Fix error for ftp server rules.
This commit is contained in:
parent
bd4f24b244
commit
45b3274c03
@ -1333,6 +1333,10 @@ echononl "\t\tFTP Server (using CT target)"
|
||||
|
||||
if [[ ${#ftp_server_ip_arr[@]} -gt 0 ]] || [[ ${#forward_ftp_server_ip_arr[@]} -gt 0 ]] ; then
|
||||
|
||||
# - Used for different ftpdata recent lists 'ftpdata_$i'
|
||||
# -
|
||||
declare -i i=1
|
||||
|
||||
# - (Re)define helper
|
||||
# -
|
||||
# - !! Note: !!
|
||||
@ -1345,29 +1349,83 @@ if [[ ${#ftp_server_ip_arr[@]} -gt 0 ]] || [[ ${#forward_ftp_server_ip_arr[@]} -
|
||||
|
||||
for _ip in ${ftp_server_ip_arr[@]} ; do
|
||||
|
||||
# - Accept initial FTP connection
|
||||
# =====
|
||||
# -
|
||||
$ip6t -A INPUT -i $_dev -p tcp -d $_ip --dport 21 -m state --state NEW -j ACCEPT
|
||||
# - ip_conntrack_ftp cannot see the TLS-encrypted traffic
|
||||
# - ======================================================
|
||||
# -
|
||||
# - Workaround:
|
||||
# - (1) add source ip to a 'recent list' named 'ftpdata_$i! if ftp control connections appear
|
||||
# - (2) accept packets of the formaly created recent list 'ftpdata_$i!
|
||||
# -
|
||||
# =====
|
||||
|
||||
# - (1)
|
||||
# -
|
||||
# - Accept initial FTP connection and add the source ip to ftpdata recent list 'ftpdata_$i'.
|
||||
# -
|
||||
$ip6t -A INPUT -p tcp -m state --state NEW -d $_ip --dport 21 -m recent --name ftpdata_$i --set -j ACCEPT
|
||||
|
||||
# - (2)
|
||||
# - - Accept packets if the source ip-address is in the 'ftpdata_$i' list (--update) and the
|
||||
# - source ip-address was seen within the last 1800 seconds (--seconds 1800).
|
||||
# -
|
||||
# - - If matched, the "last seen" timestamp of the source address will be updated (--update).
|
||||
# -
|
||||
# - - Entries in the ftpdata list not seen in the last 1800 will be removed (--reap).
|
||||
# -
|
||||
$ip6t -A INPUT -p tcp -m state --state NEW --sport 1024: -d $_ip --dport $ftp_passive_port_range \
|
||||
-m recent --name ftpdata_$i --update --seconds 1800 --reap -j ACCEPT
|
||||
|
||||
# - Accept (helper ftp) related connections
|
||||
# -
|
||||
$ip6t -A INPUT -m conntrack --ctstate RELATED -m helper --helper ftp -d $_ip -p tcp --dport 1024: -j ACCEPT
|
||||
|
||||
((i++))
|
||||
|
||||
done
|
||||
fi
|
||||
|
||||
if [[ ${#forward_ftp_server_ip_arr[@]} -gt 0 ]] && $kernel_forward_between_interfaces ; then
|
||||
|
||||
for _ip in ${forward_ftp_server_ip_arr[@]} ; do
|
||||
|
||||
# - Accept initial FTP connection
|
||||
|
||||
# =====
|
||||
# -
|
||||
$ip6t -A FORWARD -p tcp -d $_ip --dport 21 --sport $unprivports -m state --state NEW -j ACCEPT
|
||||
# - ip_conntrack_ftp cannot see the TLS-encrypted traffic
|
||||
# - ======================================================
|
||||
# -
|
||||
# - Workaround:
|
||||
# - (1) add source ip to a 'recent list' named 'ftpdata_$i! if ftp control connections appear
|
||||
# - (2) accept packets of the formaly created recent list 'ftpdata_$i!
|
||||
# -
|
||||
# =====
|
||||
|
||||
# - (1)
|
||||
# -
|
||||
# - Accept initial FTP connection and add the source ip to ftpdata recent list 'ftpdata_$i'.
|
||||
# -
|
||||
$ip6t -A FORWARD -p tcp -m state --state NEW -d $_ip --dport 21 -m recent --name ftpdata_$i --set -j ACCEPT
|
||||
|
||||
# - (2)
|
||||
# - - Accept packets if the source ip-address is in the 'ftpdata_$i' list (--update) and the
|
||||
# - source ip-address was seen within the last 1800 seconds (--seconds 1800).
|
||||
# -
|
||||
# - - If matched, the "last seen" timestamp of the source address will be updated (--update).
|
||||
# -
|
||||
# - - Entries in the ftpdata list not seen in the last 1800 will be removed (--reap).
|
||||
# -
|
||||
$ip6t -A FORWARD -p tcp -m state --state NEW --sport 1024: -d $_ip --dport $ftp_passive_port_range \
|
||||
-m recent --name ftpdata_$i --update --seconds 1800 --reap -j ACCEPT
|
||||
$ip6t -A FORWARD -p tcp -m state --state NEW --dport 1024: -s $_ip --sport $ftp_passive_port_range \
|
||||
-m recent --name ftpdata_$i --update --seconds 1800 --reap -j ACCEPT
|
||||
|
||||
# - Accept (helper ftp) related connections
|
||||
# -
|
||||
$ip6t -A INPUT -m conntrack --ctstate RELATED -m helper --helper ftp -d $_ip -p tcp --dport 1024: -j ACCEPT
|
||||
$ip6t -A OUTPUT -m conntrack --ctstate RELATED -m helper --helper ftp -d $_ip -p tcp --dport 1024: -j ACCEPT
|
||||
$ip6t -A FORWARD -m conntrack --ctstate RELATED -m helper --helper ftp -d $_ip -p tcp --dport 1024: -j ACCEPT
|
||||
$ip6t -A FORWARD -m conntrack --ctstate RELATED -m helper --helper ftp -s $_ip -p tcp --sport 1024: -j ACCEPT
|
||||
|
||||
((i++))
|
||||
|
||||
done
|
||||
fi
|
||||
|
||||
@ -135,6 +135,10 @@ forward_private_ips=""
|
||||
# -
|
||||
http_ports="80,443"
|
||||
|
||||
# - FTP Servers Passive Portrange
|
||||
# -
|
||||
ftp_passive_port_range="50000:50400"
|
||||
|
||||
# - Mail Client Ports (Submission/SMTPS/POPS/IMAPS)
|
||||
# -
|
||||
mail_user_ports="587,465,110,995,143,993"
|
||||
|
||||
@ -1617,6 +1617,9 @@ echononl "\t\tFTP Server (using CT target)"
|
||||
|
||||
if [[ ${#ftp_server_ip_arr[@]} -gt 0 ]] || [[ ${#forward_ftp_server_ip_arr[@]} -gt 0 ]] ; then
|
||||
|
||||
# - Used for different ftpdata recent lists 'ftpdata_$i'
|
||||
declare -i i=1
|
||||
|
||||
# - (Re)define helper
|
||||
# -
|
||||
# - !! Note: !!
|
||||
@ -1629,14 +1632,40 @@ if [[ ${#ftp_server_ip_arr[@]} -gt 0 ]] || [[ ${#forward_ftp_server_ip_arr[@]} -
|
||||
|
||||
for _ip in ${ftp_server_ip_arr[@]} ; do
|
||||
|
||||
# - Accept initial FTP connection
|
||||
# =====
|
||||
# -
|
||||
$ipt -A INPUT -i $_dev -p tcp -d $_ip --dport 21 -m state --state NEW -j ACCEPT
|
||||
# - ip_conntrack_ftp cannot see the TLS-encrypted traffic
|
||||
# - ======================================================
|
||||
# -
|
||||
# - Workaround:
|
||||
# - (1) add source ip to a 'recent list' named 'ftpdata_$i! if ftp control connections appear
|
||||
# - (2) accept packets of the formaly created recent list 'ftpdata_$i!
|
||||
# -
|
||||
# =====
|
||||
|
||||
# - (1)
|
||||
# -
|
||||
# - Accept initial FTP connection and add the source ip to ftpdata recent list 'ftpdata_$i'.
|
||||
# -
|
||||
$ipt -A INPUT -p tcp -m state --state NEW -d $_ip --dport 21 -m recent --name ftpdata_$i --set -j ACCEPT
|
||||
|
||||
# - (2)
|
||||
# - - Accept packets if the source ip-address is in the 'ftpdata_$i' list (--update) and the
|
||||
# - source ip-address was seen within the last 1800 seconds (--seconds 1800).
|
||||
# -
|
||||
# - - If matched, the "last seen" timestamp of the source address will be updated (--update).
|
||||
# -
|
||||
# - - Entries in the ftpdata list not seen in the last 1800 will be removed (--reap).
|
||||
# -
|
||||
$ipt -A INPUT -p tcp -m state --state NEW --sport 1024: -d $_ip --dport $ftp_passive_port_range \
|
||||
-m recent --name ftpdata_$i --update --seconds 1800 --reap -j ACCEPT
|
||||
|
||||
# - Accept (helper ftp) related connections
|
||||
# -
|
||||
$ipt -A INPUT -m conntrack --ctstate RELATED -m helper --helper ftp -d $_ip -p tcp --dport 1024: -j ACCEPT
|
||||
|
||||
((i++))
|
||||
|
||||
done
|
||||
fi
|
||||
|
||||
@ -1644,14 +1673,42 @@ if [[ ${#ftp_server_ip_arr[@]} -gt 0 ]] || [[ ${#forward_ftp_server_ip_arr[@]} -
|
||||
|
||||
for _ip in ${forward_ftp_server_ip_arr[@]} ; do
|
||||
|
||||
# - Accept initial FTP connection
|
||||
# =====
|
||||
# -
|
||||
$ipt -A FORWARD -p tcp -d $_ip --dport 21 --sport $unprivports -m state --state NEW -j ACCEPT
|
||||
# - ip_conntrack_ftp cannot see the TLS-encrypted traffic
|
||||
# - ======================================================
|
||||
# -
|
||||
# - Workaround:
|
||||
# - (1) add source ip to a 'recent list' named 'ftpdata_$i! if ftp control connections appear
|
||||
# - (2) accept packets of the formaly created recent list 'ftpdata_$i!
|
||||
# -
|
||||
# =====
|
||||
|
||||
# - (1)
|
||||
# -
|
||||
# - Accept initial FTP connection and add the source ip to ftpdata recent list 'ftpdata_$i'.
|
||||
# -
|
||||
$ipt -A FORWARD -p tcp -m state --state NEW -d $_ip --dport 21 -m recent --name ftpdata_$i --set -j ACCEPT
|
||||
|
||||
# - (2)
|
||||
# - - Accept packets if the source ip-address is in the 'ftpdata_$i' list (--update) and the
|
||||
# - source ip-address was seen within the last 1800 seconds (--seconds 1800).
|
||||
# -
|
||||
# - - If matched, the "last seen" timestamp of the source address will be updated (--update).
|
||||
# -
|
||||
# - - Entries in the ftpdata list not seen in the last 1800 will be removed (--reap).
|
||||
# -
|
||||
$ipt -A FORWARD -p tcp -m state --state NEW --sport 1024: -d $_ip --dport $ftp_passive_port_range \
|
||||
-m recent --name ftpdata_$i --update --seconds 1800 --reap -j ACCEPT
|
||||
$ipt -A FORWARD -p tcp -m state --state NEW --dport 1024: -s $_ip --sport $ftp_passive_port_range \
|
||||
-m recent --name ftpdata_$i --update --seconds 1800 --reap -j ACCEPT
|
||||
|
||||
# - Accept (helper ftp) related connections
|
||||
# -
|
||||
$ipt -A INPUT -m conntrack --ctstate RELATED -m helper --helper ftp -d $_ip -p tcp --dport 1024: -j ACCEPT
|
||||
$ipt -A OUTPUT -m conntrack --ctstate RELATED -m helper --helper ftp -d $_ip -p tcp --dport 1024: -j ACCEPT
|
||||
$ipt -A FORWARD -m conntrack --ctstate RELATED -m helper --helper ftp -d $_ip -p tcp --dport 1024: -j ACCEPT
|
||||
$ipt -A FORWARD -m conntrack --ctstate RELATED -m helper --helper ftp -s $_ip -p tcp --sport 1024: -j ACCEPT
|
||||
|
||||
((i++))
|
||||
|
||||
done
|
||||
fi
|
||||
|
||||
@ -135,6 +135,10 @@ forward_private_ips=""
|
||||
# -
|
||||
http_ports="80,443"
|
||||
|
||||
# - FTP Servers Passive Portrange
|
||||
# -
|
||||
ftp_passive_port_range="50000:50400"
|
||||
|
||||
# - Mail Client Ports (Submission/SMTPS/POPS/IMAPS)
|
||||
# -
|
||||
mail_user_ports="587,465,110,995,143,993"
|
||||
|
||||
Loading…
Reference in New Issue
Block a user