mangle rule to mark ftp connections

Hi!

We have a mikrotik with two WAN connections.
We use mangle rules to mark connection, and routes that take marked connections, thus separating different marked connections to different gateways.

We have rules like:

[admin@PCMEDIC_LX] /ip firewall mangle> print all
Flags: X - disabled, I - invalid, D - dynamic 
 0   ;;; OUTPUT - WEB - Vodafone
     chain=prerouting action=mark-routing new-routing-mark=to_vodafone2 passthrough=no protocol=tcp src-address=192.168.2.0/24 dst-address=!213.63.137.0/24 dst-port=80 

 1   ;;; OUTPUT - HTTPS - Vodafone
     chain=prerouting action=mark-routing new-routing-mark=to_vodafone2 passthrough=no protocol=tcp src-address=192.168.2.0/24 dst-address=!213.63.137.0/24 dst-port=443 

 2   ;;; OUTPUT - SSH Vodafone
     chain=prerouting action=mark-routing new-routing-mark=to_vodafone2 passthrough=no protocol=tcp src-address=192.168.2.0/24 dst-address=!213.63.137.0/24 dst-port=22

These all work quite well.

Now, passive FTP connections are initially made through port 21, but then a different port is negotiated.
We now need a mangle rule that will mark ftp connections and related connections, else the ftp server will not allow us in.

ftpd log:

Jul 11 12:08:05 your-insight ftpd: pam_unix(proftpd:session): session opened for user cusco by (uid=0)
Jul 11 12:08:05 your-insight ftpd[25910]: your-insight.eu (33.83.136.95.rev.vodafone.pt[95.136.83.33]) - USER cusco: Login successful.
Jul 11 12:08:05 your-insight ftpd[25910]: your-insight.eu (33.83.136.95.rev.vodafone.pt[95.136.83.33]) - Preparing to chroot to directory '/home/cusco'
Jul 11 12:08:15 your-insight ftpd[25910]: your-insight.eu (33.83.136.95.rev.vodafone.pt[95.136.83.33]) - SECURITY VIOLATION: Passive connection from 213.141.21.122 rejected.

Can anybody help?


Thanks in advance.

I may be mistaken, but I don’t think you can do that. There is no syntax for “mark connections related to some other connections”. Your best bet would be to let that stuff fall through to the default gateway.

Ouch…

Isn’t there some ip_conntrack_ftp module, or any way to keep track of ftp connections..

There must be some way…

Conntrack does track FTP connections and recognizes passive FTP data channels as ‘related’, but I can’t think of any way to mark a connection based on that. In other words, you can determine that a connection is related, but you cannot determine what connection it is related to. If you’re happy to put all traffic that conntrack can discover as related you can mark routing based on just ‘connection-state=related’, but then you have to put all protocols that have helpers (such as SIP, PPTP etc.) through the same WAN circuit.

Maybe I’m wrong and someone will correct this, or have some clever way to get around the limitations.

It’s possible to set connection-type=ftp in a firewall rule. But it won’t work with the more and more often used FTP over SSL, because the helper can’t detect anything there.
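Putting the two replies together (conntrack's FTP helper flags passive data channels as related, and connection-type=ftp matches only the connections that helper expected), the rules below are an added example for this thread, not configuration posted by anyone in it. They assume the routing mark to_vodafone2, the LAN 192.168.2.0/24 and the excluded range 213.63.137.0/24 from the original post; the rule comments are made up to match the poster's naming style.

```routeros
# Added example, not from the thread. Goal: the FTP control connection and
# the passive data connections the FTP helper links to it leave through the
# same WAN, so the server sees one client address on both channels.

# The FTP helper must be active for conntrack to recognise PASV data
# channels as related (it is enabled by default on RouterOS).
/ip firewall service-port
set ftp disabled=no

/ip firewall mangle
# Control connection: same pattern as the existing HTTP/HTTPS/SSH rules,
# just for port 21.
add chain=prerouting comment="OUTPUT - FTP control - Vodafone" protocol=tcp src-address=192.168.2.0/24 dst-address=!213.63.137.0/24 dst-port=21 action=mark-routing new-routing-mark=to_vodafone2 passthrough=no

# Data connections: connection-type=ftp matches every packet of a connection
# that the FTP helper expected from a PASV reply, and nothing expected by the
# SIP/PPTP/H.323 helpers, so only FTP traffic is pinned to this WAN.
# The client opens the passive data channel, so src-address still identifies
# the LAN host; no dst-port is given because the server picks it per transfer.
add chain=prerouting comment="OUTPUT - FTP data - Vodafone" protocol=tcp src-address=192.168.2.0/24 dst-address=!213.63.137.0/24 connection-type=ftp action=mark-routing new-routing-mark=to_vodafone2 passthrough=no
```

Check it with /ip firewall connection print where the data connection should show the FTP helper and, with the rules in place, the proftpd "SECURITY VIOLATION: Passive connection ... rejected" line should stop appearing. The caveat from the last reply stands: with FTP over SSL the PASV reply is encrypted, the helper cannot create the expectation, and those data connections fall through to the default gateway.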