nf_conntrack/nf_conntrack_ftp

ichrispa · 12-26-2009, 11:47 AM

Hello everyone,

first off, this is not a "this doesn't work, help me fix it"-thread. It works. My question is: why?

In detail: I wanted to set up an ftp server (vsftpd, port 21 for ftp-control, 40000 to 40100 for passive ftp). With nf_conntrack loaded, I modified my iptables as follows:

Code:

iptables -I INPUT -p tcp --dport 21 -j ACCEPT
iptables -I INPUT -p tcp -m mutliport --dports 40000:40100 -m state --state RELATED,ESTABLISHED -j ACCEPT
iptables -I OUTPUT -p tcp -m mutliport --sports 40000:40100 -m state --state RELATED,ESTABLISHED -j ACCEPT

All chain policies are set to DROP.

Now, when I connect to port 21 (using an ftp client and passive mode) from a different host, /proc/net/nf_conntrack confirms that the connection is established:

Code:

ipv4     2 tcp      6 431991 ESTABLISHED src=10.0.52.1 dst=10.0.62.100 sport=57359 dport=21 packets=9 bytes=508 src=10.0.62.100 dst=10.0.52.1 sport=21 dport=57359 packets=6 bytes=465 [ASSURED] mark=0 secmark=0 use=1

However, when i try to get data/listings, the connection hangs. netstat confirms a passive port on the server is open, but the client can't connect. Why can't he connect? Shouldn't this connection be considered RELATED?

The problem is fixed entirely when i load the nf_conntrack_ftp module. The only iptables rule needed is the --dport 21 rule in the INPUT chain.

What does the nf_conntrack_ftp module do differently then applying similar rules than the ones I issued to iptables above?

Thanks in advance,

Chris

GrapefruiTgirl · 12-26-2009, 12:22 PM

I cannot tell you precisely what the ftp-conntrack module does differently than the regular conntrack module (I suppose it monitors the control connection?? To see what ports will be used for the data??); however I can tell you this:

1) with active FTP, the control connection on port-21 qualifies as ESTABLISHED, RELATED, and so does the data connection on whatever ports you run that on.

2) With passive ftp, the control connection on p-21 is still ESTABLISHED, RELATED, but the data connection is not; it is neither ESTABLISHED nor RELATED, or the transfer/connection will hang.

Something else:

1) Maybe you just made a typo up there in your post, but in your rules, you write "mutliport" instead of "multiport" -- in real situation, it might cause problem

Sasha

ichrispa · 12-26-2009, 03:34 PM

thx GrapefruiTgirl, that was a typo when i wrote the post.

I'll simply accept the fact that the nf_conntrack_ftp module resolved my problem as I expected for now. I'll post more details if I ever find spare time to read the sources of the module

Chenchu · 09-26-2011, 05:38 AM

I also got into this problem today, and the reason you need nf_conntrack_ftp module loaded as well is because the nf_conntrack module USES the nf_conntrack_ftp module to track ftp connections. it's like parent and son relation, nf_conntrack is a general tracking module, and if you want it to track ftp as well you need to load another module which is USED BY the nf_conntrack.

you simply can see this with lsmod.