On Fri, Nov 11, 2005 at 10:20:52PM +0100, Andreas Unterkircher wrote:
> You could try to match on helper within iptables. Should be something like
>
> iptables -A FORWARD --match conntrack --ctproto tcp --ctstate
> RELATED,ESTABLISHED --match helper --helper ftp -j CLASSIFY ....
>
> Perhaps this will match your data channel.
>
About 6 months ago I wrote iptables rules for DNATing incoming
connections to an ftp server behind NAT:

${ipt} -t nat -A PREROUTING -i eth0 -p tcp -s ${src} -d ${fw_ip}/32 --dport 8181 -j DNAT --to-destination ${ftp_int}
${ipt} -t nat -A PREROUTING -i eth0 -p tcp -s ${src} -d ${fw_ip}/32 -m helper --helper ftp-8181 -j DNAT --to-destination ${ftp_int}
${ipt} -A FORWARD -p tcp -i eth0 -s ${src} -d ${ftp_int} --dport 8181 -m state --state NEW -j ACCEPT
${ipt} -A FORWARD -p tcp -i eth0 -s ${src} -d ${ftp_int} -m helper --helper ftp-8181 -m state --state NEW,RELATED -j ACCEPT

8181 - ftp port
src - source address
fw_ip - firewall ip (external)
ftp_int - ftp server internal ip.
Everything was great, but the firewall sometimes hung without a kernel panic,
maybe some deadlock in the ftp conntrack code or in the ftp helper. Kernel was
2.4.20 or 22.
/pch
--
Dyslexia bug unpatched since 1977 ...
exploit has been leaked to the underground.
_______________________________________________
LARTC mailing list
[email protected]
http://mailman.ds9a.nl/cgi-bin/mailman/listinfo/lartc
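The same setup (ftp server on a non-standard control port behind a DNAT firewall, data channel matched through the conntrack helper) written for a current kernel, as an added example; this is not code from the thread above. It assumes the nf_conntrack_ftp/nf_nat_ftp modules of a 2.6+/4.x+ kernel and uses the CT target to attach the helper, since kernels from 4.7 on no longer assign helpers automatically (net.netfilter.nf_conntrack_helper defaults to 0). With the CT target the helper keeps its default name "ftp", so the helper match uses "ftp" where the original rules used "ftp-8181" (that suffixed name only exists when the module is loaded with ports=21,8181). The interface name and all addresses are constructed placeholders.

```shell
#!/bin/sh
# Added example, not from the original post. Builds DNAT + helper rules for
# an FTP server on a non-standard control port behind a NAT firewall, using
# the CT target to attach the ftp helper (required on kernels >= 4.7, where
# automatic helper assignment is disabled by default).
#
# DRY_RUN=1 (default) prints the commands instead of executing them, so the
# rule set can be reviewed on any machine. Run with DRY_RUN=0 as root to apply.

IPT=${IPT:-iptables}
DRY_RUN=${DRY_RUN:-1}

EXT_IF=eth0              # external interface (assumed)
FW_IP=203.0.113.10       # firewall external address (constructed, TEST-NET-3)
FTP_INT=192.168.1.20     # FTP server internal address (constructed)
FTP_PORT=8181            # non-standard FTP control port, as in the post
SRC=0.0.0.0/0            # narrow this to the client network(s) where possible

# Print or execute a command depending on DRY_RUN.
run() {
    if [ "$DRY_RUN" = 1 ]; then
        printf '%s\n' "$*"
    else
        "$@"
    fi
}

ftp_nat_rules() {
    # Helper and its NAT companion. No ports= parameter is needed because the
    # CT rule below attaches the helper to the connection explicitly.
    run modprobe nf_conntrack_ftp
    run modprobe nf_nat_ftp

    # 1. Attach the "ftp" helper to control connections arriving on FTP_PORT.
    #    The raw table runs before conntrack creates the entry, which is the
    #    only place the CT target can be used.
    run $IPT -t raw -A PREROUTING -i $EXT_IF -p tcp -s $SRC -d $FW_IP/32 \
        --dport $FTP_PORT -j CT --helper ftp

    # 2. DNAT the control connection to the internal server. Data connections
    #    the helper expects (PASV) inherit the translation through nf_nat_ftp,
    #    so no second DNAT rule keyed on the helper is needed.
    run $IPT -t nat -A PREROUTING -i $EXT_IF -p tcp -s $SRC -d $FW_IP/32 \
        --dport $FTP_PORT -j DNAT --to-destination $FTP_INT

    # 3. Forward the control connection (NEW) ...
    run $IPT -A FORWARD -i $EXT_IF -p tcp -s $SRC -d $FTP_INT --dport $FTP_PORT \
        -m conntrack --ctstate NEW -j ACCEPT

    # 4. ... and only those data connections the ftp helper expected (RELATED),
    #    not arbitrary new connections to the server. Replace -j ACCEPT with
    #    -j CLASSIFY (mangle table) to tag the data channel for tc instead.
    run $IPT -A FORWARD -i $EXT_IF -p tcp -s $SRC -d $FTP_INT \
        -m helper --helper ftp -m conntrack --ctstate RELATED -j ACCEPT
}

# After applying, an open control session should be listed with helper=ftp
# (requires conntrack-tools).
check_helper() {
    run conntrack -L -p tcp --dport "$FTP_PORT"
}

ftp_nat_rules
```

Apply with `DRY_RUN=0 sh ftp-nat.sh` as root, open a passive-mode session through the firewall and run `check_helper`; the control connection should show `helper=ftp`, and the FORWARD counter of rule 4 should increase as data connections are opened. If rule 4 never matches, the helper is not attached and the CT rule (or the module load) is the first thing to verify.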