Conntrack ftp [message #35325]
Tue, 17 March 2009 18:00
xido
Messages: 8 Registered: November 2007
Junior Member
Passive mode does not work; it feels as if the ip_conntrack_ftp module is not working inside the VE.
On the HN:
~# lsmod
Module Size Used by
ipt_REJECT 13952 1
ipt_owner 10880 3
kvm_intel 57960 0
kvm 191752 1 kvm_intel
vzethdev 23808 0
vznetdev 32776 10
simfs 14320 5
vzrst 155688 0
vzcpt 129976 0
tun 23168 2 vzrst,vzcpt
vzdquota 58864 5 [permanent]
vzmon 58520 9 vzethdev,vznetdev,vzrst,vzcpt
vzdev 13064 6 vzethdev,vznetdev,vzdquota,vzmon
ipt_REDIRECT 11008 0
nf_nat_irc 11648 0
nf_conntrack_irc 16544 1 nf_nat_irc
nf_nat_ftp 12544 0
iptable_nat 19716 2
nf_nat 31376 4 ipt_REDIRECT,nf_nat_irc,nf_nat_ftp,iptable_nat
xt_helper 11648 0
xt_state 11392 26
nf_conntrack_ftp 19240 1 nf_nat_ftp
nf_conntrack_ipv4 36880 30 iptable_nat
nf_conntrack 101600 9 nf_nat_irc,nf_conntrack_irc,nf_nat_ftp,iptable_nat,nf_nat,xt_helper,xt_state,nf_conntrack_ftp,nf_conntrack_ipv4
xt_length 10752 0
ipt_LOG 15872 0
ipt_ttl 10752 0
xt_tcpmss 11264 0
ipt_TOS 11136 0
ipt_tos 10496 0
xt_multiport 12288 12
xt_limit 12032 0
iptable_mangle 13824 5
iptable_filter 13696 7
ip_tables 33256 3 iptable_nat,iptable_mangle,iptable_filter
ipv6 342016 81 vzrst,vzcpt,vzmon
bridge 73128 0
raid1 34944 1
md_mod 96924 2 raid1
dm_snapshot 28256 0
dm_mirror 34432 0
xt_tcpudp 12288 37
x_tables 33672 16 ipt_REJECT,ipt_owner,ipt_REDIRECT,iptable_nat,xt_helper,xt_state,xt_length,ipt_LOG,ipt_ttl,xt_tcpmss,ipt_TOS,ipt_tos,xt_multiport,xt_limit,ip_tables,xt_tcpudp
eeprom 17296 0
lm85 43684 0
hwmon_vid 12416 1 lm85
thermal 27168 0
e1000 176068 0
psmouse 53788 0
button 18336 0
ipmi_msghandler 51704 0
processor 49768 1 thermal
e1000e 139948 0
serio_raw 16516 0
evdev 22912 0
pcspkr 12288 0
sg 49432 0
floppy 76904 0
scsi_wait_scan 10112 0
dm_mod 79736 9 dm_snapshot,dm_mirror
usbhid 43616 0
hid 52544 1 usbhid
usb_storage 90304 0
libusual 31072 1 usb_storage
sd_mod 40448 7
sr_mod 27684 0
ide_disk 26496 0
ide_generic 9856 0 [permanent]
ide_cd 43040 0
cdrom 48936 2 sr_mod,ide_cd
ide_core 144152 3 ide_disk,ide_generic,ide_cd
uhci_hcd 37408 0
ehci_hcd 48908 0
usbcore 178608 6 usbhid,usb_storage,libusual,uhci_hcd,ehci_hcd
iTCO_wdt 22992 0
iTCO_vendor_support 13188 1 iTCO_wdt
ata_piix 31492 4
pata_acpi 17152 0
ata_generic 17412 0
libata 184496 3 ata_piix,pata_acpi,ata_generic
scsi_mod 187192 6 sg,scsi_wait_scan,usb_storage,sd_mod,sr_mod,libata
i2c_i801 19740 0
i2c_core 36352 3 eeprom,lm85,i2c_i801
shpchp 45596 0
pci_hotplug 43312 1 shpchp
isofs 47144 0
msdos 19712 0
fat 67760 1 msdos
and
:~# cat /etc/vz/vz.conf |grep IPTABLES
IPTABLES="iptable_filter iptable_mangle ipt_limit ipt_multiport ipt_tos ipt_TOS ipt_REJECT ipt_TCPMSS ipt_tcpmss ipt_ttl ipt_LOG ipt_length ip_conntrack ip_conntrack_ftp ip_conntrack_irc ipt_conntrack ipt_state ipt_helper iptable_nat ip_nat_ftp ip_nat_irc ipt_REDIRECT ipt_owner"
The iptables rules are the same as the ones used on the other (non-VPS) servers; the only change is that the interface is venet0 instead of eth0. Accordingly, on the other servers everything works.
ve3 [/]# iptables -L
Chain INPUT (policy DROP)
target prot opt source destination
DROP icmp -- anywhere anywhere state INVALID
ACCEPT all -- anywhere anywhere state RELATED,ESTABLISHED
ACCEPT tcp -- anywhere anywhere state NEW multiport dports ftp-data,ftp,smtp,http,pop3,imap,https,smtps,imaps,pop3s
ACCEPT tcp -- anywhere anywhere state NEW multiport dports trellisagt,trellissvr,infowave,radsec,nbx-ser,nbx-dir
ACCEPT icmp -- anywhere anywhere icmp ttl-zero-during-reassembly state NEW
ACCEPT icmp -- anywhere anywhere icmp ttl-zero-during-transit state NEW
ACCEPT icmp -- anywhere anywhere icmp type 0 code 0 state NEW
ACCEPT icmp -- anywhere anywhere icmp type 8 code 0 state NEW
ACCEPT icmp -- anywhere anywhere icmp destination-unreachable state NEW
Chain FORWARD (policy DROP)
target prot opt source destination
Chain OUTPUT (policy DROP)
target prot opt source destination
ACCEPT all -- anywhere anywhere
DROP icmp -- anywhere anywhere state INVALID
ACCEPT all -- anywhere anywhere state RELATED,ESTABLISHED
ACCEPT udp -- anywhere anywhere state NEW multiport dports ntp
ACCEPT udp -- anywhere anywhere state NEW multiport dports domain
ACCEPT tcp -- anywhere anywhere state NEW multiport dports nicname,http,https,submission,rsync
ACCEPT tcp -- anywhere anywhere state NEW multiport dports ftp,ssh,eli,sep OWNER UID match root
Where should I dig?
[Updated on: Tue, 17 March 2009 18:02]
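Before digging into the rules, the first thing to verify in a setup like the one above is that every module named in the IPTABLES= line of vz.conf actually corresponds to a module loaded on the hardware node. The vz.conf line above uses the pre-2.6.20 netfilter names (ip_conntrack_ftp, ipt_state, ipt_helper, ...), while the HN's lsmod shows the renamed nf_*/xt_* modules (nf_conntrack_ftp, xt_state, xt_helper, ...). The following Python script is an added example, not code from the thread or from OpenVZ: it cross-checks the two listings and reports names that are loaded directly, loaded only under their newer name, or not loaded at all. The rename table is an assumption on my part taken from the nf_conntrack/x_tables rework; whether a given vzctl version maps the old names itself is version dependent, so a flagged name is something to verify on the node, not a proven cause.

```python
"""Cross-check the IPTABLES= list from /etc/vz/vz.conf against lsmod on the HN.
Added example; VZ_CONF and LSMOD below are copied from this thread (LSMOD
trimmed to the netfilter lines)."""

# Old ip_*/ipt_* module names and what they became after the netfilter
# rework (assumed mapping; verify against the kernel actually in use).
RENAMED = {
    "ip_conntrack": "nf_conntrack",
    "ip_conntrack_ftp": "nf_conntrack_ftp",
    "ip_conntrack_irc": "nf_conntrack_irc",
    "ip_nat_ftp": "nf_nat_ftp",
    "ip_nat_irc": "nf_nat_irc",
    "ipt_conntrack": "xt_conntrack",
    "ipt_helper": "xt_helper",
    "ipt_length": "xt_length",
    "ipt_limit": "xt_limit",
    "ipt_multiport": "xt_multiport",
    "ipt_state": "xt_state",
    "ipt_tcpmss": "xt_tcpmss",
    "ipt_TCPMSS": "xt_TCPMSS",
}

VZ_CONF = (
    'IPTABLES="iptable_filter iptable_mangle ipt_limit ipt_multiport ipt_tos '
    'ipt_TOS ipt_REJECT ipt_TCPMSS ipt_tcpmss ipt_ttl ipt_LOG ipt_length '
    'ip_conntrack ip_conntrack_ftp ip_conntrack_irc ipt_conntrack ipt_state '
    'ipt_helper iptable_nat ip_nat_ftp ip_nat_irc ipt_REDIRECT ipt_owner"\n'
)

LSMOD = """Module Size Used by
ipt_REJECT 13952 1
ipt_owner 10880 3
ipt_REDIRECT 11008 0
nf_nat_irc 11648 0
nf_conntrack_irc 16544 1 nf_nat_irc
nf_nat_ftp 12544 0
iptable_nat 19716 2
nf_nat 31376 4 ipt_REDIRECT,nf_nat_irc,nf_nat_ftp,iptable_nat
xt_helper 11648 0
xt_state 11392 26
nf_conntrack_ftp 19240 1 nf_nat_ftp
nf_conntrack_ipv4 36880 30 iptable_nat
nf_conntrack 101600 9 nf_nat_irc,nf_conntrack_irc,nf_nat_ftp,iptable_nat,nf_nat,xt_helper,xt_state,nf_conntrack_ftp,nf_conntrack_ipv4
xt_length 10752 0
ipt_LOG 15872 0
ipt_ttl 10752 0
xt_tcpmss 11264 0
ipt_TOS 11136 0
ipt_tos 10496 0
xt_multiport 12288 12
xt_limit 12032 0
iptable_mangle 13824 5
iptable_filter 13696 7
ip_tables 33256 3 iptable_nat,iptable_mangle,iptable_filter
xt_tcpudp 12288 37
x_tables 33672 16 ipt_REJECT,ipt_owner,ipt_REDIRECT,iptable_nat
"""


def parse_iptables_line(vz_conf_text):
    """Module names from the IPTABLES="..." line of vz.conf (order kept)."""
    for line in vz_conf_text.splitlines():
        line = line.strip()
        if line.startswith("IPTABLES="):
            return line[len("IPTABLES="):].strip().strip('"').split()
    return []


def parse_lsmod(lsmod_text):
    """Set of module names from lsmod output (first column, header skipped)."""
    names = set()
    for line in lsmod_text.splitlines():
        parts = line.split()
        if parts and parts[0] != "Module":
            names.add(parts[0])
    return names


def check_modules(vz_conf_text, lsmod_text):
    """Classify every name in IPTABLES= as loaded, loaded under its newer
    name, or missing from the hardware node."""
    loaded = parse_lsmod(lsmod_text)
    report = {"loaded": [], "loaded_under_new_name": {}, "missing": []}
    for name in parse_iptables_line(vz_conf_text):
        if name in loaded:
            report["loaded"].append(name)
        elif RENAMED.get(name) in loaded:
            report["loaded_under_new_name"][name] = RENAMED[name]
        else:
            report["missing"].append(name)
    return report


if __name__ == "__main__":
    result = check_modules(VZ_CONF, LSMOD)
    for key, value in result.items():
        print(f"{key}: {value}")
```

With the thread's own data the script reports ipt_TCPMSS and ipt_conntrack as not loaded under either name, and ip_conntrack_ftp, ip_nat_ftp, ipt_state and ipt_helper as present only under their nf_*/xt_* names. On a live node replace the two constants with the real file and `lsmod` output; inside the VE, `iptables -m state -h` and `iptables -m helper -h` are the quick way to see whether the matches themselves are usable there.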
Re: Conntrack ftp [message #35350 is a reply to message #35347]
Wed, 18 March 2009 16:59
maratrus
Messages: 1495 Registered: August 2007 Location: Moscow
Senior Member
I reproduced your situation (just in case, here is the command output)
# iptables -L
Chain INPUT (policy DROP)
target prot opt source destination
DROP icmp -- anywhere anywhere state INVALID
ACCEPT all -- anywhere anywhere state RELATED,ESTABLISHED
ACCEPT tcp -- anywhere anywhere state NEW multiport dports ftp-data,ftp,smtp,http,pop3,imap,https,smtps,imaps,pop3s
ACCEPT tcp -- anywhere anywhere state NEW multiport dports trellisagt,trellissvr,infowave,radsec,nbx-ser,nbx-dir
ACCEPT icmp -- anywhere anywhere icmp ttl-zero-during-reassembly state NEW
ACCEPT icmp -- anywhere anywhere icmp ttl-zero-during-transit state NEW
ACCEPT icmp -- anywhere anywhere icmp type 0 code 0 state NEW
ACCEPT icmp -- anywhere anywhere icmp type 8 code 0 state NEW
ACCEPT icmp -- anywhere anywhere icmp destination-unreachable state NEW
Chain FORWARD (policy DROP)
target prot opt source destination
Chain OUTPUT (policy DROP)
target prot opt source destination
ACCEPT all -- anywhere anywhere
DROP icmp -- anywhere anywhere state INVALID
ACCEPT all -- anywhere anywhere state RELATED,ESTABLISHED
ACCEPT udp -- anywhere anywhere state NEW multiport dports ntp
udp -- anywhere anywhere state NEW multiport dports domain
ACCEPT tcp -- anywhere anywhere state NEW multiport dports nicname,http,https,submission,rsync
ACCEPT tcp -- anywhere anywhere state NEW multiport dports ftp,ssh,eli,sep OWNER UID match root
# uname -r
2.6.24-ovz008.1
Are you sure it really is passive mode that does not work?
I have a similar situation, but it is active mode that does not work (which is understandable: with your rules you drop all incoming tcp connections in state NEW, well, not all, but almost all)
Look here:
Quote:
# ftp SERVER
Connected to SERVER (*.*.*.*).
220 (vsFTPd 2.0.3)
Name (SERVER:root): anonymous
331 Please specify the password.
Password:
230 Login successful.
Remote system type is UNIX.
Using binary mode to transfer files.
ftp> ls
227 Entering Passive Mode (*,*,*,*,113,109)
150 Here comes the directory listing.
drwx--x--- 2 ftp ftp 4096 Nov 11 2005 dir1
drwxrwxrwx 22 ftp ftp 4096 Mar 12 14:24 dir2
drwx------ 3 ftp ftp 4096 Mar 28 2006 dir3
drwxr-xr-x 10 ftp ftp 4096 Jan 12 2007 dir4
226 Directory send OK.
Quote:
# ftp SERVER
Connected to SERVER (*.*.*.*).
220 (vsFTPd 2.0.3)
Name (SERVER:root): anonymous
331 Please specify the password.
Password:
230 Login successful.
Remote system type is UNIX.
Using binary mode to transfer files.
ftp> passive
Passive mode off.
ftp> ls
200 PORT command successful. Consider using PASV.
here we hang
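To see why the posted rules treat the two modes differently, here is a small Python model of what nf_conntrack_ftp does with the control channel and how the INPUT chain posted above then handles the data SYN. It is an added example, not code from the thread or from OpenVZ; the addresses are constructed and only the first multiport rule of INPUT is modelled. The PASV reply in the session above announces port 113*256+109 = 29037: with the helper tracking the control channel, the client's SYN to that port is RELATED and passes the second rule; without the helper the same SYN is NEW to a port that is in no multiport list and falls through to the policy DROP. The helper_records function stands in for the helper's loose parameter (off by default), which is what stops a PASV or PORT line from making a connection to some third host RELATED.

```python
"""Model of the FTP conntrack helper and of the INPUT chain posted in this
thread.  Added example with constructed addresses; not code from the thread."""
import re
from dataclasses import dataclass

# NEW tcp destination ports the posted INPUT chain accepts (first multiport
# rule, names resolved as in /etc/services: ftp-data ftp smtp http pop3 imap
# https smtps imaps pop3s).  The second multiport rule is left out.
INPUT_NEW_TCP_PORTS = {20, 21, 25, 80, 110, 143, 443, 465, 993, 995}

PASV_RE = re.compile(r"^227 .*?\((\d+),(\d+),(\d+),(\d+),(\d+),(\d+)\)")
PORT_RE = re.compile(r"^PORT (\d+),(\d+),(\d+),(\d+),(\d+),(\d+)")


@dataclass(frozen=True)
class Expect:
    """Data connection the helper expects: src opens it, dst listens on dport."""
    src: str
    dst: str
    dport: int


def _addr_port(m):
    addr = ".".join(m.group(i) for i in range(1, 5))
    return addr, int(m.group(5)) * 256 + int(m.group(6))


def parse_control(line, client_ip, server_ip):
    """Mimic nf_conntrack_ftp's parse of the control channel.  Returns
    (announcer_ip, Expect) for a PASV reply or PORT command, else None."""
    m = PASV_RE.match(line)
    if m:                       # server announces; client will connect to it
        addr, port = _addr_port(m)
        return server_ip, Expect(client_ip, addr, port)
    m = PORT_RE.match(line)
    if m:                       # client announces; server connects from port 20
        addr, port = _addr_port(m)
        return client_ip, Expect(server_ip, addr, port)
    return None


def helper_records(announcer_ip, exp, loose=False):
    """With the default loose=0 the helper only records an expectation whose
    announced address is the announcer's own, so a control channel cannot
    make a connection to some third host RELATED."""
    return loose or exp.dst == announcer_ip


def ctstate_of_data_syn(exp, expectations):
    """The data SYN is RELATED only if a matching expectation exists."""
    return "RELATED" if exp in expectations else "NEW"


def input_chain(proto, dport, ctstate):
    """Walk the posted INPUT chain (policy DROP) for one packet."""
    if proto == "icmp" and ctstate == "INVALID":
        return "DROP"
    if ctstate in ("RELATED", "ESTABLISHED"):
        return "ACCEPT"
    if proto == "tcp" and ctstate == "NEW" and dport in INPUT_NEW_TCP_PORTS:
        return "ACCEPT"
    return "DROP"


def data_connection_verdict(control_line, client_ip, server_ip,
                            helper_loaded, loose=False):
    """What the host receiving the data SYN does with it:
    returns (data port, ctstate, INPUT verdict)."""
    parsed = parse_control(control_line, client_ip, server_ip)
    if parsed is None:
        raise ValueError("not a PASV reply or PORT command")
    announcer, exp = parsed
    expectations = set()
    if helper_loaded and helper_records(announcer, exp, loose):
        expectations.add(exp)
    state = ctstate_of_data_syn(exp, expectations)
    return exp.dport, state, input_chain("tcp", exp.dport, state)


if __name__ == "__main__":
    client, server = "10.0.0.1", "10.0.0.2"                  # constructed
    pasv = "227 Entering Passive Mode (10,0,0,2,113,109)"   # 113*256+109 = 29037
    port = "PORT 10,0,0,1,200,10"                            # 200*256+10 = 51210
    for label, line, helper in [("passive, helper", pasv, True),
                                ("passive, no helper", pasv, False),
                                ("active, helper", port, True),
                                ("active, no helper", port, False)]:
        print(label, data_connection_verdict(line, client, server, helper))
    # PASV naming a third host: only loose=1 would make that SYN RELATED.
    bogus = "227 Entering Passive Mode (192,168,1,1,17,92)"   # port 4444
    print("bogus PASV, loose=0", data_connection_verdict(bogus, client, server, True))
    print("bogus PASV, loose=1", data_connection_verdict(bogus, client, server, True, loose=True))
```

Two things the model makes visible about the posted rules. The ftp-data entry in the INPUT multiport list does nothing for active mode, because the server opens that connection itself from source port 20 and the peer's SYN-ACK is already ESTABLISHED; only the helper can make the inbound side of either mode RELATED. And `iptables -L` hides interfaces and resolves port numbers to names (hence trellisagt, nbx-dir and the like), so the first OUTPUT rule shown as `ACCEPT all` may be restricted to lo or may really match everything; `iptables -L -v -n` shows which, and is the listing to post when comparing rule sets.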