active/passive FTP

killerhippy
Posts: 529
Joined: 19. May 2000 19:36

active/passive FTP

#1 Post by killerhippy »

Hi,

I have put together a nice little packet filter script:

Code:

```bash
#!/bin/bash

# stateful firewall, based on the article of Daniel Robbins @
# Intel(R) Developer Services - Designing Flexible and Secure
# Firewalls
#
# interfaces:
# eth0: our LAN
# eth1: our bridged DSL router


# userconfig starts

# full path of the iptables executable
IPT=/sbin/iptables

# set the ip of eth1
IF_ETH1_IP=""

# fill in ip addresses separated by a space for your dns-servers
DNS=""

# give a hostname to be looked up for your dyndns friend
# FRIEND_URL=""

# userconfig ends

# save the default separator, which will be modified below
IFS_SIK=$IFS

usage ()
{
echo "$0 [start|stop]"
} # end usage

fire_on ()
{ echo "starting stateful packetfilter"
local I

# define myfilter, which lets answers come in
$IPT -N myfilter
$IPT -A myfilter -m state --state ESTABLISHED,RELATED -j ACCEPT

# trust all new connections from our internal LAN, whether for us or
# just passing through ("! -i" is the negation syntax current iptables accepts)
$IPT -A myfilter -m state --state NEW ! -i eth1 -j ACCEPT

# packets not yet matched by our rules must be invalid:
# fake "no service here" for incoming requests, with logging
$IPT -A myfilter -j LOG --log-prefix "INVALID:" --log-level notice
$IPT -A myfilter -p tcp -j REJECT --reject-with tcp-reset
$IPT -A myfilter -j REJECT --reject-with icmp-port-unreachable

# Set up SNAT so that machines on our LAN can use our DSL router

#$IPT -t nat -A POSTROUTING -o eth1 -j SNAT --to $IF_ETH1_IP

# Else set up the OUTPUT CHAIN instead

# OUTPUT CHAIN
$IPT -A OUTPUT -m state --state NEW -j ACCEPT
$IPT -A OUTPUT -j myfilter

# INPUT CHAIN

# special for dns, enables looking up hostnames early
for I in $DNS; do
$IPT -A INPUT -p udp -s $I --sport 53 \
--dport 1023: -i eth1 -j ACCEPT
$IPT -A INPUT -p tcp -s $I --sport 53 \
--dport 1023: -i eth1 -j ACCEPT
$IPT -A OUTPUT -p udp --sport 1023: \
-d $I --dport 53 -o eth1 -j ACCEPT
$IPT -A OUTPUT -p tcp --sport 1023: \
-d $I --dport 53 -o eth1 -j ACCEPT
done

# free public services

# find out carsten's actual ip address
if [ -n "$FRIEND_URL" ]; then
FRIENDS_DYNDNS=`nslookup -sil $FRIEND_URL | sed \
-n -e "s/Address: //p"`
if [ -z "$FRIENDS_DYNDNS" ]; then
echo "dyndnsfriend is offline"
else
echo "good ip $FRIENDS_DYNDNS for dyndnsfriend"
fi
fi

# if we have a good ip for FRIENDS_DYNDNS, set SERVICES
if [ -n "$FRIENDS_DYNDNS" ]; then
echo "enabling SERVICES"
IFS=","
# entries are "port [ip address]" (space separated), separated from
# each other by a comma, e.g. "ssh 1.2.3.4,www"
SERVICES="ssh $FRIENDS_DYNDNS"
fi

for I in $SERVICES; do
IFS=" "
set $I
if [ -n "$2" ]; then
echo "service $1 for $2"
$IPT -A INPUT -p tcp --dport $1 -m state --state NEW \
-s $2 -j ACCEPT
else
echo "service $1 for all"
$IPT -A INPUT -p tcp --dport $1 -m state --state NEW \
-j ACCEPT
fi
done
IFS=$IFS_SIK

# log any pings to our firewall box from the Internet (max 1/minute)

$IPT -A INPUT -p icmp -i eth1 --icmp-type echo-request -m limit \
--limit 1/minute -j LOG --log-prefix "PING:" --log-level notice

# accept up to 2 pings per second to our firewall box from the Internet

$IPT -A INPUT -p icmp -i eth1 --icmp-type echo-request -m limit \
--limit 2/second -j ACCEPT

# the real input chain which does the work

$IPT -A INPUT -j myfilter

# FORWARD CHAIN

# simply forward all FORWARD traffic to our myfilter chain.
# if any traffic were to make it through the myfilter chain,
# it would fall off the end of the FORWARD chain and get a
# default policy of DENY.

$IPT -A FORWARD -j myfilter


} # end fire_on

scheune_dicht ()
{ echo "stopping stateful packetfilter"
########
## set policies defaults to deny
$IPT -F # flush all chain rules
$IPT -X # delete all not builtin chains
$IPT -Z # zero all counters
$IPT -P INPUT DROP # deny all input
$IPT -P OUTPUT DROP # deny all output
$IPT -P FORWARD DROP # deny all forwarding

## keep lo running
$IPT -A INPUT -i lo -j ACCEPT
$IPT -A OUTPUT -o lo -j ACCEPT
$IPT -A OUTPUT -f -o lo -j ACCEPT
} # end scheune_dicht

if [ "$#" -lt 1 ]; then
echo "ERROR: not enough args."
usage
exit 1
fi


case "$1" in
start)
### SYSCTL: PERFORMANCE TUNING, DoS, ETC -------------------------------------
# Definitions @ http://www.tldp.org/HOWTO/Adv-Routing-HOWTO-13.html
#
echo 1 > /proc/sys/net/ipv4/ip_forward # Enable IP masq
echo 1 > /proc/sys/net/ipv4/ip_dynaddr # Rewrite new address
echo 1 > /proc/sys/net/ipv4/tcp_syncookies # TCP SYN overload
echo 1 > /proc/sys/net/ipv4/icmp_echo_ignore_broadcasts # Smurf amplify off
echo 1 > /proc/sys/net/ipv4/conf/all/log_martians # Spoof/route/redir
echo 0 > /proc/sys/net/ipv4/tcp_timestamps # Uptime/GB Ethernet
echo 0 > /proc/sys/net/ipv4/conf/all/accept_redirects # ICMP redirects off
echo 0 > /proc/sys/net/ipv4/conf/all/accept_source_route # No return path mod
echo 1 > /proc/sys/net/ipv4/icmp_ignore_bogus_error_responses # No bad msgs

## Antispoofing
for f in /proc/sys/net/ipv4/conf/*/rp_filter; do echo 1 > $f; done

scheune_dicht
fire_on
;;
stop)
echo 0 > /proc/sys/net/ipv4/ip_forward
echo 0 > /proc/sys/net/ipv4/ip_dynaddr
echo 0 > /proc/sys/net/ipv4/tcp_syncookies
echo 0 > /proc/sys/net/ipv4/icmp_echo_ignore_broadcasts
echo 0 > /proc/sys/net/ipv4/conf/all/log_martians
echo 1 > /proc/sys/net/ipv4/tcp_timestamps
echo 1 > /proc/sys/net/ipv4/conf/all/accept_redirects
echo 1 > /proc/sys/net/ipv4/conf/all/accept_source_route
echo 0 > /proc/sys/net/ipv4/icmp_ignore_bogus_error_responses
for f in /proc/sys/net/ipv4/conf/*/rp_filter; do echo 0 > $f; done

scheune_dicht
$IPT -P INPUT ACCEPT
$IPT -P OUTPUT ACCEPT
;;

*) echo "ERROR: wrong args."
usage
exit 1
;;
esac
```

which works satisfactorily, but I have problems with FTP.

Both active and passive FTP run into difficulties because the data channel gets blocked.

I think the idea of the "stateful firewall" is great, not least because the script itself stays small. How do I get it, on that basis, so that the incoming packets for the data channel of an existing FTP connection are recognized by iptables through the script's logic and let through?
There are no stupid questions!

Killerhippy

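Why the data channel is blocked: with `-m state` alone, conntrack only sees the FTP control connection on port 21. The data connection is a separate TCP connection (in active mode the server opens it towards a port the client announced with PORT; in passive mode the client opens it towards a port the server announced in its 227 reply), so it is classified NEW, fails the `! -i eth1` rule when it comes in on eth1, and ends up at the REJECT rules in myfilter. The fix is to let conntrack parse the control channel with the FTP helper; the data connection then becomes RELATED and the existing `ESTABLISHED,RELATED -j ACCEPT` rule in myfilter matches it, with no per-port holes. The following is an added example, not part of the original post and not the author's script; it assumes FTP on port 21, eth1 as the Internet side, and a kernel that ships the `nf_conntrack_ftp` helper (older 2.4/2.6 kernels called it `ip_conntrack_ftp`, which the fallback covers). Setting `DRY_RUN=1` prints the commands instead of running them.

```shell
#!/bin/sh
# Added example (not from the original post): make the FTP data channel
# show up as RELATED so the existing "myfilter" chain accepts it.
# Assumptions (not stated on the page): FTP control port 21, eth1 is the
# Internet side, nf_conntrack_ftp is available. DRY_RUN=1 echoes commands.

IPT=${IPT:-/sbin/iptables}
FTP_PORT=${FTP_PORT:-21}

# Run a command, or only print it when DRY_RUN is set.
run () {
    if [ -n "$DRY_RUN" ]; then
        echo "$*"
    else
        "$@"
    fi
}

# 1. Load the control-channel parser. Without it conntrack never learns the
#    port announced in a PORT command (active) or a 227 reply (passive), so
#    the data connection is NEW instead of RELATED. Fall back to the old
#    2.4/2.6 module name if the new one does not exist.
load_ftp_helper () {
    run modprobe nf_conntrack_ftp 2>/dev/null || run modprobe ip_conntrack_ftp
    # Only needed when the box also SNATs LAN clients (the commented-out
    # POSTROUTING rule in the script): rewrites the address inside PORT/227.
    run modprobe nf_nat_ftp 2>/dev/null || run modprobe ip_nat_ftp
}

# 2. Since Linux 4.7 helpers are no longer attached to connections
#    automatically (net.netfilter.nf_conntrack_helper defaults to 0).
#    Attach the ftp helper explicitly in the raw table, before conntrack
#    classifies the packet: PREROUTING covers LAN clients passing through
#    the box, OUTPUT covers FTP sessions started by the box itself.
#    Older kernels do not need these rules.
attach_ftp_helper () {
    run "$IPT" -t raw -A PREROUTING -p tcp --dport "$FTP_PORT" -j CT --helper ftp
    run "$IPT" -t raw -A OUTPUT -p tcp --dport "$FTP_PORT" -j CT --helper ftp
}

# 3. Nothing in the filter table changes: myfilter's
#    "-m state --state ESTABLISHED,RELATED -j ACCEPT" now matches the data
#    channel because the helper marks it RELATED.
ftp_rules () {
    load_ftp_helper
    attach_ftp_helper
}

# Verification after deploying: during a transfer the control connection
# should carry "helper=ftp" in the conntrack table, e.g.
#   conntrack -L | grep 'helper=ftp'
# and the data connection should no longer appear in the "INVALID:" log lines.

if [ "${1:-}" = "apply" ]; then
    ftp_rules
fi
```

Usage: `sh ftp_helper.sh apply` after the main script's `start`, or call `ftp_rules` from inside `fire_on`; `DRY_RUN=1 sh ftp_helper.sh apply` shows what would be executed. Keeping the helper in the raw table rather than opening port ranges is deliberate: the helper only admits the single data connection that the control channel announced, and only while that control connection exists.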