Add support for encrypted connections 'FTP out only'.
This commit is contained in:
parent
39529f7f54
commit
3c896d7052
@ -1290,14 +1290,36 @@ echononl "\t\tFTP out only (using CT target)"
|
|||||||
# -
|
# -
|
||||||
$ip6t -A OUTPUT -t raw -p tcp --dport 21 -j CT --helper ftp
|
$ip6t -A OUTPUT -t raw -p tcp --dport 21 -j CT --helper ftp
|
||||||
|
|
||||||
|
# - Used for different ftpdata recent lists 'ftp6data_out_$j'
|
||||||
|
# -
|
||||||
|
declare -i j=1
|
||||||
|
|
||||||
for _dev in ${ext_if_arr[@]} ; do
|
for _dev in ${ext_if_arr[@]} ; do
|
||||||
|
|
||||||
# - Open FTP connection
|
# - (1)
|
||||||
$ip6t -A OUTPUT -o $_dev -p tcp --dport 21 -m state --state NEW -j ACCEPT
|
# -
|
||||||
#
|
# - Open FTP connection and add the destination ip (--rdest) to ftpdata recent list 'ftpdata_out_$j'.
|
||||||
|
# -
|
||||||
|
$ip6t -A OUTPUT -o $_dev -p tcp --dport 21 -m state --state NEW \
|
||||||
|
-m recent --name ftp6data_out_$j --rdest --set -j ACCEPT
|
||||||
|
|
||||||
|
# - (2)
|
||||||
|
# - - Accept packets if the destination ip-address (--rdest) is in the 'ftpdata_$i' list (--update)
|
||||||
|
# - and the destination ip-address was seen within the last 1800 seconds (--seconds 1800).
|
||||||
|
# -
|
||||||
|
# - - If matched, the "last seen" timestamp of the destination address will be updated (--update).
|
||||||
|
# -
|
||||||
|
# - - Entries in the ftpdata list not seen in the last 1800 will be removed (--reap).
|
||||||
|
# -
|
||||||
|
$ip6t -A OUTPUT -o $_dev -p tcp -m state --state NEW --dport 1024: \
|
||||||
|
-m recent --name ftp6data_out_$j --rdest --update --seconds 1800 --reap -j ACCEPT
|
||||||
|
|
||||||
|
((j++))
|
||||||
|
|
||||||
# - Accept (helper ftp) related connections
|
# - Accept (helper ftp) related connections
|
||||||
# -
|
# -
|
||||||
$ip6t -A OUTPUT -m conntrack --ctstate RELATED -m helper --helper ftp -o $_dev -p tcp --dport 1024: -j ACCEPT
|
$ip6t -A OUTPUT -m conntrack --ctstate RELATED -m helper --helper ftp -o $_dev -p tcp --dport 1024: -j ACCEPT
|
||||||
|
|
||||||
done
|
done
|
||||||
|
|
||||||
echo_done
|
echo_done
|
||||||
@ -1333,7 +1355,7 @@ echononl "\t\tFTP Server (using CT target)"
|
|||||||
|
|
||||||
if [[ ${#ftp_server_ip_arr[@]} -gt 0 ]] || [[ ${#forward_ftp_server_ip_arr[@]} -gt 0 ]] ; then
|
if [[ ${#ftp_server_ip_arr[@]} -gt 0 ]] || [[ ${#forward_ftp_server_ip_arr[@]} -gt 0 ]] ; then
|
||||||
|
|
||||||
# - Used for different ftp6data recent lists 'ftp6data_$i'
|
# - Used for different ftpdata recent lists 'ftpdata_$i'
|
||||||
# -
|
# -
|
||||||
declare -i i=1
|
declare -i i=1
|
||||||
|
|
||||||
@ -1355,27 +1377,27 @@ if [[ ${#ftp_server_ip_arr[@]} -gt 0 ]] || [[ ${#forward_ftp_server_ip_arr[@]} -
|
|||||||
# - ======================================================
|
# - ======================================================
|
||||||
# -
|
# -
|
||||||
# - Workaround:
|
# - Workaround:
|
||||||
# - (1) add source ip to a 'recent list' named 'ftp6data_$i! if ftp control connections appear
|
# - (1) add source ip to a 'recent list' named 'ftpdata_$i! if ftp control connections appear
|
||||||
# - (2) accept packets of the formaly created recent list 'ftp6data_$i!
|
# - (2) accept packets of the formaly created recent list 'ftpdata_$i!
|
||||||
# -
|
# -
|
||||||
# =====
|
# =====
|
||||||
|
|
||||||
# - (1)
|
# - (1)
|
||||||
# -
|
# -
|
||||||
# - Accept initial FTP connection and add the source ip to ftpdata recent list 'ftp6data_$i'.
|
# - Accept initial FTP connection and add the source ip to ftpdata recent list 'ftpdata_$i'.
|
||||||
# -
|
# -
|
||||||
$ip6t -A INPUT -p tcp -m state --state NEW -d $_ip --dport 21 -m recent --name ftp6data_$i --set -j ACCEPT
|
$ip6t -A INPUT -p tcp -m state --state NEW -d $_ip --dport 21 -m recent --name ftpdata_$i --set -j ACCEPT
|
||||||
|
|
||||||
# - (2)
|
# - (2)
|
||||||
# - - Accept packets if the source ip-address is in the 'ftp6data_$i' list (--update) and the
|
# - - Accept packets if the source ip-address is in the 'ftpdata_$i' list (--update) and the
|
||||||
# - source ip-address was seen within the last 1800 seconds (--seconds 1800).
|
# - source ip-address was seen within the last 1800 seconds (--seconds 1800).
|
||||||
# -
|
# -
|
||||||
# - - If matched, the "last seen" timestamp of the source address will be updated (--update).
|
# - - If matched, the "last seen" timestamp of the source address will be updated (--update).
|
||||||
# -
|
# -
|
||||||
# - - Entries in the ftp6data list not seen in the last 1800 will be removed (--reap).
|
# - - Entries in the ftpdata list not seen in the last 1800 will be removed (--reap).
|
||||||
# -
|
# -
|
||||||
$ip6t -A INPUT -p tcp -m state --state NEW --sport 1024: -d $_ip --dport $ftp_passive_port_range \
|
$ip6t -A INPUT -p tcp -m state --state NEW --sport 1024: -d $_ip --dport $ftp_passive_port_range \
|
||||||
-m recent --name ftp6data_$i --update --seconds 1800 --reap -j ACCEPT
|
-m recent --name ftpdata_$i --update --seconds 1800 --reap -j ACCEPT
|
||||||
|
|
||||||
# - Accept (helper ftp) related connections
|
# - Accept (helper ftp) related connections
|
||||||
# -
|
# -
|
||||||
@ -1396,29 +1418,29 @@ if [[ ${#ftp_server_ip_arr[@]} -gt 0 ]] || [[ ${#forward_ftp_server_ip_arr[@]} -
|
|||||||
# - ======================================================
|
# - ======================================================
|
||||||
# -
|
# -
|
||||||
# - Workaround:
|
# - Workaround:
|
||||||
# - (1) add source ip to a 'recent list' named 'ftp6data_$i! if ftp control connections appear
|
# - (1) add source ip to a 'recent list' named 'ftpdata_$i! if ftp control connections appear
|
||||||
# - (2) accept packets of the formaly created recent list 'ftp6data_$i!
|
# - (2) accept packets of the formaly created recent list 'ftpdata_$i!
|
||||||
# -
|
# -
|
||||||
# =====
|
# =====
|
||||||
|
|
||||||
# - (1)
|
# - (1)
|
||||||
# -
|
# -
|
||||||
# - Accept initial FTP connection and add the source ip to ftpdata recent list 'ftp6data_$i'.
|
# - Accept initial FTP connection and add the source ip to ftpdata recent list 'ftpdata_$i'.
|
||||||
# -
|
# -
|
||||||
$ip6t -A FORWARD -p tcp -m state --state NEW -d $_ip --dport 21 -m recent --name ftp6data_$i --set -j ACCEPT
|
$ip6t -A FORWARD -p tcp -m state --state NEW -d $_ip --dport 21 -m recent --name ftpdata_$i --set -j ACCEPT
|
||||||
|
|
||||||
# - (2)
|
# - (2)
|
||||||
# - - Accept packets if the source ip-address is in the 'ftp6data_$i' list (--update) and the
|
# - - Accept packets if the source ip-address is in the 'ftpdata_$i' list (--update) and the
|
||||||
# - source ip-address was seen within the last 1800 seconds (--seconds 1800).
|
# - source ip-address was seen within the last 1800 seconds (--seconds 1800).
|
||||||
# -
|
# -
|
||||||
# - - If matched, the "last seen" timestamp of the source address will be updated (--update).
|
# - - If matched, the "last seen" timestamp of the source address will be updated (--update).
|
||||||
# -
|
# -
|
||||||
# - - Entries in the ftp6data list not seen in the last 1800 will be removed (--reap).
|
# - - Entries in the ftpdata list not seen in the last 1800 will be removed (--reap).
|
||||||
# -
|
# -
|
||||||
$ip6t -A FORWARD -p tcp -m state --state NEW --sport 1024: -d $_ip --dport $ftp_passive_port_range \
|
$ip6t -A FORWARD -p tcp -m state --state NEW --sport 1024: -d $_ip --dport $ftp_passive_port_range \
|
||||||
-m recent --name ftp6data_$i --update --seconds 1800 --reap -j ACCEPT
|
-m recent --name ftpdata_$i --update --seconds 1800 --reap -j ACCEPT
|
||||||
$ip6t -A FORWARD -p tcp -m state --state NEW --dport 1024: -s $_ip --sport $ftp_passive_port_range \
|
$ip6t -A FORWARD -p tcp -m state --state NEW --dport 1024: -s $_ip --sport $ftp_passive_port_range \
|
||||||
-m recent --name ftp6data_$i --update --seconds 1800 --reap -j ACCEPT
|
-m recent --name ftpdata_$i --update --seconds 1800 --reap -j ACCEPT
|
||||||
|
|
||||||
# - Accept (helper ftp) related connections
|
# - Accept (helper ftp) related connections
|
||||||
# -
|
# -
|
||||||
|
@ -1574,14 +1574,36 @@ echononl "\t\tFTP out only (using CT target)"
|
|||||||
# -
|
# -
|
||||||
$ipt -A OUTPUT -t raw -p tcp --dport 21 -j CT --helper ftp
|
$ipt -A OUTPUT -t raw -p tcp --dport 21 -j CT --helper ftp
|
||||||
|
|
||||||
|
# - Used for different ftpdata recent lists 'ftpdata_out_$j'
|
||||||
|
# -
|
||||||
|
declare -i j=1
|
||||||
|
|
||||||
for _dev in ${ext_if_arr[@]} ; do
|
for _dev in ${ext_if_arr[@]} ; do
|
||||||
|
|
||||||
# - Open FTP connection
|
# - (1)
|
||||||
$ipt -A OUTPUT -o $_dev -p tcp --dport 21 -m state --state NEW -j ACCEPT
|
# -
|
||||||
|
# - Open FTP connection and add the destination ip (--rdest) to ftpdata recent list 'ftpdata_out_$j'.
|
||||||
|
# -
|
||||||
|
$ipt -A OUTPUT -o $_dev -p tcp --dport 21 -m state --state NEW \
|
||||||
|
-m recent --name ftpdata_out_$j --rdest --set -j ACCEPT
|
||||||
|
|
||||||
|
# - (2)
|
||||||
|
# - - Accept packets if the destination ip-address (--rdest) is in the 'ftpdata_$j' list (--update)
|
||||||
|
# - and the destination ip-address was seen within the last 1800 seconds (--seconds 1800).
|
||||||
|
# -
|
||||||
|
# - - If matched, the "last seen" timestamp of the destination address will be updated (--update).
|
||||||
|
# -
|
||||||
|
# - - Entries in the ftpdata list not seen in the last 1800 will be removed (--reap).
|
||||||
|
# -
|
||||||
|
$ipt -A OUTPUT -o $_dev -p tcp -m state --state NEW --dport 1024: \
|
||||||
|
-m recent --name ftpdata_out_$j --rdest --update --seconds 1800 --reap -j ACCEPT
|
||||||
|
|
||||||
|
((i++))
|
||||||
|
|
||||||
# - Accept (helper ftp) related connections
|
# - Accept (helper ftp) related connections
|
||||||
# -
|
# -
|
||||||
$ipt -A OUTPUT -m conntrack --ctstate RELATED -m helper --helper ftp -o $_dev -p tcp --dport 1024: -j ACCEPT
|
$ipt -A OUTPUT -m conntrack --ctstate RELATED -m helper --helper ftp -o $_dev -p tcp --dport 1024: -j ACCEPT
|
||||||
|
|
||||||
done
|
done
|
||||||
|
|
||||||
echo_done
|
echo_done
|
||||||
|
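Review bot: The IPv4 loop in the last hunk (`@ -1574`) advances the wrong counter: it opens with `declare -i j=1` and names its lists `--name ftpdata_out_$j`, but ends with `((i++))`, so `j` never changes and every interface in `ext_if_arr` installs rules against the single recent list `ftpdata_out_1`, whereas the IPv6 loop in the first hunk correctly ends with `((j++))`. With one shared list, a destination seen on port 21 through one external interface also satisfies the `--dport 1024:` `--rdest --update` rule on every other interface for 1800 seconds, which is wider than the per-interface intent the comments describe; change the line to `((j++))`. If the script runs with `set -e` and `i` happens to be unset at that point, `((i++))` evaluates to 0 and returns non-zero, aborting the script, so `j=$((j+1))` is the safer form (the `set` options and any earlier assignment of `i` are outside these hunks, so this part is inferred). The explanatory comments in both hunks also name the list `'ftpdata_$i'` / `'ftpdata_$j'` while the rules use `ftp6data_out_$j` / `ftpdata_out_$j`; aligning them avoids confusion with the server-side `ftpdata_$i` / `ftp6data_$i` lists touched by the middle hunks.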