Use CT helper for ftp rules 'FTP out only'.

2019-02-24 17:25:12 +01:00
parent f4693f3426
commit 7a024c025e
2 changed files with 86 additions and 31 deletions
--- a/41
+++ b/41
@ -1226,23 +1226,38 @@ fi

 echononl "\t\tFTP out only"

+# - (Re)define helper
+# -
+$ip6t -A OUTPUT -t raw -p tcp --dport 21 -j CT --helper ftp
+
 for _dev in ${ext_if_arr[@]} ; do
-   # (Datenkanal aktiv)
-   $ip6t -A INPUT -i $_dev -p tcp --sport 20 -m state --state NEW -j ACCEPT
-   # (Datenkanal passiv)
-   $ip6t -A OUTPUT -o $_dev -p tcp --sport $unprivports --dport $unprivports -m state --state NEW -j ACCEPT
-   # (Kontrollverbindung)
+   
+   # - Open FTP connection
   $ip6t -A OUTPUT -o $_dev -p tcp --dport 21 -m state --state NEW -j ACCEPT
-   if $kernel_forward_between_interfaces ; then
-      # (Datenkanal aktiv)
-      $ip6t -A FORWARD -i $_dev -p tcp --sport 20 -m state --state NEW -j ACCEPT
-      # (Datenkanal passiv)
-      $ip6t -A FORWARD -o $_dev -p tcp --sport $unprivports --dport $unprivports -m state --state NEW -j ACCEPT
-      # (Kontrollverbindung)
-      $ip6t -A FORWARD -o $_dev -p tcp  --dport 21 -m state --state NEW -j ACCEPT
-   fi
+#
+   # - Accept (helper ftp) related connections
+   # -
+   $ip6t -A OUTPUT -m conntrack --ctstate RELATED -m helper --helper ftp -o $_dev -p tcp --dport 1024: -j ACCEPT
+   $ip6t -A INPUT -m conntrack --ctstate RELATED -m helper --helper ftp -i $_dev -p tcp --dport 1024: -j ACCEPT
 done

+#for _dev in ${ext_if_arr[@]} ; do
+#   # (Datenkanal aktiv)
+#   $ip6t -A INPUT -i $_dev -p tcp --sport 20 -m state --state NEW -j ACCEPT
+#   # (Datenkanal passiv)
+#   $ip6t -A OUTPUT -o $_dev -p tcp --sport $unprivports --dport $unprivports -m state --state NEW -j ACCEPT
+#   # (Kontrollverbindung)
+#   $ip6t -A OUTPUT -o $_dev -p tcp --dport 21 -m state --state NEW -j ACCEPT
+#   if $kernel_forward_between_interfaces ; then
+#      # (Datenkanal aktiv)
+#      $ip6t -A FORWARD -i $_dev -p tcp --sport 20 -m state --state NEW -j ACCEPT
+#      # (Datenkanal passiv)
+#      $ip6t -A FORWARD -o $_dev -p tcp --sport $unprivports --dport $unprivports -m state --state NEW -j ACCEPT
+#      # (Kontrollverbindung)
+#      $ip6t -A FORWARD -o $_dev -p tcp  --dport 21 -m state --state NEW -j ACCEPT
+#   fi
+#done
+
 echo_done