* newbie question : ip_conntrack_ftp
@ 2004-03-23 15:24 Mihael Kukec
2004-03-23 16:48 ` Antony Stone
` (2 more replies)
0 siblings, 3 replies; 11+ messages in thread
From: Mihael Kukec @ 2004-03-23 15:24 UTC (permalink / raw)
To: netfilter
Hello!
I'm using latest stable Debian, with 2.4.18 kernel. Unfortunately it does
not have ip_conntrack_ftp module included and I need it. Can someone give
me short instructions on that to do? Where to get source, and if there
are, some special instructions for compiling etc...
TIA
^ permalink raw reply [flat|nested] 11+ messages in thread* Re: newbie question : ip_conntrack_ftp
2004-03-23 15:24 newbie question : ip_conntrack_ftp Mihael Kukec
@ 2004-03-23 16:48 ` Antony Stone
2004-03-23 17:16 ` Victor Julien
2004-03-23 17:22 ` Cedric Blancher
2 siblings, 0 replies; 11+ messages in thread
From: Antony Stone @ 2004-03-23 16:48 UTC (permalink / raw)
To: netfilter
On Tuesday 23 March 2004 3:24 pm, Mihael Kukec wrote:
> Hello!
>
> I'm using latest stable Debian, with 2.4.18 kernel. Unfortunately it does
> not have ip_conntrack_ftp module included and I need it. Can someone give
> me short instructions on that to do? Where to get source, and if there
> are, some special instructions for compiling etc...
It's a kernel compile option when you "make config" or "make menuconfig" etc.
You don't need any extra source code - just the standard kernel source.
Regards,
Antony,
--
All matter in the Universe can be placed into one of two categories:
1. Things which need to be fixed.
2. Things which need to be fixed once you've had a few minutes to play with
them.
Please reply to the list;
please don't CC me.
^ permalink raw reply [flat|nested] 11+ messages in thread* Re: newbie question : ip_conntrack_ftp
2004-03-23 15:24 newbie question : ip_conntrack_ftp Mihael Kukec
2004-03-23 16:48 ` Antony Stone
@ 2004-03-23 17:16 ` Victor Julien
2004-03-24 7:25 ` Mihael Kukec
2004-03-24 7:28 ` Mihael Kukec
2004-03-23 17:22 ` Cedric Blancher
2 siblings, 2 replies; 11+ messages in thread
From: Victor Julien @ 2004-03-23 17:16 UTC (permalink / raw)
To: Netfilter List; +Cc: mkukec
You're probably running the 'bf24' kernel (which kame with the
bootdisk). If you use 'kernel-image-2.4.18-1-i686' you do have the
modules. So you can use 'apt-get install kernel-image-2.4.18-1-i686' (if
you have an i686). Beware though, you need to modify your lilo.conf
because of initrd (instructions will be on the screen when you install).
Regards,
Victor
Mihael Kukec wrote:
>
> Hello!
>
>
> I'm using latest stable Debian, with 2.4.18 kernel. Unfortunately it does
> not have ip_conntrack_ftp module included and I need it. Can someone give
> me short instructions on that to do? Where to get source, and if there
> are, some special instructions for compiling etc...
>
>
>
>
> TIA
>
>
>
>
^ permalink raw reply [flat|nested] 11+ messages in thread
* Re: newbie question : ip_conntrack_ftp
2004-03-23 17:16 ` Victor Julien
@ 2004-03-24 7:25 ` Mihael Kukec
2004-03-24 16:44 ` Victor Julien
2004-03-24 7:28 ` Mihael Kukec
1 sibling, 1 reply; 11+ messages in thread
From: Mihael Kukec @ 2004-03-24 7:25 UTC (permalink / raw)
Cc: Netfilter List
Victor Julien wrote:
> You're probably running the 'bf24' kernel (which kame with the
> bootdisk). If you use 'kernel-image-2.4.18-1-i686' you do have the
> modules. So you can use 'apt-get install kernel-image-2.4.18-1-i686' (if
> you have an i686). Beware though, you need to modify your lilo.conf
> because of initrd (instructions will be on the screen when you install).
Kernel that came originally was 2.2.20. I upgraded to 2.4.18-686. There
is no such image (kernel-image-2.4.18-1-i686) in latest stable or
testing packages, but there is kernel-image-2.4.25-1-686 in testing. I
will try with that...
Mihael
^ permalink raw reply [flat|nested] 11+ messages in thread
* Re: newbie question : ip_conntrack_ftp
2004-03-24 7:25 ` Mihael Kukec
@ 2004-03-24 16:44 ` Victor Julien
0 siblings, 0 replies; 11+ messages in thread
From: Victor Julien @ 2004-03-24 16:44 UTC (permalink / raw)
To: Netfilter List
Hi Mihael,
In debian stable there is a package 'kernel-image-2.4.18-1-686' (note:
there is no 'i' with 686, my mistake ;).
This is in stable, so you probably want it instead of the 'testing' variant.
Regards,
Victor
Mihael Kukec wrote:
> Victor Julien wrote:
>
>> You're probably running the 'bf24' kernel (which kame with the
>> bootdisk). If you use 'kernel-image-2.4.18-1-i686' you do have the
>> modules. So you can use 'apt-get install kernel-image-2.4.18-1-i686'
>> (if you have an i686). Beware though, you need to modify your
>> lilo.conf because of initrd (instructions will be on the screen when
>> you install).
>
>
> Kernel that came originally was 2.2.20. I upgraded to 2.4.18-686. There
> is no such image (kernel-image-2.4.18-1-i686) in latest stable or
> testing packages, but there is kernel-image-2.4.25-1-686 in testing. I
> will try with that...
>
>
> Mihael
>
>
>
^ permalink raw reply [flat|nested] 11+ messages in thread
* Re: newbie question : ip_conntrack_ftp
2004-03-23 17:16 ` Victor Julien
2004-03-24 7:25 ` Mihael Kukec
@ 2004-03-24 7:28 ` Mihael Kukec
1 sibling, 0 replies; 11+ messages in thread
From: Mihael Kukec @ 2004-03-24 7:28 UTC (permalink / raw)
To: Netfilter List
Victor Julien wrote:
> You're probably running the 'bf24' kernel (which kame with the
> bootdisk). If you use 'kernel-image-2.4.18-1-i686' you do have the
> modules. So you can use 'apt-get install kernel-image-2.4.18-1-i686' (if
> you have an i686). Beware though, you need to modify your lilo.conf
> because of initrd (instructions will be on the screen when you install).
Kernel that came originally was 2.2.20. I upgraded to 2.4.18-686. There
is no such image (kernel-image-2.4.18-1-i686) in latest stable or
testing packages, but there is kernel-image-2.4.25-1-686 in testing. I
will try with that...
Mihael
^ permalink raw reply [flat|nested] 11+ messages in thread
* Re: newbie question : ip_conntrack_ftp
2004-03-23 15:24 newbie question : ip_conntrack_ftp Mihael Kukec
2004-03-23 16:48 ` Antony Stone
2004-03-23 17:16 ` Victor Julien
@ 2004-03-23 17:22 ` Cedric Blancher
2 siblings, 0 replies; 11+ messages in thread
From: Cedric Blancher @ 2004-03-23 17:22 UTC (permalink / raw)
To: Mihael Kukec; +Cc: netfilter
Le mar 23/03/2004 à 16:24, Mihael Kukec a écrit :
> I'm using latest stable Debian, with 2.4.18 kernel. Unfortunately it does
> not have ip_conntrack_ftp module included and I need it. Can someone give
> me short instructions on that to do? Where to get source, and if there
> are, some special instructions for compiling etc...
Which 2.4.18 kernel ? Kernel-image-2.4.18 packages contain
ip_conntrack_file.
--
http://www.netexit.com/~sid/
PGP KeyID: 157E98EE FingerPrint: FA62226DA9E72FA8AECAA240008B480E157E98EE
>> Hi! I'm your friendly neighbourhood signature virus.
>> Copy me to your signature file and help me spread!
^ permalink raw reply [flat|nested] 11+ messages in thread
* newbie question : ip_conntrack_ftp
@ 2004-03-23 15:13 Mihael Kukec
2004-03-24 3:11 ` Alexander Samad
0 siblings, 1 reply; 11+ messages in thread
From: Mihael Kukec @ 2004-03-23 15:13 UTC (permalink / raw)
To: netfilter
Hello!
Excuse me for my poor English...
I'm using latest stable Debian, with 2.4.18 kernel. Unfortunately it does
not have ip_conntrack_ftp module included and I need it. Can someone give
me short instructions on that to do? Where to get code, if there are some
special instructions for compiling etc..
TIA
^ permalink raw reply [flat|nested] 11+ messages in thread
* Re: newbie question : ip_conntrack_ftp
2004-03-23 15:13 Mihael Kukec
@ 2004-03-24 3:11 ` Alexander Samad
2004-03-24 13:04 ` Mihael Kukec
0 siblings, 1 reply; 11+ messages in thread
From: Alexander Samad @ 2004-03-24 3:11 UTC (permalink / raw)
To: netfilter
[-- Attachment #1: Type: text/plain, Size: 798 bytes --]
On Tue, Mar 23, 2004 at 04:13:52PM +0100, Mihael Kukec wrote:
>
> Hello!
>
> Excuse me for my poor English...
>
> I'm using latest stable Debian, with 2.4.18 kernel. Unfortunately it does
> not have ip_conntrack_ftp module included and I need it. Can someone give
> me short instructions on that to do? Where to get code, if there are some
> special instructions for compiling etc..
can you run
COLUMNS=200 dpkg -l 'kernel-im*' | grep ii
this will show with kernel image you have install
then run
dpkg -L '<insert the package name from above>' | grep -i conn
this should show you all the conntrack modules in the packages.
Some else stated in another thread that the BF2.4 package doesn't come
with all the conn track modules
A
>
>
> TIA
>
>
>
>
[-- Attachment #2: Digital signature --]
[-- Type: application/pgp-signature, Size: 189 bytes --]
^ permalink raw reply [flat|nested] 11+ messages in thread
* Re: newbie question : ip_conntrack_ftp
2004-03-24 3:11 ` Alexander Samad
@ 2004-03-24 13:04 ` Mihael Kukec
0 siblings, 0 replies; 11+ messages in thread
From: Mihael Kukec @ 2004-03-24 13:04 UTC (permalink / raw)
To: netfilter
On Wed, 24 Mar 2004, Alexander Samad wrote:
> On Tue, Mar 23, 2004 at 04:13:52PM +0100, Mihael Kukec wrote:
> > not have ip_conntrack_ftp module included and I need it. Can someone give
> then run
> dpkg -L '<insert the package name from above>' | grep -i conn
> this should show you all the conntrack modules in the packages.
> Some else stated in another thread that the BF2.4 package doesn't come
> with all the conn track modules
Well. tih was the outcome:
sphere:~# dpkg -L kernel-image-2.4.18-686 | grep -i conn
/lib/modules/2.4.18-686/kernel/net/ipv4/netfilter/ip_conntrack.o
/lib/modules/2.4.18-686/kernel/net/ipv4/netfilter/ip_conntrack_irc.o
/lib/modules/2.4.18-686/kernel/net/ipv4/netfilter/ip_conntrack_ftp.o
sphere:~# insmod ip_conntrack_ftp
Using /lib/modules/2.4.18-686/kernel/net/ipv4/netfilter/ip_conntrack_ftp.o
sphere:~#
Module was all the time here. Sorry for stupid question :)
Mihael
^ permalink raw reply [flat|nested] 11+ messages in thread
* Ip_conntrack_rpc_tcp
@ 2004-03-23 14:44 Stindl Wolfgang EXT
2004-03-23 15:05 ` newbie question : ip_conntrack_ftp Mihael Kukec
0 siblings, 1 reply; 11+ messages in thread
From: Stindl Wolfgang EXT @ 2004-03-23 14:44 UTC (permalink / raw)
To: 'netfilter@lists.netfilter.org'
[-- Attachment #1: Type: text/plain, Size: 6627 bytes --]
Hi,
I have some trouble with ip_conntrack_rpc_tcp.
It seems, that it doesn't find the right rpc-packets when making an nfs mount.
Do you have any ideas what I'm doing wrong?
Thanks a lot
Wolfi
Here are the rules
iptables -F
iptables -F PREROUTING -t nat
iptables -P INPUT DROP
iptables -P OUTPUT DROP
iptables -A INPUT -p tcp --dport 111 -j LOG
iptables -A OUTPUT -p tcp --sport 111 -j LOG
iptables -A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
iptables -A OUTPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
iptables -A INPUT -p tcp --dport 111 -m rpc -m state --state NEW -j ACCEPT
iptables -A INPUT -p UDP --dport 111 -m rpc -m state --state NEW -j ACCEPT
iptables -A INPUT -j LOG
iptables -A OUTPUT -j LOG
Here is some debugging output
Mar 23 15:48:54 DEVil kernel: ip_conntrack_rpc_tcp: new packet to evaluate ..
Mar 23 15:48:54 DEVil kernel: ip_conntrack_rpc_tcp: packet has no data (may still be handshaking). [skip]
Mar 23 15:48:54 DEVil kernel: IN=eth0 OUT= MAC=00:30:05:3f:ca:c3:00:e0:00:5e:13:ad:08:00 SRC=10.8.15.12 DST=10.8.15.10 LEN=60 TOS=0x00 PREC=0x00 TTL=64 ID=21635 DF PROTO=TCP SPT=716 DPT=111 WINDOW=5840 RES=0x00 SYN URGP=0
Mar 23 15:48:54 DEVil kernel: ip_conntrack_rpc_tcp: new packet to evaluate ..
Mar 23 15:48:54 DEVil kernel: ip_conntrack_rpc_tcp: packet has no data (may still be handshaking). [skip]
Mar 23 15:48:54 DEVil kernel: IN= OUT=eth0 SRC=10.8.15.10 DST=10.8.15.12 LEN=60 TOS=0x00 PREC=0x00 TTL=64 ID=0 DF PROTO=TCP SPT=111 DPT=716
WINDOW=5792 RES=0x00 ACK SYN URGP=0
Mar 23 15:48:54 DEVil kernel: ip_conntrack_rpc_tcp: new packet to evaluate ..
Mar 23 15:48:54 DEVil kernel: ip_conntrack_rpc_tcp: packet has no data (may still be handshaking). [skip]
Mar 23 15:48:54 DEVil kernel: IN=eth0 OUT= MAC=00:30:05:3f:ca:c3:00:e0:00:5e:13:ad:08:00 SRC=10.8.15.12 DST=10.8.15.10 LEN=52 TOS=0x00 PREC=0x00 TTL=64 ID=21636 DF PROTO=TCP SPT=716 DPT=111 WINDOW=5840 RES=0x00 ACK URGP=0
This is the RPC Call
Mar 23 15:48:54 DEVil kernel: ip_conntrack_rpc_tcp: new packet to evaluate ..
Mar 23 15:48:54 DEVil kernel: ip_conntrack_rpc_tcp: packet is from the initiator. [cont]
Mar 23 15:48:54 DEVil kernel: ip_conntrack_rpc_tcp: TCP header length is; tcplen=76 .. (I added this to debugging-output
Mar 23 15:48:54 DEVil kernel: ip_conntrack_rpc_tcp: tcph id; tcph->doff=8 .. (I added this to debugging-output
Mar 23 15:48:54 DEVil kernel: ip_conntrack_rpc_tcp: packet length is not correct. [skip]
Mar 23 15:48:54 DEVil kernel: IN=eth0 OUT= MAC=00:30:05:3f:ca:c3:00:e0:00:5e:13:ad:08:00 SRC=10.8.15.12 DST=10.8.15.10 LEN=96 TOS=0x00 PREC=0x00 TTL=64 ID=21637 DF PROTO=TCP SPT=716 DPT=111 WINDOW=5840 RES=0x00 ACK PSH URGP=0
Mar 23 15:48:54 DEVil kernel: ip_conntrack_rpc_tcp: new packet to evaluate ..
Mar 23 15:48:54 DEVil kernel: ip_conntrack_rpc_tcp: packet has no data (may still be handshaking). [skip]
Mar 23 15:48:54 DEVil kernel: IN= OUT=eth0 SRC=10.8.15.10 DST=10.8.15.12 LEN=52 TOS=0x00 PREC=0x00 TTL=64 ID=14112 DF PROTO=TCP SPT=111 DPT=716 WINDOW=5792 RES=0x00 ACK URGP=0
This should be the RPC-REPLY
As you can see: tcplen-(tcph->doff*4) != 32
Mar 23 15:48:54 DEVil kernel: ip_conntrack_rpc_tcp: new packet to evaluate ..
Mar 23 15:48:54 DEVil kernel: ip_conntrack_rpc_tcp: packet is from the receiver. [cont]
Mar 23 15:48:54 DEVil kernel: ip_conntrack_rpc_tcp: TCP header length is; tcplen=432 .. (I added this to debugging-output)
Mar 23 15:48:54 DEVil kernel: ip_conntrack_rpc_tcp: tcph id; tcph->doff=8 .. (I added this to debugging-output)
Mar 23 15:48:54 DEVil kernel: ip_conntrack_rpc_tcp: packet length is not correct. [skip]
Mar 23 15:48:54 DEVil kernel: IN= OUT=eth0 SRC=10.8.15.10 DST=10.8.15.12 LEN=452 TOS=0x00 PREC=0x00 TTL=64 ID=14113 DF PROTO=TCP SPT=111 DPT=716
WINDOW=5792 RES=0x00 ACK PSH URGP=0
Mar 23 15:48:54 DEVil kernel: ip_conntrack_rpc_tcp: new packet to evaluate ..
Mar 23 15:48:54 DEVil kernel: ip_conntrack_rpc_tcp: packet has no data (may still be handshaking). [skip]
Mar 23 15:48:54 DEVil kernel: IN=eth0 OUT= MAC=00:30:05:3f:ca:c3:00:e0:00:5e:13:ad:08:00 SRC=10.8.15.12 DST=10.8.15.10 LEN=52 TOS=0x00 PREC=0x00 TTL=64 ID=21638 DF PROTO=TCP SPT=716 DPT=111 WINDOW=6432 RES=0x00 ACK URGP=0
Mar 23 15:48:54 DEVil kernel: ip_conntrack_rpc_tcp: new packet to evaluate ..
Mar 23 15:48:54 DEVil kernel: ip_conntrack_rpc_tcp: packet is from the receiver. [cont]
Mar 23 15:48:54 DEVil kernel: ip_conntrack_rpc_tcp: TCP header length is; tcplen=68 ..
Mar 23 15:48:54 DEVil kernel: ip_conntrack_rpc_tcp: tcph id; tcph->doff=8 ..
Mar 23 15:48:54 DEVil kernel: ip_conntrack_rpc_tcp: packet length is not correct. [skip]
Mar 23 15:48:54 DEVil kernel: IN= OUT=eth0 SRC=10.8.15.10 DST=10.8.15.12 LEN=88 TOS=0x00 PREC=0x00 TTL=64 ID=14114 DF PROTO=TCP SPT=111 DPT=716
WINDOW=5792 RES=0x00 ACK PSH URGP=0
Mar 23 15:48:54 DEVil kernel: ip_conntrack_rpc_tcp: new packet to evaluate ..
Mar 23 15:48:54 DEVil kernel: ip_conntrack_rpc_tcp: packet has no data (may still be handshaking). [skip]
Mar 23 15:48:54 DEVil kernel: IN=eth0 OUT= MAC=00:30:05:3f:ca:c3:00:e0:00:5e:13:ad:08:00 SRC=10.8.15.12 DST=10.8.15.10 LEN=52 TOS=0x00 PREC=0x00 TTL=64 ID=21639 DF PROTO=TCP SPT=716 DPT=111 WINDOW=6432 RES=0x00 ACK URGP=0
Mar 23 15:48:54 DEVil kernel: ip_conntrack_rpc_tcp: new packet to evaluate ..
Mar 23 15:48:54 DEVil kernel: ip_conntrack_rpc_tcp: packet has no data (may still be handshaking). [skip]
Mar 23 15:48:54 DEVil kernel: IN=eth0 OUT= MAC=00:30:05:3f:ca:c3:00:e0:00:5e:13:ad:08:00 SRC=10.8.15.12 DST=10.8.15.10 LEN=52 TOS=0x00 PREC=0x00 TTL=64 ID=21640 DF PROTO=TCP SPT=716 DPT=111 WINDOW=6432 RES=0x00 ACK FIN URGP=0
Mar 23 15:48:54 DEVil kernel: IN=eth0 OUT= MAC=00:30:05:3f:ca:c3:00:e0:00:5e:13:ad:08:00 SRC=10.8.15.12 DST=10.8.15.10 LEN=108 TOS=0x00 PREC=0x00 TTL=64 ID=0 DF PROTO=UDP SPT=717 DPT=32771 LEN=88
Mar 23 15:48:54 DEVil kernel: ip_conntrack_rpc_tcp: new packet to evaluate ..
Mar 23 15:48:54 DEVil kernel: ip_conntrack_rpc_tcp: packet has no data (may still be handshaking). [skip]
Mar 23 15:48:54 DEVil kernel: IN= OUT=eth0 SRC=10.8.15.10 DST=10.8.15.12 LEN=52 TOS=0x00 PREC=0x00 TTL=64 ID=14115 DF PROTO=TCP SPT=111 DPT=716
WINDOW=5792 RES=0x00 ACK FIN URGP=0
Mar 23 15:48:54 DEVil kernel: ip_conntrack_rpc_tcp: new packet to evaluate ..
Mar 23 15:48:54 DEVil kernel: ip_conntrack_rpc_tcp: packet has no data (may still be handshaking). [skip]
This is the NFS mount which will be dropped.
Mar 23 15:48:54 DEVil kernel: IN=eth0 OUT= MAC=00:30:05:3f:ca:c3:00:e0:00:5e:13:ad:08:00 SRC=10.8.15.12 DST=10.8.15.10 LEN=52 TOS=0x00 PREC=0x00 TTL=64 ID=21641 DF PROTO=TCP SPT=716 DPT=111 WINDOW=6432 RES=0x00 ACK URGP=0
[-- Attachment #2: Type: text/html, Size: 10343 bytes --]
^ permalink raw reply [flat|nested] 11+ messages in thread
end of thread, other threads:[~2004-03-24 16:44 UTC | newest]
Thread overview: 11+ messages (download: mbox.gz follow: Atom feed
-- links below jump to the message on this page --
2004-03-23 15:24 newbie question : ip_conntrack_ftp Mihael Kukec
2004-03-23 16:48 ` Antony Stone
2004-03-23 17:16 ` Victor Julien
2004-03-24 7:25 ` Mihael Kukec
2004-03-24 16:44 ` Victor Julien
2004-03-24 7:28 ` Mihael Kukec
2004-03-23 17:22 ` Cedric Blancher
-- strict thread matches above, loose matches on Subject: below --
2004-03-23 15:13 Mihael Kukec
2004-03-24 3:11 ` Alexander Samad
2004-03-24 13:04 ` Mihael Kukec
2004-03-23 14:44 Ip_conntrack_rpc_tcp Stindl Wolfgang EXT
2004-03-23 15:05 ` newbie question : ip_conntrack_ftp Mihael Kukec
This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.