Conntrack helpers: Difference between revisions
(Clarify placement of 'ct helper set' chain in prerouting vs. input chain.)
(New intro; detailed example of using ftp ct helper.)
Revision as of 17:09, 10 March 2021
Some internet protocols use multiple ports that are negotiated between endpoints during the initial connection. Netfilter's connection tracking system uses protocol helpers that look inside these negotiation packets to determine which ports will be part of the connection. The ct helper tells conntrack to expect packets to these ports; when such packets arrive conntrack assigns them related status.
To enable a conntrack helper in your ruleset:
- Add a ct helper <my_ct_helper> stateful object which specifies the <kernel_ct_helper_name> to use.
- Add a filter rule for the initial protocol negotiation connection, using a ct helper set "<my_ct_helper>" statement to specify which ct helper to use.
- Add filter rules as necessary to allow initial, established and related packets through your firewall.
The following heavily-commented example shows how to enable a helper for ftp traffic to the usual tcp/21 port:
table inet myhelpers {
    # 1. ct helper stateful object
    # "ftp-standard" is the name of this ct helper stateful object.
    # "ftp" is the in-kernel name for the ftp ct helper.
    ct helper ftp-standard {
        type "ftp" protocol tcp;
    }

    chain PRE {
        type filter hook prerouting priority filter;
        # 2. Rule for initial ftp connection (control channel), specifying ct helper stateful object to use.
        # NOTE "ftp-standard" is the name of the ct helper stateful object.
        tcp dport 21 ct helper set "ftp-standard"
    }

    # Example (partial) input filter base chain.
    # NOTE default policy drop - we have to explicitly accept all allowed packets.
    chain IN {
        type filter hook input priority filter; policy drop;
        # 3a. Rule for ftp control channel.
        # NOTE conntrack works here without needing helper.
        tcp dport 21 ct state new,established accept
        # 3b. Rule for related packets on ftp data channel.
        # NOTE in-kernel ct helper name "ftp" is used here;
        # trying to use ct helper stateful object name "ftp-standard" will NOT work.
        ct helper "ftp" accept
    }
}
Further comments on above example:
- Rule 2 enables our ftp-standard ct helper in a prerouting chain. This makes the ct helper available to both forwarded and input traffic flows. If for some reason you want the ct helper to only be available for forwarded OR input flows, you can put Rule 2 in a forward or input chain, respectively.
- You may want to be more restrictive in Rule 3b. For example if you are using ftp passive mode you could use
    ct helper "ftp" tcp dport { 1024-65535 } accept
You can read more on how to enable conntrack helpers in a secure way at https://github.com/regit/secure-conntrack-helpers/blob/master/secure-conntrack-helpers.rst.
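The following ruleset is an added example, not part of the original page, that carries the two comments above further: it is the router-style counterpart of the example (helper assigned in prerouting, filtering done in a forward chain), and it narrows Rule 3b to passive-mode data connections into a known port range. The server address 192.0.2.10 and the passive range 50000-50100 are constructed placeholders; match them to your own server's configuration.

```nft
# Added example (not the page's own ruleset): a router forwarding client
# traffic to an FTP server at 192.0.2.10 (constructed address). The helper
# is assigned only to control connections to that server, and data-channel
# packets are accepted only if conntrack marked them related through the
# ftp helper AND they target the server's passive range (constructed
# range 50000-50100). Active-mode data connections (server -> client)
# are deliberately not covered by this ruleset.
table inet ftp_router {
    ct helper ftp-standard {
        type "ftp" protocol tcp;
    }

    chain pre {
        type filter hook prerouting priority filter;
        # Assign the helper only to control channels of our server,
        # not to every tcp/21 flow the router happens to see.
        ip daddr 192.0.2.10 tcp dport 21 ct helper set "ftp-standard"
    }

    chain fwd {
        type filter hook forward priority filter; policy drop;
        # Control channel: plain stateful filtering, no helper needed here.
        ip daddr 192.0.2.10 tcp dport 21 ct state new accept
        # Reply traffic of flows already accepted above or below.
        ct state established accept
        # Data channel (passive mode): only flows the ftp helper created an
        # expectation for, only to our server, only within its passive range.
        # NOTE the in-kernel helper name "ftp" is matched here, not the
        # stateful object name "ftp-standard".
        ct state related ct helper "ftp" ip daddr 192.0.2.10 tcp dport 50000-50100 accept
    }
}
```

Compared with the unrestricted `ct helper "ftp" accept`, a packet that the helper expects but that lands outside the passive range, or on another host, is dropped by the chain policy instead of being forwarded.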
Supported conntrack helpers
Conntrack provides the following helpers:
- FTP
- TFTP
- NetBIOS
- IRC
- SIP
- H.323
- SNMP
- PPTP
- SANE
- Amanda
The conntrackd daemon also provides support for userspace helpers, such as:
- DHCPv6
- MDNS
- SLP
- SSDP
- RPC
- NFS version 3
- Oracle TNS