FS#1764 - ftp helper from kmod-nf-nathelper doesn't work #6719

Open
openwrt-bot opened this issue Aug 10, 2018 · 4 comments

@openwrt-bot
ThomasCr:

Hi, I use OpenWRT 18.06.0 on Archer C7 v2.

After upgrading from the latest LEDE to the new OpenWRT, my FTP connection (inside to outside) isn't working any more.

kmod-nf-nathelper is installed and loaded - the router was also restarted.

But the connection isn't working any more...

That's my tcpdump of the connection:

.....%A@.7.5.P..._W..230 User user logged in.

15:36:03.477896 IP rd1.xxx-local-xxx.local.53412 > pm-fw.xxx-remote-xxx.de.21: Flags [P.], seq 29:35, ack 89, win 260, length 6: FTP: FEAT
E.....@.......
.........7.5.%A@.P...p2..FEAT

15:36:03.489914 IP pm-fw.xxx-remote-xxx.de.21 > rd1.xxx-local-xxx.local.53412: Flags [P.], seq 89:99, ack 35, win 65501, length 10: FTP: 211-FEAT
E..2D.@.v.........
.....%A@.7.5.P.......211-FEAT

15:36:03.539917 IP rd1.xxx-local-xxx.local.53412 > pm-fw.xxx-remote-xxx.de.21: Flags [.], ack 99, win 260, length 0
E..(..@.......
.........7.5.%A@.P.............
15:36:03.551603 IP pm-fw.xxx-remote-xxx.de.21 > rd1.xxx-local-xxx.local.53412: Flags [P.], seq 99:128, ack 35, win 65501, length 29: FTP: SIZE
E..EE.@.v..<......
.....%A@.7.5.P...%s.. SIZE
MDTM
211 END

15:36:03.555058 IP rd1.xxx-local-xxx.local.53412 > pm-fw.xxx-remote-xxx.de.21: Flags [P.], seq 35:43, ack 128, win 260, length 8: FTP: TYPE I
E..0..@.......
.........7.5.%A@.P...2...TYPE I

15:36:03.566608 IP pm-fw.xxx-remote-xxx.de.21 > rd1.xxx-local-xxx.local.53412: Flags [P.], seq 128:148, ack 43, win 65493, length 20: FTP: 200 Type set to I.
E..<E.@.v..4......
.....%A@.7.5%P...r...200 Type set to I.

15:36:03.567247 IP rd1.xxx-local-xxx.local.53412 > pm-fw.xxx-remote-xxx.de.21: Flags [P.], seq 43:70, ack 148, win 260, length 27: FTP: PORT 192,168,10,5,208,165
E..C..@....{..
.........7.5%%A@.P...9...PORT 192,168,10,5,208,165

15:36:03.579094 IP pm-fw.xxx-remote-xxx.de.21 > rd1.xxx-local-xxx.local.53412: Flags [P.], seq 148:178, ack 70, win 65465, length 30: FTP: 200 PORT command successful.
E..FE!@.v.........
.....%A@.7.5@P...H...200 PORT command successful.

15:36:03.580969 IP rd1.xxx-local-xxx.local.53412 > pm-fw.xxx-remote-xxx.de.21: Flags [P.], seq 70:96, ack 178, win 260, length 26: FTP: SIZE user_mydat.csv
E..B..@....{..
.........7.5@%A@.P.......SIZE user_mydat.csv

15:36:03.592986 IP pm-fw.xxx-remote-xxx.de.21 > rd1.xxx-local-xxx.local.53412: Flags [P.], seq 178:189, ack 96, win 65439, length 11: FTP: 213 15493
E..3E;@.v.........
.....%A@.7.5ZP.......213 15493

15:36:03.593395 IP rd1.xxx-local-xxx.local.53412 > pm-fw.xxx-remote-xxx.de.21: Flags [P.], seq 96:122, ack 189, win 260, length 26: FTP: RETR user_mydat.csv
E..B..@....z..
.........7.5Z%AA.P.......RETR user_mydat.csv

15:36:03.604832 IP pm-fw.xxx-remote-xxx.de.21 > rd1.xxx-local-xxx.local.53412: Flags [P.], seq 189:268, ack 122, win 65413, length 79: FTP: 150 Opening BINARY mode data connection for user_mydat.csv(15493 bytes).
E..wEL@.v.........
.....%AA.7.5tP....=..150 Opening BINARY mode data connection for user_mydat.csv(15493 bytes).

15:36:03.654419 IP rd1.xxx-local-xxx.local.53412 > pm-fw.xxx-remote-xxx.de.21: Flags [.], ack 268, win 259, length 0
E..(..@.......
.........7.5t%AAUP.............
15:36:24.767221 IP pm-fw.xxx-remote-xxx.de.21 > rd1.xxx-local-xxx.local.53412: Flags [P.], seq 268:301, ack 122, win 65413, length 33: FTP: 425 Can't open data connection.
E..I.@.v.........
.....%AAU7.5tP...k/..425 Can't open data connection.

@openwrt-bot
ThomasCr:

I could resolve the problem:
I have created a new firewall rule to statically allow inbound traffic from src port 20 to the FTP client. This looks ugly, but it works when the client has a fixed IP address (and is the only client) - but maybe it also works when removing the FTP client dst IP (leaving it open). Security is handled on the outbound firewall. The OpenWRT router has two other DSL routers in front of it, which are handled with the mwan3 package. The connection to these routers is not using NAT (I have put the information into the routing table of the DSL routers).

Before, this workaround was not needed; I have only updated OpenWRT and kept the same configuration.

My Firewall Rule (192.168.10.5 is rd1.xxx-local-xxx.local):

config rule
	option enabled '1'
	option target 'ACCEPT'
	option src 'wan'
	option name 'FTP-workaround'
	option family 'ipv4'
	option proto 'tcp'
	option src_port '20'
	option dest 'lan'
	option dest_ip '192.168.10.5'
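
The workaround rule above accepts any TCP segment from the wan side whose source port is 20 and whose destination is 192.168.10.5, regardless of destination port, so anything on the internet that chooses source port 20 can reach every TCP service on that host. The conntrack FTP helper is much narrower: it reads the PORT command on the control connection and expects exactly one data connection from the FTP server to the advertised client port, consumed when it arrives. Since Linux 4.7 such helpers are no longer attached automatically, which is why fw3 binds them with CT rules in the raw table. The model below contrasts the two decisions. It is an added illustration for this thread, not code from OpenWrt, fw3 or the kernel. The client address and the first PORT line are taken from the capture above; the server address 203.0.113.21, the attacker address 198.51.100.7 and the second PORT line are constructed, since the capture redacts the server. The model does not pin the server's source port to 20, which as far as I know matches the kernel helper's expectation.

```python
"""Model of the netfilter FTP helper's expectation for an active-mode
transfer, next to the "accept anything from src port 20" workaround.

Added illustration for this thread, not OpenWrt/fw3 or kernel code.
The client address and the first PORT line come from the capture above;
the server address 203.0.113.21, the attacker address 198.51.100.7 and
the second PORT line are constructed.
"""
import re
from dataclasses import dataclass, field
from typing import Dict, Set, Tuple

PORT_RE = re.compile(r"^PORT\s+(\d{1,3}(?:,\d{1,3}){5})\s*$")


def parse_port_command(line: str) -> Tuple[str, int]:
    """Parse an RFC 959 PORT command into (host, port).

    Raises ValueError for anything that is not a well-formed PORT line, so
    a stray control-channel line can never turn into an expectation.
    """
    m = PORT_RE.match(line.strip())
    if not m:
        raise ValueError(f"not a PORT command: {line!r}")
    nums = [int(n) for n in m.group(1).split(",")]
    if any(n > 255 for n in nums):
        raise ValueError(f"byte out of range in {line!r}")
    port = nums[4] * 256 + nums[5]
    if port == 0:
        raise ValueError("data port 0 is not usable")
    return ".".join(str(n) for n in nums[:4]), port


@dataclass(frozen=True)
class Packet:
    src: str
    sport: int
    dst: str
    dport: int


@dataclass
class FtpHelperModel:
    """The hole the helper punches on top of the wan->lan default deny."""
    client_ip: str   # lan-side peer of the control connection
    server_ip: str   # wan-side peer of the control connection
    # Key: (server_ip, client_ip, client_data_port).  The server's source
    # port is deliberately not part of it: the expectation is for a
    # connection from the server, not specifically from port 20.
    expectations: Set[Tuple[str, str, int]] = field(default_factory=set)

    def observe_control_line(self, line: str) -> bool:
        """Feed one client->server control line; True if an expectation was added."""
        try:
            host, port = parse_port_command(line)
        except ValueError:
            return False  # not a PORT line, or malformed: nothing expected
        if host != self.client_ip:
            # Advertised address is not the control peer: refuse to open a
            # hole towards some other lan host.
            return False
        self.expectations.add((self.server_ip, host, port))
        return True

    def verdict(self, pkt: Packet) -> str:
        key = (pkt.src, pkt.dst, pkt.dport)
        if key in self.expectations:
            self.expectations.discard(key)  # one expectation, one connection
            return "ACCEPT"
        return "DROP"


def workaround_verdict(pkt: Packet, client_ip: str) -> str:
    """The 'FTP-workaround' rule above: TCP from wan with sport 20 to the
    client is accepted, whatever the destination port."""
    return "ACCEPT" if pkt.sport == 20 and pkt.dst == client_ip else "DROP"


def compare(client_ip: str = "192.168.10.5",
            server_ip: str = "203.0.113.21") -> Dict[str, Tuple[str, str]]:
    """{case: (helper verdict, workaround verdict)} for inbound SYNs on wan."""
    helper = FtpHelperModel(client_ip, server_ip)
    helper.observe_control_line("PORT 192,168,10,5,208,165")  # from the capture: port 53413
    helper.observe_control_line("PORT 192,168,10,5,208,166")  # constructed: port 53414
    helper.observe_control_line("PORT 192,168,10,9,208,165")  # another lan host: refused
    helper.observe_control_line("PORT 192,168,10,5,300,1")    # malformed: ignored
    cases = {
        "real":         Packet(server_ip, 20, client_ip, 53413),
        "replay":       Packet(server_ip, 20, client_ip, 53413),    # expectation already used
        "other_port":   Packet(server_ip, 20, client_ip, 22),       # same server, ssh port
        "attacker":     Packet("198.51.100.7", 20, client_ip, 22),  # anyone who picks sport 20
        "sport_not_20": Packet(server_ip, 1030, client_ip, 53414),  # data conn from a high port
    }
    return {name: (helper.verdict(p), workaround_verdict(p, client_ip))
            for name, p in cases.items()}


if __name__ == "__main__":
    for name, (with_helper, with_workaround) in compare().items():
        print(f"{name:13s} helper={with_helper:6s} workaround={with_workaround}")
```

The "attacker" and "other_port" rows are the cost of the workaround: it trades one expected connection for a permanent hole to the client, and the "sport_not_20" row shows it also fails for servers that open the data connection from a high port. Expectation timeouts and the NAT rewriting of the PORT line are left out of the model.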

@openwrt-bot
jow-:

Please make sure that "kmod-ipt-raw" is installed as well, this is needed to bind conntrack helpers to streams using CT rules emitted by fw3.
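
One way to check jow-'s point from the router's own `iptables -t raw -L -vn` output, as an added example (not part of fw3 or of this issue): parse the listing and report whether the raw table exists at all, whether fw3's per-zone `*_helper` chain is hooked from PREROUTING and on which interface, and whether a `CT helper ftp` rule is present and has matched anything. The embedded sample listing is constructed from the output posted later in this thread (trimmed to two helper rules); the error text is what iptables prints when a table's kernel module is absent. The `Rule`/`Report` names and the suggested `/etc/init.d/firewall restart` are my own choices.

```python
"""Check fw3's conntrack-helper assignment from `iptables -t raw -L -vn`.

Added example, not part of fw3 or this issue.  SAMPLE_OK is constructed
from the listing posted in this thread (trimmed); SAMPLE_MISSING is the
iptables error seen when the raw table's module is not loaded.
"""
import re
from dataclasses import dataclass, field
from typing import List, Optional

CHAIN_RE = re.compile(r"^Chain (\S+) \(")
HEADER_RE = re.compile(r"^pkts\s+bytes\s+target\b")
COMMENT_RE = re.compile(r"/\*\s*(.*?)\s*\*/")
DPT_RE = re.compile(r"\b(tcp|udp) dpt:(\d+)")
HELPER_RE = re.compile(r"\bCT helper (\S+)")
NO_TABLE = "can't initialize iptables table"

SAMPLE_OK = """\
Chain PREROUTING (policy ACCEPT 30217 packets, 23M bytes)
 pkts bytes target     prot opt in     out     source               destination
16481   22M zone_lan_helper  all  --  br-lan *       0.0.0.0/0            0.0.0.0/0            /* !fw3: lan CT helper assignment */

Chain OUTPUT (policy ACCEPT 577 packets, 45780 bytes)
 pkts bytes target     prot opt in     out     source               destination

Chain zone_lan_helper (1 references)
 pkts bytes target     prot opt in     out     source               destination
    0     0 CT         tcp  --  *      *       0.0.0.0/0            0.0.0.0/0            /* !fw3: FTP passive connection tracking */ tcp dpt:21 CT helper ftp
  187 12089 CT         udp  --  *      *       0.0.0.0/0            0.0.0.0/0            /* !fw3: SIP VoIP connection tracking */ udp dpt:5060 CT helper sip
"""
SAMPLE_MISSING = ("iptables: can't initialize iptables table `raw': "
                  "Table does not exist (do you need to insmod?)\n")


@dataclass
class Rule:
    chain: str
    pkts: int
    target: str
    proto: str
    in_iface: str
    comment: str
    dport: Optional[int]
    helper: Optional[str]


@dataclass
class Report:
    raw_table: bool = False
    hooked_ifaces: List[str] = field(default_factory=list)
    ftp_rule: bool = False
    ftp_pkts: int = 0
    notes: List[str] = field(default_factory=list)


def parse_count(text: str) -> int:
    """iptables -v abbreviates large counters (22M, 45K, 3G)."""
    mult = {"K": 1_000, "M": 1_000_000, "G": 1_000_000_000}
    if text[-1] in mult:
        return int(float(text[:-1]) * mult[text[-1]])
    return int(text)


def parse_raw_table(listing: str) -> Optional[List[Rule]]:
    """Rules of the raw table, or None when the table does not exist
    (kmod-ipt-raw missing, so fw3 could not emit its CT rules at all)."""
    if NO_TABLE in listing:
        return None
    rules: List[Rule] = []
    chain = None
    for raw in listing.splitlines():
        line = raw.strip()
        if not line:
            continue
        m = CHAIN_RE.match(line)
        if m:
            chain = m.group(1)
            continue
        if chain is None or HEADER_RE.match(line):
            continue
        # pkts bytes target prot opt in out source destination [matches...]
        cols = line.split(None, 9)
        if len(cols) < 9:
            continue
        extra = cols[9] if len(cols) > 9 else ""
        cm, dm, hm = COMMENT_RE.search(extra), DPT_RE.search(extra), HELPER_RE.search(extra)
        rules.append(Rule(chain, parse_count(cols[0]), cols[2], cols[3], cols[5],
                          cm.group(1) if cm else "",
                          int(dm.group(2)) if dm else None,
                          hm.group(1) if hm else None))
    return rules


def check_ftp_helper(listing: str) -> Report:
    rep = Report()
    rules = parse_raw_table(listing)
    if rules is None:
        rep.notes.append("raw table missing: install kmod-ipt-raw, then /etc/init.d/firewall restart")
        return rep
    rep.raw_table = True
    rep.hooked_ifaces = [r.in_iface for r in rules
                         if r.chain == "PREROUTING" and r.target.endswith("_helper")]
    if not rep.hooked_ifaces:
        rep.notes.append("no zone *_helper chain is hooked from PREROUTING")
    ftp = [r for r in rules if r.target == "CT" and r.helper == "ftp"]
    if not ftp:
        rep.notes.append("no CT helper ftp rule in the raw table")
        return rep
    rep.ftp_rule = True
    rep.ftp_pkts = sum(r.pkts for r in ftp)
    if rep.ftp_pkts == 0:
        rep.notes.append("CT helper ftp rule present but has matched no packets yet")
    if not any(r.proto == "tcp" and r.dport == 21 for r in ftp):
        rep.notes.append("ftp helper rule does not match tcp dpt:21; servers on other ports get no helper")
    return rep


if __name__ == "__main__":
    for sample in (SAMPLE_OK, SAMPLE_MISSING):
        print(check_ftp_helper(sample))
```

Two caveats the counters make visible: the helper chain is only hooked on br-lan ingress, so only connections initiated from the lan get a helper, and the CT rule matches tcp dpt:21 only, so an FTP server on a non-standard control port is never tracked no matter which modules are installed.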

@openwrt-bot
ThomasCr:

Good to know... but should it not be a dependency, when it is needed?

root@gw:~# iptables -L -vn -t raw
Chain PREROUTING (policy ACCEPT 30217 packets, 23M bytes)
 pkts bytes target     prot opt in     out     source               destination
16481   22M zone_lan_helper  all  --  br-lan *       0.0.0.0/0            0.0.0.0/0            /* !fw3: lan CT helper assignment */

Chain OUTPUT (policy ACCEPT 577 packets, 45780 bytes)
 pkts bytes target     prot opt in     out     source               destination

Chain zone_lan_helper (1 references)
 pkts bytes target     prot opt in     out     source               destination
    0     0 CT         udp  --  *      *       0.0.0.0/0            0.0.0.0/0            /* !fw3: Amanda backup and archiving proto */ udp dpt:10080 CT helper amanda
    0     0 CT         tcp  --  *      *       0.0.0.0/0            0.0.0.0/0            /* !fw3: FTP passive connection tracking */ tcp dpt:21 CT helper ftp
    0     0 CT         udp  --  *      *       0.0.0.0/0            0.0.0.0/0            /* !fw3: RAS proto tracking */ udp dpt:1719 CT helper RAS
    0     0 CT         tcp  --  *      *       0.0.0.0/0            0.0.0.0/0            /* !fw3: Q.931 proto tracking */ tcp dpt:1720 CT helper Q.931
    0     0 CT         tcp  --  *      *       0.0.0.0/0            0.0.0.0/0            /* !fw3: IRC DCC connection tracking */ tcp dpt:6667 CT helper irc
    0     0 CT         tcp  --  *      *       0.0.0.0/0            0.0.0.0/0            /* !fw3: PPTP VPN connection tracking */ tcp dpt:1723 CT helper pptp
    0     0 CT         tcp  --  *      *       0.0.0.0/0            0.0.0.0/0            /* !fw3: SIP VoIP connection tracking */ tcp dpt:5060 CT helper sip
  187 12089 CT         udp  --  *      *       0.0.0.0/0            0.0.0.0/0            /* !fw3: SIP VoIP connection tracking */ udp dpt:5060 CT helper sip
    0     0 CT         udp  --  *      *       0.0.0.0/0            0.0.0.0/0            /* !fw3: SNMP monitoring connection tracking */ udp dpt:161 CT helper snmp
   88  6743 CT         udp  --  *      *       0.0.0.0/0            0.0.0.0/0            /* !fw3: TFTP connection tracking */ udp dpt:69 CT helper tftp

@openwrt-bot
ThomasCr:

Hi, today I could test it on the site that had the problem, and it works.
Thanks!

Sorry to repeat, but why does this package have no dependency on, or suggestion of, kmod-ipt-raw?
Is it really useful without kmod-ipt-raw?
