Iptables: `nf_conntrack_ftp` not working under debian
As suggested by @meuh in a comment, I had a look at the documentation hosted at https://home.regit.org/netfilter-en/secure-use-of-helpers/.
The paragraph "Using the CT target to refine security" explains:
One classic problem with helpers is the fact that helpers listen on predefined ports. If a service does not run on standard port, it is necessary to declare it. Before 2.6.34, the only method to do so was to use a module option. This was resulting in having a systematic parsing of the added port by the chosen helper. This was clearly suboptimal and the CT target has been introduced in 2.6.34. It allows to specify what helper to use for a specific flow. For example, let’s say we have a FTP server on IP address 1.2.3.4 running on port 2121.
To declare it, we can simply do
iptables -A PREROUTING -t raw -p tcp --dport 2121 \\ -d 1.2.3.4 -j CT --helper ftp
It's not my case (since I'm using a regular port 21 for it) but still it seems to work if one wants to enable the ftp helper for inbound connections.
iptables -A PREROUTING -t raw -p tcp -m tcp --dport 21 -j CT --helper ftp
My (working) configuration is now:
# Generated by iptables-save v1.4.21 on Sat Aug 12 17:39:53 2017
*raw
:PREROUTING ACCEPT [445:37346]
:OUTPUT ACCEPT [375:44051]
-A PREROUTING -p tcp -m tcp --dport 21 -j CT --helper ftp
COMMIT
# Completed on Sat Aug 12 17:39:53 2017
# Generated by iptables-save v1.4.21 on Sat Aug 12 17:39:53 2017
*filter
:INPUT ACCEPT [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [169:17775]
-A INPUT -p tcp -m tcp --dport 21 -j ACCEPT
-A INPUT -p tcp -m tcp --dport 22 -j ACCEPT
-A INPUT -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
-A INPUT -j DROP
COMMIT
# Completed on Sat Aug 12 17:39:53 2017
It is probably worth noting how the document suggests to be wary of this kind of configuration, since the behaviour of the firewall depends on the user input.
I'm wondering if there are risks by facing a FTP server on the Open Internet in this way. In general FTP is known not to be the best protocol in terms of security, anyway…
Related videos on Youtube
Dacav
I’m a Computer Scientist and Programmer; I like to hack source code and find elegant software solutions to problems. I believe that a good programmer isn’t just someone who’s proficient with many languages, but someone who knows how to solve a problem. Still, if you know many languages you have better chances to pick the right tool when it’s time to put hands on, so I learned a lot of them. Apart from Computer Science, I’m also a Tai-Chi-Chuan student, an amateur tea connoisseur, and I like reading.
Updated on September 18, 2022Comments
-
Dacav over 1 year
I've installed debian (on my raspberry, but the question is quite generic):
Linux raspberrypi 4.9.28+ #998 Mon May 15 16:50:35 BST 2017 armv6l GNU/Linux
And I'm trying to set up a simple anonymous and plaintext (no SSL) FTP server on it (vsftpd). The TCP port is the regular 21 FTP port, and I'm going to allow only passive mode.
I would like to have a strict firewall configuration, so I'm allowing in only ssh and the aforementioned FTP server.
For this purpose I'm using the
conntrack
module to allow only legit inbound connections. For this reason I loaded withmodprobe
thenf_conntrack_ftp
module:modprobe nf_conntrack_ftp
My iptables configuration:
# Generated by iptables-save v1.4.21 on Sat Aug 12 15:50:44 2017 *filter :INPUT ACCEPT [0:0] :FORWARD ACCEPT [0:0] :OUTPUT ACCEPT [108:11273] -A INPUT -p tcp -m tcp --dport 22 -j ACCEPT -A INPUT -p tcp -m tcp --dport 21 -j ACCEPT -A INPUT -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT -A INPUT -j DROP COMMIT # Completed on Sat Aug 12 15:50:44 2017
With this configuration I'm not able to get the passive data connection to work properly.
I've both set up a tcpdump and added a
-A INPUT j LOG
rule just before the-A INPUT -j DROP
: I can clearly see the inbound packets for the Iptablespassive data connection to be logged and rejected.Some time ago I did pretty much the same setup on a Centos7 machine, where it worked correctly. Am I missing something important?
Thanks for any help :)
-
Hauke Laging over 6 yearsYou can check with
conntrack -L conntrack ; conntrack -L expect
whethernf_conntrack_ftp
sets up the necessary entry. -
meuh over 6 yearsI don't know if it applies but automatic helper assignment is deprecated, so check your dmesg log and perhaps you need to follow the advice in the link and have another rule for your RELATED ftp connections.
-
Dacav over 6 years@HaukeLaging Apparently there's no expectation appearing in there. I can see the control connection getting in from the
conntrack
table. Checking dmesg as suggested by @meuh
-
-
jonhattan about 6 yearsyou are missing
-t raw
in youriptables -A PREROUTING -p tcp -m tcp --dport 21 -j CT --helper ftp
-
telcoM almost 6 yearsThe automatic helper assignment for the netfilter modules was made optional in kernel 3.5 and later disabled by default because some evil people found a way to abuse it. Now the recommended practice is to declare any required helpers explicitly on ports that need them.