Fix errors concerning FTP rules. Make encrypted TLS connections to external FTP services available.

This commit is contained in:
Christoph 2019-03-02 15:00:40 +01:00
parent b697715679
commit 967aa4b9d3
2 changed files with 195 additions and 10 deletions


@ -2084,6 +2084,10 @@ echononl "\t\tFTP out only"
if $allow_ftp_request_out ; then if $allow_ftp_request_out ; then
# - Used for different ftp6data recent lists 'ftp6data_$i'
# -
declare -i i=1
# - (Re)define helper # - (Re)define helper
# - # -
$ip6t -A OUTPUT -t raw -p tcp --dport 21 -j CT --helper ftp $ip6t -A OUTPUT -t raw -p tcp --dport 21 -j CT --helper ftp
@ -2093,19 +2097,68 @@ if $allow_ftp_request_out ; then
for _dev in ${ext_if_arr[@]} ; do for _dev in ${ext_if_arr[@]} ; do
# - Open FTP connection # - Open FTP connection and add the destination ip (--rdest) to ftp6data recent list 'ftp6data_$i'.
$ip6t -A OUTPUT -o $_dev -p tcp --dport 21 -m state --state NEW -j ACCEPT # -
$ip6t -A OUTPUT -o $_dev -p tcp --dport 21 -m state --state NEW \
-m recent --name ftp6data_$i --rdest --set -j ACCEPT
# - (2)
# - - Accept packets if the destination ip-address (--rdest) is in the 'ftp6data_$i' list (--update)
# - and the destination ip-address was seen within the last 1800 seconds (--seconds 1800).
# -
# - - If matched, the "last seen" timestamp of the destination address will be updated (--update).
# -
# - - Entries in the ftp6data list not seen in the last 1800 will be removed (--reap).
# -
$ip6t -A OUTPUT -o $_dev -p tcp -m state --state NEW --dport 1024: \
-m recent --name ftp6data_$i --rdest --update --seconds 1800 --reap -j ACCEPT
((i++))
# - Accept (helper ftp) related connections # - Accept (helper ftp) related connections
# -
$ip6t -A OUTPUT -m conntrack --ctstate RELATED -m helper --helper ftp -o $_dev -p tcp --dport 1024: -j ACCEPT $ip6t -A OUTPUT -m conntrack --ctstate RELATED -m helper --helper ftp -o $_dev -p tcp --dport 1024: -j ACCEPT
$ip6t -A INPUT -m conntrack --ctstate RELATED -m helper --helper ftp -i $_dev -p tcp --dport 1024: -j ACCEPT $ip6t -A INPUT -m conntrack --ctstate RELATED -m helper --helper ftp -i $_dev -p tcp --dport 1024: -j ACCEPT
if $kernel_forward_between_interfaces && ! $permit_local_net_to_inet ; then if $kernel_forward_between_interfaces && ! $permit_local_net_to_inet ; then
# - Open FTP connection # =====
$ip6t -A FORWARD -o $_dev -p tcp --dport 21 -m conntrack --ctstate NEW -j ACCEPT # -
# - ip_conntrack_ftp cannot see the TLS-encrypted traffic
# - ======================================================
# -
# - Workaround:
# - (1) add (!) desitnatin ip to a 'recent list' named 'ftp6data_$i! if ftp control connections appear
# - (2) accept packets of the formaly created recent list 'ftp6data_$i!
# -
# - Note:
# - Use flag '--rdest' to match destination address
# -
# =====
# - (1)
# -
# - Open FTP connection and add the destination ip (--rdest) to ftp6data recent list 'ftp6data_$i'.
# -
$ip6t -A FORWARD -o $_dev -p tcp --dport 21 -m state --state NEW \
-m recent --name ftp6data_$i --rdest --set -j ACCEPT
# - (2)
# - - Accept packets if the destination ip-address (--rdest) is in the 'ftp6data_$i' list (--update)
# - and the destination ip-address was seen within the last 1800 seconds (--seconds 1800).
# -
# - - If matched, the "last seen" timestamp of the destination address will be updated (--update).
# -
# - - Entries in the ftp6data list not seen in the last 1800 will be removed (--reap).
# -
$ip6t -A FORWARD -o $_dev -p tcp -m state --state NEW --dport 1024: \
-m recent --name ftp6data_$i --rdest --update --seconds 1800 --reap -j ACCEPT
((i++))
# - Accept (helper ftp) related connections # - Accept (helper ftp) related connections
# -
$ip6t -A FORWARD -m conntrack --ctstate RELATED -m helper --helper ftp -o $_dev -p tcp --dport 1024: -j ACCEPT $ip6t -A FORWARD -m conntrack --ctstate RELATED -m helper --helper ftp -o $_dev -p tcp --dport 1024: -j ACCEPT
$ip6t -A FORWARD -m conntrack --ctstate RELATED -m helper --helper ftp -i $_dev -p tcp --dport 1024: -j ACCEPT $ip6t -A FORWARD -m conntrack --ctstate RELATED -m helper --helper ftp -i $_dev -p tcp --dport 1024: -j ACCEPT
@ -2147,7 +2200,47 @@ fi
echononl "\t\tFTP Service Gateway" echononl "\t\tFTP Service Gateway"
if $local_ftp_service ; then if $local_ftp_service ; then
$ip6t -A INPUT -p tcp --dport $standard_ftp_port --sport $unprivports -m conntrack --ctstate NEW -j ACCEPT
# =====
# -
# - ip_conntrack_ftp cannot see the TLS-encrypted traffic
# - ======================================================
# -
# - Workaround:
# - (1) add source ip to a 'recent list' named 'ftp6service! if ftp control connections appear
# - (2) accept packets of the formaly created recent list 'ftp6service!
# -
# =====
# - (Re)define helper
# -
# - !! Note: !!
# - for both, local FTP server (ftp_server_ip_arr)
# - and forward to (extern) FTP server (forward_ftp_server_ip_arr)
# -
$ip6t -A PREROUTING -t raw -p tcp --dport 21 -j CT --helper ftp
# - (1)
# -
# - Accept initial FTP connection and add the source ip to ftpdata recent list 'ftp6service'.
# -
$ip6t -A INPUT -p tcp -m state --state NEW --dport 21 -m recent --name ftp6service --set -j ACCEPT
# - (2)
# - - Accept packets if the source ip-address is in the 'ftp6service' list (--update) and the
# - source ip-address was seen within the last 1800 seconds (--seconds 1800).
# -
# - - If matched, the "last seen" timestamp of the source address will be updated (--update).
# -
# - - Entries in the ftpdata list not seen in the last 1800 will be removed (--reap).
# -
$ip6t -A INPUT -p tcp -m state --state NEW --sport 1024: --dport $ftp_passive_port_range \
-m recent --name ftp6service --update --seconds 1800 --reap -j ACCEPT
# - Accept (helper ftp) related connections
# -
$ip6t -A INPUT -m conntrack --ctstate RELATED -m helper --helper ftp -p tcp --dport 1024: -j ACCEPT
echo_done echo_done
else else
echo_skipped echo_skipped
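Review bot: The recent-list workaround in the second hunk (the rules inside `for _dev in ${ext_if_arr[@]}`) opens every TCP port from 1024 upward towards any host that has been contacted on port 21, not only the passive data port the server announces, and because the data rule uses `--update` every accepted data connection refreshes the 1800 s window, so the opening persists for as long as anything keeps talking to that host. In the FORWARD branch the list is keyed on destination only (`--rdest`), so every client behind the gateway inherits that opening once a single client has opened a control connection. If the window is meant to be bounded by the control connection, `-m recent --name ftp6data_$i --rdest --rcheck --seconds 1800 --reap -j ACCEPT` keeps the limit relative to the last `--set` instead of extending it on each match, and where the remote servers' passive range is known, replacing `--dport 1024:` with that range narrows it further. The trade-off deserves a comment on the rule, e.g. `# - NOTE: this accepts any high port on a recently contacted FTP host, not only its passive data port; the window is refreshed by each match`. The same pattern appears in the FORWARD rules of this hunk and in the matching hunk of the IPv4 file below; the enclosing `for` loop ends outside the hunk.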


@ -2769,6 +2769,10 @@ echononl "\t\tFTP out only"
if $allow_ftp_request_out ; then if $allow_ftp_request_out ; then
# - Used for different ftpdata recent lists 'ftpdata_$i'
# -
declare -i i=1
# - (Re)define helper # - (Re)define helper
# - # -
$ipt -A OUTPUT -t raw -p tcp --dport 21 -j CT --helper ftp $ipt -A OUTPUT -t raw -p tcp --dport 21 -j CT --helper ftp
@ -2778,19 +2782,67 @@ if $allow_ftp_request_out ; then
for _dev in ${ext_if_arr[@]} ; do for _dev in ${ext_if_arr[@]} ; do
# - Open FTP connection # - Open FTP connection and add the destination ip (--rdest) to ftpdata recent list 'ftpdata_$i'.
$ipt -A OUTPUT -o $_dev -p tcp --dport 21 -m state --state NEW -j ACCEPT # -
$ipt -A OUTPUT -o $_dev -p tcp --dport 21 -m state --state NEW -m recent --name ftpdata_$i --rdest --set -j ACCEPT
# - (2)
# - - Accept packets if the destination ip-address (--rdest) is in the 'ftpdata_$i' list (--update)
# - and the destination ip-address was seen within the last 1800 seconds (--seconds 1800).
# -
# - - If matched, the "last seen" timestamp of the destination address will be updated (--update).
# -
# - - Entries in the ftpdata list not seen in the last 1800 will be removed (--reap).
# -
$ipt -A OUTPUT -o $_dev -p tcp -m state --state NEW --dport 1024: \
-m recent --name ftpdata_$i --rdest --update --seconds 1800 --reap -j ACCEPT
((i++))
# - Accept (helper ftp) related connections # - Accept (helper ftp) related connections
# -
$ipt -A OUTPUT -m conntrack --ctstate RELATED -m helper --helper ftp -o $_dev -p tcp --dport 1024: -j ACCEPT $ipt -A OUTPUT -m conntrack --ctstate RELATED -m helper --helper ftp -o $_dev -p tcp --dport 1024: -j ACCEPT
$ipt -A INPUT -m conntrack --ctstate RELATED -m helper --helper ftp -i $_dev -p tcp --dport 1024: -j ACCEPT $ipt -A INPUT -m conntrack --ctstate RELATED -m helper --helper ftp -i $_dev -p tcp --dport 1024: -j ACCEPT
if $kernel_activate_forwarding && ! $permit_local_net_to_inet ; then if $kernel_activate_forwarding && ! $permit_local_net_to_inet ; then
# - Open FTP connection # =====
$ipt -A FORWARD -o $_dev -p tcp --dport 21 -m conntrack --ctstate NEW -j ACCEPT # -
# - ip_conntrack_ftp cannot see the TLS-encrypted traffic
# - ======================================================
# -
# - Workaround:
# - (1) add (!) desitnatin ip to a 'recent list' named 'ftpdata_$i! if ftp control connections appear
# - (2) accept packets of the formaly created recent list 'ftpdata_$i!
# -
# - Note:
# - Use flag '--rdest' to match destination address
# -
# =====
# - (1)
# -
# - Open FTP connection and add the destination ip (--rdest) to ftpdata recent list 'ftpdata_$i'.
# -
$ipt -A FORWARD -o $_dev -p tcp --dport 21 -m state --state NEW \
-m recent --name ftpdata_$i --rdest --set -j ACCEPT
# - (2)
# - - Accept packets if the destination ip-address (--rdest) is in the 'ftpdata_$i' list (--update)
# - and the destination ip-address was seen within the last 1800 seconds (--seconds 1800).
# -
# - - If matched, the "last seen" timestamp of the destination address will be updated (--update).
# -
# - - Entries in the ftpdata list not seen in the last 1800 will be removed (--reap).
# -
$ipt -A FORWARD -o $_dev -p tcp -m state --state NEW --dport 1024: \
-m recent --name ftpdata_$i --rdest --update --seconds 1800 --reap -j ACCEPT
((i++))
# - Accept (helper ftp) related connections # - Accept (helper ftp) related connections
# -
$ipt -A FORWARD -m conntrack --ctstate RELATED -m helper --helper ftp -o $_dev -p tcp --dport 1024: -j ACCEPT $ipt -A FORWARD -m conntrack --ctstate RELATED -m helper --helper ftp -o $_dev -p tcp --dport 1024: -j ACCEPT
$ipt -A FORWARD -m conntrack --ctstate RELATED -m helper --helper ftp -i $_dev -p tcp --dport 1024: -j ACCEPT $ipt -A FORWARD -m conntrack --ctstate RELATED -m helper --helper ftp -i $_dev -p tcp --dport 1024: -j ACCEPT
@ -2832,7 +2884,47 @@ fi
echononl "\t\tFTP Service Gateway" echononl "\t\tFTP Service Gateway"
if $local_ftp_service ; then if $local_ftp_service ; then
$ipt -A INPUT -p tcp --dport $standard_ftp_port --sport $unprivports -m conntrack --ctstate NEW -j ACCEPT
# =====
# -
# - ip_conntrack_ftp cannot see the TLS-encrypted traffic
# - ======================================================
# -
# - Workaround:
# - (1) add source ip to a 'recent list' named 'ftpservice! if ftp control connections appear
# - (2) accept packets of the formaly created recent list 'ftpservice!
# -
# =====
# - (Re)define helper
# -
# - !! Note: !!
# - for both, local FTP server (ftp_server_ip_arr)
# - and forward to (extern) FTP server (forward_ftp_server_ip_arr)
# -
$ipt -A PREROUTING -t raw -p tcp --dport 21 -j CT --helper ftp
# - (1)
# -
# - Accept initial FTP connection and add the source ip to ftpdata recent list 'ftpservice'.
# -
$ipt -A INPUT -p tcp -m state --state NEW --dport 21 -m recent --name ftpservice --set -j ACCEPT
# - (2)
# - - Accept packets if the source ip-address is in the 'ftpservice' list (--update) and the
# - source ip-address was seen within the last 1800 seconds (--seconds 1800).
# -
# - - If matched, the "last seen" timestamp of the source address will be updated (--update).
# -
# - - Entries in the ftpdata list not seen in the last 1800 will be removed (--reap).
# -
$ipt -A INPUT -p tcp -m state --state NEW --sport 1024: --dport $ftp_passive_port_range \
-m recent --name ftpservice --update --seconds 1800 --reap -j ACCEPT
# - Accept (helper ftp) related connections
# -
$ipt -A INPUT -m conntrack --ctstate RELATED -m helper --helper ftp -p tcp --dport 1024: -j ACCEPT
echo_done echo_done
else else
echo_skipped echo_skipped
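Review bot: The new gateway rules in the last hunk hard-code the control port, `$ipt -A PREROUTING -t raw -p tcp --dport 21 -j CT --helper ftp` and `$ipt -A INPUT -p tcp -m state --state NEW --dport 21 -m recent --name ftpservice --set -j ACCEPT`, whereas the line they appear to replace matched `--dport $standard_ftp_port --sport $unprivports`; if `standard_ftp_port` is configurable, a non-default value now leaves the control port closed and the `ftpservice` list is never populated, so `--dport $standard_ftp_port` in both new rules keeps the existing variable authoritative. Note also that a source address is added to the list on its first NEW (SYN) packet to port 21, before any handshake or login completes, and from then on may open the whole `$ftp_passive_port_range` for 1800 s, refreshed by `--update` on every match; a comment such as `# - NOTE: any source that sent a SYN to the control port may open the full passive range for 1800s (window refreshed on each match)` would make that visible to the next reader. The same hard-coded port appears in the IPv6 file's "FTP Service Gateway" hunk above. The enclosing `if $local_ftp_service` block ends outside the hunk.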