* ftp connection tracking
@ 2003-07-29 11:22 Axel Heinrici
2003-07-29 11:41 ` Cedric Blancher
2003-07-29 12:52 ` ftp connection tracking Andrew J. Meader
0 siblings, 2 replies; 9+ messages in thread
From: Axel Heinrici @ 2003-07-29 11:22 UTC (permalink / raw)
To: netfilter
Hi
I have a problem connecting to a ftp-server on a non-standard port. I
remember there was an option to be set upon inserting the
kernel-module. The documentation on module-options seems a little weird
to me, and I can't find a clear answer.
The situation is simple. My computer and the router/firewall have
non-private IPs. Hence no Masquerading/SNAT is done. But the firewall
has to be set up denying any connection going out except for services
allowed explicitly. FTP is working fine (even active) when connecting
to servers on port 21.
What options do I have to apply when inserting the modules?
greetings
Axel
* Re: ftp connection tracking
2003-07-29 11:22 ftp connection tracking Axel Heinrici
@ 2003-07-29 11:41 ` Cedric Blancher
2003-07-29 15:22 ` ftp connection tracking (solved) Axel Heinrici
2003-07-29 12:52 ` ftp connection tracking Andrew J. Meader
1 sibling, 1 reply; 9+ messages in thread
From: Cedric Blancher @ 2003-07-29 11:41 UTC (permalink / raw)
To: Axel Heinrici; +Cc: netfilter
On Tue 29/07/2003 at 13:22, Axel Heinrici wrote:
> I have a problem connecting to a ftp-server on a non-standard port.
[...]
> What options do I have to apply when inserting the modules?
As far as I can remember:
modprobe ip_conntrack_ftp port=21,2121
You can track 8 ports this way.
As a more general way to get module options, use the modinfo command.
Unfortunately, I do not have ip_conntrack_ftp built as a module, but this
is what you can get:
cbr@elendil:~$ modinfo bonding
filename: /lib/modules/2.4.20/kernel/drivers/net/bonding.o
description: <none>
author: <none>
license: "GPL"
parm: max_bonds int, description "Max number of bonded devices"
parm: miimon int, description "Link check interval in
milliseconds"
parm: mode int, description "Mode of operation : 0 for round
robin, 1 for active-backup, 2 for xor"
parm: arp_interval int, description "arp interval in
milliseconds"
parm: arp_ip_target string, description "arp target in n.n.n.n
form"
parm: updelay int, description "Delay before considering link up,
in milliseconds"
parm: downdelay int, description "Delay before considering link
down, in milliseconds"
--
http://www.netexit.com/~sid/
PGP KeyID: 157E98EE FingerPrint: FA62226DA9E72FA8AECAA240008B480E157E98EE
* Re: ftp connection tracking (solved)
2003-07-29 11:41 ` Cedric Blancher
@ 2003-07-29 15:22 ` Axel Heinrici
0 siblings, 0 replies; 9+ messages in thread
From: Axel Heinrici @ 2003-07-29 15:22 UTC (permalink / raw)
To: netfilter
Hi
On Tuesday 29 July 2003 13:41, Cedric Blancher wrote:
> On Tue 29/07/2003 at 13:22, Axel Heinrici wrote:
> > I have a problem connecting to a ftp-server on a non-standard port.
>
> [...]
>
> > What options do I have to apply when inserting the modules?
>
> As far as I can remember :
>
> modprobe ip_conntrack_ftp port=21,2121
>
> You can track 8 ports this way.
To spare anyone who is searching the archives from going insane later.....
The correct parameter is "ports" and not "port" :-)
Axel
* Re: ftp connection tracking
2003-07-29 11:22 ftp connection tracking Axel Heinrici
2003-07-29 11:41 ` Cedric Blancher
@ 2003-07-29 12:52 ` Andrew J. Meader
2003-07-29 13:58 ` Axel Heinrici
1 sibling, 1 reply; 9+ messages in thread
From: Andrew J. Meader @ 2003-07-29 12:52 UTC (permalink / raw)
To: Axel Heinrici; +Cc: netfilter
Hi,
I just ran into this just yesterday. I was forgetting to load
ip_conntrack_ftp in my iptables init script. For grins, here is a snip
from my init script:
# Firewall Modules ~ assuming modularized kernel
/sbin/modprobe ip_tables
/sbin/modprobe iptable_nat
/sbin/modprobe ip_conntrack
/sbin/modprobe ip_conntrack_ftp
YMMV - your modules may vary :)
ajm
Axel Heinrici wrote:
>Hi
>
>I have a problem connecting to a ftp-server on a non-standard port. I
>remember there was an option to be set upon inserting the
>kernel-module. The documentation on module-options seems a little weird
>to me, and I can't find a clear answer.
>The situation is simple. My computer and the router/firewall have
>non-private IPs. Hence no Masquerading/SNAT is done. But the firewall
>has to be set up denying any connection going out except for services
>allowed explicitly. FTP is working fine (even active) when connecting
>to servers on port 21.
>What options do I have to apply when inserting the modules?
>
>greetings
> Axel
* Re: ftp connection tracking
2003-07-29 12:52 ` ftp connection tracking Andrew J. Meader
@ 2003-07-29 13:58 ` Axel Heinrici
2003-07-29 14:50 ` Andrew J. Meader
0 siblings, 1 reply; 9+ messages in thread
From: Axel Heinrici @ 2003-07-29 13:58 UTC (permalink / raw)
To: netfilter
Hi
On Tuesday 29 July 2003 14:52, Andrew J. Meader wrote:
> Hi,
>
> I just ran into this just yesterday. I was forgetting to load
> ip_conntrack_ftp in my iptables init script. For grins, here is a
> snip from my init script:
That is not the problem. The module is loaded. But the module doesn't
track FTP-connections on non-standard ports. So FTP-connections to
these servers are not "allowed" by the "iptables .... -m --state
RELATED,ESTABLISHED ...."-stuff.
>
> # Firewall Modules ~ assuming modularized kernel
> /sbin/modprobe ip_tables
> /sbin/modprobe iptable_nat
> /sbin/modprobe ip_conntrack
> /sbin/modprobe ip_conntrack_ftp
>
> YMMV - your modules may vary :)
greetings
Axel
* ftp connection tracking
@ 2003-08-27 17:36 David Luyens
2003-08-31 10:48 ` Ralf Spenneberg
2003-09-01 1:04 ` Alistair Tonner
0 siblings, 2 replies; 9+ messages in thread
From: David Luyens @ 2003-08-27 17:36 UTC (permalink / raw)
To: netfilter
Hi,
When I change the port number of my ftp daemon, the connection tracking
of netfilter does not work anymore.
Is it possible to say to netfilter to look at a different port (than 21)
for ftp connections?
David Luyens
* Re: ftp connection tracking
2003-08-27 17:36 David Luyens
@ 2003-08-31 10:48 ` Ralf Spenneberg
2003-09-01 1:04 ` Alistair Tonner
1 sibling, 0 replies; 9+ messages in thread
From: Ralf Spenneberg @ 2003-08-31 10:48 UTC (permalink / raw)
To: David Luyens; +Cc: Netfilter
On Wed, 2003-08-27 at 19.36, David Luyens wrote:
> Hi,
>
> When I change the port number of my ftp daemon, the connection tracking
> of netfilter does not work anymore.
> Is it possible to say to netfilter to look at a different port (than
> 21) for ftp connections?
Yes, see:
# modinfo ip_conntrack_ftp
filename: /lib/modules/2.4.20-20.9/kernel/net/ipv4/netfilter/ip_conntrack_ftp.o
description: <none>
author: <none>
license: "GPL"
parm: ports int array (min = 1, max = 8)
parm: loose int
You can define the ports when loading the ip_conntrack_ftp module.
Cheers,
Ralf
--
Ralf Spenneberg
RHCE, RHCX
Book: Intrusion Detection für Linux Server http://www.spenneberg.com
IPsec-Howto http://www.ipsec-howto.org
Honeynet Project Mirror: http://honeynet.spenneberg.org
* Re: ftp connection tracking
2003-08-27 17:36 David Luyens
2003-08-31 10:48 ` Ralf Spenneberg
@ 2003-09-01 1:04 ` Alistair Tonner
1 sibling, 0 replies; 9+ messages in thread
From: Alistair Tonner @ 2003-09-01 1:04 UTC (permalink / raw)
To: David Luyens, netfilter
On August 27, 2003 01:36 pm, David Luyens wrote:
> Hi,
>
> When I change the port number of my ftp daemon, the connection tracking
> of netfilter does not work anymore.
> Is it possible to say to netfilter to look at a different port (than 21)
> for ftp connections?
>
> David Luyens
Not sure what the kernel command line would be but if you use modules
to load
ip_conntrack_ftp
ip_nat_ftp
modinfo ip_conntrack_ftp
you pass the new port as an option to the module when it loads.
insmod ip_nat_ftp ports=xx,xx
--
Alistair Tonner
nerdnet.ca
Senior Systems Analyst - RSS
Any sufficiently advanced technology will have the appearance of magic.
Let's get magical!
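The thread turns on two details: the module parameter is spelled "ports" (Axel's correction of Cedric's "port"), and modinfo reports it as an int array with max = 8 (Ralf's output). The script below is an added example and not code posted by anyone in the thread. It reads the parameter name and the array limit out of modinfo output instead of relying on memory, validates the requested port list against that limit, and emits the modprobe line together with the state-match rules Axel describes for a default-deny OUTPUT chain. The modinfo text embedded in the script is a constructed sample modelled on Ralf's post; on a real host replace it with the output of `modinfo ip_conntrack_ftp`. As Alistair notes, ip_nat_ftp needs the same ports list, but only on a box that does NAT.

```shell
#!/bin/sh
# Added example (not from the thread): derive the ip_conntrack_ftp load
# command from what modinfo reports, so the parameter name ("ports", not
# "port") and its array limit come from the module, not from memory.

# Constructed sample of modinfo output, modelled on Ralf's post.
# On a real host use:  MODINFO_OUT=$(modinfo ip_conntrack_ftp)
MODINFO_OUT='filename:    /lib/modules/2.4.20-20.9/kernel/net/ipv4/netfilter/ip_conntrack_ftp.o
description: <none>
author:      <none>
license:     "GPL"
parm:        ports int array (min = 1, max = 8)
parm:        loose int'

# parm_name: print the name of the parm whose name begins with "port"
# (this is where "port" vs "ports" gets settled by the module itself).
parm_name() {
    printf '%s\n' "$MODINFO_OUT" | awk '$1 == "parm:" && $2 ~ /^port/ { print $2; exit }'
}

# parm_max: print the maximum array length modinfo reports for that parm.
parm_max() {
    printf '%s\n' "$MODINFO_OUT" \
        | sed -n 's/^parm:[[:space:]]*port[a-z]* .*max = \([0-9]*\).*/\1/p'
}

# validate_ports LIST MAX: every entry must be numeric and in 1..65535,
# and the list may hold at most MAX entries. Returns 0 if OK, 1 otherwise.
validate_ports() {
    list=$1; max=$2; count=0
    oldifs=$IFS; IFS=','
    for p in $list; do
        case $p in
            ''|*[!0-9]*) IFS=$oldifs; return 1 ;;
        esac
        if [ "$p" -lt 1 ] || [ "$p" -gt 65535 ]; then
            IFS=$oldifs; return 1
        fi
        count=$((count + 1))
    done
    IFS=$oldifs
    [ "$count" -ge 1 ] && [ "$count" -le "$max" ]
}

# modprobe_cmd LIST: print the modprobe line for LIST, or fail if LIST
# violates what modinfo reported.
modprobe_cmd() {
    name=$(parm_name); max=$(parm_max)
    validate_ports "$1" "$max" || return 1
    printf 'modprobe ip_conntrack_ftp %s=%s\n' "$name" "$1"
    # Only needed when this box also does NAT/masquerading (Axel's does not):
    # printf 'modprobe ip_nat_ftp %s=%s\n' "$name" "$1"
}

# ftp_rules LIST: print the rules for a default-deny OUTPUT chain that
# still lets FTP (including active-mode data connections) work. With
# ip_conntrack_ftp tracking LIST, the data connection is RELATED, so the
# state match covers it on both chains.
ftp_rules() {
    validate_ports "$1" "$(parm_max)" || return 1
    echo 'iptables -A OUTPUT -m state --state RELATED,ESTABLISHED -j ACCEPT'
    echo 'iptables -A INPUT  -m state --state RELATED,ESTABLISHED -j ACCEPT'
    oldifs=$IFS; IFS=','
    for p in $1; do
        printf 'iptables -A OUTPUT -p tcp --dport %s -m state --state NEW -j ACCEPT\n' "$p"
    done
    IFS=$oldifs
}

# Usage: sh ftp_conntrack.sh 21,2121   (prints the commands; nothing is applied)
if [ -n "$1" ]; then
    modprobe_cmd "$1" && ftp_rules "$1"
fi
```

The script only prints commands; pipe it into a shell once you are happy with the output. Loading the module with a ports list is not the whole story on a default-deny box, which is why the INPUT and OUTPUT RELATED,ESTABLISHED rules are printed alongside: without the RELATED match the data connection that ip_conntrack_ftp just learned about is still dropped.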