Hi Tom,

I see that only FTP passive mode works, but are there any other settings
that I need to enable for active mode to work? I believe
Linux nf_nat_ftp and nf_conntrack_ftp should take care of the mapping
correctly, and I see they are getting loaded.

ubuntu@BR2-UBUNTU1:~$ ftp 144.208.69.31
Connected to 144.208.69.31.
220---------- Welcome to Pure-FTPd [privsep] [TLS] ----------
220-You are user number 18 of 150 allowed.
220-Local time is now 17:01. Server port: 21.
220-This is a private system - No anonymous login
220-IPv6 connections are also welcome on this server.
220 You will be disconnected after 30 minutes of inactivity.
Name (144.208.69.31:ubuntu): dlpu...@dlptest.com
331 User dlpu...@dlptest.com OK. Password required
Password:
230 OK. Current restricted directory is /
Remote system type is UNIX.
Using binary mode to transfer files.
ftp> ls
500 I won't open a connection to 10.24.8.11 (only to 96.64.220.253)
ftp: bind: Address already in use

conntrack entry:
tcp      6 430709 ESTABLISHED src=10.24.8.11 dst=144.208.69.31 sport=53478 dport=21 src=144.208.69.31 dst=10.24.8.117 sport=21 dport=53478 [ASSURED] mark=0 zone=4 use=1

30-001011-4894:/log/home/test# shorewall show capabilities | grep FTP
   FTP Helper: Available
   FTP-0 Helper: Not available
   TFTP Helper: Available
   TFTP-0 Helper: Not available

naveen:Desktop naveen$ cat shorewall.dump | grep ftp
    2   120 CT         tcp  --  *      *       0.0.0.0/0            0.0.0.0/0            tcp dpt:21 flags:0x17/0x02 CT helper ftp
    0     0 CT         udp  --  *      *       0.0.0.0/0            0.0.0.0/0            udp dpt:69 CT helper tftp
    0     0 CT         tcp  --  *      *       0.0.0.0/0            0.0.0.0/0            tcp dpt:21 flags:0x17/0x02 CT helper ftp
    0     0 CT         udp  --  *      *       0.0.0.0/0            0.0.0.0/0            udp dpt:69 CT helper tftp
nf_conntrack           87221  32 nf_nat_pptp,nf_conntrack_sip,nf_conntrack_irc,xt_nat,nf_nat_h323,nf_conntrack_ftp,nf_nat_sip,openvswitch,nf_conntrack_ipv4,nf_conntrack_tftp,xt_NETMAP,ipt_MASQUERADE,nf_nat_irc,xt_connmark,nf_conntrack_pptp,nf_conntrack_amanda,xt_helper,nf_conntrack_broadcast,nf_nat_ftp,nf_conntrack_sane,nf_nat_amanda,xt_connlimit,nf_conntrack_netlink,nf_conntrack_netbios_ns,nf_conntrack_proto_gre,xt_CT,nf_nat_masquerade_ipv4,nf_conntrack_h323,xt_conntrack,nf_nat_ipv4,nf_nat_tftp,nf_nat
nf_conntrack_ftp        6942  3 nf_nat_ftp
nf_conntrack_tftp       4017  3 nf_nat_tftp
nf_nat                 15273  13 nf_nat_pptp,nf_nat_proto_gre,xt_nat,nf_nat_h323,nf_nat_sip,openvswitch,xt_NETMAP,nf_nat_irc,nf_nat_ftp,nf_nat_amanda,nf_nat_masquerade_ipv4,nf_nat_ipv4,nf_nat_tftp
nf_nat_ftp              2092  0
nf_nat_tftp             1286  0

Please let me know if you need any other information.

Thanks,
Naveen
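The server's refusal above ("I won't open a connection to 10.24.8.11 (only to 96.64.220.253)") is the symptom of an active-mode PORT command that left the firewall still carrying the client's LAN address: rewriting that address to the NATed one is exactly the job of nf_nat_ftp, and it can only do so when the ftp helper is attached to the control connection. The following is an added example, not code from this thread or from Shorewall, and all addresses and conntrack lines in it are constructed. It parses PORT/EPRT commands, shows the rewrite the helper performs, classifies a command the way a strict server such as Pure-FTPd judges it, and scans `conntrack -L` style output for port-21 flows that have no `helper=` field (the field a helper-attached flow carries).

```python
"""Added example, not code from the thread or from Shorewall: what the ftp
NAT helper has to do to an active-mode PORT/EPRT command, and how to spot
control connections in conntrack output that have no helper attached.
All addresses and conntrack lines below are constructed."""
import ipaddress
import re

# PORT h1,h2,h3,h4,p1,p2 (RFC 959) and EPRT |proto|addr|port| (RFC 2428)
PORT_RE = re.compile(r"^PORT\s+(\d+),(\d+),(\d+),(\d+),(\d+),(\d+)\s*$", re.I)
EPRT_RE = re.compile(r"^EPRT\s+\|([12])\|([^|]+)\|(\d+)\|\s*$", re.I)


def parse_port_command(line):
    """Return (address, port) advertised by a PORT or EPRT command, else None."""
    m = PORT_RE.match(line)
    if m:
        nums = [int(x) for x in m.groups()]
        if any(n > 255 for n in nums):
            return None
        return "%d.%d.%d.%d" % tuple(nums[:4]), nums[4] * 256 + nums[5]
    m = EPRT_RE.match(line)
    if m:
        try:
            ipaddress.ip_address(m.group(2))
        except ValueError:
            return None
        return m.group(2), int(m.group(3))
    return None


def rewrite_port_command(line, translated_ip):
    """The rewrite nf_nat_ftp performs on a source-NATed control connection:
    the advertised address becomes the translated one and the port is kept
    (the helper also registers an expectation so the server's connection
    back to that port is mapped to the client)."""
    parsed = parse_port_command(line)
    if parsed is None:
        return line
    _, port = parsed
    if line.upper().startswith("EPRT"):
        return "EPRT |1|%s|%d|" % (translated_ip, port)
    return "PORT %s,%d,%d" % (translated_ip.replace(".", ","), port // 256, port % 256)


def classify_port_command(line, control_src_ip):
    """Judge a PORT/EPRT command the way a strict server does: the advertised
    address must equal the source address of the control connection."""
    parsed = parse_port_command(line)
    if parsed is None:
        return "unparsable"
    addr, _ = parsed
    if addr == control_src_ip:
        return "ok"
    if ipaddress.ip_address(addr).is_private:
        return "private-address-leak"   # NAT helper did not rewrite the command
    return "third-party-address"        # a strict server refuses this as well


HELPER_FIELD = re.compile(r"\bhelper=\w+")
CONTROL_PORT = re.compile(r"\bdport=21\b")
ORIG_SRC = re.compile(r"\bsrc=(\S+)")


def control_flows_without_helper(conntrack_lines):
    """From `conntrack -L` style lines, return the original-direction source
    addresses of port-21 flows that carry no helper= field. Without the
    helper, PORT leaves the firewall with the client's private address."""
    missing = []
    for line in conntrack_lines:
        if CONTROL_PORT.search(line) and not HELPER_FIELD.search(line):
            missing.append(ORIG_SRC.search(line).group(1))
    return missing


SAMPLE_CONNTRACK = [  # constructed sample entries
    # helper attached: this is what a working active-mode setup looks like
    "tcp 6 431999 ESTABLISHED src=10.24.8.11 dst=203.0.113.5 sport=53478 dport=21 "
    "src=203.0.113.5 dst=198.51.100.7 sport=21 dport=53478 [ASSURED] mark=0 helper=ftp use=1",
    # no helper attached: PORT will be sent with the private address
    "tcp 6 430709 ESTABLISHED src=10.24.8.12 dst=203.0.113.5 sport=53480 dport=21 "
    "src=203.0.113.5 dst=198.51.100.7 sport=21 dport=53480 [ASSURED] mark=0 zone=4 use=1",
    # unrelated flow
    "tcp 6 120 ESTABLISHED src=10.24.8.13 dst=203.0.113.9 sport=40000 dport=443 "
    "src=203.0.113.9 dst=198.51.100.7 sport=443 dport=40000 [ASSURED] mark=0 use=1",
]

if __name__ == "__main__":
    cmd = "PORT 10,24,8,11,209,46"  # constructed: client advertises its LAN address
    print(parse_port_command(cmd))                              # ('10.24.8.11', 53550)
    print(classify_port_command(cmd, "198.51.100.7"))           # private-address-leak
    fixed = rewrite_port_command(cmd, "198.51.100.7")
    print(fixed, classify_port_command(fixed, "198.51.100.7"))  # PORT 198,51,100,7,209,46 ok
    print(control_flows_without_helper(SAMPLE_CONNTRACK))       # ['10.24.8.12']
```

Feeding the real `conntrack -L` output into `control_flows_without_helper` is the quick check for whether the CT helper rule is actually being hit for a given flow: a port-21 entry without `helper=ftp` means nf_nat_ftp never sees that control connection, so no PORT rewrite and no expectation for the data connection.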

On Fri, Dec 28, 2018 at 2:52 PM Naveen Neelakanta <naveen.b.neelaka...@gmail.com> wrote:

> Hi Tom ,
>
> I got it resolved by just moving the zone in the conntrack file above
> AUTOHELPER
>
> cat /etc/shorewall/conntrack
> #
> # Shorewall version 4 - conntrack File
> #
> # For information about entries in this file, type man shorewall-conntrack
> #
>
> ##############################################################################################################
> ?FORMAT 3
> #ACTION                 SOURCE          DESTINATION     PROTO   DEST    SOURCE  USER/  SWITCH
> #                                                                PORT(S) PORT(S) GROUP
> IPTABLES(CT --zone 2):O     0.0.0.0/0      eth3
> IPTABLES(CT --zone 2)      veth-e3-p               -
>
> ?if $AUTOHELPERS && __CT_TARGET
> ?if __FTP_HELPER
> CT:helper:ftp:PO        -               -               tcp     21
> ?endif
> ?endif
>
> However, I was looking for DROP counters using "iptables -L -nv | grep
> DROP".
> What's the right way to display DROP flows in this scenario and check
> the drop counters?
>
> Thanks,
> Naveen
>
> On Fri, Dec 28, 2018 at 1:41 PM Tom Eastep <teas...@shorewall.net> wrote:
>
>> On 12/28/18 10:48 AM, Naveen Neelakanta wrote:
>> >
>> > Hi All,
>> >
>> > I am facing issues with FTP traffic. When the client initiates the
>> > FTP connection, I see it leave the internet interface after getting
>> > NATed with the internet interface IP. I see the return traffic on the
>> > internet interface, but I don't see it getting forwarded, nor hitting the
>> > conntrack entry.
>> > I have enabled the FTP helper in /etc/shorewall/conntrack; I am using
>> > Shorewall version "5.2.0.4".
>> >
>> > Let me know if i am missing something.
>> >
>> > ?if $AUTOHELPERS && __CT_TARGET
>> > ?if __FTP_HELPER
>> > CT:helper:ftp:PO        -               -               tcp     21
>> > ?endif
>> > ?endif
>> >
>> > I have AUTOHELPERS=yes in shorewall.conf
>> >
>> > #lsmod | grep nf_nat_ftp
>> > nf_nat_ftp              2028  0
>> > nf_conntrack_ftp        6942  3 nf_nat_ftp
>> > nf_nat                 15273  12 nf_nat_pptp,nf_nat_proto_gre,xt_nat,nf_nat_h323,nf_nat_sip,openvswitch,nf_nat_irc,nf_nat_ftp,nf_nat_amanda,nf_nat_masquerade_ipv4,nf_nat_ipv4,nf_nat_tftp
>> > nf_conntrack           87157  28 nf_nat_pptp,nf_conntrack_sip,nf_conntrack_irc,xt_nat,nf_nat_h323,nf_conntrack_ftp,nf_nat_sip,openvswitch,nf_conntrack_ipv4,nf_conntrack_tftp,ipt_MASQUERADE,nf_nat_irc,nf_conntrack_pptp,nf_conntrack_amanda,nf_conntrack_broadcast,nf_nat_ftp,nf_conntrack_sane,nf_nat_amanda,nf_conntrack_netlink,nf_conntrack_netbios_ns,nf_conntrack_proto_gre,xt_CT,nf_nat_masquerade_ipv4,nf_conntrack_h323,xt_conntrack,nf_nat_ipv4,nf_nat_tftp,nf_nat
>> >
>> >
>>
>> The helper is not required in order to establish the initial control
>> connection. So if you are having problems with that part, the issue
>> doesn't involve the helper. The helper gets involved during establishment
>> of the data connection created to handle get, put, ls, etc.
>>
>> It sounds like the 'client' in this case is in your local LAN? If so,
>> the CT rule would be hit in the nat table PREROUTING chain when the
>> original SYN packet was received by the firewall from the client.
>>
>> I'll take a look if you:
>>
>> - shorewall reset
>> - <try to establish the ftp connection>
>> - shorewall dump > shorewall.dump
>> - Send me the shorewall.dump file (as an attachment) along with the IP
>>   addresses of the client and server
>>
>> Thanks,
>> -Tom
>> --
>> Tom Eastep        \   Q: What do you get when you cross a mobster with
>> Shoreline,         \     an international standard?
>> Washington, USA     \ A: Someone who makes you an offer you can't
>> http://shorewall.org \   understand
>>                       \_______________________________________________
>>
>> _______________________________________________
>> Shorewall-users mailing list
>> Shorewall-users@lists.sourceforge.net
>> https://lists.sourceforge.net/lists/listinfo/shorewall-users
>>
>
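Naveen's question in the quoted message above, how to see where packets are being dropped rather than grepping `iptables -L -nv` for the word DROP, is one a defender hits on any Shorewall box: a plain grep misses the policy counters of the built-in chains, counts rules that have never matched, and ignores REJECT. The following is an added example, not code from this thread or from Shorewall, that parses `iptables -nvL` output (the sample below is constructed; chain names are placeholders) and reports, per chain, the policy drops plus every DROP/REJECT rule with a non-zero hit count, across user chains as well as the built-in ones.

```python
"""Added example, not code from the thread or from Shorewall: summarise where
packets are being denied from `iptables -nvL` output instead of grepping for
DROP. Counts built-in chain policy drops and explicit DROP/REJECT rules with
non-zero hits, in every chain. The iptables output below is constructed."""
import re

CHAIN_RE = re.compile(
    r"^Chain (\S+) \((?:policy (\S+) (\d+\w?) packets, (\d+\w?) bytes|(\d+) references)\)"
)
RULE_RE = re.compile(r"^\s*(\d+[KMG]?)\s+(\d+[KMG]?)\s+(\S+)\s+")
DENY_TARGETS = {"DROP", "REJECT"}
SUFFIX = {"K": 1000, "M": 1000000, "G": 1000000000}


def parse_count(token):
    """iptables -nvL abbreviates counters (12K, 3M) unless -x is given."""
    if token[-1] in SUFFIX:
        return int(token[:-1]) * SUFFIX[token[-1]]
    return int(token)


def summarize_denials(text):
    """Return {chain: {"policy_drops": n or None, "rules": [(pkts, target, match)]}}.
    policy_drops is None for chains whose policy is not DROP/REJECT (user chains
    have no policy at all); rules lists only denying rules that have matched."""
    result, chain = {}, None
    for line in text.splitlines():
        m = CHAIN_RE.match(line)
        if m:
            chain = m.group(1)
            policy = parse_count(m.group(3)) if m.group(2) in DENY_TARGETS else None
            result[chain] = {"policy_drops": policy, "rules": []}
            continue
        m = RULE_RE.match(line) if chain else None
        if not m:
            continue  # column header or blank line
        pkts, target = parse_count(m.group(1)), m.group(3)
        if target in DENY_TARGETS and pkts > 0:
            result[chain]["rules"].append((pkts, target, line[m.end():].strip()))
    return result


def total_denied(summary):
    """Packets denied anywhere: policy drops plus matched DROP/REJECT rules."""
    total = 0
    for info in summary.values():
        total += info["policy_drops"] or 0
        total += sum(pkts for pkts, _, _ in info["rules"])
    return total


# Constructed sample of `iptables -nvL` output; "net-fw" is a placeholder
# for a user chain that the built-in chains jump to.
SAMPLE_IPTABLES = """\
Chain INPUT (policy DROP 7 packets, 420 bytes)
 pkts bytes target     prot opt in     out     source               destination
  120  9000 ACCEPT     all  --  lo     *       0.0.0.0/0            0.0.0.0/0
    3   180 DROP       all  --  *      *       0.0.0.0/0            0.0.0.0/0            ctstate INVALID
  800 64000 net-fw     all  --  eth0   *       0.0.0.0/0            0.0.0.0/0

Chain FORWARD (policy ACCEPT 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source               destination
   12   720 DROP       tcp  --  eth0   eth1    0.0.0.0/0            10.24.8.0/24         tcp dpt:23

Chain net-fw (1 references)
 pkts bytes target     prot opt in     out     source               destination
   10   600 ACCEPT     tcp  --  *      *       0.0.0.0/0            0.0.0.0/0            tcp dpt:22
    0     0 DROP       all  --  *      *       0.0.0.0/0            0.0.0.0/0
   45  2700 REJECT     all  --  *      *       0.0.0.0/0            0.0.0.0/0            reject-with icmp-port-unreachable
"""

if __name__ == "__main__":
    summary = summarize_denials(SAMPLE_IPTABLES)
    for chain, info in summary.items():
        if info["policy_drops"]:
            print("%s: policy dropped %d packets" % (chain, info["policy_drops"]))
        for pkts, target, match in info["rules"]:
            print("%s: %s %d packets  %s" % (chain, target, pkts, match))
    print("total denied:", total_denied(summary))  # 67
```

Run it on live output with `iptables -nvxL` (the `-x` flag prints exact counters instead of the K/M abbreviations) after a `shorewall reset` so the counters reflect only the traffic under test; the same parser works on the `iptables -nvL` sections of a Shorewall dump.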