RE: ip_conntrack

RE: ip_conntrack

[George Vieira]

ip connection tracking is what it says and using rules like

$IPTABLES -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT

makes the existing connections automatically excepted, like an SSH connection will continue to work after the first SYN is accepted as the connection would be established and ip_conntrack will keep a record of the connection while it's still up.

Without ip_conntrack, the --state module would not work... correct me if I'm wrong guys.. ;)

Thanks,
____________________________________________
George Vieira
Systems Manager
georgev@citadelcomputer.com.au

Citadel Computer Systems Pty Ltd
http://www.citadelcomputer.com.au

-----Original Message-----
From: netfilter_user [mailto:netfilter_user@o2.pl]
Sent: Thursday, May 22, 2003 6:18 AM
To: netfilter@lists.netfilter.org
Subject: ip_conntrack


Hello everyone,

I have got very simply and basic quastion.
What ip_cpnntrack and ip_cpnntrack_ftp realy do? Tracking connection
or something more?

  

-- 
Best regards,
 mailto:netfilter_user@o2.pl

Help- can't ftp

[Steven Mugassa]

[-- Attachment #1: Type: text/plain, Size: 458 bytes --]

Hello everyone,

I have got Windows machines behind a Red Hat 9.0 Linux router (with SNAT +
CIPE-VPN). The problem i'm getting is that the machines behind that router
can't open ftp sites. The error message is "__ Invalid PORT command" (and
for some sites there is one more error message " __ command not
understood"). However, the router itself can open ftp sites. 

Can this be a problem with ip_conntrack or something else? 
Please advice

Thanks,
Steven

[-- Attachment #2: winmail.dat --]
[-- Type: application/ms-tnef, Size: 1664 bytes --]

Re: Help- can't ftp

[Philip Craig]

Steven Mugassa wrote:
> I have got Windows machines behind a Red Hat 9.0 Linux router (with SNAT +
> CIPE-VPN). The problem i'm getting is that the machines behind that router
> can't open ftp sites. The error message is "__ Invalid PORT command" (and
> for some sites there is one more error message " __ command not
> understood"). However, the router itself can open ftp sites. 
> 
> Can this be a problem with ip_conntrack or something else? 

Have you loaded the ftp conntrack and nat modules?

/sbin/modprobe ip_conntrack_ftp
/sbin/modprobe ip_nat_ftp

-- 
Philip Craig - philipc@snapgear.com - http://www.SnapGear.com
SnapGear - Custom Embedded Solutions and Security Appliances

RE: Help- can't ftp

[Steven Mugassa]

Thanks for your advice,

I have now loaded the ftp conntrack and nat modules and it is now working
/sbin/modprobe ip_conntrack_ftp
/sbin/modprobe ip_nat_ftp

Nevertheless, the problem i'm getting now is that after sometime then i do
the 'lsmod command', i don't see the two modules anymore(they disappear
after sometime, don't know exactly after how many hours but it is like if i
load today, the next day the modules disappear)

Please advice,
Thanks,
Steven

-----Original Message-----
From: netfilter-admin@lists.netfilter.org
[mailto:netfilter-admin@lists.netfilter.org]On Behalf Of Philip Craig
Sent: Monday, May 26, 2003 3:46 AM
To: Steven Mugassa
Cc: netfilter@lists.netfilter.org
Subject: Re: Help- can't ftp


Steven Mugassa wrote:
> I have got Windows machines behind a Red Hat 9.0 Linux router (with SNAT +
> CIPE-VPN). The problem i'm getting is that the machines behind that router
> can't open ftp sites. The error message is "__ Invalid PORT command" (and
> for some sites there is one more error message " __ command not
> understood"). However, the router itself can open ftp sites.
>
> Can this be a problem with ip_conntrack or something else?

Have you loaded the ftp conntrack and nat modules?

/sbin/modprobe ip_conntrack_ftp
/sbin/modprobe ip_nat_ftp

--
Philip Craig - philipc@snapgear.com - http://www.SnapGear.com
SnapGear - Custom Embedded Solutions and Security Appliances