From: Giovanni Cardone <g_cardone@libero.it>
To: netfilter@lists.samba.org
Subject: ip_conntrack_ftp doesn't work
Date: Fri, 14 Jun 2002 19:42:04 +0200
Message-ID: <20020614194204.A232@rainbow>
On 2.4.18 with 1.2.7 (1.2.6a too), the ftp conntrack module doesn't work.
I'm trying to understand this using a simple script:
<begin script>
#!/bin/sh
ipt='/usr/local/sbin/iptables'
modprobe ip_tables
modprobe iptable_filter
modprobe ipt_state
modprobe ip_conntrack
modprobe ip_conntrack_ftp
modprobe ipt_LOG
$ipt -P INPUT DROP
$ipt -P OUTPUT DROP
$ipt -P FORWARD DROP
$ipt -A INPUT -i lo -j ACCEPT
$ipt -A OUTPUT -o lo -j ACCEPT
$ipt -A OUTPUT -o ppp0 -j ACCEPT
$ipt -A INPUT -p tcp -m state --state RELATED -j ACCEPT
$ipt -A INPUT -p tcp ! --syn -m state --state NEW -j LOG --log-prefix "NEW_NOT_SYN "
$ipt -A INPUT -p tcp ! --syn -m state --state NEW -j DROP
$ipt -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
$ipt -A OUTPUT -m state --state NEW,ESTABLISHED,RELATED -j ACCEPT
$ipt -A INPUT -j LOG
$ipt -A OUTPUT -j LOG
$ipt -A FORWARD -j LOG
<end script>
The logs show some entries like these:
Jun 14 19:10:44 darkstar kernel: IN=ppp0 OUT= MAC= SRC=195.210.93.107 DST=151.26.80.131 LEN=60 TOS=0x08 PREC=0x00 TTL=58 ID=40516 DF PROTO=TCP SPT=20 DPT=1039 WINDOW=32120 RES=0x00 SYN URGP=0
When I try to contact an ftp server, lsmod says:
darkstar# lsmod | awk '/ftp/'
ip_conntrack_ftp 3120 0 (unused)
ip_conntrack 13264 1 [ip_conntrack_ftp]
So the SYN for the data channel from the server's port 20 to me is not RELATED
to the connections in the table. Is it normal that lsmod shows
conntrack_ftp as unused? I was thinking no ... :)
What do I need to do?
Many Thanks
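Added example (not part of the original message, and not netfilter code): a simplified model of what an FTP connection-tracking helper has to do for active mode, namely read the `PORT h1,h2,h3,h4,p1,p2` command on the control connection and expect a data connection from the server to that address and port, checked here against the log line from the post. The `PORT` command is constructed for illustration, and the class and function names are hypothetical.

```python
import re
from typing import NamedTuple, Optional

class Expectation(NamedTuple):
    server_ip: str    # peer of the control connection; it opens the data channel
    client_ip: str    # address announced in the PORT command
    client_port: int  # p1 * 256 + p2

PORT_RE = re.compile(r"PORT (\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3})", re.I)

def expectation_from_port(server_ip: str, line: str) -> Optional[Expectation]:
    """Parse 'PORT h1,h2,h3,h4,p1,p2' (RFC 959) sent to server_ip."""
    m = PORT_RE.fullmatch(line.strip())
    if not m:
        return None
    n = [int(g) for g in m.groups()]
    if any(v > 255 for v in n):
        return None
    return Expectation(server_ip, ".".join(map(str, n[:4])), n[4] * 256 + n[5])

def parse_log(line: str) -> dict:
    """Split a netfilter LOG line into KEY=VALUE fields and bare flags (SYN, DF)."""
    fields, flags = {}, set()
    for tok in line.split("kernel:", 1)[-1].split():
        if "=" in tok:
            key, value = tok.split("=", 1)
            fields[key] = value
        else:
            flags.add(tok)
    fields["FLAGS"] = flags
    return fields

def is_expected(pkt: dict, expectations) -> bool:
    """True if the logged packet is a TCP SYN that matches a recorded expectation.
    The source port (SPT) is not part of the match in this model."""
    if pkt.get("PROTO") != "TCP" or "SYN" not in pkt["FLAGS"]:
        return False
    return any(pkt.get("SRC") == e.server_ip and pkt.get("DST") == e.client_ip
               and pkt.get("DPT") == str(e.client_port) for e in expectations)

# Log line from the post, joined onto one line.
LOG = ("Jun 14 19:10:44 darkstar kernel: IN=ppp0 OUT= MAC= SRC=195.210.93.107 "
       "DST=151.26.80.131 LEN=60 TOS=0x08 PREC=0x00 TTL=58 ID=40516 DF PROTO=TCP "
       "SPT=20 DPT=1039 WINDOW=32120 RES=0x00 SYN URGP=0")
# Constructed control-channel command: 4 * 256 + 15 = 1039.
PORT_CMD = "PORT 151,26,80,131,4,15\r\n"

if __name__ == "__main__":
    exp = expectation_from_port("195.210.93.107", PORT_CMD)
    print(exp, is_expected(parse_log(LOG), [exp]))
```

In this model the logged SYN matches only when a `PORT` command naming 151.26.80.131 and port 1039 was seen on a control connection to 195.210.93.107; with no recorded expectation, or one announcing a different address, it stays unmatched.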