Hi All,

How to classify packets belonging to an FTP session? The port 21 session is easy, but what about the data transfers? Their port numbers (both ends) are above 1024.

I was thinking about ip_conntrack_ftp. Something like:

    iptables -t mangle -A FORWARD -p tcp --sport 1024: --dport 1024: \
        -m state --state ESTABLISHED,RELATED -j CLASSIFY --set-class X:Y

But what if I also have ip_conntrack_irc, for instance? IRC packets will also be directed to class X:Y since they are RELATED packets too.

How to make sure that only FTP RELATED packets will be CLASSIFY'ed??

--
Ethy H. Brito
InterNexo Ltda.
+55 (12) 3941-6860
S.J.Campos - Brasil
ASCII RIBBON CAMPAIGN - AGAINST HTML MAIL
Hi Ethy :)

* Ethy H. Brito <ethy.brito@inexo.com.br> dixit:
> How to make sure that only FTP RELATED packets will be CLASSIFY'ed??

I can only suggest that you limit the source ports available to passive FTP. In my FTP server this can be configured, but probably in other servers you can do it too. Once you do this, it's quite easy to set up a "tc filter" to mark packets (or iptables if you prefer).

Raúl Núñez de Arenas Coronado
--
Linux Registered User 88736 | http://www.dervishd.net
http://www.pleyades.net & http://www.gotesdelluna.net
It's my PC and I'll cry if I want to...
You could try to match on the helper within iptables. Should be something like

    iptables -t mangle -A FORWARD --match conntrack --ctproto tcp --ctstate RELATED,ESTABLISHED \
        --match helper --helper ftp -j CLASSIFY ....

Perhaps this will match your data channel.

Cheers,
Andreas

DervishD wrote:
> Hi Ethy :)
>
> * Ethy H. Brito <ethy.brito@inexo.com.br> dixit:
>> How to make sure that only FTP RELATED packets will be CLASSIFY'ed??
>
> I can only suggest that you limit the source ports available to
> passive FTP. In my FTP server this can be configured, but probably in
> other servers you can do it too. Once you do this, it's quite easy to
> set up a "tc filter" to mark packets (or iptables if you prefer).
>
> Raúl Núñez de Arenas Coronado
On Fri, Nov 11, 2005 at 10:20:52PM +0100, Andreas Unterkircher wrote:
> You could try to match on helper within iptables. Should be something like
>
>     iptables -A FORWARD --match conntrack --ctproto tcp --ctstate
>     RELATED,ESTABLISHED --match helper --helper ftp -j CLASSIFY ....
>
> Perhaps this will match your data channel.

Something like 6 months ago I wrote iptables rules for DNATing incoming connections to an FTP server behind NAT:

    ${ipt} -t nat -A PREROUTING -i eth0 -p tcp -s ${src} -d ${fw_ip}/32 --dport 8181 -j DNAT --to-destination ${ftp_int}
    ${ipt} -t nat -A PREROUTING -i eth0 -p tcp -s ${src} -d ${fw_ip}/32 -m helper --helper ftp-8181 -j DNAT --to-destination ${ftp_int}
    ${ipt} -A FORWARD -p tcp -i eth0 -s ${src} -d ${ftp_int} --dport 8181 -m state --state NEW -j ACCEPT
    ${ipt} -A FORWARD -p tcp -i eth0 -s ${src} -d ${ftp_int} -m helper --helper ftp-8181 -m state --state NEW,RELATED -j ACCEPT

    8181    - ftp port
    src     - source address
    fw_ip   - firewall ip (external)
    ftp_int - ftp server internal ip

Everything was great, but the firewall sometimes hung without a kernel panic; maybe some deadlock in the ftp conntrack code or in the ftp helper. Kernel was 2.4.20 or 22.

/pch
--
Dyslexia bug unpatched since 1977 ... exploit has been leaked to the underground.
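The helper-based classification Andreas suggests, carried through for the non-standard port case that pch's "ftp-8181" rules rely on, as an added example that is not part of the thread. Interface, port and class values are hypothetical; the module and target names are the current ones (nf_conntrack_ftp, the CT target), whereas the 2.4 kernels in the thread used ip_conntrack_ftp and had no CT target. Two details the thread leaves implicit: "-m helper --helper NAME" only matches connections whose conntrack *master* is tracked by that helper, i.e. the data connections, so the control session needs its own port-based rule; and CLASSIFY is only accepted in the mangle table. Since kernel 4.7 helpers are no longer attached automatically (nf_conntrack_helper=0), so without the raw-table CT rule no data connection is ever RELATED and the helper match never fires.

```shell
#!/bin/sh
# Added example (not from the thread): emit, and optionally apply, the
# iptables rules that put an FTP control session and its data connections
# into one tc class, matched on the conntrack helper so that RELATED traffic
# of other helpers (irc, sip, ...) is not swept into the same class.
#
# Hypothetical defaults, adjust for your network:
FTP_PORT="${FTP_PORT:-21}"   # TCP port the FTP server listens on (21, 8181, ...)
FWD_IF="${FWD_IF:-eth1}"     # interface the shaped traffic leaves on
CLASS="${CLASS:-1:10}"       # tc class "major:minor" on that interface's qdisc
DRY_RUN="${DRY_RUN:-1}"      # 1 = print the commands, 0 = execute them (needs root)

# nf_conntrack_ftp registers its helper as "ftp" for the default port 21 and
# as "ftp-<port>" for every other port passed in ports=..., which is where
# the "ftp-8181" in pch's rules comes from.
ftp_helper_name() {
    if [ "$1" -eq 21 ]; then
        printf 'ftp\n'
    else
        printf 'ftp-%s\n' "$1"
    fi
}

# Print the ruleset for port $1, egress interface $2 and class $3,
# one command per line.
ftp_classify_rules() {
    port="$1"
    iface="$2"
    cls="$3"
    helper="$(ftp_helper_name "$port")"

    # Load the helper for that port (2.4 kernels: ip_conntrack_ftp ports=...).
    printf '%s\n' "modprobe nf_conntrack_ftp ports=$port"

    # Bind the helper explicitly in the raw table; since kernel 4.7 helpers are
    # not auto-attached, and without this no data connection is ever RELATED.
    printf '%s\n' "iptables -t raw -A PREROUTING -p tcp --dport $port -j CT --helper $helper"
    printf '%s\n' "iptables -t raw -A OUTPUT -p tcp --dport $port -j CT --helper $helper"

    # Control connection: it has no master conntrack, so -m helper does not
    # match it; classify it by port. CLASSIFY is only valid in mangle.
    printf '%s\n' "iptables -t mangle -A FORWARD -o $iface -p tcp --dport $port -j CLASSIFY --set-class $cls"
    printf '%s\n' "iptables -t mangle -A FORWARD -o $iface -p tcp --sport $port -j CLASSIFY --set-class $cls"

    # Data connections (active or passive, any port pair): their master is the
    # control session tracked by $helper and nothing else, so IRC/SIP RELATED
    # traffic stays out of the class. First packet is RELATED, the rest ESTABLISHED.
    printf '%s\n' "iptables -t mangle -A FORWARD -o $iface -m conntrack --ctstate RELATED,ESTABLISHED -m helper --helper $helper -j CLASSIFY --set-class $cls"
}

# Run (DRY_RUN=0) or print (DRY_RUN=1) each line of $1, stopping at the first failure.
apply_rules() {
    printf '%s\n' "$1" | while IFS= read -r cmd; do
        [ -n "$cmd" ] || continue
        if [ "$DRY_RUN" = 1 ]; then
            printf '%s\n' "$cmd"
        else
            sh -c "$cmd" || exit 1   # exits the pipeline subshell, status 1
        fi
    done
}

apply_rules "$(ftp_classify_rules "$FTP_PORT" "$FWD_IF" "$CLASS")"
```

CLASSIFY sets skb->priority, and HTB (like CBQ) looks up that value directly as a class id before consulting any tc filter, so no "tc filter" is needed as long as class 1:10 exists under the root qdisc of the egress interface; the -o restriction is there because a class id only means something on the qdisc of the interface the packet leaves by. Run with DRY_RUN=1 (the default) to review the rules, FTP_PORT=8181 DRY_RUN=0 to apply them for a server on port 8181.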