* ip_conntrack_ftp
@ 2003-10-13 21:22 Britt Tabor
  2003-10-14 16:08 ` ip_conntrack_ftp Eric Leblond
  0 siblings, 1 reply; 6+ messages in thread
From: Britt Tabor @ 2003-10-13 21:22 UTC (permalink / raw)
  To: netfilter

I'm having a problem with ftp. My ftp-data is not passing through my firewall. I have configured the firewall for MASQ and ALL policies are set to ACCEPT (I know it's insecure, I'm just trying to get it to work first). Anyway, I have ip_conntrack_ftp loaded and I can connect through the firewall and pwd, but of course when I ls or do a data transfer I get errors. The ftp client errors are "Illegal PORT command" or "data connection refused", and dmesg says max number of expected connections. My iptables list looks like this:

bash-2.05# iptables -L
Chain INPUT (policy ACCEPT)
target     prot opt source               destination         

Chain FORWARD (policy ACCEPT)
target     prot opt source               destination         
ACCEPT     all  --  anywhere             anywhere           

Chain OUTPUT (policy ACCEPT)
target     prot opt source               destination         
bash-2.05# iptables -t nat -L
Chain PREROUTING (policy ACCEPT)
target     prot opt source               destination         

Chain POSTROUTING (policy ACCEPT)
target     prot opt source               destination         
SNAT       all  --  anywhere             anywhere           to:x.x.x.x

Chain OUTPUT (policy ACCEPT)
target     prot opt source               destination  


lsmod:
bash-2.05# lsmod
Module                  Size  Used by
ip_conntrack_ftp        3856   0  (unused)
vhub                    9664   0  (unused)
iptable_nat            14432   1  (autoclean)
ip_conntrack           16656   2  (autoclean) [ip_conntrack_ftp iptable_nat]
iptable_filter          1760   1  (autoclean)
via-rhine              12768   1 
eepro100               18432   1 
mii                     2160   0  [via-rhine eepro100]
pcmcia_core            40608   0 
doc                   146464   1

Why does my ftp data still get blocked/dropped???

If I switch the ftp client to passive it works fine, but I need it to work both ways...

Britt Tabor
Edge Access, Inc.
btabor@edgeaccess.net
http://www.edgeaccess.net
813.594.6142 Voice
813.249.1126 Fax

* Re: ip_conntrack_ftp
  2003-10-13 21:22 ip_conntrack_ftp Britt Tabor
@ 2003-10-14 16:08 ` Eric Leblond
  0 siblings, 0 replies; 6+ messages in thread
From: Eric Leblond @ 2003-10-14 16:08 UTC (permalink / raw)
  To: Britt Tabor; +Cc: netfilter

On Mon 13/10/2003 at 23:22, Britt Tabor wrote:
> lsmod:
> bash-2.05# lsmod
> Module                  Size  Used by
> ip_conntrack_ftp        3856   0  (unused)
> vhub                    9664   0  (unused)
> iptable_nat            14432   1  (autoclean)
> ip_conntrack           16656   2  (autoclean) [ip_conntrack_ftp iptable_nat]
> iptable_filter          1760   1  (autoclean)
> via-rhine              12768   1 
> eepro100               18432   1 
> mii                     2160   0  [via-rhine eepro100]
> pcmcia_core            40608   0 
> doc                   146464   1
> 
> Why does my ftp data still get blocked/dropped???
The NAT is the problem: the module "ip_nat_ftp" is not there to correctly
NAT the connection.

BR,
-- 
Eric Leblond
Nufw, Now User Filtering Works (http://www.nufw.org)


* Re: ip_conntrack_ftp
  2005-06-24  8:01 ip_conntrack_ftp Nicolas Olivier
@ 2005-06-24  8:10 ` Nicolas Olivier
  0 siblings, 0 replies; 6+ messages in thread
From: Nicolas Olivier @ 2005-06-24  8:10 UTC (permalink / raw)
  To: netfilter


Just an update, as the schema is a total mess.

customer-1  172.16.0.2/30 -------------------  172.16.0.1/30 (nas0) rt-1 (nas1) 10.0.0.2/30 --------------- 10.0.0.1/30 (nas1) rt-2


outside                   ------------------- 10.10.60.23/24 (eth0) rt-1 (eth1) 10.0.0.5/30 --------------- 10.0.0.6/30 (eth1) rt-2


* ip_conntrack_ftp
@ 2005-06-24  8:01 Nicolas Olivier
  2005-06-24  8:10 ` ip_conntrack_ftp Nicolas Olivier
  0 siblings, 1 reply; 6+ messages in thread
From: Nicolas Olivier @ 2005-06-24  8:01 UTC (permalink / raw)
  To: netfilter


Hi,

I've got the following architecture:


customer-1                                  rt-1                                      rt-2
 ______                                    ______ 10.0.0.2/30            10.0.0.1/30 ______
|      |                                  |      |__________________________________|      |
|      |172.16.0.2/30        172.16.0.1/30|      |nas1                        nas1  |      |
|      |___________/  ...  /______________|      |                                  |      |
|      | whatever                    nas0 |      |10.0.0.5/30            10.0.0.6/30|      |
|      |                                  |      |__________________________________|      |
|______|                                  |______|eth1                         eth1 |______|
                                       eth0  |
                               10.10.60.23/24|
                                             |

So customer-1 is connected to rt-1 over ATM via a br2684.

When nas0 is created, the following is done:

ifconfig nas0 172.16.0.1 netmask 255.255.255.252 broadcast 172.16.0.3
ip route add table 1 172.16.0.0/30 dev nas0 proto static scope link src 172.16.0.1
ip route del 172.16.0.0/30 dev nas0 proto kernel scope link src 172.16.0.1
ip rule add dev nas0 lookup 1

For nas1:

ifconfig nas1 10.0.0.2 netmask 255.255.255.252 broadcast 10.0.0.3
ip route add default via 10.0.0.1 dev nas1 table 1
ip route del 10.0.0.0/30 dev nas1 proto kernel scope link src 10.0.0.2
ip route add table 1 10.0.0.0/30 dev nas1 proto static scope link src 10.0.0.2
ip rule add dev nas1 lookup 1
ip route del local 10.0.0.2 dev nas1 proto kernel scope host src 10.0.0.2
ip neighbour add 10.0.0.2 lladdr `ifmacget nas1` nud permanent dev nas1

ifmacget is a small binary returning the MAC address of the interface.

The idea behind this is to isolate customer-related interfaces from the main routing table, in their own routing table.
So traffic comes from customers and goes through rt-1 via their dedicated routing table. It can go to other customers that are isolated in that routing
table, or go through rt-2 via nas1.
rt-2 does its own stuff, like QoS or whatever. The point is that Internet-related traffic goes back from rt-2 to rt-1 via the subnet 10.0.0.4/30, and
then goes out via eth0.

So everything works like a charm in this architecture, except conntrack on active ftp.

I'm on customer-1, running an ftp client (lftp was used for the test) to connect to 1.1.1.1. Logging in is correct, but sending the command fails, and
the ftp client runs a timer to try sending the command again. After this first attempt, the conntrack table contains these entries:

tcp      6 115 TIME_WAIT src=10.0.0.2 dst=1.1.1.1 sport=35045 dport=21 src=1.1.1.1 dst=10.10.60.23 sport=21 dport=1024 [ASSURED] use=1 mark=0
tcp      6 115 TIME_WAIT src=172.16.0.2 dst=1.1.1.1 sport=35045 dport=21 src=1.1.1.1 dst=10.0.0.2 sport=21 dport=35045 [ASSURED] use=1 mark=0

Then, when the timer fires, the command runs fine and everything works perfectly. These are the entries just after the connection and an ls:

tcp      6 431996 ESTABLISHED src=10.0.0.2 dst=1.1.1.1 sport=35047 dport=21 src=1.1.1.1 dst=10.10.60.23 sport=21 dport=1025 [ASSURED] use=1 mark=0
tcp      6 116 TIME_WAIT src=10.0.0.2 dst=1.1.1.1 sport=35048 dport=42135 src=1.1.1.1 dst=10.10.60.23 sport=42135 dport=1025 [ASSURED] use=1 mark=0
tcp      6 116 TIME_WAIT src=172.16.0.2 dst=1.1.1.1 sport=35048 dport=42135 src=1.1.1.1 dst=10.0.0.2 sport=42135 dport=35048 [ASSURED] use=1 mark=0
tcp      6 431996 ESTABLISHED src=172.16.0.2 dst=1.1.1.1 sport=35047 dport=21 src=1.1.1.1 dst=10.0.0.2 sport=21 dport=35047 [ASSURED] use=1 mark=0
tcp      6 86 TIME_WAIT src=10.0.0.2 dst=1.1.1.1 sport=35045 dport=21 src=1.1.1.1 dst=10.10.60.23 sport=21 dport=1024 [ASSURED] use=1 mark=0
tcp      6 86 TIME_WAIT src=172.16.0.2 dst=1.1.1.1 sport=35045 dport=21 src=1.1.1.1 dst=10.0.0.2 sport=21 dport=35045 [ASSURED] use=1 mark=0

For me, it seems that the problem is due to the ftp connection coming in on rt-1 twice, but as other traffic runs well I'm a bit lost and I haven't got
enough knowledge of netfilter to fix this.
Any help or advice would be greatly appreciated, and if I was not clear enough, don't hesitate to ask.
Thanks in advance.

Nicolas Olivier
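Nicolas suspects the control connection is being tracked twice on rt-1. As an added example (not code from the post), here is a parser for entries in the /proc/net/ip_conntrack format he pasted, with a check for exactly that pattern: an entry whose reply tuple (the post-NAT source) re-appears as the original tuple of another entry for the same destination. The sample lines are constructed after his, plus one unrelated UDP flow.

```python
import re
from collections import namedtuple

# Constructed sample in the /proc/net/ip_conntrack format of the post above:
# the two control-connection entries Nicolas saw plus an unrelated UDP flow.
SAMPLE = """\
tcp      6 115 TIME_WAIT src=10.0.0.2 dst=1.1.1.1 sport=35045 dport=21 src=1.1.1.1 dst=10.10.60.23 sport=21 dport=1024 [ASSURED] use=1 mark=0
tcp      6 115 TIME_WAIT src=172.16.0.2 dst=1.1.1.1 sport=35045 dport=21 src=1.1.1.1 dst=10.0.0.2 sport=21 dport=35045 [ASSURED] use=1 mark=0
udp     17 29 src=172.16.0.2 dst=10.0.0.1 sport=5000 dport=53 src=10.0.0.1 dst=172.16.0.2 sport=53 dport=5000 use=1 mark=0
"""

Tuple = namedtuple("Tuple", "src dst sport dport")
Entry = namedtuple("Entry", "proto state orig reply")
KV_RE = re.compile(r"\b(src|dst|sport|dport)=(\S+)")
STATE_RE = re.compile(r"^\w+\s+\d+\s+\d+\s+([A-Z_]+)\s+src=")

def parse_conntrack(text):
    """Parse ip_conntrack lines into (original tuple, reply tuple) pairs.
    The first src/dst/sport/dport quartet is the original direction, the
    second is the reply direction, which is where NAT becomes visible."""
    entries = []
    for line in text.splitlines():
        if not line.strip():
            continue
        vals = [v for _, v in KV_RE.findall(line)]
        if len(vals) != 8:
            continue  # not an IPv4 tcp/udp entry this parser understands
        orig = Tuple(vals[0], vals[1], int(vals[2]), int(vals[3]))
        reply = Tuple(vals[4], vals[5], int(vals[6]), int(vals[7]))
        m = STATE_RE.match(line)  # TCP state; UDP entries carry none
        entries.append(Entry(line.split()[0], m.group(1) if m else None, orig, reply))
    return entries

def snat_applied(e):
    """True when the source the peer sees differs from the original source."""
    return (e.orig.src, e.orig.sport) != (e.reply.dst, e.reply.dport)

def find_double_passes(entries):
    """Find flows tracked twice on one box: the post-NAT source of entry A
    (its reply dst/dport) re-enters as the original source of entry B for the
    same destination.  Returns (first_pass, second_pass) pairs."""
    by_orig = {(e.orig.src, e.orig.sport, e.orig.dst, e.orig.dport): e
               for e in entries}
    pairs = []
    for a in entries:
        b = by_orig.get((a.reply.dst, a.reply.dport, a.orig.dst, a.orig.dport))
        if b is not None and b is not a:
            pairs.append((a, b))
    return pairs
```

Run against a live dump (`cat /proc/net/ip_conntrack`), a non-empty result from find_double_passes shows which flows are re-entering the same conntrack instance after SNAT, and the second pass's reply tuple shows whether the source port was remapped as well.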

* Re: ip_conntrack_ftp
  2002-10-07 12:09 ip_conntrack_ftp vlad f kropachew
@ 2002-10-10  1:40 ` Alistair Tonner
  0 siblings, 0 replies; 6+ messages in thread
From: Alistair Tonner @ 2002-10-10  1:40 UTC (permalink / raw)
  To: vlad; +Cc: netfilter


	You must tell the conntrack module which ports to track
	connections on:

	modprobe -d ip_conntrack_ftp ports=21,20350
	If using NAT for this:
	modprobe -d ip_nat_ftp ports=21,20350

	Alistair


On 2002.10.07 08:09 vlad f kropachew wrote:
> Hello. Let me ask the following question. Can I use the subject module for
> accepting passive ftp traffic on non-standard ports? I have ftp on port
> 20350, and after configuring rules to pass ESTABLISHED and RELATED connections
> with different records, I see that ftp-data doesn't hit the RELATED rule, and
> the log contains the following record after data transfer:
> 
> -------------
> DEFAULT-DROP IN=eth0 OUT= MAC=00:60:08:5e:b1:ff:00:60:08:10:4b:d3:08:00
> SRC=217.76.32.10 DST=217.76.32.9 LEN=60 TOS=0x00 PREC=0x00 TTL=64 ID=36164 DF
> PROTO=TCP SPT=1295 DPT=54245 WINDOW=32120 RES=0x00 SYN URGP=0
> -------------
> 
> Maybe this module tracks only the standard ftp control port?
> 
> vlad/


* ip_conntrack_ftp
@ 2002-10-07 12:09 vlad f kropachew
  2002-10-10  1:40 ` ip_conntrack_ftp Alistair Tonner
  0 siblings, 1 reply; 6+ messages in thread
From: vlad f kropachew @ 2002-10-07 12:09 UTC (permalink / raw)
  To: netfilter

Hello. Let me ask the following question. Can I use the subject module for
accepting passive ftp traffic on non-standard ports? I have ftp on port
20350, and after configuring rules to pass ESTABLISHED and RELATED connections
with different records, I see that ftp-data doesn't hit the RELATED rule, and
the log contains the following record after data transfer:

-------------
DEFAULT-DROP IN=eth0 OUT= MAC=00:60:08:5e:b1:ff:00:60:08:10:4b:d3:08:00 
SRC=217.76.32.10 DST=217.76.32.9 LEN=60 TOS=0x00 PREC=0x00 TTL=64 ID=36164 DF 
PROTO=TCP SPT=1295 DPT=54245 WINDOW=32120 RES=0x00 SYN URGP=0
-------------

Maybe this module tracks only the standard ftp control port?

vlad/
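Both failures in this thread come from the FTP helper not seeing, or not rewriting, the address and port carried inside the control channel: Britt's masqueraded client sends a private address in PORT and gets "Illegal PORT command" because ip_nat_ftp is not loaded, and vlad's helper never looks at a control connection on port 20350 until ports= says so. As an added example (not from any of the posts), this models what ip_conntrack_ftp and ip_nat_ftp do with one control-channel line; the addresses are constructed or taken from the logs above, and `server_accepts_port` is an assumed stand-in for the peer-address check most FTP servers do.

```python
import re

PORT_RE = re.compile(r"^PORT (\d+),(\d+),(\d+),(\d+),(\d+),(\d+)\s*$")
PASV_RE = re.compile(r"^227 .*\((\d+),(\d+),(\d+),(\d+),(\d+),(\d+)\)")

def decode(groups):
    """Six PORT/227 decimals -> (ip, port)."""
    h1, h2, h3, h4, p1, p2 = map(int, groups)
    return f"{h1}.{h2}.{h3}.{h4}", p1 * 256 + p2

def encode(ip, port):
    """(ip, port) -> the comma form used in PORT and in the 227 reply."""
    return ",".join(ip.split(".") + [str(port // 256), str(port % 256)])

def ftp_helper(line, client_ip, server_ip, ctrl_dport,
               helper_ports=(21,), snat_ip=None):
    """Mimic ip_conntrack_ftp (plus ip_nat_ftp when snat_ip is set) on one
    control-channel line.  Returns (expectation, line_on_the_wire).  The
    expectation is the RELATED data flow conntrack would accept, as
    (src_ip, dst_ip, dst_port), or None if the helper never sees this flow.
    Like the kernel modules, the helper only parses control connections
    whose destination port is in helper_ports (the modprobe ports= list)."""
    if ctrl_dport not in helper_ports:
        return None, line
    m = PORT_RE.match(line)
    if m:                       # active mode: the server connects back to the client
        ip, port = decode(m.groups())
        if snat_ip and ip == client_ip:
            # ip_nat_ftp rewrites the private address inside the payload and
            # expects the data SYN at the masqueraded address instead
            return (server_ip, snat_ip, port), "PORT " + encode(snat_ip, port)
        return (server_ip, ip, port), line
    m = PASV_RE.match(line)
    if m:                       # passive mode: the client connects to what the server announced
        ip, port = decode(m.groups())
        return (client_ip, ip, port), line
    return None, line

def server_accepts_port(line, peer_ip):
    """Assumed server-side check behind 'Illegal PORT command': the address
    in PORT must equal the control connection's peer address."""
    m = PORT_RE.match(line)
    return bool(m) and decode(m.groups())[0] == peer_ip
```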
