From: Pascal Hambourg <pascal.mail@plouf.fr.eu.org>
To: netfilter ML <netfilter@lists.netfilter.org>
Subject: Re: interesting behavior of ftp helper
Date: Mon, 20 Aug 2007 11:38:16 +0200 [thread overview]
Message-ID: <46C96108.1090609@plouf.fr.eu.org> (raw)
In-Reply-To: <46C8CEE4.2050304@solutti.com.br>
Hello,
Leonardo Rodrigues Magalhães a écrit :
[...]
> forward_interna_externa is the created table that receives all
> traffic flowing from internal to external network. It has, among several
> others, the following rules:
>
> -A forward_interna_externa -s 192.168.0.0/255.255.255.0 -p tcp -m tcp
> --dport 20:21 -j ACCEPT
Port 20 is not needed. The FTP conntrack helper and RELATED/ESTABLISHED
states will take care of this.
> -A forward_interna_externa -s 192.168.0.0/255.255.255.0 -p tcp -m state
> --state RELATED -j ACCEPT
> -A forward_interna_externa -j LOG --log-prefix "bloq_forward_externa:"
> --log-level 6 --log-tcp-sequence --log-tcp-options --log-ip-options
> -A forward_interna_externa -j DROP
>
> ip_conntrack_ftp and ip_nat_ftp modules are correctly loaded.
>
> So, with these rules and all i have read, i was expecting that 20 and
> 21 TCP ports would handle the active FTP connections and
> ip_conntrack_ftp+RELATED rule would handle the passive FTP connections.
Not exactly. Port 21 is the control connection and is always used
whether you're in passive of active mode. Both passive and active data
connection are RELATED to it. Note that port 20 is used as a source port
by the server to initiate a data connection in active mode. It is not a
listening port waiting to accept incoming connections.
> But ..... altough i was doing what i tought to be the correct rules
> and loading the needed modules, i couldnt passive FTP. Active FTP was
> OK, but passive wasn't. My connections were blocked and no packets were
> hitting the RELATED rule:
>
> Aug 15 15:20:02 fenix kernel: bloq_forward_externa:IN=eth0 OUT=eth1
> SRC=192.168.0.54 DST=200.182.XX.YY LEN=40 TOS=0x00 PREC=0x00 TTL=127
> ID=756 DF PROTO=TCP SPT=1113 DPT=4846 SEQ=1838929699 ACK=3064370605
> WINDOW=65535 RES=0x00 ACK URGP=0
You must be wrong. This is an ACK packet, following a SYN/ACK packet
sent by the server in response to a SYN packet you sent to establish the
passive data connection and which had the RELATED state. Check the
counters. If the RELATED rule did not catch the SYN packet, then another
rule did. Once the data connection has been established (after the SYN),
all its subsequent packets have the ESTABLISHED state, as any other
connection.
[...]
> The other theory i got is that only the FIRST packet of a helper
> identified connection is RELATED and all the other packets that belong
> to that RELATED connection are indeed ESTABLISHED ones.
Correct. In related connections the RELATED state replaces NEW.
next prev parent reply other threads:[~2007-08-20 9:38 UTC|newest]
Thread overview: 3+ messages / expand[flat|nested] mbox.gz Atom feed top
2007-08-19 23:14 interesting behavior of ftp helper Leonardo Rodrigues Magalhães
2007-08-20 9:38 ` Pascal Hambourg [this message]
2007-08-20 19:15 ` Leonardo Rodrigues Magalhães
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=46C96108.1090609@plouf.fr.eu.org \
--to=pascal.mail@plouf.fr.eu.org \
--cc=netfilter@lists.netfilter.org \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox