3

I've installed debian (on my raspberry, but the question is quite generic):

Linux raspberrypi 4.9.28+ #998 Mon May 15 16:50:35 BST 2017 armv6l GNU/Linux

And I'm trying to set up a simple anonymous and plaintext (no SSL) FTP server on it (vsftpd). The TCP port is the regular 21 FTP port, and I'm going to allow only passive mode.

I would like to have a strict firewall configuration, so I'm allowing in only ssh and the aforementioned FTP server.

For this purpose I'm using the conntrack module to allow only legit inbound connections. For this reason I loaded with modprobe the nf_conntrack_ftp module:

modprobe nf_conntrack_ftp

My iptables configuration:

# Generated by iptables-save v1.4.21 on Sat Aug 12 15:50:44 2017
*filter
:INPUT ACCEPT [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [108:11273]
-A INPUT -p tcp -m tcp --dport 22 -j ACCEPT
-A INPUT -p tcp -m tcp --dport 21 -j ACCEPT
-A INPUT -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
-A INPUT -j DROP
COMMIT
# Completed on Sat Aug 12 15:50:44 2017

With this configuration I'm not able to get the passive data connection to work properly.

I've both set up a tcpdump and added an -A INPUT -j LOG rule just before the -A INPUT -j DROP: I can clearly see the inbound packets for the passive data connection being logged and rejected.

Some time ago I did pretty much the same setup on a Centos7 machine, where it worked correctly. Am I missing something important?

Thanks for any help :)

3
  • You can check with conntrack -L conntrack ; conntrack -L expect whether nf_conntrack_ftp sets up the necessary entry. Commented Aug 12, 2017 at 16:23
  • I don't know if it applies but automatic helper assignment is deprecated, so check your dmesg log and perhaps you need to follow the advice in the link and have another rule for your RELATED ftp connections.
    – meuh
    Commented Aug 12, 2017 at 17:15
  • @HaukeLaging Apparently there's no expectation appearing in there. I can see the control connection getting in from the conntrack table. Checking dmesg as suggested by @meuh
    – Dacav
    Commented Aug 12, 2017 at 17:23


6

As suggested by @meuh in a comment, I had a look at the documentation hosted at https://home.regit.org/netfilter-en/secure-use-of-helpers/.

The paragraph "Using the CT target to refine security" explains:

One classic problem with helpers is the fact that helpers listen on predefined ports. If a service does not run on standard port, it is necessary to declare it. Before 2.6.34, the only method to do so was to use a module option. This was resulting in having a systematic parsing of the added port by the chosen helper. This was clearly suboptimal and the CT target has been introduced in 2.6.34. It allows to specify what helper to use for a specific flow. For example, let's say we have an FTP server on IP address 1.2.3.4 running on port 2121.

To declare it, we can simply do

iptables -A PREROUTING -t raw -p tcp --dport 2121 \
       -d 1.2.3.4 -j CT --helper ftp

It's not my case (since I'm using a regular port 21 for it) but still it seems to work if one wants to enable the ftp helper for inbound connections.

iptables -A PREROUTING -t raw -p tcp -m tcp --dport 21 -j CT --helper ftp

My (working) configuration is now:

# Generated by iptables-save v1.4.21 on Sat Aug 12 17:39:53 2017
*raw
:PREROUTING ACCEPT [445:37346]
:OUTPUT ACCEPT [375:44051]
-A PREROUTING -p tcp -m tcp --dport 21 -j CT --helper ftp
COMMIT
# Completed on Sat Aug 12 17:39:53 2017
# Generated by iptables-save v1.4.21 on Sat Aug 12 17:39:53 2017
*filter
:INPUT ACCEPT [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [169:17775]
-A INPUT -p tcp -m tcp --dport 21 -j ACCEPT
-A INPUT -p tcp -m tcp --dport 22 -j ACCEPT
-A INPUT -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
-A INPUT -j DROP
COMMIT
# Completed on Sat Aug 12 17:39:53 2017

It is probably worth noting that the document suggests being wary of this kind of configuration, since the behaviour of the firewall depends on the user input.

I'm wondering if there are risks in facing an FTP server on the Open Internet in this way. In general FTP is known not to be the best protocol in terms of security, anyway…

2
  • you are missing -t raw in your iptables -A PREROUTING -p tcp -m tcp --dport 21 -j CT --helper ftp
    – jonhattan
    Commented May 7, 2018 at 15:23
  • The automatic helper assignment for the netfilter modules was made optional in kernel 3.5 and later disabled by default because some evil people found a way to abuse it. Now the recommended practice is to declare any required helpers explicitly on ports that need them.
    – telcoM
    Commented Jul 16, 2018 at 12:13
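
As an added example (not part of the question, the answer or any comment above): a small POSIX shell audit that reads an iptables-save dump and reports whether the passive-FTP mistake discussed in this thread is present, i.e. the filter table accepts the FTP control port and relies on RELATED,ESTABLISHED, but no raw-table rule assigns the ftp helper to that port. The function name, exit codes and the two sample rulesets (constructed, shortened copies of the dumps in the question and the answer) are my own.

```shell
#!/bin/sh
# audit_ftp_ruleset DUMP [PORT]: scan an iptables-save dump (default port 21).
# Exit 0: raw PREROUTING has "-j CT --helper ftp" for the port (data
#         connections will be tracked as RELATED).
# Exit 1: filter INPUT accepts the port but no helper rule covers it
#         (the situation described in the question).
# Exit 2: the port is not accepted in filter INPUT at all.
audit_ftp_ruleset() {
    dump=$1
    port=${2:-21}
    awk -v port="$port" '
        /^\*/ { table = substr($0, 2); next }        # "*raw" / "*filter"
        {
            dport = ""
            for (i = 1; i <= NF; i++) if ($i == "--dport") dport = $(i + 1)
        }
        table == "filter" && /^-A INPUT / && dport == port && / -j ACCEPT/ { accepted = 1 }
        table == "raw" && /^-A PREROUTING / && dport == port && / -j CT / && /--helper ftp/ { helper = 1 }
        END {
            if (!accepted) exit 2
            if (helper) exit 0
            exit 1
        }
    ' "$dump"
}

# Constructed sample dumps: the broken and the working ruleset from this thread.
workdir=$(mktemp -d)
cat > "$workdir/broken.rules" <<'EOF'
*filter
:INPUT ACCEPT [0:0]
-A INPUT -p tcp -m tcp --dport 22 -j ACCEPT
-A INPUT -p tcp -m tcp --dport 21 -j ACCEPT
-A INPUT -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
-A INPUT -j DROP
COMMIT
EOF
cat > "$workdir/working.rules" <<'EOF'
*raw
-A PREROUTING -p tcp -m tcp --dport 21 -j CT --helper ftp
COMMIT
*filter
-A INPUT -p tcp -m tcp --dport 21 -j ACCEPT
-A INPUT -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
-A INPUT -j DROP
COMMIT
EOF

for f in broken working; do
    if audit_ftp_ruleset "$workdir/$f.rules" 21; then
        echo "$f: ftp helper assigned on port 21"
    else
        echo "$f: port 21 accepted but no raw-table CT --helper ftp rule"
    fi
done
```

To audit a live box, run it against `iptables-save` output; a missing helper rule is the usual reason the passive data connection shows up in the LOG rule instead of matching RELATED.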
