Netfilter Helpers
Tom
Eastep
2012
Thomas M. Eastep
Permission is granted to copy, distribute and/or modify this
document under the terms of the GNU Free Documentation License, Version
1.2 or any later version published by the Free Software Foundation; with
no Invariant Sections, with no Front-Cover, and with no Back-Cover
Texts. A copy of the license is included in the section entitled
GNU Free Documentation
License
.
Helpers - Introduction
There are a number of applications that create connections
dynamically between a client and server. These connections use temporary
TCP or UDP ports, so static configuration of firewall rules to allow those
connections would require a very lax firewall configuration. To deal with
these problem applications, Netfilter supports the concept of a
helper. Each helper monitors traffic to/from the
default primary port used by the application and opens the firewall to
accept temporary connections created by the primary session.
There are helpers for the following applications; default ports
monitored by each helper are listed in parentheses:
Amanda (UDP 10080)
FTP (TCP 21)
H323 (UDP 1719, TCP 1720)
IRC (TCP 6667)
Netbios-NS (UDP 137)
PPTP (TCP 1729)
SANE (TCP 6566)
SIP (UDP 5060)
SNMP (UDP 161)
TFTP (UDP 69)
Helper Module Loading
In a modular kernel, each helper is typically packaged as two
kernel modules. One module handles connection tracking where NAT isn't
involved and the other module handles NAT. For example, the FTP helper
consists of these two modules (kernels 2.6.20 and later):
nf_conntrack_ftp
nf_nat_ftp
Note that the naming convention is
nf_conntrack_application and
nf_nat_application; more about that
below.
Prior to Shorewall 4.5.7, helper modules were not auto-loaded and
must be loaded explicitly using the modprob or
insmod utilities. Beginning with Shorewall 4.5.7,
these modules are loaded when Shorewall is determining the capabilities
of your system.
Many of the modules allow parameters to be specified when the
module is loaded. Among the common parameters is the ports parameter
that lists one or more ports that the module is to monitor. This allows
running the application on a non-standard port.
Iptables and Helpers
Iptables supports two ways of interacting with modules:
Helper Match
This match (-m helper --helper
name) allows selection of packets from
connections monitored or created by the named helper.
CT Target
This target (-j CT --helper name
...) , introduced in the 3.4 kernels, allows for explicit
association of a helper with a connection.
It is important to note that the name used in iptables is not
always the same as the name in the kernel module. Names used in iptables
are shown in the following table:
Name of kernel module
Name recognized by iptables
nf_conntrack_amanda
amanda
nf_conntrack_ftp
ftp
nf_conntrack_h323
RAS (udp 1719), Q.931 (tcp
1720)
nf_conntrack_irc
irc
nf_conntrack_netbios_ns
netbios-ns
nf_conntrack_pptp
pptp
nf_conntrack_sane
sane
nf_conntrack_sip
sip
nf_conntrack_snmp
snmp
nf_conntrack_tftp
tftp
Netfilter helpers present an opportunity for attackers to attempt
to breach your firewall by IP address spoofing; See https://home.regit.org/netfilter-en/secure-use-of-helpers/
for a description of the Netfilter facilities available to meet these
attacks.
Shorewall Support for Helpers
Shorewall includes support for helpers is several areas. These areas
are covered in the sections below.
Module Loading
Shorewall includes support for loading the helper modules as part
of its support for loading kernel modules in general. There are several
options in shorewall.conf (5) that deal with kernel module
loading:
MODULESDIR
This option specifies a comma-separated list of directories
where Shorewall will look for kernel modules to load.
MODULE_SUFFIX
Lists the possible suffixes for module names.
LOAD_HELPERS_ONLY
Controls whether Shorewall should load only the helpers and
leave the other modules to the auto-loader. This option
dramatically reduces the time to process a shorewall
start or shorewall restart
command.
DONT_LOAD
This is a comma-separated list of modules that you
specifically don't want Shorewall to load.
HELPERS
This option was added in Shorewall 4.5.7 and lists the
modules to be enabled for association with connections
(comma-separated). This option is fully functional only on systems
running kernel 3.5 or later.
The module names allowed in this list are amanda, ftp, h323,
irc, netbios-ns, pptp, sane, sip,
snmp and tftp. If you don't want a particular helper
module loaded, then:
List it in the DONT_LOAD option; and
Explicitly list those helpers that you do want in
HELPERS.
AUTOHELPERS
This option was also added in Shorewall 4.5.7. When enabled
on systems that support the CT Target capability, it provides
automatic association of helpers to connections in the same manner
as in pre-3.5 kernels (and with the same vulnerabilities).
The helper modules to be loaded are listed in the file
/usr/share/shorewall/helpers. If you wish to
customize that file to load only a subset of the helpers or to specify
module parameters, then copy the file to /etc/shorewall/
and modify the copy. That way, your changes won't be
overwritten the next time that Shorewall is updated on your
system.
On systems running a a kernel earlier than 3.5, not all of the
helpers can be totally disabled. The following modules can be disabled
by using the parameter ports=0 in
/etc/shorewall/helpers:
ftp
irc
sane
sip
tftp
After disabling one or more helpers using this method, you
must:
Unload the related module(s).
Restart Shorewall (use the -c option (e.g., shorewall
restart -c) if you have AUTOMAKE=Yes in shorewall.conf
(5))..
Note that if you choose to reboot your system to unload the
modules, then if you have CT:helper entries in shorewall-conntrack (5)
that refer to the module(s) and you have AUTOMAKE=Yes in shorewall.conf (5), then
Shorewall will fail to start at boot time.
Iptables
The iptables helper match is supported by Shorewall in the form of
the HELPER column in shorewall-mangle (5) and
shorewall-tcrules
(5).
The CT target is supported directly in shorewall-conntrack
(5).
In these files, Shorewall supports the same module names as
iptables; see the table above.
Beginning with Shorewall 4.5.7, there is a HELPER column in shorewall-rules (5). In the
NEW section, this column allows the explicit association of a helper
with connections allowed by a given rules. The column may contain any of
the helper names recognized by iptables (see the table above). In the
RELATED section, the rule will only match the packet if the related
connection has the named helper attached.
Also added in Shorewall 4.5.7 is the HELPER action in shorewall-rules (5). HELPER
rules associate the helper listed in the HELPER column with connections
that match the rule. A destination zone should not be specified in
HELPER rules.
Capabilities
The output of shorewall show capabilities has
two entries for each of the helpers listed above that can be disabled by
adding ports=0 in
/etc/shorewall/helpers.
shorewall show capabilities
Amanda Helper: Available
FTP Helper: Not available
FTP-0 Helper: Available
IRC Helper: Not available
IRC-0 Helper: Available
Netbios_ns Helper: Available
H323 Helper: Not available
PPTP Helper: Available
SANE Helper: Not available
SANE-0 Helper: Available
SNMP Helper: Available
TFTP Helper: Not available
TFTP-0 Helper: Available
iptables -S (IPTABLES_S): Available
Basic Filter (BASIC_FILTER): Available
CT Target (CT_TARGET): Available
Kernel Version (KERNELVERSION): 30404
Capabilities Version (CAPVERSION): 40507
The above output is produced when this /etc/shorewall/helpers file
is used on a system running kernel 3.4.4:
loadmodule nf_conntrack_ftp ports=0
loadmodule nf_conntrack_irc ports=0
loadmodule nf_conntrack_netbios_ns
loadmodule nf_conntrack_sip ports=0
loadmodule nf_conntrack_tftp ports=0
loadmodule nf_conntrack_sane ports=0
The reason for the double capabilities is that when ports=0 is specified, the iptables name of the
helper gets '-0' added to it. So in order for the compiler to generate
the correct iptables commands, it needs to know if ports=0 was specified for each of the helprs that
support it.
Notice that most of the other helpers are available, even though
their modules were not loaded. That's because auto-loading occurs during
capability detection on those modules whose iptables name matches the
module name.
Kernel >= 3.5 and Shorewall >= 4.5.7
While the AUTOHELPER option described above provides for seamless
migration to kernel 3.5 and beyond, we recommend setting AUTOHELPER=No at
the first opportunity after migrating. Additionally, you should:
Use the HELPER action and the HELPER column in shorewall-rules (5) to
attach helpers to only those connections that you need to
support.
If you run one or more servers (such as an FTP server) that
interact with helpers, you should consider adding rules to the RELATED
section of shorewall-rules (5) to
limit the scope of the helper. Suppose that your Linux FTP server is
in zone dmz and has address 70.90.191.123.
#ACTION SOURCE DEST PROTO DEST SOURCE
# PORT(S) PORT(2)
SECTION RELATED
ACCEPT all dmz:70.90.191.123 32768: ; helper=ftp # passive FTP to dmz server; /proc/sys/net/ipv4/ip_local_port_range == 32760:65535
ACCEPT dmz:70.90.191.123 all tcp 1024: 20 ; helper=ftp # active FTP to dmz server
ACCEPT loc,dmz,$FW net tcp - 1024: ; helper=ftp # passive FTP to net
ACCEPT net all tcp 1024: 20 ; helper=ftp # active FTP from net
DROP:info all all ; helper=ftp #
SECTION NEW
HELPER all net tcp 21 ; helper=ftp
ACCEPT all dmz:70.90.191.123 tcp 21 ; helper=ftp