Tracing complex protocols in Iptables

There are a number of protocols whose correct tracking is more complicated. Examples are FTP, IRC and ICQ. Each of these protocols carries information about an additional connection inside the data part of the packet. Correctly tracking such connections therefore requires additional helper modules.

As a first example, consider the FTP protocol. FTP first opens a single connection, called the FTP control session. When a command is executed within that session, additional ports are opened to transfer the related data. These connections can be active or passive. In an active connection, the client sends the FTP server the port number and IP address to connect to. The client then opens that port, and the server connects from its own port 20 (known as FTP-data) to the specified port on the client and transfers the data over that connection.

The problem is that the firewall knows nothing about these additional connections, because all the information about them is carried in the data part of the packet. Because of this, the firewall will not allow the server to connect to the specified port on the client.

The solution is a special connection tracking helper module that watches for the protocol-specific information in the data part of the packets of the control session. When such a connection is made, the helper module correctly interprets the transmitted information and creates a corresponding entry in the tracking table with the state RELATED, so the connection can be established. The figure below explains how such a connection is made.

Passive FTP works the opposite way. The client sends a request to the server to retrieve data, and the server returns to the client the IP address and port number to connect to. The client connects from its own port 20 (FTP-data) to the specified port on the server and receives the requested data. If your FTP server is behind a firewall, you will need this helper module for the server to serve clients from the Internet. The same applies when you want to allow your users only to connect to HTTP and FTP servers on the Internet and close all other ports. The figure below shows how a passive FTP connection is made.
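To make concrete what the FTP helper has to extract from the control session, here is an added illustration (not the kernel's ip_conntrack_ftp code) that parses the two messages described above, the client's PORT command for active mode and the server's 227 reply for passive mode, and derives the data connection that would be entered as RELATED. The sample lines and addresses are constructed; the check that the announced address matches the peer that sent it is the kind of sanity check a helper applies, since accepting arbitrary addresses from the payload would let the firewall be talked into opening holes elsewhere.

```python
import re

# Constructed sample control-channel lines (CRLF-terminated, as on the wire).
ACTIVE_CMD = "PORT 192,168,1,10,4,1\r\n"                              # client -> server
PASSIVE_REPLY = "227 Entering Passive Mode (203,0,113,5,195,80)\r\n"  # server -> client

# FTP encodes an address as h1,h2,h3,h4,p1,p2 with port = p1*256 + p2.
_ADDR = re.compile(r"(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3})")


def _decode(match):
    """Turn the six comma-separated fields into ('a.b.c.d', port), validating ranges."""
    nums = [int(n) for n in match.groups()]
    if any(n > 255 for n in nums):
        raise ValueError("octet or port byte out of range")
    ip = ".".join(str(n) for n in nums[:4])
    port = nums[4] * 256 + nums[5]
    if port == 0:
        raise ValueError("port 0 is not a usable data port")
    return ip, port


def expected_data_connection(line, client_ip, server_ip):
    """Return the data connection a helper would expect, as (src_ip, dst_ip, dst_port),
    or None if the line announces no address. client_ip/server_ip are the endpoints
    of the control session; the announced address must belong to the sender."""
    m = _ADDR.search(line)
    if m is None:
        return None
    ip, port = _decode(m)
    if line.upper().startswith("PORT "):
        # Active mode: the client announced where it listens; the server will
        # connect from its port 20 to client ip:port.
        if ip != client_ip:
            raise ValueError("PORT announces an address other than the client's")
        return (server_ip, ip, port)
    if line.startswith("227 "):
        # Passive mode: the server announced where it listens; the client connects to it.
        if ip != server_ip:
            raise ValueError("227 announces an address other than the server's")
        return (client_ip, ip, port)
    return None
```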

Some helper modules are included in the kernel; more precisely, the kernel includes helper modules for FTP and IRC. If the helper module you need is not there, you should look at patch-o-matic, which contains a large number of helper modules for protocols such as ntalk or H.323. If you still do not find what you need, you have several more options: you can look in the iptables CVS, in case the helper has not yet been included in patch-o-matic, or you can get in touch with the netfilter developers and ask whether a similar module exists and whether it is planned for release. If that fails too, then perhaps you should read Rusty Russell's Unreliable Netfilter Hacking HOWTO.

Helper modules can be compiled as loadable kernel modules or linked statically into the kernel. If they are compiled as modules, you can load them with the command:

modprobe ip_conntrack_*

Note that connection tracking has nothing to do with network address translation (NAT), so you may need further modules if you also perform NAT. Suppose you perform address translation and track FTP connections; then you also need the corresponding NAT helper. By naming convention, NAT helper modules have names beginning with ip_nat_; in this case the module is called ip_nat_ftp, and for the IRC protocol it is called ip_nat_irc. The same convention is followed for the names of the connection tracking helper modules, for instance ip_conntrack_ftp and ip_conntrack_irc.