Use CT target also for incoming ftp connections.

This commit is contained in:
Christoph 2019-02-25 01:13:58 +01:00
parent 7a024c025e
commit 19bfef7e71
2 changed files with 137 additions and 33 deletions


@ -1224,7 +1224,7 @@ fi
# - FTP out only" # - FTP out only"
# --- # ---
echononl "\t\tFTP out only" echononl "\t\tFTP out only (using CT target)"
# - (Re)define helper # - (Re)define helper
# - # -
@ -1238,9 +1238,13 @@ for _dev in ${ext_if_arr[@]} ; do
# - Accept (helper ftp) related connections # - Accept (helper ftp) related connections
# - # -
$ip6t -A OUTPUT -m conntrack --ctstate RELATED -m helper --helper ftp -o $_dev -p tcp --dport 1024: -j ACCEPT $ip6t -A OUTPUT -m conntrack --ctstate RELATED -m helper --helper ftp -o $_dev -p tcp --dport 1024: -j ACCEPT
$ip6t -A INPUT -m conntrack --ctstate RELATED -m helper --helper ftp -i $_dev -p tcp --dport 1024: -j ACCEPT
done done
echo_done
#echononl "\t\tFTP out only"
#
#for _dev in ${ext_if_arr[@]} ; do #for _dev in ${ext_if_arr[@]} ; do
# # (Datenkanal aktiv) # # (Datenkanal aktiv)
# $ip6t -A INPUT -i $_dev -p tcp --sport 20 -m state --state NEW -j ACCEPT # $ip6t -A INPUT -i $_dev -p tcp --sport 20 -m state --state NEW -j ACCEPT
@ -1257,36 +1261,54 @@ done
# $ip6t -A FORWARD -o $_dev -p tcp --dport 21 -m state --state NEW -j ACCEPT # $ip6t -A FORWARD -o $_dev -p tcp --dport 21 -m state --state NEW -j ACCEPT
# fi # fi
#done #done
#
echo_done #echo_done
# --- # ---
# - FTP Server" # - FTP Server"
# --- # ---
echononl "\t\tFTP Server" echononl "\t\tFTP Server (using CT target)"
if [[ ${#ftp_server_ip_arr[@]} -gt 0 ]] || [[ ${#forward_ftp_server_ip_arr[@]} -gt 0 ]] ; then if [[ ${#ftp_server_ip_arr[@]} -gt 0 ]] || [[ ${#forward_ftp_server_ip_arr[@]} -gt 0 ]] ; then
# - (Re)define helper
# -
# - !! Note: !!
# - for both, local FTP server (ftp_server_ip_arr)
# - and forward to FTP server (forward_ftp_server_ip_arr)
# -
$ip6t -A PREROUTING -t raw -p tcp --dport 21 -j CT --helper ftp
if [[ ${#ftp_server_ip_arr[@]} -gt 0 ]] ; then if [[ ${#ftp_server_ip_arr[@]} -gt 0 ]] ; then
for _ip in ${ftp_server_ip_arr[@]} ; do for _ip in ${ftp_server_ip_arr[@]} ; do
# (Datenkanal aktiv)
$ip6t -A OUTPUT -p tcp -s $_ip --sport 20 -m state --state NEW -j ACCEPT # - Accept initial FTP connection
# Datenkanal (passiver modus) # -
$ip6t -A INPUT -p tcp -d $_ip --dport $unprivports --sport $unprivports -m state --state NEW -j ACCEPT $ip6t -A INPUT -i $_dev -p tcp -d $_ip --dport 21 -m state --state NEW -j ACCEPT
# - Kontrollverbindung
$ip6t -A INPUT -p tcp -d $_ip --dport 21 --sport $unprivports -m state --state NEW -j ACCEPT # - Accept (helper ftp) related connections
# -
$ip6t -A INPUT -m conntrack --ctstate RELATED -m helper --helper ftp -d $_ip -p tcp --dport 1024: -j ACCEPT
done done
fi fi
if [[ ${#forward_ftp_server_ip_arr[@]} -gt 0 ]] && $kernel_forward_between_interfaces ; then if [[ ${#forward_ftp_server_ip_arr[@]} -gt 0 ]] && $kernel_forward_between_interfaces ; then
for _ip in ${forward_ftp_server_ip_arr[@]} ; do for _ip in ${forward_ftp_server_ip_arr[@]} ; do
# (Datenkanal aktiv)
$ip6t -A FORWARD -p tcp -s $_ip --sport 20 -m state --state NEW -j ACCEPT # - Accept initial FTP connection
# Datenkanal (passiver modus) # -
$ip6t -A FORWARD -p tcp -d $_ip --dport $unprivports --sport $unprivports -m state --state NEW -j ACCEPT
# - Kontrollverbindung
$ip6t -A FORWARD -p tcp -d $_ip --dport 21 --sport $unprivports -m state --state NEW -j ACCEPT $ip6t -A FORWARD -p tcp -d $_ip --dport 21 --sport $unprivports -m state --state NEW -j ACCEPT
# - Accept (helper ftp) related connections
# -
$ip6t -A INPUT -m conntrack --ctstate RELATED -m helper --helper ftp -d $_ip -p tcp --dport 1024: -j ACCEPT
$ip6t -A OUTPUT -m conntrack --ctstate RELATED -m helper --helper ftp -d $_ip -p tcp --dport 1024: -j ACCEPT
done done
fi fi
@ -1296,6 +1318,37 @@ else
fi fi
#echononl "\t\tFTP Server"
#
#if [[ ${#ftp_server_ip_arr[@]} -gt 0 ]] || [[ ${#forward_ftp_server_ip_arr[@]} -gt 0 ]] ; then
# if [[ ${#ftp_server_ip_arr[@]} -gt 0 ]] ; then
# for _ip in ${ftp_server_ip_arr[@]} ; do
# # (Datenkanal aktiv)
# $ip6t -A OUTPUT -p tcp -s $_ip --sport 20 -m state --state NEW -j ACCEPT
# # Datenkanal (passiver modus)
# $ip6t -A INPUT -p tcp -d $_ip --dport $unprivports --sport $unprivports -m state --state NEW -j ACCEPT
# # - Kontrollverbindung
# $ip6t -A INPUT -p tcp -d $_ip --dport 21 --sport $unprivports -m state --state NEW -j ACCEPT
# done
# fi
#
# if [[ ${#forward_ftp_server_ip_arr[@]} -gt 0 ]] && $kernel_forward_between_interfaces ; then
# for _ip in ${forward_ftp_server_ip_arr[@]} ; do
# # (Datenkanal aktiv)
# $ip6t -A FORWARD -p tcp -s $_ip --sport 20 -m state --state NEW -j ACCEPT
# # Datenkanal (passiver modus)
# $ip6t -A FORWARD -p tcp -d $_ip --dport $unprivports --sport $unprivports -m state --state NEW -j ACCEPT
# # - Kontrollverbindung
# $ip6t -A FORWARD -p tcp -d $_ip --dport 21 --sport $unprivports -m state --state NEW -j ACCEPT
# done
# fi
#
# echo_done
#else
# echo_skipped
#fi
# --- # ---
# - Mumble Service # - Mumble Service
# --- # ---
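Review bot: The new local-server control-channel rule `$ip6t -A INPUT -i $_dev -p tcp -d $_ip --dport 21 -m state --state NEW -j ACCEPT` references `$_dev`, but this loop only iterates `_ip`; `$_dev` is whatever the earlier `for _dev in ${ext_if_arr[@]}` loop left behind, so the rule binds to the last external interface only (or to an empty string if that array was empty), and it also drops the `--sport $unprivports` restriction the replaced rule had. Either nest it in a `for _dev in ${ext_if_arr[@]}` loop or restore the previous shape: `$ip6t -A INPUT -p tcp -d $_ip --dport 21 --sport $unprivports -m state --state NEW -j ACCEPT`. In the forwarded-server branch the RELATED accepts are appended to INPUT and OUTPUT, yet traffic to a forwarded server traverses FORWARD, so unless a generic RELATED rule exists elsewhere in the file the data connections for those hosts are not accepted here — `$ip6t -A FORWARD -m conntrack --ctstate RELATED -m helper --helper ftp -d $_ip -p tcp --dport 1024: -j ACCEPT` (plus the `-s $_ip` counterpart for active mode) is the chain that would match. The raw-table `CT --helper ftp` rule also attaches the helper to every port-21 packet on every interface rather than only to `-d $_ip` for the listed servers; restricting it keeps the helper's command parsing reachable only from traffic that is actually destined for those hosts.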


@ -1508,7 +1508,7 @@ fi
# - FTP out only" # - FTP out only"
# --- # ---
echononl "\t\tFTP out only" echononl "\t\tFTP out only (using CT target)"
# - (Re)define helper # - (Re)define helper
# - # -
@ -1518,14 +1518,17 @@ for _dev in ${ext_if_arr[@]} ; do
# - Open FTP connection # - Open FTP connection
$ipt -A OUTPUT -o $_dev -p tcp --dport 21 -m state --state NEW -j ACCEPT $ipt -A OUTPUT -o $_dev -p tcp --dport 21 -m state --state NEW -j ACCEPT
#
# - Accept (helper ftp) related connections # - Accept (helper ftp) related connections
# - # -
$ipt -A OUTPUT -m conntrack --ctstate RELATED -m helper --helper ftp -o $_dev -p tcp --dport 1024: -j ACCEPT $ipt -A OUTPUT -m conntrack --ctstate RELATED -m helper --helper ftp -o $_dev -p tcp --dport 1024: -j ACCEPT
$ipt -A INPUT -m conntrack --ctstate RELATED -m helper --helper ftp -i $_dev -p tcp --dport 1024: -j ACCEPT
done done
echo_done
#echononl "\t\tFTP out only"
#
#for _dev in ${ext_if_arr[@]} ; do #for _dev in ${ext_if_arr[@]} ; do
# # (Datenkanal aktiv) # # (Datenkanal aktiv)
# $ipt -A INPUT -i $_dev -p tcp --sport 20 -m state --state NEW -j ACCEPT # $ipt -A INPUT -i $_dev -p tcp --sport 20 -m state --state NEW -j ACCEPT
@ -1542,36 +1545,54 @@ done
# $ipt -A FORWARD -o $_dev -p tcp --dport 21 -m state --state NEW -j ACCEPT # $ipt -A FORWARD -o $_dev -p tcp --dport 21 -m state --state NEW -j ACCEPT
# fi # fi
#done #done
#
echo_done #echo_done
# --- # ---
# - FTP Server" # - FTP Server"
# --- # ---
echononl "\t\tFTP Server" echononl "\t\tFTP Server (using CT target)"
if [[ ${#ftp_server_ip_arr[@]} -gt 0 ]] || [[ ${#forward_ftp_server_ip_arr[@]} -gt 0 ]] ; then if [[ ${#ftp_server_ip_arr[@]} -gt 0 ]] || [[ ${#forward_ftp_server_ip_arr[@]} -gt 0 ]] ; then
# - (Re)define helper
# -
# - !! Note: !!
# - for both, local FTP server (ftp_server_ip_arr)
# - and forward to FTP server (forward_ftp_server_ip_arr)
# -
$ipt -A PREROUTING -t raw -p tcp --dport 21 -j CT --helper ftp
if [[ ${#ftp_server_ip_arr[@]} -gt 0 ]] ; then if [[ ${#ftp_server_ip_arr[@]} -gt 0 ]] ; then
for _ip in ${ftp_server_ip_arr[@]} ; do for _ip in ${ftp_server_ip_arr[@]} ; do
# (Datenkanal aktiv)
$ipt -A OUTPUT -p tcp -s $_ip --sport 20 -m state --state NEW -j ACCEPT # - Accept initial FTP connection
# Datenkanal (passiver modus) # -
$ipt -A INPUT -p tcp -d $_ip --dport $unprivports --sport $unprivports -m state --state NEW -j ACCEPT $ipt -A INPUT -i $_dev -p tcp -d $_ip --dport 21 -m state --state NEW -j ACCEPT
# - Kontrollverbindung
$ipt -A INPUT -p tcp -d $_ip --dport 21 --sport $unprivports -m state --state NEW -j ACCEPT # - Accept (helper ftp) related connections
# -
$ipt -A INPUT -m conntrack --ctstate RELATED -m helper --helper ftp -d $_ip -p tcp --dport 1024: -j ACCEPT
done done
fi fi
if [[ ${#forward_ftp_server_ip_arr[@]} -gt 0 ]] && $kernel_activate_forwarding ; then if [[ ${#forward_ftp_server_ip_arr[@]} -gt 0 ]] && $kernel_activate_forwarding ; then
for _ip in ${forward_ftp_server_ip_arr[@]} ; do for _ip in ${forward_ftp_server_ip_arr[@]} ; do
# (Datenkanal aktiv)
$ipt -A FORWARD -p tcp -s $_ip --sport 20 -m state --state NEW -j ACCEPT # - Accept initial FTP connection
# Datenkanal (passiver modus) # -
$ipt -A FORWARD -p tcp -d $_ip --dport $unprivports --sport $unprivports -m state --state NEW -j ACCEPT
# - Kontrollverbindung
$ipt -A FORWARD -p tcp -d $_ip --dport 21 --sport $unprivports -m state --state NEW -j ACCEPT $ipt -A FORWARD -p tcp -d $_ip --dport 21 --sport $unprivports -m state --state NEW -j ACCEPT
# - Accept (helper ftp) related connections
# -
$ipt -A INPUT -m conntrack --ctstate RELATED -m helper --helper ftp -d $_ip -p tcp --dport 1024: -j ACCEPT
$ipt -A OUTPUT -m conntrack --ctstate RELATED -m helper --helper ftp -d $_ip -p tcp --dport 1024: -j ACCEPT
done done
fi fi
@ -1580,6 +1601,36 @@ else
echo_skipped echo_skipped
fi fi
#echononl "\t\tFTP Server"
#
#if [[ ${#ftp_server_ip_arr[@]} -gt 0 ]] || [[ ${#forward_ftp_server_ip_arr[@]} -gt 0 ]] ; then
# if [[ ${#ftp_server_ip_arr[@]} -gt 0 ]] ; then
# for _ip in ${ftp_server_ip_arr[@]} ; do
# # (Datenkanal aktiv)
# $ipt -A OUTPUT -p tcp -s $_ip --sport 20 -m state --state NEW -j ACCEPT
# # Datenkanal (passiver modus)
# $ipt -A INPUT -p tcp -d $_ip --dport $unprivports --sport $unprivports -m state --state NEW -j ACCEPT
# # - Kontrollverbindung
# $ipt -A INPUT -p tcp -d $_ip --dport 21 --sport $unprivports -m state --state NEW -j ACCEPT
# done
# fi
#
# if [[ ${#forward_ftp_server_ip_arr[@]} -gt 0 ]] && $kernel_activate_forwarding ; then
# for _ip in ${forward_ftp_server_ip_arr[@]} ; do
# # (Datenkanal aktiv)
# $ipt -A FORWARD -p tcp -s $_ip --sport 20 -m state --state NEW -j ACCEPT
# # Datenkanal (passiver modus)
# $ipt -A FORWARD -p tcp -d $_ip --dport $unprivports --sport $unprivports -m state --state NEW -j ACCEPT
# # - Kontrollverbindung
# $ipt -A FORWARD -p tcp -d $_ip --dport 21 --sport $unprivports -m state --state NEW -j ACCEPT
# done
# fi
#
# echo_done
#else
# echo_skipped
#fi
# --- # ---
# - Mumble Service # - Mumble Service
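Review bot: The new local-server control-channel rule `$ipt -A INPUT -i $_dev -p tcp -d $_ip --dport 21 -m state --state NEW -j ACCEPT` uses `$_dev` inside a loop that only sets `_ip`; the value is a leftover from the earlier `for _dev in ${ext_if_arr[@]}` loop, so only the last external interface (or an empty string) is matched, and the `--sport $unprivports` restriction of the replaced rule is lost. Restoring the previous form, `$ipt -A INPUT -p tcp -d $_ip --dport 21 --sport $unprivports -m state --state NEW -j ACCEPT`, or wrapping the rule in its own `for _dev in ${ext_if_arr[@]}` loop would fix both. For forwarded servers the RELATED accepts are added to INPUT and OUTPUT although that traffic traverses FORWARD; unless a generic RELATED rule exists elsewhere in the file, `$ipt -A FORWARD -m conntrack --ctstate RELATED -m helper --helper ftp -d $_ip -p tcp --dport 1024: -j ACCEPT` (and the `-s $_ip` counterpart for active mode) is what would actually pass the data connections. The unrestricted raw-table `CT --helper ftp` rule likewise attaches the helper to all port-21 traffic rather than only `-d $_ip`; scoping it to the listed servers limits the helper's command-parsing exposure to traffic that is actually meant for them.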