. + # - + $ip6t -A OUTPUT -o $_dev -p tcp --dport 21 -m state --state NEW \ + -m recent --name ftp6data_$i --rdest --set -j ACCEPT + + # - (2) + # - - Accept packets if the destination ip-address (--rdest) is in the 'ftp6data_$i' list (--update) + # - and the destination ip-address was seen within the last 1800 seconds (--seconds 1800). + # - + # - - If matched, the "last seen" timestamp of the destination address will be updated (--update). + # - + # - - Entries in the ftp6data list not seen in the last 1800 will be removed (--reap). + # - + $ip6t -A OUTPUT -o $_dev -p tcp -m state --state NEW --dport 1024: \ + -m recent --name ftp6data_$i --rdest --update --seconds 1800 --reap -j ACCEPT + + ((i++)) # - Accept (helper ftp) related connections + # - $ip6t -A OUTPUT -m conntrack --ctstate RELATED -m helper --helper ftp -o $_dev -p tcp --dport 1024: -j ACCEPT $ip6t -A INPUT -m conntrack --ctstate RELATED -m helper --helper ftp -i $_dev -p tcp --dport 1024: -j ACCEPT if $kernel_forward_between_interfaces && ! $permit_local_net_to_inet ; then - # - Open FTP connection - $ip6t -A FORWARD -o $_dev -p tcp --dport 21 -m conntrack --ctstate NEW -j ACCEPT + # ===== + # - + # - ip_conntrack_ftp cannot see the TLS-encrypted traffic + # - ====================================================== + # - + # - Workaround: + # - (1) add (!) desitnatin ip to a 'recent list' named 'ftp6data_$i! if ftp control connections appear + # - (2) accept packets of the formaly created recent list 'ftp6data_$i! 
+ # - + # - Note: + # - Use flag '--rdest' to match destination address + # - + # ===== + + # - (1) + # - + # - Open FTP connection and add the destination ip (--rdest) to ftp6data recent list 'ftp6data_$i'. + # - + $ip6t -A FORWARD -o $_dev -p tcp --dport 21 -m state --state NEW \ + -m recent --name ftp6data_$i --rdest --set -j ACCEPT + + # - (2) + # - - Accept packets if the destination ip-address (--rdest) is in the 'ftp6data_$i' list (--update) + # - and the destination ip-address was seen within the last 1800 seconds (--seconds 1800). + # - + # - - If matched, the "last seen" timestamp of the destination address will be updated (--update). + # - + # - - Entries in the ftp6data list not seen in the last 1800 will be removed (--reap). + # - + $ip6t -A FORWARD -o $_dev -p tcp -m state --state NEW --dport 1024: \ + -m recent --name ftp6data_$i --rdest --update --seconds 1800 --reap -j ACCEPT + + ((i++)) + # - Accept (helper ftp) related connections + # - $ip6t -A FORWARD -m conntrack --ctstate RELATED -m helper --helper ftp -o $_dev -p tcp --dport 1024: -j ACCEPT $ip6t -A FORWARD -m conntrack --ctstate RELATED -m helper --helper ftp -i $_dev -p tcp --dport 1024: -j ACCEPT 
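Review bot: The (2) rules accept every NEW TCP connection to any port from 1024 upward on a host that some local client merely sent a SYN to on port 21 — `--set` fires on the first packet of a NEW connection, so the remote end need not even answer — and `--update` refreshes the 1800 s window on each data connection, so the allowance never lapses while connections keep coming. In the FORWARD branch (reached only when `permit_local_net_to_inet` is false) this lets any LAN host turn a single port-21 SYN to an arbitrary address into open high-port egress to that address for every LAN host, since `--rdest` keys the list on the destination alone. If the passive ranges of the remote servers are known, narrow `--dport 1024:`; otherwise at least anchor the window to the control connection with `-m recent --name ftp6data_$i --rdest --rcheck --seconds 1800 --reap -j ACCEPT` and state the trade-off (data connections opened more than 1800 s after the last control connection are refused) in the comment. Note also that xt_recent lists hold 100 entries by default (`ip_list_tot`), so with many distinct FTP destinations the oldest servers are silently evicted. The `for _dev` loop and the enclosing `if` continue past this hunk.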
@@ -2147,7 +2200,47 @@ fi echononl "\t\tFTP Service Gateway" if $local_ftp_service ; then - $ip6t -A INPUT -p tcp --dport $standard_ftp_port --sport $unprivports -m conntrack --ctstate NEW -j ACCEPT + + # ===== + # - + # - ip_conntrack_ftp cannot see the TLS-encrypted traffic + # - ====================================================== + # - + # - Workaround: + # - (1) add source ip to a 'recent list' named 'ftp6service! if ftp control connections appear + # - (2) accept packets of the formaly created recent list 'ftp6service! + # - + # ===== + + # - (Re)define helper + # - + # - !! Note: !! + # - for both, local FTP server (ftp_server_ip_arr) + # - and forward to (extern) FTP server (forward_ftp_server_ip_arr) + # - + $ip6t -A PREROUTING -t raw -p tcp --dport 21 -j CT --helper ftp + + # - (1) + # - + # - Accept initial FTP connection and add the source ip to ftpdata recent list 'ftp6service'. + # - + $ip6t -A INPUT -p tcp -m state --state NEW --dport 21 -m recent --name ftp6service --set -j ACCEPT + + # - (2) + # - - Accept packets if the source ip-address is in the 'ftp6service' list (--update) and the + # - source ip-address was seen within the last 1800 seconds (--seconds 1800). + # - + # - - If matched, the "last seen" timestamp of the source address will be updated (--update). + # - + # - - Entries in the ftpdata list not seen in the last 1800 will be removed (--reap). + # - + $ip6t -A INPUT -p tcp -m state --state NEW --sport 1024: --dport $ftp_passive_port_range \ + -m recent --name ftp6service --update --seconds 1800 --reap -j ACCEPT + + # - Accept (helper ftp) related connections + # - + $ip6t -A INPUT -m conntrack --ctstate RELATED -m helper --helper ftp -p tcp --dport 1024: -j ACCEPT + echo_done else echo_skipped diff --git a/ipt-firewall-gateway b/ipt-firewall-gateway index 5d93451..5083316 100755 --- a/ipt-firewall-gateway +++ b/ipt-firewall-gateway 
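Review bot: The (1) rule `--dport 21 -m recent --name ftp6service --set` records any source address that sends a SYN to port 21, before any handshake or login, and the (2) rule then opens the whole `$ftp_passive_port_range` to that address for 1800 s, sliding with every new connection; anything else listening in that range is exposed to unauthenticated remote hosts, and the former `--sport $unprivports` restriction on the control connection is dropped without explanation. Because `--state NEW` matches a bare SYN, spoofed SYNs from more than `ip_list_tot` (100 by default) distinct addresses cycle legitimate clients out of the list and break their passive data connections, a cheap denial of service; consider raising `ip_list_tot` on the xt_recent module, rate-limiting the `--set` rule, and documenting the bound next to the rule. `$ftp_passive_port_range` is presumably set elsewhere in the script — if it is empty the rule fails to load — so a guard such as `[ -n "$ftp_passive_port_range" ] || { echo "ftp_passive_port_range not set" >&2; exit 1; }` (in whatever form the script uses for fatal errors) before the rules would help. The `if $local_ftp_service` block closes within the hunk.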
@@ -2769,6 +2769,10 @@ echononl "\t\tFTP out only" if $allow_ftp_request_out ; then + # - Used for different ftpdata recent lists 'ftpdata_$i' + # - + declare -i i=1 + # - (Re)define helper # - $ipt -A OUTPUT -t raw -p tcp --dport 21 -j CT --helper ftp 
@@ -2778,19 +2782,67 @@ if $allow_ftp_request_out ; then for _dev in ${ext_if_arr[@]} ; do - # - Open FTP connection - $ipt -A OUTPUT -o $_dev -p tcp --dport 21 -m state --state NEW -j ACCEPT + # - Open FTP connection and add the destination ip (--rdest) to ftpdata recent list 'ftpdata_$i'. + # - + $ipt -A OUTPUT -o $_dev -p tcp --dport 21 -m state --state NEW -m recent --name ftpdata_$i --rdest --set -j ACCEPT + + # - (2) + # - - Accept packets if the destination ip-address (--rdest) is in the 'ftpdata_$i' list (--update) + # - and the destination ip-address was seen within the last 1800 seconds (--seconds 1800). + # - + # - - If matched, the "last seen" timestamp of the destination address will be updated (--update). + # - + # - - Entries in the ftpdata list not seen in the last 1800 will be removed (--reap). + # - + $ipt -A OUTPUT -o $_dev -p tcp -m state --state NEW --dport 1024: \ + -m recent --name ftpdata_$i --rdest --update --seconds 1800 --reap -j ACCEPT + + ((i++)) # - Accept (helper ftp) related connections + # - $ipt -A OUTPUT -m conntrack --ctstate RELATED -m helper --helper ftp -o $_dev -p tcp --dport 1024: -j ACCEPT $ipt -A INPUT -m conntrack --ctstate RELATED -m helper --helper ftp -i $_dev -p tcp --dport 1024: -j ACCEPT if $kernel_activate_forwarding && ! $permit_local_net_to_inet ; then - # - Open FTP connection - $ipt -A FORWARD -o $_dev -p tcp --dport 21 -m conntrack --ctstate NEW -j ACCEPT + # ===== + # - + # - ip_conntrack_ftp cannot see the TLS-encrypted traffic + # - ====================================================== + # - + # - Workaround: + # - (1) add (!) desitnatin ip to a 'recent list' named 'ftpdata_$i! if ftp control connections appear + # - (2) accept packets of the formaly created recent list 'ftpdata_$i! + # - + # - Note: + # - Use flag '--rdest' to match destination address + # - + # ===== + + # - (1) + # - + # - Open FTP connection and add the destination ip (--rdest) to ftpdata recent list 'ftpdata_$i'. 
+ # - + $ipt -A FORWARD -o $_dev -p tcp --dport 21 -m state --state NEW \ + -m recent --name ftpdata_$i --rdest --set -j ACCEPT + + # - (2) + # - - Accept packets if the destination ip-address (--rdest) is in the 'ftpdata_$i' list (--update) + # - and the destination ip-address was seen within the last 1800 seconds (--seconds 1800). + # - + # - - If matched, the "last seen" timestamp of the destination address will be updated (--update). + # - + # - - Entries in the ftpdata list not seen in the last 1800 will be removed (--reap). + # - + $ipt -A FORWARD -o $_dev -p tcp -m state --state NEW --dport 1024: \ + -m recent --name ftpdata_$i --rdest --update --seconds 1800 --reap -j ACCEPT + + ((i++)) + # - Accept (helper ftp) related connections + # - $ipt -A FORWARD -m conntrack --ctstate RELATED -m helper --helper ftp -o $_dev -p tcp --dport 1024: -j ACCEPT $ipt -A FORWARD -m conntrack --ctstate RELATED -m helper --helper ftp -i $_dev -p tcp --dport 1024: -j ACCEPT 
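Review bot: The (2) rules open every port from 1024 upward on any host to which a local client has sent a single SYN on port 21 (`--set` matches the first packet of a NEW connection, no reply needed), and `--update` extends the 1800 s window on every data connection, so the entry effectively never expires while traffic flows. On FORWARD, which is only active when `permit_local_net_to_inet` is false, the list is keyed on destination only (`--rdest`), so one LAN host's port-21 SYN grants the whole LAN unrestricted high-port egress to that address. Narrow `--dport 1024:` to the passive ranges actually in use where they are known, or at least switch to `-m recent --name ftpdata_$i --rdest --rcheck --seconds 1800 --reap -j ACCEPT` so the window is anchored to the control connection, and mention the default 100-entry cap of xt_recent lists (`ip_list_tot`) in the block comment since old destinations are evicted silently. As a style nit, the OUTPUT `--set` rule here is on one long line while its ip6t counterpart is wrapped with a backslash; keep the two files consistent. The `for _dev` loop and the enclosing `if` extend beyond this hunk.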
@@ -2832,7 +2884,47 @@ fi echononl "\t\tFTP Service Gateway" if $local_ftp_service ; then - $ipt -A INPUT -p tcp --dport $standard_ftp_port --sport $unprivports -m conntrack --ctstate NEW -j ACCEPT + + # ===== + # - + # - ip_conntrack_ftp cannot see the TLS-encrypted traffic + # - ====================================================== + # - + # - Workaround: + # - (1) add source ip to a 'recent list' named 'ftpservice! if ftp control connections appear + # - (2) accept packets of the formaly created recent list 'ftpservice! + # - + # ===== + + # - (Re)define helper + # - + # - !! Note: !! + # - for both, local FTP server (ftp_server_ip_arr) + # - and forward to (extern) FTP server (forward_ftp_server_ip_arr) + # - + $ipt -A PREROUTING -t raw -p tcp --dport 21 -j CT --helper ftp + + # - (1) + # - + # - Accept initial FTP connection and add the source ip to ftpdata recent list 'ftpservice'. + # - + $ipt -A INPUT -p tcp -m state --state NEW --dport 21 -m recent --name ftpservice --set -j ACCEPT + + # - (2) + # - - Accept packets if the source ip-address is in the 'ftpservice' list (--update) and the + # - source ip-address was seen within the last 1800 seconds (--seconds 1800). + # - + # - - If matched, the "last seen" timestamp of the source address will be updated (--update). + # - + # - - Entries in the ftpdata list not seen in the last 1800 will be removed (--reap). + # - + $ipt -A INPUT -p tcp -m state --state NEW --sport 1024: --dport $ftp_passive_port_range \ + -m recent --name ftpservice --update --seconds 1800 --reap -j ACCEPT + + # - Accept (helper ftp) related connections + # - + $ipt -A INPUT -m conntrack --ctstate RELATED -m helper --helper ftp -p tcp --dport 1024: -j ACCEPT + echo_done else echo_skipped
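Review bot: The (1) rule `--dport 21 -m recent --name ftpservice --set` whitelists any source address on a bare SYN to port 21, and the (2) rule then accepts NEW connections from that address to all of `$ftp_passive_port_range` for a 1800 s window that `--update` renews on every hit; the range must therefore contain nothing but the FTP daemon's passive ports, and the dropped `--sport $unprivports` condition on the control connection deserves a word in the commit message. Since `--state NEW` matches an unanswered SYN, spoofed SYNs from more than `ip_list_tot` (default 100) distinct addresses evict legitimate clients from the list and break their passive data connections; consider a higher `ip_list_tot` on the xt_recent module or a rate limit on the `--set` rule, and document the cap beside the rule. `$ftp_passive_port_range` is presumably defined earlier in the script; an empty value makes the rule load fail, so a guard like `[ -n "$ftp_passive_port_range" ] || { echo "ftp_passive_port_range not set" >&2; exit 1; }` (matching the script's own error style) would be prudent. The `if $local_ftp_service` block closes within this hunk.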