Tracking FTP Connections, continued
To allow active FTP we may consider a general rule allowing
connections from port 20 on remote FTP servers to high ports
(port numbers > 1023) on our FTP clients.
However, this is too general to be considered secure:
a remote attacker (who may be able to see our FTP PORT packets)
may attempt to connect quickly to the port we have just nominated.
To solve this, stateful firewalls such as iptables support
a specific, dynamically loaded module, ip_conntrack_ftp,
which recognizes the PORT command on the control connection and
extracts the announced port number (this requires parsing the payload):
# inbound FTP-data packets from remote port 20, only for connections
# the conntrack helper has tied to an existing control connection
iptables -A INPUT -p tcp --sport 20 -m state \
    --state ESTABLISHED,RELATED -j ACCEPT
# our replies on that data connection, which is by then ESTABLISHED
iptables -A OUTPUT -p tcp --dport 20 -m state \
    --state ESTABLISHED -j ACCEPT
The FTP-data connection between our client and the remote server
is now classified as RELATED
to the original outgoing connection to the remote port 21,
so we do not need NEW in the state match.
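As an added worked example (not part of the lecture slides), the following Python models what the ip_conntrack_ftp helper does: it parses the PORT command on the control connection, records an expectation for the matching data connection, and then classifies the first packet of an inbound connection as RELATED or NEW. It also encodes the over-general "port 20 to any high port" rule for contrast. The names FtpTracker, parse_port_command, general_rule_accepts and demo are hypothetical, the addresses are constructed from RFC 5737 documentation ranges, and only the first packet of the data connection is modelled (ESTABLISHED tracking is omitted).

```python
import re

# Matches "PORT h1,h2,h3,h4,p1,p2" as sent on the FTP control connection
# (RFC 959); the port is p1 * 256 + p2.
PORT_RE = re.compile(
    rb"^PORT\s+(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3})$"
)


def parse_port_command(payload: bytes):
    """Locate a PORT command in a control-channel payload and return (ip, port).

    Returns None when the payload is not a well-formed PORT command, when any
    field exceeds 255, or when the announced port is not a high port (> 1023).
    """
    m = PORT_RE.match(payload.strip())
    if m is None:
        return None
    fields = [int(f) for f in m.groups()]
    if any(f > 255 for f in fields):
        return None
    ip = ".".join(str(f) for f in fields[:4])
    port = fields[4] * 256 + fields[5]
    if port <= 1023:
        return None
    return ip, port


def general_rule_accepts(src_port: int, dst_port: int) -> bool:
    """The over-general rule: any source port 20 to any high port is accepted."""
    return src_port == 20 and dst_port > 1023


class FtpTracker:
    """Toy model of the conntrack helper's expectation table (hypothetical)."""

    def __init__(self):
        # Each expectation: (client_ip, client_port, server_ip) learned from PORT.
        self.expectations = set()

    def observe_control(self, client_ip: str, server_ip: str, payload: bytes):
        """Inspect client->server control traffic; register an expectation on PORT."""
        parsed = parse_port_command(payload)
        if parsed is None:
            return None
        ip, port = parsed
        # Only trust a PORT that names the client's own address; a PORT naming a
        # third party would otherwise open that third party's port to the server.
        if ip != client_ip:
            return None
        self.expectations.add((client_ip, port, server_ip))
        return ip, port

    def classify(self, src_ip: str, src_port: int, dst_ip: str, dst_port: int) -> str:
        """State assigned to the first packet of an inbound TCP connection."""
        key = (dst_ip, dst_port, src_ip)
        if src_port == 20 and key in self.expectations:
            self.expectations.discard(key)  # one data connection per PORT command
            return "RELATED"
        return "NEW"

    def input_rule_accepts(self, src_ip, src_port, dst_ip, dst_port) -> bool:
        """Equivalent of: -p tcp --sport 20 -m state --state ESTABLISHED,RELATED -j ACCEPT
        for the first packet (which can only be RELATED, never ESTABLISHED)."""
        return src_port == 20 and self.classify(src_ip, src_port, dst_ip, dst_port) == "RELATED"


def demo():
    """Constructed scenario: client announces port 1025, server and a bystander both try it."""
    client, server, attacker = "192.0.2.10", "198.51.100.5", "203.0.113.7"
    tracker = FtpTracker()
    tracker.observe_control(client, server, b"PORT 192,0,2,10,4,1\r\n")  # 4*256+1 = 1025
    return {
        "general_attacker": general_rule_accepts(20, 1025),
        "tracked_attacker": tracker.input_rule_accepts(attacker, 20, client, 1025),
        "tracked_server": tracker.input_rule_accepts(server, 20, client, 1025),
    }


if __name__ == "__main__":
    for name, accepted in demo().items():
        print(f"{name}: {'ACCEPT' if accepted else 'DROP'}")
```

The general rule accepts the bystander's connection because it only looks at port numbers; the tracker accepts only the connection whose source address matches the server on the control connection and whose destination port was announced in a PORT command, which is what makes the RELATED match in the INPUT rule sufficient.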
CITS3002 Computer Networks, Lecture 11, Security of TCP/IP, p30, 15th May 2024.