* ip_conntrack_ftp
From: Britt Tabor @ 2003-10-13 21:22 UTC (permalink / raw)
To: netfilter
I'm having a problem with FTP. My ftp-data is not passing through my firewall. I have configured the firewall for MASQ and ALL policies are set to ACCEPT (I know it's insecure, I'm just trying to get it to work first). Anyway, I have ip_conntrack_ftp loaded and I can connect through the firewall and pwd, but of course when I ls or do a data transfer I get errors: the ftp client reports "Illegal PORT command" or "data connection refused", and dmesg says "max number of expected connections". My iptables lists look like this:
bash-2.05# iptables -L
Chain INPUT (policy ACCEPT)
target prot opt source destination
Chain FORWARD (policy ACCEPT)
target prot opt source destination
ACCEPT all -- anywhere anywhere
Chain OUTPUT (policy ACCEPT)
target prot opt source destination
bash-2.05# iptables -t nat -L
Chain PREROUTING (policy ACCEPT)
target prot opt source destination
Chain POSTROUTING (policy ACCEPT)
target prot opt source destination
SNAT all -- anywhere anywhere to:x.x.x.x
Chain OUTPUT (policy ACCEPT)
target prot opt source destination
lsmod:
bash-2.05# lsmod
Module Size Used by
ip_conntrack_ftp 3856 0 (unused)
vhub 9664 0 (unused)
iptable_nat 14432 1 (autoclean)
ip_conntrack 16656 2 (autoclean) [ip_conntrack_ftp iptable_nat]
iptable_filter 1760 1 (autoclean)
via-rhine 12768 1
eepro100 18432 1
mii 2160 0 [via-rhine eepro100]
pcmcia_core 40608 0
doc 146464 1
Why does my ftp data still get blocked/dropped???
If I switch the ftp client to passive it works fine, but I need it to work both ways...
Britt Tabor
Edge Access, Inc.
btabor@edgeaccess.net
http://www.edgeaccess.net
813.594.6142 Voice
813.249.1126 Fax
* Re: ip_conntrack_ftp
From: Eric Leblond @ 2003-10-14 16:08 UTC (permalink / raw)
To: Britt Tabor; +Cc: netfilter
On Mon 13/10/2003 at 23:22, Britt Tabor wrote:
> lsmod:
> bash-2.05# lsmod
> Module Size Used by
> ip_conntrack_ftp 3856 0 (unused)
> vhub 9664 0 (unused)
> iptable_nat 14432 1 (autoclean)
> ip_conntrack 16656 2 (autoclean) [ip_conntrack_ftp iptable_nat]
> iptable_filter 1760 1 (autoclean)
> via-rhine 12768 1
> eepro100 18432 1
> mii 2160 0 [via-rhine eepro100]
> pcmcia_core 40608 0
> doc 146464 1
>
> why does my ftp data still get block/dropped ???
The NAT is the problem: the module "ip_nat_ftp" is not here to correctly NAT the connection.
BR,
--
Eric Leblond
Nufw, Now User Filtering Works (http://www.nufw.org)
* Re: ip_conntrack_ftp
From: Nicolas Olivier @ 2005-06-24 8:10 UTC (permalink / raw)
To: netfilter
Just an update, as the schema is a total mess.
customer-1 172.16.0.2/30 ------------------- 172.16.0.1/30 (nas0) rt-1 (nas1) 10.0.0.2/30 --------------- 10.0.0.1/30 (nas1) rt-2
oustside ------------------- 10.10.60.23/24 (eth0) rt-1 (eth1) 10.0.0.5/30 --------------- 10.0.0.6/30 (eth1) rt-2
* ip_conntrack_ftp
From: Nicolas Olivier @ 2005-06-24 8:01 UTC (permalink / raw)
To: netfilter
Hi,
I've got the following architecture:
customer-1 rt-1 rt-2
______ ______ 10.0.0.2/30 10.0.0.1/30 ______
| | | |__________________________________| |
| |172.16.0.2/30 172.16.0.1/30| |nas1 nas1 | |
| |___________/ ... /______________| | | |
| | whatever nas0 | |10.0.0.5/30 10.0.0.6/30| |
| | | |__________________________________| |
|______| |______|eth1 eth1 |______|
eth0 |
10.10.60.23/24|
|
So customer-1 is connected to rt-1 over ATM via a br2684.
When nas0 is created, the following is done:
ifconfig nas0 172.16.0.1 netmask 255.255.255.252 broadcast 172.16.0.3
ip route add table 1 172.16.0.0/30 dev nas0 proto static scope link src 172.16.0.1
ip route del 172.16.0.0/30 dev nas0 proto kernel scope link src 172.16.0.1
ip rule add dev nas0 lookup 1
For nas1:
ifconfig nas1 10.0.0.2 netmask 255.255.255.252 broadcast 10.0.0.3
ip route add default via 10.0.0.1 dev nas1 table 1
ip route del 10.0.0.0/30 dev nas1 proto kernel scope link src 10.0.0.2
ip route add table 1 10.0.0.0/30 dev nas1 proto static scope link src 10.0.0.2
ip rule add dev nas1 lookup 1
ip route del local 10.0.0.2 dev nas1 proto kernel scope host src 10.0.0.2
ip neighbour add 10.0.0.2 lladdr `ifmacget nas1` nud permanent dev nas1
ifmacget is a small binary returning the MAC address of the interface.
The idea behind this is to isolate customer-related interfaces from the main routing table in their own routing table.
So traffic comes from customers and goes through rt-1 via their dedicated routing table. It can go to other customers that are isolated in that routing table, or go through rt-2 via nas1.
rt-2 does its own stuff, like QoS or whatever. The point is that Internet-related traffic goes back from rt-2 to rt-1 via the sub 10.0.0.4/30, and then goes out via eth0.
So everything works like a charm in this architecture, except conntrack on active ftp.
I'm on customer-1, running an ftp client (lftp was used for the test) to connect to 1.1.1.1. Logging in is correct, but sending a command fails, and the ftp client runs a timer to try sending the command again. After this first attempt, the conntrack table contains those entries:
tcp 6 115 TIME_WAIT src=10.0.0.2 dst=1.1.1.1 sport=35045 dport=21 src=1.1.1.1 dst=10.10.60.23 sport=21 dport=1024 [ASSURED] use=1 mark=0
tcp 6 115 TIME_WAIT src=172.16.0.2 dst=1.1.1.1 sport=35045 dport=21 src=1.1.1.1 dst=10.0.0.2 sport=21 dport=35045 [ASSURED] use=1 mark=0
Then, when the timer fires, the command runs well, and everything works perfectly. Those are the entries just after the connection and an ls:
tcp 6 431996 ESTABLISHED src=10.0.0.2 dst=1.1.1.1 sport=35047 dport=21 src=1.1.1.1 dst=10.10.60.23 sport=21 dport=1025 [ASSURED] use=1 mark=0
tcp 6 116 TIME_WAIT src=10.0.0.2 dst=1.1.1.1 sport=35048 dport=42135 src=1.1.1.1 dst=10.10.60.23 sport=42135 dport=1025 [ASSURED] use=1 mark=0
tcp 6 116 TIME_WAIT src=172.16.0.2 dst=1.1.1.1 sport=35048 dport=42135 src=1.1.1.1 dst=10.0.0.2 sport=42135 dport=35048 [ASSURED] use=1 mark=0
tcp 6 431996 ESTABLISHED src=172.16.0.2 dst=1.1.1.1 sport=35047 dport=21 src=1.1.1.1 dst=10.0.0.2 sport=21 dport=35047 [ASSURED] use=1 mark=0
tcp 6 86 TIME_WAIT src=10.0.0.2 dst=1.1.1.1 sport=35045 dport=21 src=1.1.1.1 dst=10.10.60.23 sport=21 dport=1024 [ASSURED] use=1 mark=0
tcp 6 86 TIME_WAIT src=172.16.0.2 dst=1.1.1.1 sport=35045 dport=21 src=1.1.1.1 dst=10.0.0.2 sport=21 dport=35045 [ASSURED] use=1 mark=0
For me, it seems that the problem is due to the ftp connection coming onto rt-1 twice, but as other traffic runs well I'm a bit lost, and I haven't got enough knowledge of netfilter to fix this.
Any help or advice would be greatly appreciated, and if I was not clear enough, don't hesitate.
Thanks in advance.
Nicolas Olivier
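The table above is easier to reason about once each line is split into its original and reply tuples and entries for the same TCP connection are linked. The following parser is an added example, not code from the poster or from the netfilter project. Its sample input is the six entries quoted just above (with the wrapped "mark=0" joined back onto its line), and the linking rule it applies is an assumption about what to look for: an entry whose reply destination (the translated source) is the original source of another entry towards the same server address and port, which is what a single connection looks like when the router tracks and SNATs it a second time.

```python
"""Parse /proc/net/ip_conntrack lines and find flows that were tracked twice.

Added example, not the poster's or netfilter's code. SAMPLE is the conntrack
table quoted in the message above; the chaining rule is an assumption about
what a twice-tracked connection looks like."""
import re
from dataclasses import dataclass

# Constructed input: the six entries quoted above, one per line.
SAMPLE = """\
tcp 6 431996 ESTABLISHED src=10.0.0.2 dst=1.1.1.1 sport=35047 dport=21 src=1.1.1.1 dst=10.10.60.23 sport=21 dport=1025 [ASSURED] use=1 mark=0
tcp 6 116 TIME_WAIT src=10.0.0.2 dst=1.1.1.1 sport=35048 dport=42135 src=1.1.1.1 dst=10.10.60.23 sport=42135 dport=1025 [ASSURED] use=1 mark=0
tcp 6 116 TIME_WAIT src=172.16.0.2 dst=1.1.1.1 sport=35048 dport=42135 src=1.1.1.1 dst=10.0.0.2 sport=42135 dport=35048 [ASSURED] use=1 mark=0
tcp 6 431996 ESTABLISHED src=172.16.0.2 dst=1.1.1.1 sport=35047 dport=21 src=1.1.1.1 dst=10.0.0.2 sport=21 dport=35047 [ASSURED] use=1 mark=0
tcp 6 86 TIME_WAIT src=10.0.0.2 dst=1.1.1.1 sport=35045 dport=21 src=1.1.1.1 dst=10.10.60.23 sport=21 dport=1024 [ASSURED] use=1 mark=0
tcp 6 86 TIME_WAIT src=172.16.0.2 dst=1.1.1.1 sport=35045 dport=21 src=1.1.1.1 dst=10.0.0.2 sport=21 dport=35045 [ASSURED] use=1 mark=0
"""

TUPLE_RE = re.compile(r"src=(\S+) dst=(\S+) sport=(\d+) dport=(\d+)")


@dataclass(frozen=True)
class Tuple4:
    src: str
    dst: str
    sport: int
    dport: int


@dataclass(frozen=True)
class CtEntry:
    proto: str
    timeout: int
    state: str      # TCP state; empty for protocols that print none
    orig: Tuple4    # direction the connection was first seen in
    reply: Tuple4   # direction replies arrive in; differs from orig when NATed
    assured: bool


def parse_ct_line(line):
    """Split one ip_conntrack line into its original and reply tuples."""
    fields = line.split()
    proto, timeout = fields[0], int(fields[2])
    state = "" if fields[3].startswith("src=") else fields[3]
    tuples = TUPLE_RE.findall(line)
    if len(tuples) != 2:
        raise ValueError(f"expected an original and a reply tuple: {line!r}")
    orig, reply = (Tuple4(s, d, int(sp), int(dp)) for s, d, sp, dp in tuples)
    return CtEntry(proto, timeout, state, orig, reply, "[ASSURED]" in fields)


def parse_table(text):
    return [parse_ct_line(l) for l in text.splitlines() if l.strip()]


def is_natted(entry):
    # Without NAT the reply tuple is simply the original tuple reversed.
    return (entry.reply.dst, entry.reply.dport) != (entry.orig.src, entry.orig.sport)


def chained_entries(entries):
    """Map each first-hop original tuple to the (addr, port) the server finally
    sees, for connections that appear twice: the second entry's original source
    equals the first entry's translated source, towards the same destination."""
    chains = {}
    for first in entries:
        for second in entries:
            if second is first:
                continue
            same_src = (second.orig.src, second.orig.sport) == (first.reply.dst, first.reply.dport)
            same_dst = (second.orig.dst, second.orig.dport) == (first.orig.dst, first.orig.dport)
            if same_src and same_dst:
                chains[first.orig] = (second.reply.dst, second.reply.dport)
    return chains


if __name__ == "__main__":
    for orig, (addr, port) in chained_entries(parse_table(SAMPLE)).items():
        print(f"{orig.src}:{orig.sport} -> {orig.dst}:{orig.dport} is tracked twice, "
              f"leaves as {addr}:{port}")
```

Run against the quoted table, it reports three chained connections: the control connection on port 21 (twice, before and after the retry) and the ls data connection to port 42135, each leaving the box as 10.10.60.23 with a remapped source port. That confirms the poster's reading that every flow passes through rt-1's conntrack twice, once per routing table.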
* Re: ip_conntrack_ftp
From: Alistair Tonner @ 2002-10-10 1:40 UTC (permalink / raw)
To: vlad; +Cc: netfilter
You must tell the conntrack module which ports to track connections on:
modprobe -d ip_conntrack_ftp ports=21,20350
If using NAT for this:
modprobe -d ip_nat_ftp ports=21,20350
Alistair
On 2002.10.07 08:09 vlad f kropachew wrote:
> Hello. Please let me ask the following question. Can I use the subject module for
> accepting passive ftp traffic on non-standard ports? I have the ftp on port
> 20350, and after configuring it to pass ESTABLISHED and RELATED connections
> with different records, I see that ftp-data doesn't hit the RELATED rule, and
> the log contains the following record after a data transfer:
>
> -------------
> DEFAULT-DROP IN=eth0 OUT= MAC=00:60:08:5e:b1:ff:00:60:08:10:4b:d3:08:00
> SRC=217.76.32.10 DST=217.76.32.9 LEN=60 TOS=0x00 PREC=0x00 TTL=64 ID=36164 DF
> PROTO=TCP SPT=1295 DPT=54245 WINDOW=32120 RES=0x00 SYN URGP=0
> -------------
>
> Maybe this module tracks only the standard ftp-control port?
>
> vlad/
* ip_conntrack_ftp
From: vlad f kropachew @ 2002-10-07 12:09 UTC (permalink / raw)
To: netfilter
Hello. Please let me ask the following question. Can I use the subject module for
accepting passive ftp traffic on non-standard ports? I have the ftp on port
20350, and after configuring it to pass ESTABLISHED and RELATED connections
with different records, I see that ftp-data doesn't hit the RELATED rule, and
the log contains the following record after a data transfer:
-------------
DEFAULT-DROP IN=eth0 OUT= MAC=00:60:08:5e:b1:ff:00:60:08:10:4b:d3:08:00
SRC=217.76.32.10 DST=217.76.32.9 LEN=60 TOS=0x00 PREC=0x00 TTL=64 ID=36164 DF
PROTO=TCP SPT=1295 DPT=54245 WINDOW=32120 RES=0x00 SYN URGP=0
-------------
Maybe this module tracks only the standard ftp-control port?
vlad/
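Both problems in this thread come down to what the FTP helper does with the control channel: ip_conntrack_ftp reads PORT commands and PASV replies, but only on the ports it was told to track, and registers an expectation so the data connection's SYN matches a RELATED rule; ip_nat_ftp additionally rewrites the address inside a PORT command when the control connection is SNATed, which is why Britt's setup failed without it (Eric's reply) and why vlad's passive data connection to 54245 was dropped with the helper watching only port 21 (Alistair's reply). The user-space model below is an added example, not code from netfilter or from any poster; the 192.168.1.10 / 198.51.100.7 / 203.0.113.5 addresses and the PORT line are constructed, while 217.76.32.9, 217.76.32.10, 20350 and 54245 are taken from the log line in vlad's message. The real helper also records the reverse translation so the server's data connection is DNATed back to the private address; that part is left out here.

```python
"""User-space model of ip_conntrack_ftp / ip_nat_ftp on the FTP control channel.

Added example, not netfilter's or any poster's code. Addresses and control
lines are constructed except where taken from the log line quoted above."""
import re
from dataclasses import dataclass

# Active mode: client sends "PORT h1,h2,h3,h4,p1,p2" and the server connects to h:p.
PORT_RE = re.compile(r"^PORT (\d+),(\d+),(\d+),(\d+),(\d+),(\d+)$")
# Passive mode: server answers "227 ... (h1,h2,h3,h4,p1,p2)" and the client connects.
PASV_RE = re.compile(r"^227 .*?\((\d+),(\d+),(\d+),(\d+),(\d+),(\d+)\)")


def decode_hostport(groups):
    """Turn the six comma-separated decimals into (ip, port); port = p1*256 + p2."""
    vals = [int(g) for g in groups]
    if any(v > 255 for v in vals):
        raise ValueError("FTP host-port octet out of range")
    h1, h2, h3, h4, p1, p2 = vals
    return f"{h1}.{h2}.{h3}.{h4}", p1 * 256 + p2


def encode_hostport(ip, port):
    return ",".join(ip.split(".") + [str(port >> 8), str(port & 0xFF)])


@dataclass(frozen=True)
class Expectation:
    src: str    # peer that will open the data connection (any source port)
    dst: str    # address it will connect to, as seen on the wire at the firewall
    dport: int


class FtpHelper:
    """ports= mirrors the module parameter; nat_helper says whether ip_nat_ftp is
    loaded; snat maps private client addresses to the firewall's public address."""

    def __init__(self, ports=(21,), nat_helper=False, snat=None):
        self.ports = set(ports)
        self.nat_helper = nat_helper
        self.snat = snat or {}
        self.expectations = set()

    def from_client(self, client, server, dport, line):
        """Control line client->server. Returns the line as forwarded to the server."""
        line = line.strip()
        if dport not in self.ports:
            return line                      # not a tracked control port: ignored
        m = PORT_RE.match(line)
        if not m:
            return line
        ip, port = decode_hostport(m.groups())
        public = self.snat.get(client)
        if public and self.nat_helper:
            # ip_nat_ftp: the server must be told the public address, not the private one
            self.expectations.add(Expectation(server, public, port))
            return f"PORT {encode_hostport(public, port)}"
        # conntrack helper alone: expectation on whatever address the client wrote
        self.expectations.add(Expectation(server, ip, port))
        return line

    def from_server(self, client, server, sport, line):
        """Control line server->client; a 227 reply yields an expectation."""
        line = line.strip()
        if sport not in self.ports:
            return line
        m = PASV_RE.match(line)
        if m:
            ip, port = decode_hostport(m.groups())
            self.expectations.add(Expectation(client, ip, port))
        return line

    def is_related(self, src, dst, dport):
        """Would a SYN src->dst:dport match an ESTABLISHED,RELATED rule?"""
        return Expectation(src, dst, dport) in self.expectations


def server_accepts_port(peer, line):
    """A strict FTP server requires the PORT address to be the control
    connection's peer; otherwise it answers "Illegal PORT command"."""
    m = PORT_RE.match(line.strip())
    return bool(m) and decode_hostport(m.groups())[0] == peer


def masq_without_nat_helper():
    """Britt's situation: SNAT applied, ip_conntrack_ftp loaded, ip_nat_ftp missing."""
    h = FtpHelper(ports=(21,), nat_helper=False, snat={"192.168.1.10": "198.51.100.7"})
    wire = h.from_client("192.168.1.10", "203.0.113.5", 21, "PORT 192,168,1,10,4,1")
    return wire, server_accepts_port("198.51.100.7", wire)


def masq_with_nat_helper():
    """Same exchange once ip_nat_ftp rewrites the PORT command."""
    h = FtpHelper(ports=(21,), nat_helper=True, snat={"192.168.1.10": "198.51.100.7"})
    wire = h.from_client("192.168.1.10", "203.0.113.5", 21, "PORT 192,168,1,10,4,1")
    related = h.is_related("203.0.113.5", "198.51.100.7", 1025)
    return wire, server_accepts_port("198.51.100.7", wire), related


def passive_on_nonstandard_port(ports):
    """vlad's case: control channel on 20350, server offers data port 54245."""
    h = FtpHelper(ports=ports)
    h.from_server("217.76.32.10", "217.76.32.9", 20350,
                  "227 Entering Passive Mode (217,76,32,9,211,229)")
    return h.is_related("217.76.32.10", "217.76.32.9", 54245)
```

With the helper alone, the PORT command leaves the firewall still carrying the private 192.168.1.10 address, so the server rejects it, exactly the "Illegal PORT command" in the first message; with the NAT helper the command is rewritten to the public address and the server's data SYN is RELATED. In the passive case the 227 reply decodes to 217.76.32.9:54245, the DPT in vlad's dropped packet, and the expectation only exists once 20350 is in the ports list.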