Iptables: `nf_conntrack_ftp` not working under debian

debian iptables raspberry-pi ftp

5,783

As suggested by @meuh in a comment, I had a look at the documentation hosted at https://home.regit.org/netfilter-en/secure-use-of-helpers/.

The paragraph "Using the CT target to refine security" explains:

One classic problem with helpers is the fact that helpers listen on predefined ports. If a service does not run on standard port, it is necessary to declare it. Before 2.6.34, the only method to do so was to use a module option. This was resulting in having a systematic parsing of the added port by the chosen helper. This was clearly suboptimal and the CT target has been introduced in 2.6.34. It allows to specify what helper to use for a specific flow. For example, let’s say we have a FTP server on IP address 1.2.3.4 running on port 2121.

To declare it, we can simply do
iptables -A PREROUTING -t raw -p tcp --dport 2121 \\
       -d 1.2.3.4 -j CT --helper ftp

It's not my case (since I'm using a regular port 21 for it) but still it seems to work if one wants to enable the ftp helper for inbound connections.

iptables -A PREROUTING -t raw -p tcp -m tcp --dport 21 -j CT --helper ftp

My (working) configuration is now:

# Generated by iptables-save v1.4.21 on Sat Aug 12 17:39:53 2017
*raw
:PREROUTING ACCEPT [445:37346]
:OUTPUT ACCEPT [375:44051]
-A PREROUTING -p tcp -m tcp --dport 21 -j CT --helper ftp
COMMIT
# Completed on Sat Aug 12 17:39:53 2017
# Generated by iptables-save v1.4.21 on Sat Aug 12 17:39:53 2017
*filter
:INPUT ACCEPT [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [169:17775]
-A INPUT -p tcp -m tcp --dport 21 -j ACCEPT
-A INPUT -p tcp -m tcp --dport 22 -j ACCEPT
-A INPUT -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
-A INPUT -j DROP
COMMIT
# Completed on Sat Aug 12 17:39:53 2017

It is probably worth noting how the document suggests to be wary of this kind of configuration, since the behaviour of the firewall depends on the user input.

I'm wondering if there are risks by facing a FTP server on the Open Internet in this way. In general FTP is known not to be the best protocol in terms of security, anyway…

5,783

Dacav

I’m a Computer Scientist and Programmer; I like to hack source code and find elegant software solutions to problems. I believe that a good programmer isn’t just someone who’s proficient with many languages, but someone who knows how to solve a problem. Still, if you know many languages you have better chances to pick the right tool when it’s time to put hands on, so I learned a lot of them. Apart from Computer Science, I’m also a Tai-Chi-Chuan student, an amateur tea connoisseur, and I like reading.

Updated on September 18, 2022

Comments

Dacav over 1 year
I've installed debian (on my raspberry, but the question is quite generic):
```
Linux raspberrypi 4.9.28+ #998 Mon May 15 16:50:35 BST 2017 armv6l GNU/Linux
```
And I'm trying to set up a simple anonymous and plaintext (no SSL) FTP server on it (vsftpd). The TCP port is the regular 21 FTP port, and I'm going to allow only passive mode.

I would like to have a strict firewall configuration, so I'm allowing in only ssh and the aforementioned FTP server.

For this purpose I'm using the conntrack module to allow only legit inbound connections. For this reason I loaded with modprobe the nf_conntrack_ftp module:
```
modprobe nf_conntrack_ftp
```
My iptables configuration:
```
# Generated by iptables-save v1.4.21 on Sat Aug 12 15:50:44 2017
*filter
:INPUT ACCEPT [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [108:11273]
-A INPUT -p tcp -m tcp --dport 22 -j ACCEPT
-A INPUT -p tcp -m tcp --dport 21 -j ACCEPT
-A INPUT -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
-A INPUT -j DROP
COMMIT
# Completed on Sat Aug 12 15:50:44 2017
```
With this configuration I'm not able to get the passive data connection to work properly.

I've both set up a tcpdump and added a -A INPUT j LOG rule just before the -A INPUT -j DROP: I can clearly see the inbound packets for the Iptablespassive data connection to be logged and rejected.

Some time ago I did pretty much the same setup on a Centos7 machine, where it worked correctly. Am I missing something important?

Thanks for any help :)
- Hauke Laging over 6 years
  
  You can check with conntrack -L conntrack ; conntrack -L expect whether nf_conntrack_ftp sets up the necessary entry.
- meuh over 6 years
  
  I don't know if it applies but automatic helper assignment is deprecated, so check your dmesg log and perhaps you need to follow the advice in the link and have another rule for your RELATED ftp connections.
- Dacav over 6 years
  
  @HaukeLaging Apparently there's no expectation appearing in there. I can see the control connection getting in from the conntrack table. Checking dmesg as suggested by @meuh
jonhattan about 6 years

you are missing -t raw in your iptables -A PREROUTING -p tcp -m tcp --dport 21 -j CT --helper ftp
telcoM almost 6 years

The automatic helper assignment for the netfilter modules was made optional in kernel 3.5 and later disabled by default because some evil people found a way to abuse it. Now the recommended practice is to declare any required helpers explicitly on ports that need them.