Connection not recognized as RELATED

Connection not recognized as RELATED

[Richard Simon]

I am trying to set up an FTP server behind a NAT'ing firewall.
Active FTP works, but passive does not.
It appears that conntrack is not recognizing the passive connection as related.
when I look at the client (using a sniffer), I can see the initial handshake take place and then I see the FTP server send back the new port for the passive connection.  The client sends a SYN to the new port, but gets no reply.
I can see the SYN arrive at the firewall, but it does not get picked up by any rules.  my iptables has a log rule to show if its classified as NEW, RELATED, or ESTABLISHED, and it shows a log entry as NEW.  I have a log rule at the end of the PREROUTING chain to show that the packet falls all the way through, which it does.
if I examine /proc/net/ip_conntrack, I can see the original ftp connection listed as established.

If I add a rule to DNAT any new connections on ports 1024:65535 and forward those to my ftp server, then passive ftp works.  When I try that only for RELATED, ESTABLISHED connections, it fails.

why doesnt ip_conntrack recognize the passive connection as RELATED?

any clues for further investigation would be much appreciated. I'm stumped.


here are the config details:

I am running CentOS 4.0 w/ kernel 2.6.9-5.ELsmp #1 SMP.
I am using iptables package iptables-1.2.11-3.1.RHEL4

I have these ip modules loaded (according to lsmod)
ip_nat_ftp, ip_conntrack_ftp, iptable_mangle, iptable_nat , ipt_LOG , ipt_state, ip_conntrack, iptable_filter, ip_tables 

here are my iptables entries (the IP's have been changed). 77.77.77.4 is my firewall, 192.168.0.101 is my ftp server, 88.88.88.1 is the computer I'm using on the outside to test. eth2 is the outside interface, eth0 is inside.

filter
:INPUT DROP [61:10719]
:FORWARD DROP [0:0]
:OUTPUT DROP [0:0]
:allowed - [0:0]
:icmp_packets - [0:0]
:tcp_packets - [0:0]
:udp_packets - [0:0]
-A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT 
-A INPUT -i lo -m state --state NEW,RELATED,ESTABLISHED -j ACCEPT 
-A INPUT -s 192.168.4.0/255.255.255.0 -i eth0 -j ACCEPT 
-A INPUT -s 127.0.0.1 -i lo -j ACCEPT 
-A INPUT -s 192.168.4.1 -i lo -j ACCEPT 
-A INPUT -s 77.77.77.4 -i lo -j ACCEPT 
-A FORWARD -s 88.88.88.1 -j LOG --log-prefix "FOR:"
-A FORWARD -d 88.88.88.1 -j LOG --log-prefix "FOR:"
-A FORWARD -i eth0 -j ACCEPT 
-A FORWARD -m state --state RELATED,ESTABLISHED -j ACCEPT 
-A FORWARD -d 192.168.4.101 -i eth2 -o eth0 -p tcp -m tcp --sport 1024:65535 --dpo
rt 21 -m state --state NEW -j ACCEPT  
-A OUTPUT -d 88.88.88.1 -j LOG --log-prefix "OUT:"
-A OUTPUT -s 127.0.0.1 -j ACCEPT 
-A OUTPUT -s 192.168.4.1 -j ACCEPT 
-A OUTPUT -s 77.77.77.4 -j ACCEPT 

COMMIT
# Completed on Wed Mar  1 15:21:42 2006
# Generated by iptables-save v1.2.11 on Wed Mar  1 15:21:42 2006
*nat
:PREROUTING ACCEPT [3575:986022]
:POSTROUTING ACCEPT [229:17699]
:OUTPUT ACCEPT [42:7467]
-A PREROUTING -s 88.88.88.1 -m state --state ESTABLISHED -j LOG --log-prefix 
"DNEST:"
-A PREROUTING -d  88.88.88.1 -m state --state RELATED -j LOG --log-prefix "DNR
EL:"
-A PREROUTING -s  88.88.88.1 -m state --state RELATED -j LOG --log-prefix "DNR
EL:"
-A PREROUTING -d 88.88.88.1 -m state --state ESTABLISHED -j LOG --log-prefix 
"DNEST:"
-A PREROUTING -s  88.88.88.1 -m state --state NEW -j LOG --log-prefix "DNNEW:"
-A PREROUTING -d 88.88.88.1 -m state --state NEW -j LOG --log-prefix "DNNEW:"
-A PREROUTING -d 77.77.77.4 -i eth2 -p tcp -m tcp --sport 1024:65535 --dport 21 
-j DNAT --to-destination 192.168.4.101:21  
-A PREROUTING -s 88.88.88.1 -j LOG --log-prefix "DNFAIL:"
-A POSTROUTING -o eth2 -j SNAT --to-source 77.77.77.4 
COMMIT
# Completed on Wed Mar  1 15:21:42 2006
# Generated by iptables-save v1.2.11 on Wed Mar  1 15:21:42 2006
*mangle
:PREROUTING ACCEPT [58120:48534001]
:INPUT ACCEPT [3805:423984]
:FORWARD ACCEPT [51890:47349762]
:OUTPUT ACCEPT [1662:246025]
:POSTROUTING ACCEPT [53552:47595787]
COMMIT              



Richard Simon
Giant Killer Robots
361 Brannan St.
San Francisco, CA 94107
(415) 777-2477

Re: Connection not recognized as RELATED

[ludi]

I had settled  the problem last time,with help.:)
First of all, you must insmod ftp_conntrack(nat_ftp_conntrack....etc).
The module work for processing the ftp connection.
And then, you should bind ftp on 21port.The module only can track the
21port by default.If you want to set other port,you must edit the
source.
You may setup your rule to allow the ftp pass.
Did your ftp work?
:)

Re: Connection not recognized as RELATED

[Aleksander]

ludi wrote:
> The module only can track the
> 21port by default.If you want to set other port,you must edit the
> source.

Are you sure? I remember seeing an option like port=XXX for the modules, 
their names are:
ip_conntrack_ftp
ip_nat_ftp

Just google this for example:
http://www.google.com/search?complete=1&hl=en&lr=&q=%22modprobe+ip_conntrack_ftp+port%22&btnG=Search

Alex

Re: Connection not recognized as RELATED

[Steven M Campbell]

ludi wrote:
> I had settled  the problem last time,with help.:)
> First of all, you must insmod ftp_conntrack(nat_ftp_conntrack....etc).
> The module work for processing the ftp connection.
> And then, you should bind ftp on 21port.The module only can track the
> 21port by default.If you want to set other port,you must edit the
> source.
> You may setup your rule to allow the ftp pass.
> Did your ftp work?
> :)
>   
ip_conntrack_ftp takes an array of ports. 

 # modinfo ip_conntrack_ftp
filename:       
/lib/modules/2.6.13-15.8-default/kernel/net/ipv4/netfilter/ip_conntrack_ftp.ko
license:        GPL
author:         Rusty Russell <rusty@rustcorp.com.au>
description:    ftp connection tracking helper
vermagic:       2.6.13-15.8-default 586 REGPARM gcc-4.0
supported:      yes
depends:        ip_conntrack
srcversion:     4461DB3F80F52AA3EF2374F
parm:           loose:int
parm:           ports:array of int


So you can, for example:
    modprobe ip_conntrack_ftp ports=21,33,454

RE: Connection not recognized as RELATED

[Richard Simon]

I dont think you looked at my configuration included in the message.
I have those modules loaded (as you can see from my lsmod output) and I have ftp working on port 21 (which you can infer from my DNAT rule).
I'm just not getting the conntrack to recognize the SYN for the passive connection to be RELATED.

anyone else have a guess?

Richard Simon
Giant Killer Robots
361 Brannan St.
San Francisco, CA 94107
(415) 777-2477


> -----Original Message-----
> From: netfilter-bounces@lists.netfilter.org
> [mailto:netfilter-bounces@lists.netfilter.org]On Behalf Of ludi
> Sent: Thursday, March 02, 2006 6:05 PM
> To: netfilter@lists.netfilter.org
> Subject: Re: Connection not recognized as RELATED
> 
> 
> I had settled  the problem last time,with help.:)
> First of all, you must insmod ftp_conntrack(nat_ftp_conntrack....etc).
> The module work for processing the ftp connection.
> And then, you should bind ftp on 21port.The module only can track the
> 21port by default.If you want to set other port,you must edit the
> source.
> You may setup your rule to allow the ftp pass.
> Did your ftp work?
> :)
> 

Re: Connection not recognized as RELATED

[ludi]

BTW,I think you should use the module----ip_nat_ftp.o

On 3/3/06, Richard Simon <rlsimon@killerobot.com> wrote:
> I dont think you looked at my configuration included in the message.
> I have those modules loaded (as you can see from my lsmod output) and I have ftp working on port 21 (which you can infer from my DNAT rule).
> I'm just not getting the conntrack to recognize the SYN for the passive connection to be RELATED.
>
> anyone else have a guess?
>
> Richard Simon
> Giant Killer Robots
> 361 Brannan St.
> San Francisco, CA 94107
> (415) 777-2477
>
>
> > -----Original Message-----
> > From: netfilter-bounces@lists.netfilter.org
> > [mailto:netfilter-bounces@lists.netfilter.org]On Behalf Of ludi
> > Sent: Thursday, March 02, 2006 6:05 PM
> > To: netfilter@lists.netfilter.org
> > Subject: Re: Connection not recognized as RELATED
> >
> >
> > I had settled  the problem last time,with help.:)
> > First of all, you must insmod ftp_conntrack(nat_ftp_conntrack....etc).
> > The module work for processing the ftp connection.
> > And then, you should bind ftp on 21port.The module only can track the
> > 21port by default.If you want to set other port,you must edit the
> > source.
> > You may setup your rule to allow the ftp pass.
> > Did your ftp work?
> > :)
> >
>

RE: Connection not recognized as RELATED

[Derick Anderson]

 

> -----Original Message-----
> From: netfilter-bounces@lists.netfilter.org 
> [mailto:netfilter-bounces@lists.netfilter.org] On Behalf Of 
> Richard Simon
> Sent: Friday, March 03, 2006 10:48 AM
> To: ludi; netfilter@lists.netfilter.org
> Subject: RE: Connection not recognized as RELATED
> 
> I dont think you looked at my configuration included in the message.
> I have those modules loaded (as you can see from my lsmod 
> output) and I have ftp working on port 21 (which you can 
> infer from my DNAT rule).
> I'm just not getting the conntrack to recognize the SYN for 
> the passive connection to be RELATED.
> 
> anyone else have a guess?
> 
> Richard Simon
> Giant Killer Robots
> 361 Brannan St.
> San Francisco, CA 94107
> (415) 777-2477
> 

I would start by filtering in the filter table. These rules

-A PREROUTING -d 77.77.77.4 -i eth2 -p tcp -m tcp --sport 1024:65535
--dport 21 -j DNAT --to-destination 192.168.4.101:21
-A FORWARD -d 192.168.4.101 -i eth2 -o eth0 -p tcp -m tcp --sport
1024:65535 --dport 21 -m state --state NEW -j ACCEPT 

should be

-A PREROUTING -d 77.77.77.4 -i eth2 -j DNAT --to-destination
192.168.4.101
-A FORWARD -p tcp -d 192.168.4.101 -i eth2 -o eth0 -p tcp -m tcp --dport
21 -m state --state NEW  -j ACCEPT

There is no need to filter twice and conntrack makes unprivileged source
port filtering unnecessary. Also, filtering in nat is a bad idea, for
reasons that are explained somewhere in the archive but if memory serves
only the first packet in a connection which is matched by a nat rule
actually passes through the nat table.

Hope that helps. If not, you can always open up the destination ports
for the passive range on your FTP server. Also, if you use FTPS (over
SSL) conntrack can't see the PASV port request and won't have a clue
what to do, so you have to open those ports anyway.

Derick Anderson