From 3c896d7052535385efd731050b363d5ca0eec418 Mon Sep 17 00:00:00 2001
From: Christoph
Date: Sat, 2 Mar 2019 21:48:13 +0100
Subject: [PATCH] Add support for encrypted connections 'FTP out only'.
---
 ip6t-firewall-server | 60 ++++++++++++++++++++++++++++++--------------
 ipt-firewall-server | 26 +++++++++++++++++--
 2 files changed, 65 insertions(+), 21 deletions(-)
diff --git a/ip6t-firewall-server b/ip6t-firewall-server
index 2c60599..117e719 100755
--- a/ip6t-firewall-server
+++ b/ip6t-firewall-server
@@ -1290,14 +1290,36 @@ echononl "\t\tFTP out only (using CT target)"
 # -
 $ip6t -A OUTPUT -t raw -p tcp --dport 21 -j CT --helper ftp
+# - Used for different ftpdata recent lists 'ftp6data_out_$j'
+# -
+declare -i j=1
+
 for _dev in ${ext_if_arr[@]} ; do
- # - Open FTP connection
- $ip6t -A OUTPUT -o $_dev -p tcp --dport 21 -m state --state NEW -j ACCEPT
-#
+ # - (1)
+ # -
+ # - Open FTP connection and add the destination ip (--rdest) to ftpdata recent list 'ftpdata_out_$j'.
+ # -
+ $ip6t -A OUTPUT -o $_dev -p tcp --dport 21 -m state --state NEW \
+ -m recent --name ftp6data_out_$j --rdest --set -j ACCEPT
+
+ # - (2)
+ # - - Accept packets if the destination ip-address (--rdest) is in the 'ftpdata_$i' list (--update)
+ # - and the destination ip-address was seen within the last 1800 seconds (--seconds 1800).
+ # -
+ # - - If matched, the "last seen" timestamp of the destination address will be updated (--update).
+ # -
+ # - - Entries in the ftpdata list not seen in the last 1800 will be removed (--reap).
+ # -
+ $ip6t -A OUTPUT -o $_dev -p tcp -m state --state NEW --dport 1024: \
+ -m recent --name ftp6data_out_$j --rdest --update --seconds 1800 --reap -j ACCEPT
+
+ ((j++))
+
 # - Accept (helper ftp) related connections
 # -
 $ip6t -A OUTPUT -m conntrack --ctstate RELATED -m helper --helper ftp -o $_dev -p tcp --dport 1024: -j ACCEPT
+
 done
 echo_done
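Review bot: Rule (2) in this block accepts every NEW outbound TCP connection to any port from 1024 upward on a host whose address entered `ftp6data_out_$j` within the last 1800 seconds, which is far wider than the helper-based RELATED rule below it: any local process, not only the FTP client, can reach all high ports on that host for 30 minutes after a single control connection. That is presumably the accepted trade-off for TLS-protected FTP, where the conntrack helper cannot read the PORT/PASV exchange, but the block should say so, e.g. `# - NOTE: rule (2) opens all ports >= 1024 on recently contacted FTP servers for 1800 s, because the ftp helper cannot parse encrypted control channels`. The comment above rule (2) also names the list `'ftpdata_$i'` while both rules use `ftp6data_out_$j`; the same mismatch (`'ftpdata_$j'` vs `ftpdata_out_$j`) appears in the ipt-firewall-server hunk. The "FTP out only" section starts above this hunk; the `for` loop itself is complete within it.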
@@ -1333,7 +1355,7 @@ echononl "\t\tFTP Server (using CT target)"
 if [[ ${#ftp_server_ip_arr[@]} -gt 0 ]] || [[ ${#forward_ftp_server_ip_arr[@]} -gt 0 ]] ; then
- # - Used for different ftp6data recent lists 'ftp6data_$i'
+ # - Used for different ftpdata recent lists 'ftpdata_$i'
 # -
 declare -i i=1
@@ -1355,27 +1377,27 @@ if [[ ${#ftp_server_ip_arr[@]} -gt 0 ]] || [[ ${#forward_ftp_server_ip_arr[@]} -
 # - ======================================================
 # -
 # - Workaround:
- # - (1) add source ip to a 'recent list' named 'ftp6data_$i! if ftp control connections appear
- # - (2) accept packets of the formaly created recent list 'ftp6data_$i!
+ # - (1) add source ip to a 'recent list' named 'ftpdata_$i! if ftp control connections appear
+ # - (2) accept packets of the formaly created recent list 'ftpdata_$i!
 # -
 # =====
 # - (1)
 # -
- # - Accept initial FTP connection and add the source ip to ftpdata recent list 'ftp6data_$i'.
+ # - Accept initial FTP connection and add the source ip to ftpdata recent list 'ftpdata_$i'.
 # -
- $ip6t -A INPUT -p tcp -m state --state NEW -d $_ip --dport 21 -m recent --name ftp6data_$i --set -j ACCEPT
+ $ip6t -A INPUT -p tcp -m state --state NEW -d $_ip --dport 21 -m recent --name ftpdata_$i --set -j ACCEPT
 # - (2)
- # - - Accept packets if the source ip-address is in the 'ftp6data_$i' list (--update) and the
+ # - - Accept packets if the source ip-address is in the 'ftpdata_$i' list (--update) and the
 # - source ip-address was seen within the last 1800 seconds (--seconds 1800).
 # -
 # - - If matched, the "last seen" timestamp of the source address will be updated (--update).
 # -
- # - - Entries in the ftp6data list not seen in the last 1800 will be removed (--reap).
+ # - - Entries in the ftpdata list not seen in the last 1800 will be removed (--reap).
 # -
 $ip6t -A INPUT -p tcp -m state --state NEW --sport 1024: -d $_ip --dport $ftp_passive_port_range \
- -m recent --name ftp6data_$i --update --seconds 1800 --reap -j ACCEPT
+ -m recent --name ftpdata_$i --update --seconds 1800 --reap -j ACCEPT
 # - Accept (helper ftp) related connections
 # -
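Review bot: Renaming the IPv6 recent lists from `ftp6data_$i` to `ftpdata_$i` gives them exactly the names the IPv4 script uses for its own lists; as far as I recall, xt_recent looks a table up by name only and stores the address family per entry, so when both scripts run on the same host the two families would share one table, its `ip_list_tot` entry limit and the `--reap` expiry, which should be verified on the target kernel before relying on the rename. If sharing is not intended, keeping a family-specific prefix (as the old name did) avoids it; if it is intended, a one-line comment above `declare -i i=1` such as `# - NOTE: list name is shared with ipt-firewall-server (same xt_recent table)` would record that. The same rename is applied in the FORWARD hunk that follows. The enclosing `if` block and the loop that binds `$_ip` start before this hunk and end after it.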
@@ -1396,29 +1418,29 @@ if [[ ${#ftp_server_ip_arr[@]} -gt 0 ]] || [[ ${#forward_ftp_server_ip_arr[@]} -
 # - ======================================================
 # -
 # - Workaround:
- # - (1) add source ip to a 'recent list' named 'ftp6data_$i! if ftp control connections appear
- # - (2) accept packets of the formaly created recent list 'ftp6data_$i!
+ # - (1) add source ip to a 'recent list' named 'ftpdata_$i! if ftp control connections appear
+ # - (2) accept packets of the formaly created recent list 'ftpdata_$i!
 # -
 # =====
 # - (1)
 # -
- # - Accept initial FTP connection and add the source ip to ftpdata recent list 'ftp6data_$i'.
+ # - Accept initial FTP connection and add the source ip to ftpdata recent list 'ftpdata_$i'.
 # -
- $ip6t -A FORWARD -p tcp -m state --state NEW -d $_ip --dport 21 -m recent --name ftp6data_$i --set -j ACCEPT
+ $ip6t -A FORWARD -p tcp -m state --state NEW -d $_ip --dport 21 -m recent --name ftpdata_$i --set -j ACCEPT
 # - (2)
- # - - Accept packets if the source ip-address is in the 'ftp6data_$i' list (--update) and the
+ # - - Accept packets if the source ip-address is in the 'ftpdata_$i' list (--update) and the
 # - source ip-address was seen within the last 1800 seconds (--seconds 1800).
 # -
 # - - If matched, the "last seen" timestamp of the source address will be updated (--update).
 # -
- # - - Entries in the ftp6data list not seen in the last 1800 will be removed (--reap).
+ # - - Entries in the ftpdata list not seen in the last 1800 will be removed (--reap).
# -
 $ip6t -A FORWARD -p tcp -m state --state NEW --sport 1024: -d $_ip --dport $ftp_passive_port_range \
- -m recent --name ftp6data_$i --update --seconds 1800 --reap -j ACCEPT
+ -m recent --name ftpdata_$i --update --seconds 1800 --reap -j ACCEPT
 $ip6t -A FORWARD -p tcp -m state --state NEW --dport 1024: -s $_ip --sport $ftp_passive_port_range \
- -m recent --name ftp6data_$i --update --seconds 1800 --reap -j ACCEPT
+ -m recent --name ftpdata_$i --update --seconds 1800 --reap -j ACCEPT
 # - Accept (helper ftp) related connections
 # -
diff --git a/ipt-firewall-server b/ipt-firewall-server
index 6523606..05f4cf3 100755
--- a/ipt-firewall-server
+++ b/ipt-firewall-server
@@ -1574,14 +1574,36 @@ echononl "\t\tFTP out only (using CT target)"
 # -
 $ipt -A OUTPUT -t raw -p tcp --dport 21 -j CT --helper ftp
+# - Used for different ftpdata recent lists 'ftpdata_out_$j'
+# -
+declare -i j=1
+
 for _dev in ${ext_if_arr[@]} ; do
- # - Open FTP connection
- $ipt -A OUTPUT -o $_dev -p tcp --dport 21 -m state --state NEW -j ACCEPT
+ # - (1)
+ # -
+ # - Open FTP connection and add the destination ip (--rdest) to ftpdata recent list 'ftpdata_out_$j'.
+ # -
+ $ipt -A OUTPUT -o $_dev -p tcp --dport 21 -m state --state NEW \
+ -m recent --name ftpdata_out_$j --rdest --set -j ACCEPT
+
+ # - (2)
+ # - - Accept packets if the destination ip-address (--rdest) is in the 'ftpdata_$j' list (--update)
+ # - and the destination ip-address was seen within the last 1800 seconds (--seconds 1800).
+ # -
+ # - - If matched, the "last seen" timestamp of the destination address will be updated (--update).
+ # -
+ # - - Entries in the ftpdata list not seen in the last 1800 will be removed (--reap).
+ # -
+ $ipt -A OUTPUT -o $_dev -p tcp -m state --state NEW --dport 1024: \
+ -m recent --name ftpdata_out_$j --rdest --update --seconds 1800 --reap -j ACCEPT
+
+ ((i++))
 # - Accept (helper ftp) related connections
 # -
 $ipt -A OUTPUT -m conntrack --ctstate RELATED -m helper --helper ftp -o $_dev -p tcp --dport 1024: -j ACCEPT
+
 done
 echo_done
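Review bot: The loop increments `i`, but the list names are built from `j` (`declare -i j=1` just above the loop), so every external interface installs its rules on the same `ftpdata_out_1` list and the counter never advances; the line should read `((j++))`, as the ip6t-firewall-server hunk does. If `i` is unset or 0 at this point, `((i++))` additionally evaluates to 0 and returns a non-zero status, which would abort the script should it run under `set -e` (not visible here), and it clobbers the `i` counter that the FTP-server section later declares. The comment above rule (2) names the list `'ftpdata_$j'` while both rules use `ftpdata_out_$j`; align it. Rule (2) admits NEW connections to every port from 1024 upward on any host contacted on port 21 within 1800 seconds, the same egress widening as in the IPv6 file, and deserves the same explanatory comment about why the helper-based RELATED rule is not sufficient for encrypted control channels.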