Re: iptables rule to block FTP-NAT-Helper-Traffic



Hello,

Kevin Kempfer wrote:

I just got aware of the FTP-NAT-Helper security problem. Here's what happens:

- I visit a page with a hostile java applet

Here is the actual security problem.

- the applet calls home with what seems to be a legitimate FTP session
- the remote server responds with "sure, I'll send that data on port 5900" (which just happens to be the standard VNC port)

Actually it's the local FTP client which chooses and tells the remote server which port to connect to. This happens in active mode only. In passive mode, the server tells the client which port to connect to.

- the router opens port 5900 for that remote host to this local host, and that remote host now has access to a local port that it should not.

Right.

Is there a way to block this kind of traffic?

Sure. As I wrote, the security problem happens only with FTP active mode, so you can block active mode data connections, which are incoming connections. You can identify packets related to the FTP conntrack/NAT helper with the "helper" match.

iptables -A FORWARD -i external_interface -m state --state RELATED \
    -m helper --helper ftp -j DROP

In order to be effective, this rule must be placed before the general "-m state ESTABLISHED,RELATED -j ACCEPT" rule.

For a more fine-grained filtering, you can also DROP FTP-related connection attempts to ports ranges that you know are used by other applications.

Even simpler: DROP incoming packets to ports you don't want to be open from the internet before the general state rule.
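The three variants above (drop everything the FTP helper lets in from the outside, drop only helper-related connections to chosen port ranges, or drop inbound traffic to specific ports regardless of helper) only work if they sit ahead of the generic ESTABLISHED,RELATED accept. The script below is an added example, not part of the original post; it builds the FORWARD chain in that order and defaults to a dry run that prints the rules instead of loading them. The interface name eth0, the VNC port range 5900:5910 and the port list are assumed placeholders.

```shell
#!/bin/sh
# Added example, not from the original post: order the FORWARD chain so that
# FTP-helper expectations from the external interface are dropped before the
# generic state rule accepts RELATED traffic.
# Assumptions (placeholders): external interface eth0, VNC ports 5900-5910.

EXT_IF="${EXT_IF:-eth0}"       # assumed external interface name
IPT="${IPT:-iptables}"         # iptables binary
DRY_RUN="${DRY_RUN:-1}"        # 1 = print rules, 0 = really load them

# Print or execute a rule depending on DRY_RUN.
run() {
    if [ "$DRY_RUN" = 1 ]; then
        printf '%s\n' "$*"
    else
        "$@"
    fi
}

# Variant 1: block every active-mode data connection the FTP helper would
# let in from the outside (the case described in the thread).
ftp_helper_drop_all() {
    run "$IPT" -A FORWARD -i "$EXT_IF" -m state --state RELATED \
        -m helper --helper ftp -j DROP
}

# Variant 2: finer-grained, only block helper-related connections to a port
# range known to belong to other applications (VNC here, assumed).
ftp_helper_drop_range() {
    range="$1"
    run "$IPT" -A FORWARD -i "$EXT_IF" -p tcp --dport "$range" \
        -m state --state RELATED -m helper --helper ftp -j DROP
}

# Variant 3: simplest, drop inbound packets to listed ports whatever the
# conntrack state says (must also precede the generic state rule).
drop_inbound_ports() {
    for p in "$@"; do
        run "$IPT" -A FORWARD -i "$EXT_IF" -p tcp --dport "$p" -j DROP
    done
}

# Generic state rule, appended last so the drops above win.
accept_established_related() {
    run "$IPT" -A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT
}

# Assemble the chain in the only order that is effective.
build_forward_chain() {
    ftp_helper_drop_all
    ftp_helper_drop_range 5900:5910
    drop_inbound_ports 5900 3389
    accept_established_related
}

build_forward_chain
```

Run with `DRY_RUN=0 EXT_IF=<your-wan-if> sh script.sh` to load the rules for real; leave DRY_RUN at its default to review the order first. One caveat worth checking on current kernels: since Linux 4.7 automatic helper assignment is off by default (`net.netfilter.nf_conntrack_helper=0`), so the FTP helper is only attached to a flow by an explicit `-j CT --helper ftp` rule in the raw table. Where no such rule exists, `-m helper --helper ftp` matches nothing, but no expectation is created either, so the hole described in the thread does not open in the first place.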

Anyway, is this really efficient? Couldn't the hostile applet just connect locally to the VNC port and relay the communication with the hostile server?


