4

I've installed debian (on my raspberry, but the question is quite generic):

Linux raspberrypi 4.9.28+ #998 Mon May 15 16:50:35 BST 2017 armv6l GNU/Linux

And I'm trying to set up a simple anonymous and plaintext (no SSL) FTP server on it (vsftpd). The TCP port is the regular 21 FTP port, and I'm going to allow only passive mode.

I would like to have a strict firewall configuration, so I'm allowing in only ssh and the aforementioned FTP server.

For this purpose I'm using the conntrack module to allow only legit inbound connections. For this reason I loaded with modprobe the nf_conntrack_ftp module:

modprobe nf_conntrack_ftp

My iptables configuration:

# Generated by iptables-save v1.4.21 on Sat Aug 12 15:50:44 2017 *filter :INPUT ACCEPT [0:0] :FORWARD ACCEPT [0:0] :OUTPUT ACCEPT [108:11273] -A INPUT -p tcp -m tcp --dport 22 -j ACCEPT -A INPUT -p tcp -m tcp --dport 21 -j ACCEPT -A INPUT -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT -A INPUT -j DROP COMMIT # Completed on Sat Aug 12 15:50:44 2017

With this configuration I'm not able to get the passive data connection to work properly.

I've both set up a tcpdump and added a -A INPUT j LOG rule just before the -A INPUT -j DROP: I can clearly see the inbound packets for the Iptablespassive data connection to be logged and rejected.

Some time ago I did pretty much the same setup on a Centos7 machine, where it worked correctly. Am I missing something important?

Thanks for any help :)

Improve this question
3
  • You can check with conntrack -L conntrack ; conntrack -L expect whether nf_conntrack_ftp sets up the necessary entry. Commented Aug 12, 2017 at 16:23
  • I don't know if it applies but automatic helper assignment is deprecated, so check your dmesg log and perhaps you need to follow the advice in the link and have another rule for your RELATED ftp connections. Commented Aug 12, 2017 at 17:15
  • @HaukeLaging Apparently there's no expectation appearing in there. I can see the control connection getting in from the conntrack table. Checking dmesg as suggested by @meuh Commented Aug 12, 2017 at 17:23

1 Answer 1

Reset to default
7

As suggested by @meuh in a comment, I had a look at the documentation hosted at https://home.regit.org/netfilter-en/secure-use-of-helpers/.

The paragraph "Using the CT target to refine security" explains:

One classic problem with helpers is the fact that helpers listen on predefined ports. If a service does not run on standard port, it is necessary to declare it. Before 2.6.34, the only method to do so was to use a module option. This was resulting in having a systematic parsing of the added port by the chosen helper. This was clearly suboptimal and the CT target has been introduced in 2.6.34. It allows to specify what helper to use for a specific flow. For example, let’s say we have a FTP server on IP address 1.2.3.4 running on port 2121.

To declare it, we can simply do

iptables -A PREROUTING -t raw -p tcp --dport 2121 \\ -d 1.2.3.4 -j CT --helper ftp

It's not my case (since I'm using a regular port 21 for it) but still it seems to work if one wants to enable the ftp helper for inbound connections.

iptables -A PREROUTING -t raw -p tcp -m tcp --dport 21 -j CT --helper ftp

My (working) configuration is now:

# Generated by iptables-save v1.4.21 on Sat Aug 12 17:39:53 2017 *raw :PREROUTING ACCEPT [445:37346] :OUTPUT ACCEPT [375:44051] -A PREROUTING -p tcp -m tcp --dport 21 -j CT --helper ftp COMMIT # Completed on Sat Aug 12 17:39:53 2017 # Generated by iptables-save v1.4.21 on Sat Aug 12 17:39:53 2017 *filter :INPUT ACCEPT [0:0] :FORWARD ACCEPT [0:0] :OUTPUT ACCEPT [169:17775] -A INPUT -p tcp -m tcp --dport 21 -j ACCEPT -A INPUT -p tcp -m tcp --dport 22 -j ACCEPT -A INPUT -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT -A INPUT -j DROP COMMIT # Completed on Sat Aug 12 17:39:53 2017

It is probably worth noting how the document suggests to be wary of this kind of configuration, since the behaviour of the firewall depends on the user input.

I'm wondering if there are risks by facing a FTP server on the Open Internet in this way. In general FTP is known not to be the best protocol in terms of security, anyway…

Improve this answer
2
  • you are missing -t raw in your iptables -A PREROUTING -p tcp -m tcp --dport 21 -j CT --helper ftp Commented May 7, 2018 at 15:23
  • 1
    The automatic helper assignment for the netfilter modules was made optional in kernel 3.5 and later disabled by default because some evil people found a way to abuse it. Now the recommended practice is to declare any required helpers explicitly on ports that need them. Commented Jul 16, 2018 at 12:13

You must log in to answer this question.

Start asking to get answers

Find the answer to your question by asking.

Ask question

Explore related questions

See similar questions with these tags.