Discussion:
Manual Netfilter (IPTables) using ip_conntrack_ftp and ip_nat_ftp
L***@GMX.Net
2009-02-10 13:37:31 UTC
Hi all,

Config: NO SUSEfirewall2 in use. IPTables are in a script and loaded with "bash rules.sh"

I got active FTP going (ports 20 & 21), but as soon as I log in on
an external FTP server and want to list the directory, I get no
response. I have gathered that the problem is with the passive FTP mode
it switches to. How do I cater for passive FTP with an iptables command?
The active command in the rules.sh script is:

~~~~~~~ START (part of rules.sh script) ~~~~~~~~~~

#### variables #####

# net all
NET_ALL='0.0.0.0/0'

# external interface
IF_EXT='eth0'
IP_EXT='10.9.8.1'
NET_EXT='10.9.8.0/24'
BCAST_EXT='10.9.8.255'

# internal interface
IF_INT='eth1'
IP_INT='10.8.0.1'
NET_INT='10.8.0.0/24'
BCAST_INT='10.8.0.255'

......

# ports
p_high='1024:65535'
plist_ftp='20 21'

......

# FTP
for p_ftp in $plist_ftp; do
# use these rules for every port in $plist_ftp
iptables -A FORWARD -i $IF_INT -o $IF_EXT -p TCP -s $NET_INT -d $NET_ALL --sport $p_high --dport $p_ftp -m state --state NEW,ESTABLISHED -j ACCEPT
iptables -A FORWARD -i $IF_EXT -o $IF_INT -p TCP -s $NET_ALL -d $NET_INT --sport $p_ftp --dport $p_high -m state --state ESTABLISHED -j ACCEPT
done

~~~~~~ END ~~~~~~

I have seen references to loading the kernel modules ip_conntrack_ftp and ip_nat_ftp. Because I do not use SUSEfirewall2, the modules ip_conntrack_ftp and ip_nat_ftp do not load, it seems. I do not find any trace of them, because with 'modprobe -v ip_conntrack_ftp' or 'modprobe -v ip_nat_ftp' I get no response or verbose output.

With "/sbin/insmod ip_conntrack_ftp" I get:
insmod: can't read 'ip_conntrack_ftp': No such file or directory

I have done YaST searches on all available repos, rpm searches and googled; to no avail. Where do I get these modules for openSUSE 10.3?

TIA
Al
--
To unsubscribe, e-mail: opensuse+***@opensuse.org
For additional commands, e-mail: opensuse+***@opensuse.org
ne...
2009-02-10 14:13:09 UTC
Post by L***@GMX.Net
Hi all,
[snip]
Post by L***@GMX.Net
I have seen references to loading the kernel modules ip_conntrack_ftp and ip_nat_ftp. Because I do not use SUSEfirewall2, the modules ip_conntrack_ftp and ip_nat_ftp do not load, it seems. I do not find any trace of them, because with 'modprobe -v ip_conntrack_ftp' or 'modprobe -v ip_nat_ftp' I get no response or verbose output.
insmod: can't read 'ip_conntrack_ftp': No such file or directory
I have done YaST searches on all available repos, rpm searches and googled; to no avail. Where do I get these modules for openSUSE 10.3?
These should be part of the modules that come with your kernel. Search
in /lib/modules/<kernel version> for them.
On my system I have nf_net_ftp.ko & nf_conntrack_ftp.ko. The
modules.dep in /lib/modules/<kernel version> lists
all the modules that were compiled for that kernel and the module's
dependencies. Try loading those instead and
see if it works.

HTH
ne...
--
Registered Linux User # 125653 (http://counter.li.org)
Now accepting personal mail for GMail invites.
Garry Shandling - "I'm dating a woman now who, evidently, is unaware of it."
L***@GMX.Net
2009-02-10 15:41:58 UTC
Post by ne...
Post by L***@GMX.Net
Hi all,
[snip]
Post by L***@GMX.Net
I have seen references to loading the kernel modules ip_conntrack_ftp and ip_nat_ftp. Because I do not use SUSEfirewall2, the modules ip_conntrack_ftp and ip_nat_ftp do not load, it seems. I do not find any trace of them, because with 'modprobe -v ip_conntrack_ftp' or 'modprobe -v ip_nat_ftp' I get no response or verbose output.
insmod: can't read 'ip_conntrack_ftp': No such file or directory
I have done YaST searches on all available repos, rpm searches and googled; to no avail. Where do I get these modules for openSUSE 10.3?
These should be part of the modules that come with your kernel. Search
in /lib/modules/<kernel version> for them.
On my system I have nf_net_ftp.ko & nf_conntrack_ftp.ko. The
modules.dep in /lib/modules/<kernel version> lists
all the modules that were compiled for that kernel and the module's
dependencies. Try loading those instead and
see if it works.
HTH
ne...
Great, thanks ne...

I found one: nf_conntrack.ko

and loaded it with:
S:~ # modprobe -v nf_conntrack_ftp
S:~ # modprobe -l nf_conntrack_ftp
/lib/modules/2.6.22.17-0.1-default/kernel/net/netfilter/nf_conntrack_ftp.ko

Passive mode still does not work. Do I have to restart something after
the module is loaded?

I suppose I have to load it with the bash script when I load
rules.sh, as it does not load because I do not start SuSEfirewall2.

The other modules with nf* are:

nf_conntrack.ko nf_conntrack_irc.ko
nf_conntrack_proto_gre.ko nf_conntrack_tftp.ko
nf_conntrack_amanda.ko nf_conntrack_netbios_ns.ko
nf_conntrack_proto_sctp.ko nfnetlink.ko
nf_conntrack_ftp.ko nf_conntrack_netlink.ko
nf_conntrack_sane.ko nfnetlink_log.ko
nf_conntrack_h323.ko nf_conntrack_pptp.ko
nf_conntrack_sip.ko nfnetlink_queue.ko

modprobe -v nf_net_ftp
FATAL: Module nf_net_ftp not found.

nf_net_ftp.ko is not there. Is it needed?

TIA
Al
David Haller
2009-02-10 18:13:30 UTC
Hello,
Post by L***@GMX.Net
# FTP
for p_ftp in $plist_ftp; do
# use these rules for every port in $plist_ftp
iptables -A FORWARD -i $IF_INT -o $IF_EXT -p TCP -s $NET_INT -d $NET_ALL --sport $p_high --dport $p_ftp -m state --state NEW,ESTABLISHED -j ACCEPT
iptables -A FORWARD -i $IF_EXT -o $IF_INT -p TCP -s $NET_ALL -d $NET_INT --sport $p_ftp --dport $p_high -m state --state ESTABLISHED -j ACCEPT
done
Try with conntrack and '-m state --state [NEW,]RELATED,ESTABLISHED'.

HTH,
-dnh
--
Love your enemies: they'll go crazy trying to figure out what you're up
to. -- BSD fortune file
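Putting David's advice and Al's module question together, here is an added example in the style of rules.sh; it is not code from anyone in the thread. It loads the conntrack FTP helper from the firewall script itself (since SuSEfirewall2 is not there to do it) and accepts the FTP data connections as RELATED instead of opening a fixed port range. The interface and network values are Al's; the module names nf_conntrack and nf_conntrack_ftp are the ones Al listed under /lib/modules, while nf_nat_ftp is an assumption and only matters if the box also NATs. DRY_RUN=1 (the default) prints the iptables and modprobe commands instead of running them, so the fragment can be read and checked without root.

```shell
#!/bin/bash
# Added example, not part of the original thread.
# Stateful FTP forwarding with the kernel FTP conntrack helper. The helper
# reads PORT/PASV on the control connection and marks the resulting data
# connection as RELATED, so no port ranges have to be opened for it.

NET_ALL='0.0.0.0/0'
IF_EXT='eth0'; NET_EXT='10.9.8.0/24'   # external side (Al's values)
IF_INT='eth1'; NET_INT='10.8.0.0/24'   # internal side (Al's values)
p_high='1024:65535'
p_ftp_ctl='21'                         # only the control port needs NEW

# DRY_RUN=1 prints each command; DRY_RUN=0 executes it (needs root).
DRY_RUN="${DRY_RUN:-1}"
run() {
    if [ "$DRY_RUN" = 1 ]; then
        printf '%s\n' "$*"
    else
        "$@"
    fi
}

# Without SuSEfirewall2 nothing else loads the helpers, so do it here.
# nf_nat_ftp is assumed (not named in the thread); it is only needed when
# this box also rewrites addresses (SNAT/MASQUERADE) for the FTP traffic.
load_ftp_helpers() {
    run modprobe nf_conntrack
    run modprobe nf_conntrack_ftp
    run modprobe nf_nat_ftp
}

ftp_rules() {
    # Control connection: inside -> outside, port 21 only. The helper
    # watches this connection for PORT/PASV.
    run iptables -A FORWARD -i "$IF_INT" -o "$IF_EXT" -p tcp -s "$NET_INT" -d "$NET_ALL" \
        --sport "$p_high" --dport "$p_ftp_ctl" -m state --state NEW,ESTABLISHED -j ACCEPT
    # Replies on the control connection and data connections in both
    # directions: never NEW, only what conntrack already knows about.
    # Passive data (client -> server high port) and active data
    # (server:20 -> client high port) both arrive as RELATED.
    run iptables -A FORWARD -i "$IF_INT" -o "$IF_EXT" -p tcp -s "$NET_INT" -d "$NET_ALL" \
        -m state --state RELATED,ESTABLISHED -j ACCEPT
    run iptables -A FORWARD -i "$IF_EXT" -o "$IF_INT" -p tcp -s "$NET_ALL" -d "$NET_INT" \
        -m state --state RELATED,ESTABLISHED -j ACCEPT
}

load_ftp_helpers
ftp_rules
```

Two checks worth doing after loading: `lsmod | grep nf_conntrack_ftp` confirms the helper is resident, and, if procfs conntrack support is compiled in, /proc/net/nf_conntrack_expect should briefly show an expectation for the data port announced by PASV while a directory listing is in progress. The helper only works on a clear-text control channel, so it cannot track FTP over TLS; such sessions still fail with these rules.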