Use CT target also for incomming ftp connections.
This commit is contained in:
parent
7a024c025e
commit
19bfef7e71
@ -1224,7 +1224,7 @@ fi
|
||||
# - FTP out only"
|
||||
# ---
|
||||
|
||||
echononl "\t\tFTP out only"
|
||||
echononl "\t\tFTP out only (using CT target)"
|
||||
|
||||
# - (Re)define helper
|
||||
# -
|
||||
@ -1238,9 +1238,13 @@ for _dev in ${ext_if_arr[@]} ; do
|
||||
# - Accept (helper ftp) related connections
|
||||
# -
|
||||
$ip6t -A OUTPUT -m conntrack --ctstate RELATED -m helper --helper ftp -o $_dev -p tcp --dport 1024: -j ACCEPT
|
||||
$ip6t -A INPUT -m conntrack --ctstate RELATED -m helper --helper ftp -i $_dev -p tcp --dport 1024: -j ACCEPT
|
||||
done
|
||||
|
||||
echo_done
|
||||
|
||||
|
||||
#echononl "\t\tFTP out only"
|
||||
#
|
||||
#for _dev in ${ext_if_arr[@]} ; do
|
||||
# # (Datenkanal aktiv)
|
||||
# $ip6t -A INPUT -i $_dev -p tcp --sport 20 -m state --state NEW -j ACCEPT
|
||||
@ -1257,36 +1261,54 @@ done
|
||||
# $ip6t -A FORWARD -o $_dev -p tcp --dport 21 -m state --state NEW -j ACCEPT
|
||||
# fi
|
||||
#done
|
||||
|
||||
echo_done
|
||||
#
|
||||
#echo_done
|
||||
|
||||
|
||||
# ---
|
||||
# - FTP Server"
|
||||
# ---
|
||||
|
||||
echononl "\t\tFTP Server"
|
||||
echononl "\t\tFTP Server (using CT target)"
|
||||
|
||||
if [[ ${#ftp_server_ip_arr[@]} -gt 0 ]] || [[ ${#forward_ftp_server_ip_arr[@]} -gt 0 ]] ; then
|
||||
|
||||
# - (Re)define helper
|
||||
# -
|
||||
# - !! Note: !!
|
||||
# - for both, local FTP server (ftp_server_ip_arr)
|
||||
# - and forward to FTP server (forward_ftp_server_ip_arr)
|
||||
# -
|
||||
$ip6t -A PREROUTING -t raw -p tcp --dport 21 -j CT --helper ftp
|
||||
|
||||
if [[ ${#ftp_server_ip_arr[@]} -gt 0 ]] ; then
|
||||
|
||||
for _ip in ${ftp_server_ip_arr[@]} ; do
|
||||
# (Datenkanal aktiv)
|
||||
$ip6t -A OUTPUT -p tcp -s $_ip --sport 20 -m state --state NEW -j ACCEPT
|
||||
# Datenkanal (passiver modus)
|
||||
$ip6t -A INPUT -p tcp -d $_ip --dport $unprivports --sport $unprivports -m state --state NEW -j ACCEPT
|
||||
# - Kontrollverbindung
|
||||
$ip6t -A INPUT -p tcp -d $_ip --dport 21 --sport $unprivports -m state --state NEW -j ACCEPT
|
||||
|
||||
# - Accept initial FTP connection
|
||||
# -
|
||||
$ip6t -A INPUT -i $_dev -p tcp -d $_ip --dport 21 -m state --state NEW -j ACCEPT
|
||||
|
||||
# - Accept (helper ftp) related connections
|
||||
# -
|
||||
$ip6t -A INPUT -m conntrack --ctstate RELATED -m helper --helper ftp -d $_ip -p tcp --dport 1024: -j ACCEPT
|
||||
|
||||
done
|
||||
fi
|
||||
|
||||
if [[ ${#forward_ftp_server_ip_arr[@]} -gt 0 ]] && $kernel_forward_between_interfaces ; then
|
||||
|
||||
for _ip in ${forward_ftp_server_ip_arr[@]} ; do
|
||||
# (Datenkanal aktiv)
|
||||
$ip6t -A FORWARD -p tcp -s $_ip --sport 20 -m state --state NEW -j ACCEPT
|
||||
# Datenkanal (passiver modus)
|
||||
$ip6t -A FORWARD -p tcp -d $_ip --dport $unprivports --sport $unprivports -m state --state NEW -j ACCEPT
|
||||
# - Kontrollverbindung
|
||||
|
||||
# - Accept initial FTP connection
|
||||
# -
|
||||
$ip6t -A FORWARD -p tcp -d $_ip --dport 21 --sport $unprivports -m state --state NEW -j ACCEPT
|
||||
|
||||
# - Accept (helper ftp) related connections
|
||||
# -
|
||||
$ip6t -A INPUT -m conntrack --ctstate RELATED -m helper --helper ftp -d $_ip -p tcp --dport 1024: -j ACCEPT
|
||||
$ip6t -A OUTPUT -m conntrack --ctstate RELATED -m helper --helper ftp -d $_ip -p tcp --dport 1024: -j ACCEPT
|
||||
|
||||
done
|
||||
fi
|
||||
|
||||
@ -1296,6 +1318,37 @@ else
|
||||
fi
|
||||
|
||||
|
||||
#echononl "\t\tFTP Server"
|
||||
#
|
||||
#if [[ ${#ftp_server_ip_arr[@]} -gt 0 ]] || [[ ${#forward_ftp_server_ip_arr[@]} -gt 0 ]] ; then
|
||||
# if [[ ${#ftp_server_ip_arr[@]} -gt 0 ]] ; then
|
||||
# for _ip in ${ftp_server_ip_arr[@]} ; do
|
||||
# # (Datenkanal aktiv)
|
||||
# $ip6t -A OUTPUT -p tcp -s $_ip --sport 20 -m state --state NEW -j ACCEPT
|
||||
# # Datenkanal (passiver modus)
|
||||
# $ip6t -A INPUT -p tcp -d $_ip --dport $unprivports --sport $unprivports -m state --state NEW -j ACCEPT
|
||||
# # - Kontrollverbindung
|
||||
# $ip6t -A INPUT -p tcp -d $_ip --dport 21 --sport $unprivports -m state --state NEW -j ACCEPT
|
||||
# done
|
||||
# fi
|
||||
#
|
||||
# if [[ ${#forward_ftp_server_ip_arr[@]} -gt 0 ]] && $kernel_forward_between_interfaces ; then
|
||||
# for _ip in ${forward_ftp_server_ip_arr[@]} ; do
|
||||
# # (Datenkanal aktiv)
|
||||
# $ip6t -A FORWARD -p tcp -s $_ip --sport 20 -m state --state NEW -j ACCEPT
|
||||
# # Datenkanal (passiver modus)
|
||||
# $ip6t -A FORWARD -p tcp -d $_ip --dport $unprivports --sport $unprivports -m state --state NEW -j ACCEPT
|
||||
# # - Kontrollverbindung
|
||||
# $ip6t -A FORWARD -p tcp -d $_ip --dport 21 --sport $unprivports -m state --state NEW -j ACCEPT
|
||||
# done
|
||||
# fi
|
||||
#
|
||||
# echo_done
|
||||
#else
|
||||
# echo_skipped
|
||||
#fi
|
||||
|
||||
|
||||
# ---
|
||||
# - Mumble Service
|
||||
# ---
|
||||
|
||||
@ -1508,7 +1508,7 @@ fi
|
||||
# - FTP out only"
|
||||
# ---
|
||||
|
||||
echononl "\t\tFTP out only"
|
||||
echononl "\t\tFTP out only (using CT target)"
|
||||
|
||||
# - (Re)define helper
|
||||
# -
|
||||
@ -1518,14 +1518,17 @@ for _dev in ${ext_if_arr[@]} ; do
|
||||
|
||||
# - Open FTP connection
|
||||
$ipt -A OUTPUT -o $_dev -p tcp --dport 21 -m state --state NEW -j ACCEPT
|
||||
#
|
||||
|
||||
# - Accept (helper ftp) related connections
|
||||
# -
|
||||
$ipt -A OUTPUT -m conntrack --ctstate RELATED -m helper --helper ftp -o $_dev -p tcp --dport 1024: -j ACCEPT
|
||||
$ipt -A INPUT -m conntrack --ctstate RELATED -m helper --helper ftp -i $_dev -p tcp --dport 1024: -j ACCEPT
|
||||
done
|
||||
|
||||
echo_done
|
||||
|
||||
|
||||
#echononl "\t\tFTP out only"
|
||||
#
|
||||
#for _dev in ${ext_if_arr[@]} ; do
|
||||
# # (Datenkanal aktiv)
|
||||
# $ipt -A INPUT -i $_dev -p tcp --sport 20 -m state --state NEW -j ACCEPT
|
||||
@ -1542,36 +1545,54 @@ done
|
||||
# $ipt -A FORWARD -o $_dev -p tcp --dport 21 -m state --state NEW -j ACCEPT
|
||||
# fi
|
||||
#done
|
||||
|
||||
echo_done
|
||||
#
|
||||
#echo_done
|
||||
|
||||
|
||||
# ---
|
||||
# - FTP Server"
|
||||
# ---
|
||||
|
||||
echononl "\t\tFTP Server"
|
||||
echononl "\t\tFTP Server (using CT target)"
|
||||
|
||||
if [[ ${#ftp_server_ip_arr[@]} -gt 0 ]] || [[ ${#forward_ftp_server_ip_arr[@]} -gt 0 ]] ; then
|
||||
|
||||
# - (Re)define helper
|
||||
# -
|
||||
# - !! Note: !!
|
||||
# - for both, local FTP server (ftp_server_ip_arr)
|
||||
# - and forward to FTP server (forward_ftp_server_ip_arr)
|
||||
# -
|
||||
$ipt -A PREROUTING -t raw -p tcp --dport 21 -j CT --helper ftp
|
||||
|
||||
if [[ ${#ftp_server_ip_arr[@]} -gt 0 ]] ; then
|
||||
|
||||
for _ip in ${ftp_server_ip_arr[@]} ; do
|
||||
# (Datenkanal aktiv)
|
||||
$ipt -A OUTPUT -p tcp -s $_ip --sport 20 -m state --state NEW -j ACCEPT
|
||||
# Datenkanal (passiver modus)
|
||||
$ipt -A INPUT -p tcp -d $_ip --dport $unprivports --sport $unprivports -m state --state NEW -j ACCEPT
|
||||
# - Kontrollverbindung
|
||||
$ipt -A INPUT -p tcp -d $_ip --dport 21 --sport $unprivports -m state --state NEW -j ACCEPT
|
||||
|
||||
# - Accept initial FTP connection
|
||||
# -
|
||||
$ipt -A INPUT -i $_dev -p tcp -d $_ip --dport 21 -m state --state NEW -j ACCEPT
|
||||
|
||||
# - Accept (helper ftp) related connections
|
||||
# -
|
||||
$ipt -A INPUT -m conntrack --ctstate RELATED -m helper --helper ftp -d $_ip -p tcp --dport 1024: -j ACCEPT
|
||||
|
||||
done
|
||||
fi
|
||||
|
||||
if [[ ${#forward_ftp_server_ip_arr[@]} -gt 0 ]] && $kernel_activate_forwarding ; then
|
||||
|
||||
for _ip in ${forward_ftp_server_ip_arr[@]} ; do
|
||||
# (Datenkanal aktiv)
|
||||
$ipt -A FORWARD -p tcp -s $_ip --sport 20 -m state --state NEW -j ACCEPT
|
||||
# Datenkanal (passiver modus)
|
||||
$ipt -A FORWARD -p tcp -d $_ip --dport $unprivports --sport $unprivports -m state --state NEW -j ACCEPT
|
||||
# - Kontrollverbindung
|
||||
|
||||
# - Accept initial FTP connection
|
||||
# -
|
||||
$ipt -A FORWARD -p tcp -d $_ip --dport 21 --sport $unprivports -m state --state NEW -j ACCEPT
|
||||
|
||||
# - Accept (helper ftp) related connections
|
||||
# -
|
||||
$ipt -A INPUT -m conntrack --ctstate RELATED -m helper --helper ftp -d $_ip -p tcp --dport 1024: -j ACCEPT
|
||||
$ipt -A OUTPUT -m conntrack --ctstate RELATED -m helper --helper ftp -d $_ip -p tcp --dport 1024: -j ACCEPT
|
||||
|
||||
done
|
||||
fi
|
||||
|
||||
@ -1580,6 +1601,36 @@ else
|
||||
echo_skipped
|
||||
fi
|
||||
|
||||
#echononl "\t\tFTP Server"
|
||||
#
|
||||
#if [[ ${#ftp_server_ip_arr[@]} -gt 0 ]] || [[ ${#forward_ftp_server_ip_arr[@]} -gt 0 ]] ; then
|
||||
# if [[ ${#ftp_server_ip_arr[@]} -gt 0 ]] ; then
|
||||
# for _ip in ${ftp_server_ip_arr[@]} ; do
|
||||
# # (Datenkanal aktiv)
|
||||
# $ipt -A OUTPUT -p tcp -s $_ip --sport 20 -m state --state NEW -j ACCEPT
|
||||
# # Datenkanal (passiver modus)
|
||||
# $ipt -A INPUT -p tcp -d $_ip --dport $unprivports --sport $unprivports -m state --state NEW -j ACCEPT
|
||||
# # - Kontrollverbindung
|
||||
# $ipt -A INPUT -p tcp -d $_ip --dport 21 --sport $unprivports -m state --state NEW -j ACCEPT
|
||||
# done
|
||||
# fi
|
||||
#
|
||||
# if [[ ${#forward_ftp_server_ip_arr[@]} -gt 0 ]] && $kernel_activate_forwarding ; then
|
||||
# for _ip in ${forward_ftp_server_ip_arr[@]} ; do
|
||||
# # (Datenkanal aktiv)
|
||||
# $ipt -A FORWARD -p tcp -s $_ip --sport 20 -m state --state NEW -j ACCEPT
|
||||
# # Datenkanal (passiver modus)
|
||||
# $ipt -A FORWARD -p tcp -d $_ip --dport $unprivports --sport $unprivports -m state --state NEW -j ACCEPT
|
||||
# # - Kontrollverbindung
|
||||
# $ipt -A FORWARD -p tcp -d $_ip --dport 21 --sport $unprivports -m state --state NEW -j ACCEPT
|
||||
# done
|
||||
# fi
|
||||
#
|
||||
# echo_done
|
||||
#else
|
||||
# echo_skipped
|
||||
#fi
|
||||
|
||||
|
||||
# ---
|
||||
# - Mumble Service
|
||||
|
||||
Loading…
Reference in New Issue
Block a user