Discussion:
nftables and FTP connection tracking
Tomek L
2014-08-13 10:30:00 UTC
Hi All,

Could you have a look at my simple nft firewall script below? I've
used ct related, established, but it doesn't work with passive mode FTP
- the data session on high ports is dropped by the firewall. Does nftables
have a connection tracking helper for FTP? If not, is it planned in the
foreseeable future to add it?

table ip filter {
    chain input {
        type filter hook input priority 0;
        dport {21} ct state new limit rate 2/second counter accept
        ct state {established, related} counter accept
        counter limit rate 100/second log group 2 prefix "RULE=Default drop"
        counter drop
    }

    chain output {
        type filter hook output priority 0;
        ct state {established, related} counter accept
    }
}
--
To unsubscribe from this list: send the line "unsubscribe netfilter" in
the body of a message to ***@vger.kernel.org
More majordomo info at http://vger.kernel.org/majordomo-info.html
tomekx1000
2014-08-14 09:29:57 UTC
Dear All,

Could you have a look at my simple nft firewall script below? I've used
ct related, established, but it doesn't work with passive mode FTP - the
data session on high ports is dropped by the firewall. Does nftables have a
connection tracking helper for FTP? If not, is it planned in the foreseeable
future to add it?

table ip filter {
    chain input {
        type filter hook input priority 0;
        dport {21} ct state new limit rate 2/second counter accept
        ct state {established, related} counter accept
        counter limit rate 100/second log group 2 prefix "RULE=Default drop"
        counter drop
    }

    chain output {
        type filter hook output priority 0;
        ct state {established, related} counter accept
    }
}
Pablo Neira Ayuso
2014-08-14 18:02:05 UTC
Post by tomekx1000
Dear All,
Could you have a look at my simple nft firewall script below? I've
used ct related, established, but it doesn't work with passive mode
FTP - the data session on high ports is dropped by the firewall. Does
nftables have a connection tracking helper for FTP?
Yes, no changes in that regard.
Post by tomekx1000
If not, is it planned in the foreseeable future to add it?
table ip filter {
chain input {
type filter hook input priority 0;
dport {21} ct state new limit rate 2/second counter accept
The brackets have special meaning. If you use brackets to wrap
elements, the kernel will create a set for it with one single element.
Better use the brackets when you have multiple elements. In this case,
I suggest you use:

tcp dport 21 ...
Post by tomekx1000
ct state {established, related} counter accept
         ^                    ^

No need to use the brackets here:

ct state established,related ...

The ct state allows enumeration of several states using commas. This
is due to the fact that ct state internally represents the states as a
bitmask.

You can check that using the describe command:

# nft describe ct state
ct expression, datatype ct_state (conntrack state) (basetype bitmask,
integer), 32 bits

pre-defined symbolic constants:
invalid 0x00000001
new 0x00000008
established 0x00000002
related 0x00000004
untracked 0x00000040

Basically, all bitmask types can use the comma-separated enumeration
notation to combine the supported flags.

You can use describe to inquire for other selectors in case of doubt.
tomekx1000
2014-08-14 18:38:45 UTC
Thank you Pablo for the clarification on usage of brackets. I've updated the
script, however still no joy when connecting to the FTP server. Maybe I'm
missing some modules?

# lsmod | grep conn
nf_conntrack_ftp 7059 1 nf_nat_ftp
nf_conntrack_ipv4 8066 19
nf_defrag_ipv4 1235 1 nf_conntrack_ipv4
nf_conntrack 55929 5 nf_nat_ftp,nf_nat,nft_ct,nf_conntrack_ftp,nf_conntrack_ipv4

Here is the corrected script:

table filter {
    chain input {
        type filter hook input priority 0;
        tcp dport 21 ct state new counter accept
        ct state related counter accept
        ct state established counter accept
        counter limit rate 100/second log group 2 prefix "RULE=Default drop"
        counter drop
    }

    chain output {
        type filter hook output priority 0;
        ct state established, related counter accept
    }
}

After connecting to port 21, the FTP server tries to negotiate a data
connection on high ports, and this new connection is dropped...
How can I make the FTP helper work with nftables?
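The thread never settles how to get the FTP helper to fire. Loading nf_conntrack_ftp is not enough on kernels where automatic helper assignment is off (the default since 4.7): the helper has to be bound to the control connection explicitly with a ct helper object, which nftables gained in 0.8 (kernel 4.10). The ruleset below is an added example, not the poster's script; the object name ftp-standard is my choice, and it keeps the original's port-21 rate limit, log group and final drop.

```nft
# Added example, not from the thread. Assumes nf_conntrack_ftp is loaded,
# nftables >= 0.8 and kernel >= 4.10. The object name is arbitrary.
table ip filter {
    ct helper ftp-standard {
        type "ftp" protocol tcp
    }

    chain prerouting {
        type filter hook prerouting priority 0;
        # Bind the helper only to new control connections on port 21,
        # never to all traffic: the helper parses PORT/PASV replies and
        # opens expectations, so it should see nothing but FTP control.
        tcp dport 21 ct state new ct helper set "ftp-standard"
    }

    chain input {
        type filter hook input priority 0;
        tcp dport 21 ct state new limit rate 2/second counter accept
        # Data connections created from the helper's expectations arrive
        # here as state "related" and are accepted by this rule.
        ct state established,related counter accept
        counter limit rate 100/second log group 2 prefix "RULE=Default drop"
        counter drop
    }

    chain output {
        type filter hook output priority 0;
        ct state established,related counter accept
    }
}
```

Load it with `nft -f` and verify with `conntrack -L`, which reports `helper=ftp` on the port-21 control connection once the binding works; prefer this explicit binding over re-enabling the old nf_conntrack_helper auto-assignment, which attaches the helper to any traffic on the helper's port.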