firewall/ipt-server
1
0
Fork 0
Code Issues Pull Requests Packages Projects Releases Wiki Activity

Add support for encrypted connections 'FTP out only'.

Browse Source
This commit is contained in:
Christoph
2019-03-02 21:48:13 +01:00
parent 39529f7f54
commit 3c896d7052
2 changed files with 65 additions and 21 deletions
Download Patch File Download Diff File Expand all files Collapse all files

26
ipt-firewall-server
View File

@ -1574,14 +1574,36 @@ echononl "\t\tFTP out only (using CT target)"
# -
$ipt -A OUTPUT -t raw -p tcp --dport 21 -j CT --helper ftp
# - Used for different ftpdata recent lists 'ftpdata_out_$j'
# -
declare -i j=1
for _dev in ${ext_if_arr[@]} ; do
# - Open FTP connection
$ipt -A OUTPUT -o $_dev -p tcp --dport 21 -m state --state NEW -j ACCEPT
# - (1)
# -
# - Open FTP connection and add the destination ip (--rdest) to ftpdata recent list 'ftpdata_out_$j'.
# -
$ipt -A OUTPUT -o $_dev -p tcp --dport 21 -m state --state NEW \
-m recent --name ftpdata_out_$j --rdest --set -j ACCEPT
# - (2)
# - - Accept packets if the destination ip-address (--rdest) is in the 'ftpdata_$j' list (--update)
# - and the destination ip-address was seen within the last 1800 seconds (--seconds 1800).
# -
# - - If matched, the "last seen" timestamp of the destination address will be updated (--update).
# -
# - - Entries in the ftpdata list not seen in the last 1800 will be removed (--reap).
# -
$ipt -A OUTPUT -o $_dev -p tcp -m state --state NEW --dport 1024: \
-m recent --name ftpdata_out_$j --rdest --update --seconds 1800 --reap -j ACCEPT
((i++))
# - Accept (helper ftp) related connections
# -
$ipt -A OUTPUT -m conntrack --ctstate RELATED -m helper --helper ftp -o $_dev -p tcp --dport 1024: -j ACCEPT
done
echo_done