diff --git a/conf/load_modules_ipv4.conf b/conf/load_modules_ipv4.conf
index bc383f0..e80a671 100644
--- a/conf/load_modules_ipv4.conf
+++ b/conf/load_modules_ipv4.conf
@@ -21,7 +21,7 @@ iptable_raw
 # - Load base modules for tracking
 # -
-nf_conntrack
+nf_conntrack nf_conntrack_helper=0
 nf_nat
 # - Load module for FTP Connection tracking and NAT
diff --git a/ip6t-firewall-gateway b/ip6t-firewall-gateway
index 54ea3ed..2021a23 100755
--- a/ip6t-firewall-gateway
+++ b/ip6t-firewall-gateway
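Review bot: The `nf_conntrack_helper=0` parameter on the `+nf_conntrack` line only takes effect if this is the modprobe that actually loads nf_conntrack; if the module is already resident (loaded earlier by another script, pulled in by a `-m conntrack` rule, or built in), the parameter is silently ignored and helper auto-assignment stays at the kernel default, which was 1 before Linux 4.7. To make the hardening hold regardless of load order, also set it at runtime in the firewall scripts, e.g. `sysctl -q -w net.netfilter.nf_conntrack_helper=0`, and mirror the parameter in the IPv6 module list if that file loads nf_conntrack too (it is not part of this diff). As far as I recall, kernels from 6.0 on dropped both the parameter and the sysctl because automatic helper assignment was removed, so the sysctl call should tolerate the key being absent. A why-comment above the line, `# - disable automatic helper assignment; helpers are attached explicitly via -j CT --helper`, would tell the next maintainer that this pairs with the raw-table rules in the gateway scripts.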
@@ -2083,26 +2083,62 @@ fi
 echononl "\t\tFTP out only"
 if $allow_ftp_request_out ; then
+
+ # - (Re)define helper
+ # -
+ $ip6t -A OUTPUT -t raw -p tcp --dport 21 -j CT --helper ftp
+ if $kernel_forward_between_interfaces ; then
+ $ip6t -A PREROUTING -t raw -p tcp --dport 21 -j CT --helper ftp
+ fi
+
 for _dev in ${ext_if_arr[@]} ; do
- $ip6t -A OUTPUT -o $_dev -p tcp --dport 21 -m conntrack --ctstate NEW -j ACCEPT
- $ip6t -A OUTPUT -o $_dev -p tcp --sport $unprivports --dport $unprivports -m conntrack --ctstate NEW -j ACCEPT
- # - Allow active FTP connections from local network
- # -
- #$ip6t -A INPUT -i $_dev -p tcp --sport 20 -m conntrack --ctstate NEW -j ACCEPT
+
+ # - Open FTP connection
+ $ip6t -A OUTPUT -o $_dev -p tcp --dport 21 -m state --state NEW -j ACCEPT
+
+ # - Accept (helper ftp) related connections
+ $ip6t -A OUTPUT -m conntrack --ctstate RELATED -m helper --helper ftp -o $_dev -p tcp --dport 1024: -j ACCEPT
+ $ip6t -A INPUT -m conntrack --ctstate RELATED -m helper --helper ftp -i $_dev -p tcp --dport 1024: -j ACCEPT
+
 if $kernel_forward_between_interfaces && !
$permit_local_net_to_inet ; then
- $ip6t -A FORWARD -o $_dev -p tcp --dport 21 -m conntrack --ctstate NEW -j ACCEPT
- $ip6t -A FORWARD -o $_dev -p tcp --sport $unprivports --dport $unprivports -m conntrack --ctstate NEW -j ACCEPT
+
+ # - Open FTP connection
+ $ip6t -A FORWARD -o $_dev -p tcp --dport 21 -m conntrack --ctstate NEW -j ACCEPT
+
+ # - Accept (helper ftp) related connections
+ $ip6t -A FORWARD -m conntrack --ctstate RELATED -m helper --helper ftp -o $_dev -p tcp --dport 1024: -j ACCEPT
+ $ip6t -A FORWARD -m conntrack --ctstate RELATED -m helper --helper ftp -i $_dev -p tcp --dport 1024: -j ACCEPT
+
 fi
- # - Allow active FTP connections from local network
- # -
- $ip6t -A FORWARD -i $_dev -p tcp --sport 20 -m conntrack --ctstate NEW -j ACCEPT
+
 done
 echo_done
 else
- echo_done
+ echo_skipped
 fi
+#if $allow_ftp_request_out ; then
+# for _dev in ${ext_if_arr[@]} ; do
+# $ip6t -A OUTPUT -o $_dev -p tcp --dport 21 -m conntrack --ctstate NEW -j ACCEPT
+# $ip6t -A OUTPUT -o $_dev -p tcp --sport $unprivports --dport $unprivports -m conntrack --ctstate NEW -j ACCEPT
+# # - Allow active FTP connections from local network
+# # -
+# #$ip6t -A INPUT -i $_dev -p tcp --sport 20 -m conntrack --ctstate NEW -j ACCEPT
+# if $kernel_forward_between_interfaces && ! $permit_local_net_to_inet ; then
+# $ip6t -A FORWARD -o $_dev -p tcp --dport 21 -m conntrack --ctstate NEW -j ACCEPT
+# $ip6t -A FORWARD -o $_dev -p tcp --sport $unprivports --dport $unprivports -m conntrack --ctstate NEW -j ACCEPT
+# fi
+# # - Allow active FTP connections from local network
+# # -
+# $ip6t -A FORWARD -i $_dev -p tcp --sport 20 -m conntrack --ctstate NEW -j ACCEPT
+# done
+#
+# echo_done
+#else
+# echo_done
+#fi
+
 # ---
 # - FTP Service Gateway
diff --git a/ipt-firewall-gateway b/ipt-firewall-gateway
index ebb6356..5d93451 100755
--- a/ipt-firewall-gateway
+++ b/ipt-firewall-gateway
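Review bot: The raw-table rule `$ip6t -A PREROUTING -t raw -p tcp --dport 21 -j CT --helper ftp` added at the top of the block has no `-i` match, so it attaches the FTP helper to every inbound or forwarded control connection to port 21, including ones arriving on `${ext_if_arr[@]}` from the Internet, although this block is the "FTP out only" case. The helper parses the peer-controlled command stream and creates expectations that the new `--ctstate RELATED -m helper --helper ftp` rules then accept, so attaching it to inbound, attacker-controlled streams widens the attack surface beyond what the outbound use case needs. Scope it to traffic that originates inside, e.g. `$ip6t -A PREROUTING -t raw ! -i $_dev -p tcp --dport 21 -j CT --helper ftp` inside the `for _dev` loop when there is a single external interface, or iterate the internal interface variables (not visible here) with `-i`. The same lines appear in the ipt-firewall-gateway copy of this change, and the script continues past the hunk with the "FTP Service Gateway" section, which presumably owns inbound FTP and should carry its own CT rule if it needs one.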
@@ -2768,26 +2768,62 @@ fi
 echononl "\t\tFTP out only"
 if $allow_ftp_request_out ; then
+
+ # - (Re)define helper
+ # -
+ $ipt -A OUTPUT -t raw -p tcp --dport 21 -j CT --helper ftp
+ if $kernel_activate_forwarding ; then
+ $ipt -A PREROUTING -t raw -p tcp --dport 21 -j CT --helper ftp
+ fi
+
 for _dev in ${ext_if_arr[@]} ; do
- $ipt -A OUTPUT -o $_dev -p tcp --dport 21 -m conntrack --ctstate NEW -j ACCEPT
- $ipt -A OUTPUT -o $_dev -p tcp --sport $unprivports --dport $unprivports -m conntrack --ctstate NEW -j ACCEPT
- # - Allow active FTP connections from local network
- # -
- #$ipt -A INPUT -i $_dev -p tcp --sport 20 -m conntrack --ctstate NEW -j ACCEPT
+
+ # - Open FTP connection
+ $ipt -A OUTPUT -o $_dev -p tcp --dport 21 -m state --state NEW -j ACCEPT
+
+ # - Accept (helper ftp) related connections
+ $ipt -A OUTPUT -m conntrack --ctstate RELATED -m helper --helper ftp -o $_dev -p tcp --dport 1024: -j ACCEPT
+ $ipt -A INPUT -m conntrack --ctstate RELATED -m helper --helper ftp -i $_dev -p tcp --dport 1024: -j ACCEPT
+
 if $kernel_activate_forwarding && !
$permit_local_net_to_inet ; then
- $ipt -A FORWARD -o $_dev -p tcp --dport 21 -m conntrack --ctstate NEW -j ACCEPT
- $ipt -A FORWARD -o $_dev -p tcp --sport $unprivports --dport $unprivports -m conntrack --ctstate NEW -j ACCEPT
+
+ # - Open FTP connection
+ $ipt -A FORWARD -o $_dev -p tcp --dport 21 -m conntrack --ctstate NEW -j ACCEPT
+
+ # - Accept (helper ftp) related connections
+ $ipt -A FORWARD -m conntrack --ctstate RELATED -m helper --helper ftp -o $_dev -p tcp --dport 1024: -j ACCEPT
+ $ipt -A FORWARD -m conntrack --ctstate RELATED -m helper --helper ftp -i $_dev -p tcp --dport 1024: -j ACCEPT
+
 fi
- # - Allow active FTP connections from local network
- # -
- $ipt -A FORWARD -i $_dev -p tcp --sport 20 -m conntrack --ctstate NEW -j ACCEPT
+
 done
 echo_done
 else
- echo_done
+ echo_skipped
 fi
+#if $allow_ftp_request_out ; then
+# for _dev in ${ext_if_arr[@]} ; do
+# $ipt -A OUTPUT -o $_dev -p tcp --dport 21 -m conntrack --ctstate NEW -j ACCEPT
+# $ipt -A OUTPUT -o $_dev -p tcp --sport $unprivports --dport $unprivports -m conntrack --ctstate NEW -j ACCEPT
+# # - Allow active FTP connections from local network
+# # -
+# $ipt -A INPUT -i $_dev -p tcp --sport 20 -m conntrack --ctstate NEW -j ACCEPT
+# if $kernel_activate_forwarding && ! $permit_local_net_to_inet ; then
+# $ipt -A FORWARD -o $_dev -p tcp --dport 21 -m conntrack --ctstate NEW -j ACCEPT
+# $ipt -A FORWARD -o $_dev -p tcp --sport $unprivports --dport $unprivports -m conntrack --ctstate NEW -j ACCEPT
+# fi
+# # - Allow active FTP connections from local network
+# # -
+# $ipt -A FORWARD -i $_dev -p tcp --sport 20 -m conntrack --ctstate NEW -j ACCEPT
+# done
+#
+# echo_done
+#else
+# echo_done
+#fi
+
 # ---
 # - FTP Service Gateway
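Review bot: The new OUTPUT accept rule `$ipt -A OUTPUT -o $_dev -p tcp --dport 21 -m state --state NEW -j ACCEPT` switches to the deprecated `-m state` match while every other rule in the hunk, and the rule it replaces, uses `-m conntrack --ctstate`; on current iptables `state` is only an alias for `conntrack`, but mixing both in one block reads like two authors and should be `-m conntrack --ctstate NEW` for consistency. The roughly twenty commented-out lines appended after the `fi` (`#if $allow_ftp_request_out ; then` … `#fi`) are a verbatim copy of the implementation this commit removes; the VCS already preserves it, and leaving a second, stale set of FTP rules in the file invites someone to re-enable the variant that no longer matches the helper setup, so it should be deleted. Both points apply equally to the ip6t-firewall-gateway hunk of this commit.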