From 19bfef7e717f3c81f83b52c747c580585aab5db3 Mon Sep 17 00:00:00 2001 From: Christoph Date: Mon, 25 Feb 2019 01:13:58 +0100 Subject: [PATCH] Use CT target also for incomming ftp connections. --- ip6t-firewall-server | 85 +++++++++++++++++++++++++++++++++++--------- ipt-firewall-server | 85 +++++++++++++++++++++++++++++++++++--------- 2 files changed, 137 insertions(+), 33 deletions(-) diff --git a/ip6t-firewall-server b/ip6t-firewall-server index fe78c97..3e6c30a 100755 --- a/ip6t-firewall-server +++ b/ip6t-firewall-server @@ -1224,7 +1224,7 @@ fi # - FTP out only" # --- -echononl "\t\tFTP out only" +echononl "\t\tFTP out only (using CT target)" # - (Re)define helper # - @@ -1238,9 +1238,13 @@ for _dev in ${ext_if_arr[@]} ; do # - Accept (helper ftp) related connections # - $ip6t -A OUTPUT -m conntrack --ctstate RELATED -m helper --helper ftp -o $_dev -p tcp --dport 1024: -j ACCEPT - $ip6t -A INPUT -m conntrack --ctstate RELATED -m helper --helper ftp -i $_dev -p tcp --dport 1024: -j ACCEPT done +echo_done + + +#echononl "\t\tFTP out only" +# #for _dev in ${ext_if_arr[@]} ; do # # (Datenkanal aktiv) # $ip6t -A INPUT -i $_dev -p tcp --sport 20 -m state --state NEW -j ACCEPT 
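Review bot: Removing the `$ip6t -A INPUT -m conntrack --ctstate RELATED -m helper --helper ftp -i $_dev -p tcp --dport 1024: -j ACCEPT` line from the "FTP out only" loop drops acceptance of the data connection a remote server opens back to this host in active mode; with the ftp helper attached that connection would arrive on INPUT as RELATED, so after this change only passive transfers work unless another INPUT rule already covers it. If passive-only is the intent, the comment above the loop should say so, e.g. `# - Passive mode only: inbound data connections are not accepted`; otherwise the removed line should stay. The same deletion is made in ipt-firewall-server in the hunk at @@ -1518. The enclosing `for _dev` loop starts before this hunk.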
@@ -1257,36 +1261,54 @@ done # $ip6t -A FORWARD -o $_dev -p tcp --dport 21 -m state --state NEW -j ACCEPT # fi #done - -echo_done +# +#echo_done # --- # - FTP Server" # --- -echononl "\t\tFTP Server" +echononl "\t\tFTP Server (using CT target)" if [[ ${#ftp_server_ip_arr[@]} -gt 0 ]] || [[ ${#forward_ftp_server_ip_arr[@]} -gt 0 ]] ; then + + # - (Re)define helper + # - + # - !! Note: !! + # - for both, local FTP server (ftp_server_ip_arr) + # - and forward to FTP server (forward_ftp_server_ip_arr) + # - + $ip6t -A PREROUTING -t raw -p tcp --dport 21 -j CT --helper ftp + if [[ ${#ftp_server_ip_arr[@]} -gt 0 ]] ; then + for _ip in ${ftp_server_ip_arr[@]} ; do - # (Datenkanal aktiv) - $ip6t -A OUTPUT -p tcp -s $_ip --sport 20 -m state --state NEW -j ACCEPT - # Datenkanal (passiver modus) - $ip6t -A INPUT -p tcp -d $_ip --dport $unprivports --sport $unprivports -m state --state NEW -j ACCEPT - # - Kontrollverbindung - $ip6t -A INPUT -p tcp -d $_ip --dport 21 --sport $unprivports -m state --state NEW -j ACCEPT + + # - Accept initial FTP connection + # - + $ip6t -A INPUT -i $_dev -p tcp -d $_ip --dport 21 -m state --state NEW -j ACCEPT + + # - Accept (helper ftp) related connections + # - + $ip6t -A INPUT -m conntrack --ctstate RELATED -m helper --helper ftp -d $_ip -p tcp --dport 1024: -j ACCEPT + done fi if [[ ${#forward_ftp_server_ip_arr[@]} -gt 0 ]] && $kernel_forward_between_interfaces ; then + for _ip in ${forward_ftp_server_ip_arr[@]} ; do - # (Datenkanal aktiv) - $ip6t -A FORWARD -p tcp -s $_ip --sport 20 -m state --state NEW -j ACCEPT - # Datenkanal (passiver modus) - $ip6t -A FORWARD -p tcp -d $_ip --dport $unprivports --sport $unprivports -m state --state NEW -j ACCEPT - # - Kontrollverbindung + + # - Accept initial FTP connection + # - $ip6t -A FORWARD -p tcp -d $_ip --dport 21 --sport $unprivports -m state --state NEW -j ACCEPT + + # - Accept (helper ftp) related connections + # - + $ip6t -A INPUT -m conntrack --ctstate RELATED -m helper --helper ftp -d $_ip 
-p tcp --dport 1024: -j ACCEPT + $ip6t -A OUTPUT -m conntrack --ctstate RELATED -m helper --helper ftp -d $_ip -p tcp --dport 1024: -j ACCEPT + done fi @@ -1296,6 +1318,37 @@ else fi +#echononl "\t\tFTP Server" +# +#if [[ ${#ftp_server_ip_arr[@]} -gt 0 ]] || [[ ${#forward_ftp_server_ip_arr[@]} -gt 0 ]] ; then +# if [[ ${#ftp_server_ip_arr[@]} -gt 0 ]] ; then +# for _ip in ${ftp_server_ip_arr[@]} ; do +# # (Datenkanal aktiv) +# $ip6t -A OUTPUT -p tcp -s $_ip --sport 20 -m state --state NEW -j ACCEPT +# # Datenkanal (passiver modus) +# $ip6t -A INPUT -p tcp -d $_ip --dport $unprivports --sport $unprivports -m state --state NEW -j ACCEPT +# # - Kontrollverbindung +# $ip6t -A INPUT -p tcp -d $_ip --dport 21 --sport $unprivports -m state --state NEW -j ACCEPT +# done +# fi +# +# if [[ ${#forward_ftp_server_ip_arr[@]} -gt 0 ]] && $kernel_forward_between_interfaces ; then +# for _ip in ${forward_ftp_server_ip_arr[@]} ; do +# # (Datenkanal aktiv) +# $ip6t -A FORWARD -p tcp -s $_ip --sport 20 -m state --state NEW -j ACCEPT +# # Datenkanal (passiver modus) +# $ip6t -A FORWARD -p tcp -d $_ip --dport $unprivports --sport $unprivports -m state --state NEW -j ACCEPT +# # - Kontrollverbindung +# $ip6t -A FORWARD -p tcp -d $_ip --dport 21 --sport $unprivports -m state --state NEW -j ACCEPT +# done +# fi +# +# echo_done +#else +# echo_skipped +#fi + + # --- # - Mumble Service # --- diff --git a/ipt-firewall-server b/ipt-firewall-server index 831d2e6..4e6223f 100755 --- a/ipt-firewall-server +++ b/ipt-firewall-server @@ -1508,7 +1508,7 @@ fi # - FTP out only" # --- -echononl "\t\tFTP out only" +echononl "\t\tFTP out only (using CT target)" # - (Re)define helper # - 
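Review bot: In the `forward_ftp_server_ip_arr` loop the two helper-related accept rules are appended to INPUT and OUTPUT (`$ip6t -A INPUT ... -d $_ip` and `$ip6t -A OUTPUT ... -d $_ip`) while the control connection is accepted in FORWARD; traffic to a forwarded server traverses FORWARD, not INPUT/OUTPUT, so these rules will not match the data connections and should be `-A FORWARD`, plus a `-s $_ip` variant for active-mode transfers the server initiates. In the local-server loop the new `-i $_dev` uses a variable this `for _ip` loop never sets; it appears to hold whatever the earlier `for _dev in ${ext_if_arr[@]}` loop left behind (or nothing), so the port-21 rule is bound to one stale interface — either iterate over `ext_if_arr` or drop `-i`. That block also lost the old `--sport 20` OUTPUT rule for active-mode data from the local server; unless OUTPUT is already permissive for it, a RELATED/helper rule with `-s $_ip` is needed. The raw-table `-j CT --helper ftp` rule is attached to every port-21 connection rather than to `-d $_ip`, so the helper parses control traffic for hosts that are not FTP servers; scoping it to the configured server addresses limits what the helper has to parse. The same issues are in ipt-firewall-server in the hunk at @@ -1542; the fence shows the ip6t version.
```shell
    if [[ ${#ftp_server_ip_arr[@]} -gt 0 ]] ; then
        for _ip in ${ftp_server_ip_arr[@]} ; do
            # - Accept initial FTP connection on every external interface
            for _dev in ${ext_if_arr[@]} ; do
                $ip6t -A INPUT -i $_dev -p tcp -d $_ip --dport 21 -m state --state NEW -j ACCEPT
            done
            # - Passive data channel (client -> server) and active data
            # - channel (server -> client), both tracked RELATED by the helper
            $ip6t -A INPUT  -m conntrack --ctstate RELATED -m helper --helper ftp -d $_ip -p tcp --dport 1024: -j ACCEPT
            $ip6t -A OUTPUT -m conntrack --ctstate RELATED -m helper --helper ftp -s $_ip -p tcp -j ACCEPT
        done
    fi
    # … unchanged: forward_ftp_server_ip_arr guard and control-connection FORWARD rule …
            # - Related data connections for a forwarded server traverse FORWARD
            $ip6t -A FORWARD -m conntrack --ctstate RELATED -m helper --helper ftp -d $_ip -p tcp --dport 1024: -j ACCEPT
            $ip6t -A FORWARD -m conntrack --ctstate RELATED -m helper --helper ftp -s $_ip -p tcp -j ACCEPT
```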
@@ -1518,14 +1518,17 @@ for _dev in ${ext_if_arr[@]} ; do # - Open FTP connection $ipt -A OUTPUT -o $_dev -p tcp --dport 21 -m state --state NEW -j ACCEPT -# + # - Accept (helper ftp) related connections # - $ipt -A OUTPUT -m conntrack --ctstate RELATED -m helper --helper ftp -o $_dev -p tcp --dport 1024: -j ACCEPT - $ipt -A INPUT -m conntrack --ctstate RELATED -m helper --helper ftp -i $_dev -p tcp --dport 1024: -j ACCEPT done +echo_done + +#echononl "\t\tFTP out only" +# #for _dev in ${ext_if_arr[@]} ; do # # (Datenkanal aktiv) # $ipt -A INPUT -i $_dev -p tcp --sport 20 -m state --state NEW -j ACCEPT 
@@ -1542,36 +1545,54 @@ done # $ipt -A FORWARD -o $_dev -p tcp --dport 21 -m state --state NEW -j ACCEPT # fi #done - -echo_done +# +#echo_done # --- # - FTP Server" # --- -echononl "\t\tFTP Server" +echononl "\t\tFTP Server (using CT target)" if [[ ${#ftp_server_ip_arr[@]} -gt 0 ]] || [[ ${#forward_ftp_server_ip_arr[@]} -gt 0 ]] ; then + + # - (Re)define helper + # - + # - !! Note: !! + # - for both, local FTP server (ftp_server_ip_arr) + # - and forward to FTP server (forward_ftp_server_ip_arr) + # - + $ipt -A PREROUTING -t raw -p tcp --dport 21 -j CT --helper ftp + if [[ ${#ftp_server_ip_arr[@]} -gt 0 ]] ; then + for _ip in ${ftp_server_ip_arr[@]} ; do - # (Datenkanal aktiv) - $ipt -A OUTPUT -p tcp -s $_ip --sport 20 -m state --state NEW -j ACCEPT - # Datenkanal (passiver modus) - $ipt -A INPUT -p tcp -d $_ip --dport $unprivports --sport $unprivports -m state --state NEW -j ACCEPT - # - Kontrollverbindung - $ipt -A INPUT -p tcp -d $_ip --dport 21 --sport $unprivports -m state --state NEW -j ACCEPT + + # - Accept initial FTP connection + # - + $ipt -A INPUT -i $_dev -p tcp -d $_ip --dport 21 -m state --state NEW -j ACCEPT + + # - Accept (helper ftp) related connections + # - + $ipt -A INPUT -m conntrack --ctstate RELATED -m helper --helper ftp -d $_ip -p tcp --dport 1024: -j ACCEPT + done fi if [[ ${#forward_ftp_server_ip_arr[@]} -gt 0 ]] && $kernel_activate_forwarding ; then + for _ip in ${forward_ftp_server_ip_arr[@]} ; do - # (Datenkanal aktiv) - $ipt -A FORWARD -p tcp -s $_ip --sport 20 -m state --state NEW -j ACCEPT - # Datenkanal (passiver modus) - $ipt -A FORWARD -p tcp -d $_ip --dport $unprivports --sport $unprivports -m state --state NEW -j ACCEPT - # - Kontrollverbindung + + # - Accept initial FTP connection + # - $ipt -A FORWARD -p tcp -d $_ip --dport 21 --sport $unprivports -m state --state NEW -j ACCEPT + + # - Accept (helper ftp) related connections + # - + $ipt -A INPUT -m conntrack --ctstate RELATED -m helper --helper ftp -d $_ip -p tcp --dport 
1024: -j ACCEPT + $ipt -A OUTPUT -m conntrack --ctstate RELATED -m helper --helper ftp -d $_ip -p tcp --dport 1024: -j ACCEPT + done fi @@ -1580,6 +1601,36 @@ else echo_skipped fi +#echononl "\t\tFTP Server" +# +#if [[ ${#ftp_server_ip_arr[@]} -gt 0 ]] || [[ ${#forward_ftp_server_ip_arr[@]} -gt 0 ]] ; then +# if [[ ${#ftp_server_ip_arr[@]} -gt 0 ]] ; then +# for _ip in ${ftp_server_ip_arr[@]} ; do +# # (Datenkanal aktiv) +# $ipt -A OUTPUT -p tcp -s $_ip --sport 20 -m state --state NEW -j ACCEPT +# # Datenkanal (passiver modus) +# $ipt -A INPUT -p tcp -d $_ip --dport $unprivports --sport $unprivports -m state --state NEW -j ACCEPT +# # - Kontrollverbindung +# $ipt -A INPUT -p tcp -d $_ip --dport 21 --sport $unprivports -m state --state NEW -j ACCEPT +# done +# fi +# +# if [[ ${#forward_ftp_server_ip_arr[@]} -gt 0 ]] && $kernel_activate_forwarding ; then +# for _ip in ${forward_ftp_server_ip_arr[@]} ; do +# # (Datenkanal aktiv) +# $ipt -A FORWARD -p tcp -s $_ip --sport 20 -m state --state NEW -j ACCEPT +# # Datenkanal (passiver modus) +# $ipt -A FORWARD -p tcp -d $_ip --dport $unprivports --sport $unprivports -m state --state NEW -j ACCEPT +# # - Kontrollverbindung +# $ipt -A FORWARD -p tcp -d $_ip --dport 21 --sport $unprivports -m state --state NEW -j ACCEPT +# done +# fi +# +# echo_done +#else +# echo_skipped +#fi + # --- # - Mumble Service