From 45b3274c03d80f4fa140a68809bc989b45591e65 Mon Sep 17 00:00:00 2001
From: Christoph
Date: Sat, 2 Mar 2019 04:50:40 +0100
Subject: [PATCH] Fix error for ftp server rules.

---
 ip6t-firewall-server | 72 ++++++++++++++++++++++++++++----
 ip6t-firewall-server.conf.sample | 4 ++
 ipt-firewall-server | 69 +++++++++++++++++++++++++++---
 ipt-firewall-server.conf.sample | 4 ++
 4 files changed, 136 insertions(+), 13 deletions(-)

diff --git a/ip6t-firewall-server b/ip6t-firewall-server
index 8769d2f..ef7ba3e 100755
--- a/ip6t-firewall-server
+++ b/ip6t-firewall-server
@@ -1333,6 +1333,10 @@ echononl "\t\tFTP Server (using CT target)"
 if [[ ${#ftp_server_ip_arr[@]} -gt 0 ]] || [[ ${#forward_ftp_server_ip_arr[@]} -gt 0 ]] ; then
+ # - Used for different ftpdata recent lists 'ftpdata_$i'
+ # -
+ declare -i i=1
+
 # - (Re)define helper
 # -
 # - !! Note: !!
@@ -1345,29 +1349,83 @@ if [[ ${#ftp_server_ip_arr[@]} -gt 0 ]] || [[ ${#forward_ftp_server_ip_arr[@]} -
 for _ip in ${ftp_server_ip_arr[@]} ; do
- # - Accept initial FTP connection
+ # =====
 # -
- $ip6t -A INPUT -i $_dev -p tcp -d $_ip --dport 21 -m state --state NEW -j ACCEPT
+ # - ip_conntrack_ftp cannot see the TLS-encrypted traffic
+ # - ======================================================
+ # -
+ # - Workaround:
+ # - (1) add source ip to a 'recent list' named 'ftpdata_$i! if ftp control connections appear
+ # - (2) accept packets of the formaly created recent list 'ftpdata_$i!
+ # -
+ # =====
+
+ # - (1)
+ # -
+ # - Accept initial FTP connection and add the source ip to ftpdata recent list 'ftpdata_$i'.
+ # -
+ $ip6t -A INPUT -p tcp -m state --state NEW -d $_ip --dport 21 -m recent --name ftpdata_$i --set -j ACCEPT
+
+ # - (2)
+ # - - Accept packets if the source ip-address is in the 'ftpdata_$i' list (--update) and the
+ # - source ip-address was seen within the last 1800 seconds (--seconds 1800).
+ # -
+ # - - If matched, the "last seen" timestamp of the source address will be updated (--update).
+ # -
+ # - - Entries in the ftpdata list not seen in the last 1800 will be removed (--reap).
+ # -
+ $ip6t -A INPUT -p tcp -m state --state NEW --sport 1024: -d $_ip --dport $ftp_passive_port_range \
+ -m recent --name ftpdata_$i --update --seconds 1800 --reap -j ACCEPT
 # - Accept (helper ftp) related connections
 # -
 $ip6t -A INPUT -m conntrack --ctstate RELATED -m helper --helper ftp -d $_ip -p tcp --dport 1024: -j ACCEPT
+ ((i++))
+
 done
 fi
 if [[ ${#forward_ftp_server_ip_arr[@]} -gt 0 ]] && $kernel_forward_between_interfaces ; then
 for _ip in ${forward_ftp_server_ip_arr[@]} ; do
-
- # - Accept initial FTP connection
+
+ # =====
 # -
- $ip6t -A FORWARD -p tcp -d $_ip --dport 21 --sport $unprivports -m state --state NEW -j ACCEPT
+ # - ip_conntrack_ftp cannot see the TLS-encrypted traffic
+ # - ======================================================
+ # -
+ # - Workaround:
+ # - (1) add source ip to a 'recent list' named 'ftpdata_$i! if ftp control connections appear
+ # - (2) accept packets of the formaly created recent list 'ftpdata_$i!
+ # -
+ # =====
+
+ # - (1)
+ # -
+ # - Accept initial FTP connection and add the source ip to ftpdata recent list 'ftpdata_$i'.
+ # -
+ $ip6t -A FORWARD -p tcp -m state --state NEW -d $_ip --dport 21 -m recent --name ftpdata_$i --set -j ACCEPT
+
+ # - (2)
+ # - - Accept packets if the source ip-address is in the 'ftpdata_$i' list (--update) and the
+ # - source ip-address was seen within the last 1800 seconds (--seconds 1800).
+ # -
+ # - - If matched, the "last seen" timestamp of the source address will be updated (--update).
+ # -
+ # - - Entries in the ftpdata list not seen in the last 1800 will be removed (--reap).
+ # -
+ $ip6t -A FORWARD -p tcp -m state --state NEW --sport 1024: -d $_ip --dport $ftp_passive_port_range \
+ -m recent --name ftpdata_$i --update --seconds 1800 --reap -j ACCEPT
+ $ip6t -A FORWARD -p tcp -m state --state NEW --dport 1024: -s $_ip --sport $ftp_passive_port_range \
+ -m recent --name ftpdata_$i --update --seconds 1800 --reap -j ACCEPT
 # - Accept (helper ftp) related connections
 # -
- $ip6t -A INPUT -m conntrack --ctstate RELATED -m helper --helper ftp -d $_ip -p tcp --dport 1024: -j ACCEPT
- $ip6t -A OUTPUT -m conntrack --ctstate RELATED -m helper --helper ftp -d $_ip -p tcp --dport 1024: -j ACCEPT
+ $ip6t -A FORWARD -m conntrack --ctstate RELATED -m helper --helper ftp -d $_ip -p tcp --dport 1024: -j ACCEPT
+ $ip6t -A FORWARD -m conntrack --ctstate RELATED -m helper --helper ftp -s $_ip -p tcp --sport 1024: -j ACCEPT
+
+ ((i++))
 done
 fi
diff --git a/ip6t-firewall-server.conf.sample b/ip6t-firewall-server.conf.sample
index ee315e7..1ef9fb4 100644
--- a/ip6t-firewall-server.conf.sample
+++ b/ip6t-firewall-server.conf.sample
@@ -135,6 +135,10 @@ forward_private_ips=""
 # -
 http_ports="80,443"
+# - FTP Servers Passive Portrange
+# -
+ftp_passive_port_range="50000:50400"
+
 # - Mail Client Ports (Submission/SMTPS/POPS/IMAPS)
 # -
 mail_user_ports="587,465,110,995,143,993"
diff --git a/ipt-firewall-server b/ipt-firewall-server
index 3278bec..6523606 100755
--- a/ipt-firewall-server
+++ b/ipt-firewall-server
@@ -1617,6 +1617,9 @@ echononl "\t\tFTP Server (using CT target)"
 if [[ ${#ftp_server_ip_arr[@]} -gt 0 ]] || [[ ${#forward_ftp_server_ip_arr[@]} -gt 0 ]] ; then
+ # - Used for different ftpdata recent lists 'ftpdata_$i'
+ declare -i i=1
+
 # - (Re)define helper
 # -
 # - !! Note: !!
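Review bot: `$ftp_passive_port_range` is used unguarded in the new `--dport`/`--sport` rules while the commit adds the key only to the sample config, so an existing installation whose config predates it expands the variable to nothing and the `$ip6t -A INPUT ... --dport -m recent ...` command fails at ip6tables parse time, unless a default is assigned where the config is sourced (outside this hunk). A guard next to the counter introduced in the hunk above, `: "${ftp_passive_port_range:?ftp_passive_port_range must be set in the config}"`, turns that into a clear message before any rule is touched. The replacement for the removed `-i $_dev` port-21 rule no longer restricts the interface, so the accept now applies on every interface, and if `_dev` is still driven by an enclosing interface loop (its head starts outside the hunk) the identical rule is appended once per iteration. The ipt-firewall-server hunks at -1629 and -1644 have the same two issues.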
@@ -1629,14 +1632,40 @@ if [[ ${#ftp_server_ip_arr[@]} -gt 0 ]] || [[ ${#forward_ftp_server_ip_arr[@]} -
 for _ip in ${ftp_server_ip_arr[@]} ; do
- # - Accept initial FTP connection
+ # =====
 # -
- $ipt -A INPUT -i $_dev -p tcp -d $_ip --dport 21 -m state --state NEW -j ACCEPT
+ # - ip_conntrack_ftp cannot see the TLS-encrypted traffic
+ # - ======================================================
+ # -
+ # - Workaround:
+ # - (1) add source ip to a 'recent list' named 'ftpdata_$i! if ftp control connections appear
+ # - (2) accept packets of the formaly created recent list 'ftpdata_$i!
+ # -
+ # =====
+
+ # - (1)
+ # -
+ # - Accept initial FTP connection and add the source ip to ftpdata recent list 'ftpdata_$i'.
+ # -
+ $ipt -A INPUT -p tcp -m state --state NEW -d $_ip --dport 21 -m recent --name ftpdata_$i --set -j ACCEPT
+
+ # - (2)
+ # - - Accept packets if the source ip-address is in the 'ftpdata_$i' list (--update) and the
+ # - source ip-address was seen within the last 1800 seconds (--seconds 1800).
+ # -
+ # - - If matched, the "last seen" timestamp of the source address will be updated (--update).
+ # -
+ # - - Entries in the ftpdata list not seen in the last 1800 will be removed (--reap).
+ # -
+ $ipt -A INPUT -p tcp -m state --state NEW --sport 1024: -d $_ip --dport $ftp_passive_port_range \
+ -m recent --name ftpdata_$i --update --seconds 1800 --reap -j ACCEPT
 # - Accept (helper ftp) related connections
 # -
 $ipt -A INPUT -m conntrack --ctstate RELATED -m helper --helper ftp -d $_ip -p tcp --dport 1024: -j ACCEPT
+ ((i++))
+
 done
 fi
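Review bot: The `--set` rule records a client address on the first NEW packet to port 21, before any handshake or login, and the passive-range rule uses `--update`, which refreshes the entry's timestamp on every matching packet, so an address that once sent a SYN to port 21 keeps the whole `$ftp_passive_port_range` open to itself for as long as it keeps opening connections there; the 1800 seconds only bound idle time. If the intended window is measured from the last control connection, `--rcheck --seconds 1800` on the passive-range rule (leaving `--set` to the port-21 rule) gives that bound without the self-renewal, and the 1800 would sit better as a config value next to `ftp_passive_port_range` than as a literal repeated in four rules. xt_recent also caps each list at its `ip_list_tot` module parameter (100 entries by default), after which the oldest client address is evicted and its data connections start being refused, which deserves a comment near `declare -i i=1`. In the comment block, `'ftpdata_$i!` has a mismatched closing quote and `formaly` should read `formerly`. The ip6t-firewall-server hunk at -1345 carries the same rules and comments.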
@@ -1644,14 +1673,42 @@ if [[ ${#ftp_server_ip_arr[@]} -gt 0 ]] || [[ ${#forward_ftp_server_ip_arr[@]} -
 for _ip in ${forward_ftp_server_ip_arr[@]} ; do
- # - Accept initial FTP connection
+ # =====
 # -
- $ipt -A FORWARD -p tcp -d $_ip --dport 21 --sport $unprivports -m state --state NEW -j ACCEPT
+ # - ip_conntrack_ftp cannot see the TLS-encrypted traffic
+ # - ======================================================
+ # -
+ # - Workaround:
+ # - (1) add source ip to a 'recent list' named 'ftpdata_$i! if ftp control connections appear
+ # - (2) accept packets of the formaly created recent list 'ftpdata_$i!
+ # -
+ # =====
+
+ # - (1)
+ # -
+ # - Accept initial FTP connection and add the source ip to ftpdata recent list 'ftpdata_$i'.
+ # -
+ $ipt -A FORWARD -p tcp -m state --state NEW -d $_ip --dport 21 -m recent --name ftpdata_$i --set -j ACCEPT
+
+ # - (2)
+ # - - Accept packets if the source ip-address is in the 'ftpdata_$i' list (--update) and the
+ # - source ip-address was seen within the last 1800 seconds (--seconds 1800).
+ # -
+ # - - If matched, the "last seen" timestamp of the source address will be updated (--update).
+ # -
+ # - - Entries in the ftpdata list not seen in the last 1800 will be removed (--reap).
+ # -
+ $ipt -A FORWARD -p tcp -m state --state NEW --sport 1024: -d $_ip --dport $ftp_passive_port_range \
+ -m recent --name ftpdata_$i --update --seconds 1800 --reap -j ACCEPT
+ $ipt -A FORWARD -p tcp -m state --state NEW --dport 1024: -s $_ip --sport $ftp_passive_port_range \
+ -m recent --name ftpdata_$i --update --seconds 1800 --reap -j ACCEPT
 # - Accept (helper ftp) related connections
 # -
- $ipt -A INPUT -m conntrack --ctstate RELATED -m helper --helper ftp -d $_ip -p tcp --dport 1024: -j ACCEPT
- $ipt -A OUTPUT -m conntrack --ctstate RELATED -m helper --helper ftp -d $_ip -p tcp --dport 1024: -j ACCEPT
+ $ipt -A FORWARD -m conntrack --ctstate RELATED -m helper --helper ftp -d $_ip -p tcp --dport 1024: -j ACCEPT
+ $ipt -A FORWARD -m conntrack --ctstate RELATED -m helper --helper ftp -s $_ip -p tcp --sport 1024: -j ACCEPT
+
+ ((i++))
 done
 fi
diff --git a/ipt-firewall-server.conf.sample b/ipt-firewall-server.conf.sample
index 2a3dd9f..50a04f8 100644
--- a/ipt-firewall-server.conf.sample
+++ b/ipt-firewall-server.conf.sample
@@ -135,6 +135,10 @@ forward_private_ips=""
 # -
 http_ports="80,443"
+# - FTP Servers Passive Portrange
+# -
+ftp_passive_port_range="50000:50400"
+
 # - Mail Client Ports (Submission/SMTPS/POPS/IMAPS)
 # -
 mail_user_ports="587,465,110,995,143,993"
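Review bot: The new `-s $_ip --sport $ftp_passive_port_range ... -m recent --name ftpdata_$i --update` FORWARD rule looks up the packet's source address (xt_recent defaults to `--rsource`), which here is the FTP server itself, while the `--set` rule only ever records client addresses; unless the server's own address lands in the list, this rule never matches and the accept it describes does not happen. If it is meant to admit server-initiated (active-mode) data connections, the lookup has to be keyed on the client with `--rdest`, and active mode uses source port 20 rather than the passive range, so something like `--sport 20 ... -m recent --name ftpdata_$i --rdest --rcheck --seconds 1800` would express that; if that is not the intent, the rule should be dropped rather than left as dead configuration. The reversed conntrack helper rule (`-s $_ip --sport 1024:`) added below it is consistent with the `-d $_ip` one. The FORWARD loop of the ip6t-firewall-server hunk at -1345 has the same rule.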