diff --git a/ip6t-firewall-server b/ip6t-firewall-server
index 48939a5..fe78c97 100755
--- a/ip6t-firewall-server
+++ b/ip6t-firewall-server
@@ -1226,23 +1226,38 @@ fi echononl "\t\tFTP out only" +# - (Re)define helper +# - +$ip6t -A OUTPUT -t raw -p tcp --dport 21 -j CT --helper ftp + for _dev in ${ext_if_arr[@]} ; do - # (Datenkanal aktiv) - $ip6t -A INPUT -i $_dev -p tcp --sport 20 -m state --state NEW -j ACCEPT - # (Datenkanal passiv) - $ip6t -A OUTPUT -o $_dev -p tcp --sport $unprivports --dport $unprivports -m state --state NEW -j ACCEPT - # (Kontrollverbindung) + + # - Open FTP connection $ip6t -A OUTPUT -o $_dev -p tcp --dport 21 -m state --state NEW -j ACCEPT - if $kernel_forward_between_interfaces ; then - # (Datenkanal aktiv) - $ip6t -A FORWARD -i $_dev -p tcp --sport 20 -m state --state NEW -j ACCEPT - # (Datenkanal passiv) - $ip6t -A FORWARD -o $_dev -p tcp --sport $unprivports --dport $unprivports -m state --state NEW -j ACCEPT - # (Kontrollverbindung) - $ip6t -A FORWARD -o $_dev -p tcp --dport 21 -m state --state NEW -j ACCEPT - fi +# + # - Accept (helper ftp) related connections + # - + $ip6t -A OUTPUT -m conntrack --ctstate RELATED -m helper --helper ftp -o $_dev -p tcp --dport 1024: -j ACCEPT + $ip6t -A INPUT -m conntrack --ctstate RELATED -m helper --helper ftp -i $_dev -p tcp --dport 1024: -j ACCEPT done +#for _dev in ${ext_if_arr[@]} ; do +# # (Datenkanal aktiv) +# $ip6t -A INPUT -i $_dev -p tcp --sport 20 -m state --state NEW -j ACCEPT +# # (Datenkanal passiv) +# $ip6t -A OUTPUT -o $_dev -p tcp --sport $unprivports --dport $unprivports -m state --state NEW -j ACCEPT +# # (Kontrollverbindung) +# $ip6t -A OUTPUT -o $_dev -p tcp --dport 21 -m state --state NEW -j ACCEPT +# if $kernel_forward_between_interfaces ; then +# # (Datenkanal aktiv) +# $ip6t -A FORWARD -i $_dev -p tcp --sport 20 -m state --state NEW -j ACCEPT +# # (Datenkanal passiv) +# $ip6t -A FORWARD -o $_dev -p tcp --sport $unprivports --dport $unprivports -m state --state NEW -j ACCEPT +# # (Kontrollverbindung) +# $ip6t -A FORWARD -o $_dev -p tcp --dport 21 -m state --state NEW -j ACCEPT +# fi +#done + echo_done 
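Review bot: The `if $kernel_forward_between_interfaces` branch is deleted without a replacement, so hosts that forward through this box lose FTP entirely: the new `CT --helper ftp` rule sits only in the raw OUTPUT chain (traffic originating on this host) and no FORWARD rule accepts RELATED helper traffic. If forwarded FTP is still wanted, the helper must also be assigned in raw PREROUTING and the two RELATED accept rules need FORWARD counterparts under the same flag, as sketched below; if it is intentionally dropped, delete the commented-out old block instead of keeping it as dead code. The same applies to the ipt-firewall-server hunk at @@ -1486. Also, `-m helper --helper ftp` and the CT target only work once nf_conntrack_ftp is loaded, and this diff only changes the module-loading section of ipt-firewall-server, so confirm ip6t-firewall-server loads it (or always runs after the ipt script) before the raw rule is added.
```shell
# - (Re)define helper, also for forwarded control connections
# -
$ip6t -A OUTPUT -t raw -p tcp --dport 21 -j CT --helper ftp
if $kernel_forward_between_interfaces ; then
    $ip6t -A PREROUTING -t raw -p tcp --dport 21 -j CT --helper ftp
fi

for _dev in ${ext_if_arr[@]} ; do
    # … unchanged: OUTPUT control rule and OUTPUT/INPUT RELATED rules …
    if $kernel_forward_between_interfaces ; then
        $ip6t -A FORWARD -o $_dev -p tcp --dport 21 -m state --state NEW -j ACCEPT
        $ip6t -A FORWARD -m conntrack --ctstate RELATED -m helper --helper ftp -o $_dev -p tcp --dport 1024: -j ACCEPT
        $ip6t -A FORWARD -m conntrack --ctstate RELATED -m helper --helper ftp -i $_dev -p tcp --dport 1024: -j ACCEPT
    fi
done
```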
diff --git a/ipt-firewall-server b/ipt-firewall-server index e7660d5..831d2e6 100755 --- a/ipt-firewall-server +++ b/ipt-firewall-server @@ -34,12 +34,36 @@ if ! $host_is_vm ; then # - net.netfilter.nf_conntrack_helper = 1 # - # - Reboot or type "sysctl -p" + # - + # - !! But this is NOT the recommend method !! - ## - Load module for FTP Connection tracking and NAT - ## - - /sbin/modprobe ip_conntrack > /dev/null 2>&1 - /sbin/modprobe ip_conntrack_ftp > /dev/null 2>&1 - /sbin/modprobe ip_nat_ftp > /dev/null 2>&1 + # --- + # - Load module for FTP Connection tracking and NAT + # --- + + # - Once a helper is loaded, it will treat packets for a given port and all IP addresses. + # - As explained before, this is not optimal and is even a security risk. A better + # - solution is to load the module helper and deactivate their parsing by default. Each + # - helper we need to use is then set by using a call to the CT target. + # - + # - Desactivate the automatic conntrack helper assignment: + # - + # - method 1: modprobe nf_conntrack nf_conntrack_helper=0 + # - method 2: echo 0 > /proc/sys/net/netfilter/nf_conntrack_helper + # - + # - Note: + # - ===== + # - Each helper we need to use is then set by using a call to the CT target. + # - Example for ftp helper on standardport: + # - + # - ipt -A OUTPUT -t raw -p tcp --dport 21 -j CT --helper ftp + # - + /sbin/modprobe nf_conntrack nf_conntrack_helper=0 > /dev/null 2>&1 + #echo 0 > /proc/sys/net/netfilter/nf_conntrack_helper + + /sbin/modprobe nf_conntrack_ftp > /dev/null 2>&1 + /sbin/modprobe nf_nat > /dev/null 2>&1 + /sbin/modprobe nf_nat_ftp > /dev/null 2>&1 ## - Load modules for SIP VOIP ## - 
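Review bot: `/sbin/modprobe nf_conntrack nf_conntrack_helper=0` has no effect when nf_conntrack is already loaded or built into the kernel, which is the normal case on a host that is already running iptables, and the sysctl fallback directly below it is commented out, so automatic helper assignment may well stay enabled and the "deactivate parsing by default" rationale written in the new comment is not actually enforced. Apply the sysctl unconditionally after the modprobe, e.g. `[ -w /proc/sys/net/netfilter/nf_conntrack_helper ] && echo 0 > /proc/sys/net/netfilter/nf_conntrack_helper`; the existence test also copes with recent kernels where the knob defaults to 0 or has been removed. The `> /dev/null 2>&1` on every modprobe hides a missing nf_conntrack_ftp/nf_nat_ftp, which the new CT/helper rules at @@ -1486 depend on, so at least the ftp modules deserve a visible warning on failure. Minor: "Desactivate" in the new comment should read "Deactivate".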
@@ -1486,23 +1510,39 @@ fi echononl "\t\tFTP out only" +# - (Re)define helper +# - +$ipt -A OUTPUT -t raw -p tcp --dport 21 -j CT --helper ftp + for _dev in ${ext_if_arr[@]} ; do - # (Datenkanal aktiv) - $ipt -A INPUT -i $_dev -p tcp --sport 20 -m state --state NEW -j ACCEPT - # (Datenkanal passiv) - $ipt -A OUTPUT -o $_dev -p tcp --sport $unprivports --dport $unprivports -m state --state NEW -j ACCEPT - # (Kontrollverbindung) + + # - Open FTP connection $ipt -A OUTPUT -o $_dev -p tcp --dport 21 -m state --state NEW -j ACCEPT - if $kernel_activate_forwarding ; then - # (Datenkanal aktiv) - $ipt -A FORWARD -i $_dev -p tcp --sport 20 -m state --state NEW -j ACCEPT - # (Datenkanal passiv) - $ipt -A FORWARD -o $_dev -p tcp --sport $unprivports --dport $unprivports -m state --state NEW -j ACCEPT - # (Kontrollverbindung) - $ipt -A FORWARD -o $_dev -p tcp --dport 21 -m state --state NEW -j ACCEPT - fi +# + # - Accept (helper ftp) related connections + # - + $ipt -A OUTPUT -m conntrack --ctstate RELATED -m helper --helper ftp -o $_dev -p tcp --dport 1024: -j ACCEPT + $ipt -A INPUT -m conntrack --ctstate RELATED -m helper --helper ftp -i $_dev -p tcp --dport 1024: -j ACCEPT done + +#for _dev in ${ext_if_arr[@]} ; do +# # (Datenkanal aktiv) +# $ipt -A INPUT -i $_dev -p tcp --sport 20 -m state --state NEW -j ACCEPT +# # (Datenkanal passiv) +# $ipt -A OUTPUT -o $_dev -p tcp --sport $unprivports --dport $unprivports -m state --state NEW -j ACCEPT +# # (Kontrollverbindung) +# $ipt -A OUTPUT -o $_dev -p tcp --dport 21 -m state --state NEW -j ACCEPT +# if $kernel_activate_forwarding ; then +# # (Datenkanal aktiv) +# $ipt -A FORWARD -i $_dev -p tcp --sport 20 -m state --state NEW -j ACCEPT +# # (Datenkanal passiv) +# $ipt -A FORWARD -o $_dev -p tcp --sport $unprivports --dport $unprivports -m state --state NEW -j ACCEPT +# # (Kontrollverbindung) +# $ipt -A FORWARD -o $_dev -p tcp --dport 21 -m state --state NEW -j ACCEPT +# fi +#done + echo_done
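Review bot: The new `-j CT --helper ftp` and `-m helper --helper ftp` rules require nf_conntrack_ftp (and nf_nat_ftp when NAT is involved), but the modprobe calls that load them in the @@ -34 hunk sit inside `if ! $host_is_vm`, so on a VM these rules only work if something else has loaded the module; if the `$ipt` exit status is not checked, the helper rules would be silently missing and FTP data connections dropped. Either move the ftp helper modprobes out of the `host_is_vm` guard or check before (re)defining the helper, e.g. `grep -qw nf_conntrack_ftp /proc/modules || /sbin/modprobe nf_conntrack_ftp`. On style, the loop now mixes the legacy `-m state --state NEW` on the control rule with `-m conntrack --ctstate RELATED` on the new rules, and the bare `#` at column 0 inside the loop looks like a leftover; using `-m conntrack --ctstate NEW` and dropping the stray line would make the block uniform, in the ip6t hunk as well.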