diff --git a/ip6t-firewall-gateway b/ip6t-firewall-gateway index d333e94..202624a 100755 --- a/ip6t-firewall-gateway +++ b/ip6t-firewall-gateway @@ -2076,6 +2076,12 @@ else fi +# --- +# - FTP common +# --- +ftp_helper_output_defined=false +ftp_helper_prerouting_defined=false + # --- # - FTP out only # --- @@ -2090,9 +2096,13 @@ if $allow_ftp_request_out ; then # - (Re)define helper # - - $ip6t -A OUTPUT -t raw -p tcp --dport 21 -j CT --helper ftp - if $kernel_forward_between_interfaces ; then + if ! $ftp_helper_output_defined ; then + $ip6t -A OUTPUT -t raw -p tcp --dport 21 -j CT --helper ftp + ftp_helper_output_defined=true + fi + if $kernel_forward_between_interfaces && ! $ftp_helper_prerouting_defined ; then $ip6t -A PREROUTING -t raw -p tcp --dport 21 -j CT --helper ftp + ftp_helper_prerouting_defined=true fi for _dev in ${ext_if_arr[@]} ; do @@ -2218,7 +2228,10 @@ if $local_ftp_service ; then # - for both, local FTP server (ftp_server_ip_arr) # - and forward to (extern) FTP server (forward_ftp_server_ip_arr) # - - $ip6t -A PREROUTING -t raw -p tcp --dport 21 -j CT --helper ftp + if ! $ftp_helper_prerouting_defined ; then + $ip6t -A PREROUTING -t raw -p tcp --dport 21 -j CT --helper ftp + ftp_helper_prerouting_defined=true + fi # - (1) # - 
@@ -2252,31 +2265,97 @@ fi # --- echononl "\t\tFTP Service local Networks" + if [[ ${#ftp_server_only_local_ip_arr[@]} -gt 0 ]] && $kernel_forward_between_interfaces ; then + + # - Used for different ftpdata recent lists 'ftp6data_local_$k' + # - + declare -i k=1 + + # - (Re)define helper + # - + if ! $ftp_helper_output_defined ; then + $ip6t -A OUTPUT -t raw -p tcp --dport 21 -j CT --helper ftp + ftp_helper_output_defined=true + fi + if $kernel_forward_between_interfaces && ! $permit_between_local_networks && ! $ftp_helper_prerouting_defined ; then + $ip6t -A PREROUTING -t raw -p tcp --dport 21 -j CT --helper ftp + ftp_helper_prerouting_defined=true + fi + for _ip in ${ftp_server_only_local_ip_arr[@]} ; do - $ip6t -A OUTPUT -p tcp -d $_ip --dport 21 --sport $unprivports -m conntrack --ctstate NEW -j ACCEPT - if ! $permit_between_local_networks ; then - $ip6t -A FORWARD -p tcp -d $_ip --dport 21 --sport $unprivports -m conntrack --ctstate NEW -j ACCEPT + # - (1) + # - + # - Open FTP connection and add the destination ip (--rdest) to ftpdata recent list 'ftpdata_$i'. + # - + $ip6t -A OUTPUT -p tcp -d $_ip --dport 21 --sport 1024: -m state --state NEW \ + -m recent --name ftp6data_local_$k --rdest --set -j ACCEPT + + $ip6t -A FORWARD -d $_ip -p tcp --dport 21 -m state --state NEW \ + -m recent --name ftp6data_local_$k --rdest --set -j ACCEPT + + # - (2) + # - - Accept packets if the destination ip-address (--rdest) is in the 'ftpdata_$i' list (--update) + # - and the destination ip-address was seen within the last 1800 seconds (--seconds 1800). + # - + # - - If matched, the "last seen" timestamp of the destination address will be updated (--update). + # - + # - - Entries in the ftpdata list not seen in the last 1800 will be removed (--reap). + # - + $ip6t -A OUTPUT -d $_ip -p tcp -m state --state NEW --dport 1024: \ + -m recent --name ftp6data_local_$k --rdest --update --seconds 1800 --reap -j ACCEPT + + if $kernel_forward_between_interfaces && ! 
$permit_between_local_networks ; then + $ip6t -A FORWARD -d $_ip -p tcp -m state --state NEW --dport 1024: \ + -m recent --name ftp6data_local_$k --rdest --update --seconds 1800 --reap -j ACCEPT fi - if $local_alias_interfaces ; then - # - Control Port - $ip6t -A FORWARD -p tcp -d $_ip --dport 21 --tcp-flag ACK ACK -j ACCEPT - $ip6t -A FORWARD -p tcp -s $_ip --sport 21 --tcp-flag ACK ACK -j ACCEPT - # - Data Port activ - $ip6t -A FORWARD -p tcp -d $_ip --dport 20 --tcp-flag ACK ACK -j ACCEPT - $ip6t -A FORWARD -p tcp -s $_ip --sport 20 --tcp-flag ACK ACK -j ACCEPT - # - Data Port passiv - $ip6t -A FORWARD -p tcp -d $_ip --sport $unprivports --dport $unprivports --tcp-flag ACK ACK -j ACCEPT + ((k++)) + + # - Accept (helper ftp) related connections + # - + $ip6t -A OUTPUT -m conntrack --ctstate RELATED -m helper --helper ftp -o $_dev -p tcp --dport 1024: -j ACCEPT + $ip6t -A INPUT -m conntrack --ctstate RELATED -m helper --helper ftp -i $_dev -p tcp --dport 1024: -j ACCEPT + + if $kernel_forward_between_interfaces && ! $permit_between_local_networks ; then + $ip6t -A FORWARD -m conntrack --ctstate RELATED -m helper --helper ftp -p tcp -d $_ip --dport 1024: -j ACCEPT + $ip6t -A FORWARD -m conntrack --ctstate RELATED -m helper --helper ftp -p tcp -s $_ip --dport 1024: -j ACCEPT fi + done - + echo_done else echo_skipped fi +#echononl "\t\tFTP Service local Networks" +#if [[ ${#ftp_server_only_local_ip_arr[@]} -gt 0 ]] && $kernel_forward_between_interfaces ; then +# for _ip in ${ftp_server_only_local_ip_arr[@]} ; do +# $ip6t -A OUTPUT -p tcp -d $_ip --dport 21 --sport $unprivports -m conntrack --ctstate NEW -j ACCEPT +# +# if ! 
$permit_between_local_networks ; then +# $ip6t -A FORWARD -p tcp -d $_ip --dport 21 --sport $unprivports -m conntrack --ctstate NEW -j ACCEPT +# fi +# +# if $local_alias_interfaces ; then +# # - Control Port +# $ip6t -A FORWARD -p tcp -d $_ip --dport 21 --tcp-flag ACK ACK -j ACCEPT +# $ip6t -A FORWARD -p tcp -s $_ip --sport 21 --tcp-flag ACK ACK -j ACCEPT +# # - Data Port activ +# $ip6t -A FORWARD -p tcp -d $_ip --dport 20 --tcp-flag ACK ACK -j ACCEPT +# $ip6t -A FORWARD -p tcp -s $_ip --sport 20 --tcp-flag ACK ACK -j ACCEPT +# # - Data Port passiv +# $ip6t -A FORWARD -p tcp -d $_ip --sport $unprivports --dport $unprivports --tcp-flag ACK ACK -j ACCEPT +# fi +# done +# +# echo_done +#else +# echo_skipped +#fi + # --- # - FTP Services DMZ diff --git a/ipt-firewall-gateway b/ipt-firewall-gateway index 5083316..175c9ea 100755 --- a/ipt-firewall-gateway +++ b/ipt-firewall-gateway @@ -2761,6 +2761,12 @@ else fi +# --- +# - FTP common +# --- +ftp_helper_output_defined=false +ftp_helper_prerouting_defined=false + # --- # - FTP out only # --- @@ -2773,11 +2779,13 @@ if $allow_ftp_request_out ; then # - declare -i i=1 - # - (Re)define helper - # - - $ipt -A OUTPUT -t raw -p tcp --dport 21 -j CT --helper ftp - if $kernel_activate_forwarding ; then + if ! $ftp_helper_output_defined ; then + $ipt -A OUTPUT -t raw -p tcp --dport 21 -j CT --helper ftp + ftp_helper_output_defined=true + fi + if $kernel_activate_forwarding && ! $ftp_helper_prerouting_defined ; then $ipt -A PREROUTING -t raw -p tcp --dport 21 -j CT --helper ftp + ftp_helper_prerouting_defined=true fi for _dev in ${ext_if_arr[@]} ; do 
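Review bot: The two new RELATED rules inside the `for _ip in ${ftp_server_only_local_ip_arr[@]}` loop use `-o $_dev` and `-i $_dev`, but `_dev` is never assigned in this loop; it holds whatever the earlier `for _dev in ${ext_if_arr[@]}` loop left behind (apparently an external interface, if that loop ran at all), so the rule is either bound to the wrong interface or ip6tables rejects the empty argument. The same two lines appear in the ipt-firewall-gateway hunk at -2936. Since the FORWARD RELATED rules directly below already key on `-d $_ip` / `-s $_ip`, the OUTPUT/INPUT pair should do the same instead of naming an interface: `$ip6t -A OUTPUT -m conntrack --ctstate RELATED -m helper --helper ftp -p tcp -d $_ip --dport 1024: -j ACCEPT` and `$ip6t -A INPUT -m conntrack --ctstate RELATED -m helper --helper ftp -p tcp -s $_ip --dport 1024: -j ACCEPT`, which also stops an identical pair being inserted once per server address. Separately, the new `FORWARD ... --dport 21 -m recent --set` rule is added unconditionally while the PREROUTING helper and every other FORWARD rule in this block are gated on `! $permit_between_local_networks`; the removed code kept that gate and it looks worth restoring with `if ! $permit_between_local_networks ; then` around that rule.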
@@ -2902,7 +2910,10 @@ if $local_ftp_service ; then # - for both, local FTP server (ftp_server_ip_arr) # - and forward to (extern) FTP server (forward_ftp_server_ip_arr) # - - $ipt -A PREROUTING -t raw -p tcp --dport 21 -j CT --helper ftp + if ! $ftp_helper_prerouting_defined ; then + $ipt -A PREROUTING -t raw -p tcp --dport 21 -j CT --helper ftp + ftp_helper_prerouting_defined=true + fi # - (1) # - 
@@ -2936,32 +2947,100 @@ fi # --- echononl "\t\tFTP Service local Networks" + if [[ ${#ftp_server_only_local_ip_arr[@]} -gt 0 ]] && $kernel_activate_forwarding ; then + + # - Used for different ftpdata recent lists 'ftpdata_local_$k' + # - + declare -i k=1 + + # - (Re)define helper + # - + if ! $ftp_helper_output_defined ; then + $ipt -A OUTPUT -t raw -p tcp --dport 21 -j CT --helper ftp + ftp_helper_output_defined=true + fi + if $kernel_activate_forwarding && ! $permit_between_local_networks && ! $ftp_helper_prerouting_defined ; then + $ipt -A PREROUTING -t raw -p tcp --dport 21 -j CT --helper ftp + ftp_helper_prerouting_defined=true + fi + for _ip in ${ftp_server_only_local_ip_arr[@]} ; do - $ipt -A OUTPUT -p tcp -d $_ip --dport 21 --sport $unprivports -m conntrack --ctstate NEW -j ACCEPT - if ! $permit_between_local_networks ; then - $ipt -A FORWARD -p tcp -d $_ip --dport 21 --sport $unprivports -m conntrack --ctstate NEW -j ACCEPT + # - (1) + # - + # - Open FTP connection and add the destination ip (--rdest) to ftpdata recent list 'ftpdata_$i'. + # - + $ipt -A OUTPUT -p tcp -d $_ip --dport 21 --sport 1024: -m state --state NEW \ + -m recent --name ftpdata_local_$k --rdest --set -j ACCEPT + + $ipt -A FORWARD -d $_ip -p tcp --dport 21 -m state --state NEW \ + -m recent --name ftpdata_local_$k --rdest --set -j ACCEPT + + # - (2) + # - - Accept packets if the destination ip-address (--rdest) is in the 'ftpdata_$i' list (--update) + # - and the destination ip-address was seen within the last 1800 seconds (--seconds 1800). + # - + # - - If matched, the "last seen" timestamp of the destination address will be updated (--update). + # - + # - - Entries in the ftpdata list not seen in the last 1800 will be removed (--reap). + # - + $ipt -A OUTPUT -d $_ip -p tcp -m state --state NEW --dport 1024: \ + -m recent --name ftpdata_local_$k --rdest --update --seconds 1800 --reap -j ACCEPT + + if $kernel_activate_forwarding && ! 
$permit_between_local_networks ; then + $ipt -A FORWARD -d $_ip -p tcp -m state --state NEW --dport 1024: \ + -m recent --name ftpdata_local_$k --rdest --update --seconds 1800 --reap -j ACCEPT fi - if $local_alias_interfaces ; then - # - Control Port - $ipt -A FORWARD -p tcp -d $_ip --dport 21 --tcp-flag ACK ACK -j ACCEPT - $ipt -A FORWARD -p tcp -s $_ip --sport 21 --tcp-flag ACK ACK -j ACCEPT - # - Data Port activ - $ipt -A FORWARD -p tcp -d $_ip --dport 20 --tcp-flag ACK ACK -j ACCEPT - $ipt -A FORWARD -p tcp -s $_ip --sport 20 --tcp-flag ACK ACK -j ACCEPT - # - Data Port passiv - $ipt -A FORWARD -p tcp -d $_ip --sport $unprivports --dport $unprivports --tcp-flag ACK ACK -j ACCEPT + ((k++)) + + # - Accept (helper ftp) related connections + # - + $ipt -A OUTPUT -m conntrack --ctstate RELATED -m helper --helper ftp -o $_dev -p tcp --dport 1024: -j ACCEPT + $ipt -A INPUT -m conntrack --ctstate RELATED -m helper --helper ftp -i $_dev -p tcp --dport 1024: -j ACCEPT + + if $kernel_activate_forwarding && ! $permit_between_local_networks ; then + $ipt -A FORWARD -m conntrack --ctstate RELATED -m helper --helper ftp -p tcp -d $_ip --dport 1024: -j ACCEPT + $ipt -A FORWARD -m conntrack --ctstate RELATED -m helper --helper ftp -p tcp -s $_ip --dport 1024: -j ACCEPT fi + done - + echo_done else echo_skipped fi + +#echononl "\t\tFTP Service local Networks" +#if [[ ${#ftp_server_only_local_ip_arr[@]} -gt 0 ]] && $kernel_activate_forwarding ; then +# for _ip in ${ftp_server_only_local_ip_arr[@]} ; do +# $ipt -A OUTPUT -p tcp -d $_ip --dport 21 --sport $unprivports -m conntrack --ctstate NEW -j ACCEPT +# +# if ! 
$permit_between_local_networks ; then +# $ipt -A FORWARD -p tcp -d $_ip --dport 21 --sport $unprivports -m conntrack --ctstate NEW -j ACCEPT +# fi +# +# if $local_alias_interfaces ; then +# # - Control Port +# $ipt -A FORWARD -p tcp -d $_ip --dport 21 --tcp-flag ACK ACK -j ACCEPT +# $ipt -A FORWARD -p tcp -s $_ip --sport 21 --tcp-flag ACK ACK -j ACCEPT +# # - Data Port activ +# $ipt -A FORWARD -p tcp -d $_ip --dport 20 --tcp-flag ACK ACK -j ACCEPT +# $ipt -A FORWARD -p tcp -s $_ip --sport 20 --tcp-flag ACK ACK -j ACCEPT +# # - Data Port passiv +# $ipt -A FORWARD -p tcp -d $_ip --sport $unprivports --dport $unprivports --tcp-flag ACK ACK -j ACCEPT +# fi +# done +# +# echo_done +#else +# echo_skipped +#fi + + # --- # - FTP Services DMZ # ---
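Review bot: The recent-list rules marked (2) accept any NEW connection from the firewall host (OUTPUT) or a forwarded host (FORWARD) to every port `1024:` of a local FTP server for 1800 s after a single control connection, which is much broader than the passive data ports; the `-m helper --helper ftp` RELATED rules added in the same loop already match those precisely, so the recent-list pair mainly widens exposure to whatever else that server listens on above 1024 (the ip6t-firewall-gateway hunk at -2252 has the same pattern). The header comment should state whether that breadth is intended, e.g. `# - NOTE: (2) also admits non-FTP services on ports 1024: of $_ip for 1800s after a control connection; the helper RELATED rules below are the precise match`. The comments for (1) and (2) still name the list `'ftpdata_$i'` while the rules use `ftpdata_local_$k`; change both mentions to `'ftpdata_local_$k'`. The block also switches from `-m conntrack --ctstate NEW` (used by the removed lines and by the RELATED rules in this hunk) to the older `-m state --state NEW`, and replaces `$unprivports` with a literal `1024:`; keeping `-m conntrack` and `$unprivports` would match the surrounding code. Finally, the roughly two dozen commented-out lines from `#echononl` through `#fi` duplicate what version control already keeps and should be dropped rather than committed.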