From b1109b8af5f0a5e3ab7f0b68211d63ab0594c0ac Mon Sep 17 00:00:00 2001
From: Michael Tremer
Date: Wed, 22 Apr 2015 18:10:59 +0200
Subject: [PATCH 1/1] Enhance the security of the netfilter conntrack helpers

This is suggested here https://home.regit.org/netfilter-en/secure-use-of-helpers/ and deprecated in the kernel (#10665).
---
 config/etc/modprobe.d/nf_conntrack.conf | 2 ++
 config/rootfiles/common/stage2 | 1 +
 src/initscripts/init.d/firewall | 32 +++++++++++++++++++++++--
 3 files changed, 33 insertions(+), 2 deletions(-)
 create mode 100644 config/etc/modprobe.d/nf_conntrack.conf

diff --git a/config/etc/modprobe.d/nf_conntrack.conf b/config/etc/modprobe.d/nf_conntrack.conf
new file mode 100644
index 0000000000..d5a1813063
--- /dev/null
+++ b/config/etc/modprobe.d/nf_conntrack.conf
@@ -0,0 +1,2 @@
+# Disable automatic conntrack helper assignment
+options nf_conntrack nf_conntrack_helper=0
diff --git a/config/rootfiles/common/stage2 b/config/rootfiles/common/stage2
index 90e28d9c4c..b5a996bc48 100644
--- a/config/rootfiles/common/stage2
+++ b/config/rootfiles/common/stage2
@@ -22,6 +22,7 @@ etc/mime.types
 etc/modprobe.d
 etc/modprobe.d/btmrvl_sdio.conf
 etc/modprobe.d/cfg80211.conf
+etc/modprobe.d/nf_conntrack.conf
 etc/modprobe.d/pcspeaker.conf
 etc/modules.conf
 etc/mtab
diff --git a/src/initscripts/init.d/firewall b/src/initscripts/init.d/firewall
index 8ca02bc9d1..8040ed4038 100644
--- a/src/initscripts/init.d/firewall
+++ b/src/initscripts/init.d/firewall
@@ -21,9 +21,11 @@ iptables_init() {
 	iptables -F
 	iptables -t nat -F
 	iptables -t mangle -F
+	iptables -t raw -F
 	iptables -X
 	iptables -t nat -X
 	iptables -t mangle -X
+	iptables -t raw -X
 
 	# Set up policies
 	iptables -P INPUT DROP
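Review bot: The `options nf_conntrack nf_conntrack_helper=0` line in the new modprobe.d file only takes effect when nf_conntrack is loaded as a module after this file is installed; on a kernel with conntrack built in, or on a running system that already has the module loaded when the update lands, automatic helper assignment stays enabled until the next reboot. Because the rules in src/initscripts/init.d/firewall now rely on helpers being assigned only by the explicit `CT --helper` rules, iptables_init should also pin the runtime knob, e.g. `sysctl -w net.netfilter.nf_conntrack_helper=0` once the conntrack module is present, so the filter-side RELATED rules are not bypassed by an automatically assigned helper. A one-line comment in the conf file noting that the initscript sets the same setting at runtime would make that dependency explicit.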
@@ -84,10 +86,36 @@ iptables_init() {
 	iptables -A INPUT -p tcp -j BADTCP
 	iptables -A FORWARD -p tcp -j BADTCP
 
-	# Connection tracking chain
+	# Connection tracking chains
 	iptables -N CONNTRACK
-	iptables -A CONNTRACK -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
+	iptables -A CONNTRACK -m conntrack --ctstate ESTABLISHED -j ACCEPT
 	iptables -A CONNTRACK -m conntrack --ctstate INVALID -j DROP
+	iptables -t raw -N CONNTRACK
+	iptables -t raw -A PREROUTING -j CONNTRACK
+
+	# Conntrack helpers (https://home.regit.org/netfilter-en/secure-use-of-helpers/)
+
+	# SIP
+	iptables -A CONNTRACK -m conntrack --ctstate RELATED \
+		-m helper --helper sip -j ACCEPT
+	for proto in udp tcp; do
+		iptables -t raw -A CONNTRACK -p "${proto}" --dport 5060 -j CT --helper sip
+	done
+
+	# FTP
+	iptables -A CONNTRACK -m conntrack --ctstate RELATED \
+		-m helper --helper ftp -p tcp --dport 1024: -j ACCEPT
+	iptables -t raw -A CONNTRACK -p tcp --dport 21 -j CT --helper ftp
+
+	# PPTP
+	iptables -A CONNTRACK -m conntrack --ctstate RELATED \
+		-m helper --helper pptp -j ACCEPT
+	iptables -t raw -A CONNTRACK -p udp --dport 1723 -j CT --helper pptp
+
+	# TFTP
+	iptables -A CONNTRACK -m conntrack --ctstate RELATED \
+		-m helper --helper tftp -j ACCEPT
+	iptables -t raw -A CONNTRACK -p udp --dport 69 -j CT --helper tftp
 
 	# Fix for braindead ISP's
 	iptables -A FORWARD -p tcp --tcp-flags SYN,RST SYN -j TCPMSS --clamp-mss-to-pmtu
-- 
2.39.2
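Review bot: The PPTP assignment rule `iptables -t raw -A CONNTRACK -p udp --dport 1723 -j CT --helper pptp` uses the wrong protocol: the PPTP control connection is TCP/1723 (GRE carries the tunnel data) and the pptp conntrack helper is registered for TCP, so this rule never matches and PPTP pass-through silently stops working once automatic helper assignment is disabled; it should read `iptables -t raw -A CONNTRACK -p tcp --dport 1723 -j CT --helper pptp`. Two smaller gaps in the same hunk: the raw-table CONNTRACK chain is only hooked into PREROUTING, so connections originated by the firewall itself get no helper at all (add `iptables -t raw -A OUTPUT -j CONNTRACK` if that is intended), and narrowing `--ctstate ESTABLISHED,RELATED` to `ESTABLISHED` means RELATED ICMP errors (fragmentation-needed, unreachable), which carry no helper, are no longer accepted here and fall through to the later policy, which the helper-specific rules do not cover; `iptables -A CONNTRACK -p icmp -m conntrack --ctstate RELATED -j ACCEPT` restores that. The SIP, PPTP and TFTP accept rules could also be constrained by protocol the way the FTP rule is (`-p udp` for TFTP, `-p gre` for PPTP) so a matched helper only opens what its expectations can legitimately create. iptables_init continues outside the hunk.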