On Wed, 2016-07-27 at 09:06 -0500, Wilfredo Martínez Consuegra wrote:
> Greetings Moya,
> could you share the information that is at the link?
> I don't have internet access.
> [1]: https://serverfault.com/a/426891/73788
> 
> regards
> 
> whilo
> 
> --
> 
> M.Sc. Wilfredo Martínez Consuegra.
> Human Resources Specialist
> Empresa Constructora de Obras para el Turismo
> Cayo Santa María, Villa Clara
> 
> Work:
> (+53)42350148
> wilfr...@ecotsm.co.cu
> 
> Personal:
> (+53) 53 664 665
> wh...@nauta.cu 
> 
> 
> -----Original Message-----
> From: gutl-l-boun...@jovenclub.cu [mailto:gutl-l-boun...@jovenclub.cu] On behalf of Maykel Moya
> Sent: Tuesday, 26 July 2016 17:48
> To: Cuban technical support list on Free Technologies
> Subject: Re: [Gutl-l] On netfilter and TTLs
> 
> On 26/07/16 07:27, Hugo Florentino wrote:
> 
> Hi, Hugo
> 
> > Netfilter has the TTL target with the --ttl-set option, which would seem
> > to do the job, but unfortunately it has little or nothing to do with the
> > packet's lifetime in seconds; instead it sets the maximum number of hops
> > allowed through routers.
> 
> Indeed, the name 'TTL' was unfortunate, since it is a hop count and not a
> unit of time.
> 
> > Specifically, I would like incoming TCP packets destined for port 80
> > with connection state new (NEW) to have their TTL changed to 20 seconds,
> > but only those. I don't want to modify the TTL of the remaining
> > packets.
> 
> Maybe you can achieve it using the iptables recent module. Here[1] I give
> a solution on how to use recent to open the ports of the ftp data
> connection when the control connection is encrypted.
> It could be a starting point.
> 
> If you manage it, please share it, since I'm curious.
> 
> Regards,
> maykel
> 
> [1]: https://serverfault.com/a/426891/73788
> 
> 
> ______________________________________________________________________
> Mailing list of the Grupo de Usuarios de Tecnologías Libres de Cuba (Cuban Free Technologies Users Group).
> Gutl-l@jovenclub.cu
> https://listas.jovenclub.cu/cgi-bin/mailman/listinfo/gutl-l

Question (6 votes):

I am using vsftpd with active ftp. I have the module
"ip_conntrack_ftp" (in /etc/sysconfig/iptables-config) on and port 21 is
open. Connecting with FTP works, but FTPS doesn't. I can log in but get
no listing:

227 Entering Passive Mode
LIST -a

When stopping the firewall it works (I mean iptables on the ftp server
itself). I read in
http://www.experts-exchange.com/Software/Server_Software/File_Servers/FTP/Q_22418222.html
 that it's not possible to use FTPS with active FTP. Is this true?

My iptables configuration:

*filter
:INPUT DROP [15:2752]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [132:159725]
-A INPUT -i lo -j ACCEPT
-A INPUT -d 127.0.0.0/255.0.0.0 -i ! lo -j REJECT --reject-with icmp-port-unreachable
-A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
-A INPUT -p icmp -m icmp --icmp-type 8 -j ACCEPT
-A INPUT -p tcp -m tcp --dport 22 -j ACCEPT
-A INPUT -p tcp -m tcp --dport 80 -j ACCEPT
-A INPUT -p tcp -m tcp --dport 443 -j ACCEPT
-A INPUT -p tcp -m tcp --dport 21 -j ACCEPT
-A INPUT -p tcp -m tcp --dport 21 -m state --state NEW -j ACCEPT
-A INPUT -p tcp -m tcp --dport 990 -j ACCEPT
-A INPUT -p tcp -m tcp --dport 989 -j ACCEPT
COMMIT

Tags: iptables ftp vsftpd

asked Feb 21 '12 at 14:15 by user74952 (edited Feb 13 at 18:26 by Castaglia)

3 Answers

Accepted answer (5 votes):

I have run into this issue. It looks like you need to open up the ftp
data transfer range of ports when using FTP with explicit TLS/SSL. Try
the following:

iptables -A INPUT -p tcp --sport 1024: --dport 64000:65535 -m state --state ESTABLISHED -j ACCEPT

iptables -A OUTPUT -p tcp --sport 64000:65535 --dport 1024: -m state --state ESTABLISHED,RELATED -j ACCEPT

answered Feb 21 '12 at 14:40 by Nic Young

This doesn't work for me. This looks incorrect as you cannot guarantee
the client will use a port above 64000. Thanks. – user74952 Feb 21 '12
at 14:48

Can you elaborate on what is not working? I have just run the above
commands and they work correctly. You generally have to open these port
ranges, as per this article. – Nic Young Feb 21 '12 at 14:59

Good reference! I have now: – user74952 Feb 21 '12 at 15:24

Can you post any error messages you are receiving when connecting to the
server? – Nic Young Feb 21 '12 at 15:36

I have now "227 Entering Passive Mode" followed by "LIST -a". Same
thing. In the document you reference, in file
vsftpd_virtual_config_withTLS.sh I see they use "pasv_max_port" and
"pasv_min_port". I thought these options were only usable for passive
ftp connections. I should have sent the vsftpd.conf configuration file.
It works now. Thanks! – user74952 Feb 21 '12 at 15:38

Answer (4 votes):

You need to explicitly allow access to the ftp-data incoming port range.
Nic's answer recommends statically opening the full range, but that
might be too open. Besides, RELATED is useless in this case because the
conntrack_ftp module can't snoop an encrypted control connection.

My recommendation is to use the recent match. Try the following:

iptables -N in_new
iptables -A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
iptables -A INPUT -m state --state NEW -j in_new
iptables -A in_new -p tcp --sport 1024: --syn --dport 64000:65535 -m recent --name ftpdata --update --seconds 1800 --reap -j ACCEPT
iptables -A in_new -p tcp               --syn --dport ftp         -m recent --name ftpdata --set -j ACCEPT

The --set rule will be matched by the control connection and will add the
source ip to the ftpdata recent list. The --update rule will do most of the
interesting work:

- It will match if the source address of the packet is in the ftpdata
  list (--update) and the source address was seen within the last 1800
  seconds (--seconds 1800).
- If matched, the "last seen" timestamp of the source address will be
  updated (--update).
- Entries in the ftpdata list not seen in the last 1800 seconds will be
  removed (--reap).

So, after the control connection was ACCEPTed, you have 1800 seconds to
initiate data connections. After that time you will need to reopen the
control connection to get the source address re-added to the ftpdata
list.

An inconvenience of this solution is that ftp clients would not be able
to initiate data connections after 1800 seconds from their last control
connection establishment time. You could use 24h if you like; it will
still be less open than having the full port range permanently opened.
You can also have a sequence like:

iptables -A INPUT -m state --state ESTABLISHED -p tcp --dport ftp -m recent --name ftpdata --set
iptables -A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT

to refresh the source address whenever an established control connection
packet comes in but I prefer to have the --state RELATED,ESTABLISHED
rule near the top.

Check also accept_timeout, data_connection_timeout and
idle_session_timeout params of vsftpd.conf.
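Added example, not from the thread above and not iptables code: a small Python model of the ftpdata recent list, so the --set / --update --seconds --reap behaviour the answer describes can be traced on a constructed packet sequence. The 1800-second window and the 64000:65535 data range come from the rules above; the addresses and timestamps are made up.

```python
from dataclasses import dataclass

WINDOW = 1800                      # --seconds 1800 in the --update rule
DATA_PORTS = range(64000, 65536)   # --dport 64000:65535 (vsftpd pasv range)

@dataclass
class Packet:
    t: int        # arrival time in seconds (constructed sample clock)
    src: str      # source address, the key the recent list stores
    dport: int
    syn: bool     # --syn: first packet of a new TCP connection

def reap(ftpdata, now):
    """--reap: forget entries not seen within the last WINDOW seconds."""
    for ip in [ip for ip, seen in ftpdata.items() if now - seen > WINDOW]:
        del ftpdata[ip]

def in_new(pkt, ftpdata):
    """Verdict of the in_new chain for one NEW packet. ftpdata models the
    'recent' list: source address -> last-seen timestamp."""
    # rule 1: data-port SYN, -m recent --update --seconds 1800 --reap
    if pkt.syn and pkt.dport in DATA_PORTS:
        reap(ftpdata, pkt.t)
        if pkt.src in ftpdata:          # still within the window
            ftpdata[pkt.src] = pkt.t    # --update refreshes last-seen
            return "ACCEPT"
    # rule 2: control-port SYN (--dport ftp), -m recent --set
    if pkt.syn and pkt.dport == 21:
        ftpdata[pkt.src] = pkt.t
        return "ACCEPT"
    return "DROP"                       # nothing matched: INPUT policy DROP

def simulate(packets):
    """Run packets through in_new in order; return verdicts and final list."""
    ftpdata = {}
    return [in_new(p, ftpdata) for p in packets], ftpdata

# Constructed trace: one client keeps its window alive, then lets it lapse;
# a second host never opened a control connection at all.
SAMPLE = [
    Packet(0,    "10.0.0.5", 21,    True),   # control connection: --set
    Packet(10,   "10.0.0.5", 64010, True),   # data connection inside window
    Packet(1700, "10.0.0.5", 64011, True),   # refreshes last-seen to 1700
    Packet(3400, "10.0.0.5", 64012, True),   # 1700 s since refresh: still ok
    Packet(5300, "10.0.0.5", 64013, True),   # 1900 s idle: dropped and reaped
    Packet(5310, "10.0.0.9", 64020, True),   # no control connection: dropped
    Packet(5320, "10.0.0.5", 21,    True),   # reopen control: re-added
    Packet(5330, "10.0.0.5", 64013, True),   # data connections work again
]
```

Running `simulate(SAMPLE)` shows the window sliding forward with each accepted data connection and the client being locked out once it stays idle past 1800 seconds until it opens a new control connection.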

-- 
Cheers
 ________________________
 Ulinx
 Linux user 366775
"In a problem with n equations
there will always be at least n+1 unknowns."

