OpenVZ Forum: Support » IP Conntrack FTP in VE

Home » General » Support » IP Conntrack FTP in VE (Debian Lenny)

Show: Today's Messages :: Show Polls :: Message Navigator
E-mail to friend

Re: IP Conntrack FTP in VE [message #39166 is a reply to message #37609]

Sun, 21 March 2010 11:50

ilass
Messages: 3
Registered: March 2010
Location: Ukraine, Kiev

Junior Member

Confirm.

Using kernel-PAE-2.6.27-kiprensky.1.i686.rpm from official page,
using my distro supplied kernel, my own build using patch-kiprensky.1-combined.gz, i get same result as described. I also tried this on different HW (all x86 platform).

Some info about my system(s)/configs:

Hardware node

# uname -m
i686

# uname -r
2.6.27-kiprensky.1-PAE

# lsmod |egrep '(conn|state)'
xt_state                5896  4 
nf_conntrack_ipv4      14104  8 iptable_nat,nf_nat
x_tables               15756  8 ipt_ttl,ipt_REJECT,xt_tcpudp,xt_state,xt_hashlimit,iptable_nat,ip_tables,xt_multiport
nf_conntrack_ftp       11060  0
nf_conntrack           60820  5 xt_state,iptable_nat,nf_nat,nf_conntrack_ipv4,nf_conntrack_ftp

# egrep 'IPTABLES' /etc/vz/conf/1003.conf 
IPTABLES="ip_tables iptable_filter iptable_nat iptable_mangle ip_conntrack ip_conntrack_ftp ipt_state ipt_multiport ipt_helper"

On hardware node no iptables rules configured in FORWARD chain and tables 'raw', 'mangle', 'nat'.
Please look at module refcount: it 0, but VE started. On 2.6.18 (production) everything is ok and refcount ~ 18. Is this normal?

VE

iptables -A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
iptables -A INPUT -p tcp -m multiport --dports 21,80,873 -m tcp --tcp-flags FIN,SYN,RST,ACK SYN -j ACCEPT
iptables -A INPUT -i lo -j ACCEPT
iptables -A INPUT -p icmp -m icmp --icmp-type 8 -m hashlimit 
--hashlimit-upto 30/sec --hashlimit-mode dstip --hashlimit-name echo_request -j ACCEPT

iptables -A OUTPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
iptables -A OUTPUT -o lo -j ACCEPT
iptables -A OUTPUT -p udp -m udp --sport 1024:65535 --dport 53 
-j ACCEPT

# cat /proc/net/ip_tables_matches 
ttl
udplite
udp
tcp
state
hashlimit
hashlimit
icmp
multiport
multiport

# cat /proc/net/ip_tables_names 
mangle
filter

Using same rules on HN i get with working ftp in passive/active (production rules mostly identical), also using

# iptables -A FORWARD -m helper --helper ftp -j ACCEPT

on HN, and then connecting to ftp, i see packet count increment for this rule: so nf_conntrack_ftp matches packets. Tcpdump on venet0 also confirms this.
I also try to establish connection from VE to ftp and get same result. Modes tried: passive, active.

Report message to a moderator

[Message index]

		IP Conntrack FTP in VE By: ulver on Wed, 30 September 2009 15:49
		Re: IP Conntrack FTP in VE By: Erdbeergulasch on Tue, 16 March 2010 21:29
		Re: IP Conntrack FTP in VE By: curx on Wed, 17 March 2010 18:37
		Re: IP Conntrack FTP in VE By: Erdbeergulasch on Thu, 18 March 2010 00:44
		Re: IP Conntrack FTP in VE By: curx on Thu, 18 March 2010 08:19
		Re: IP Conntrack FTP in VE By: ilass on Sun, 21 March 2010 11:50
		Re: IP Conntrack FTP in VE By: ilass on Tue, 13 April 2010 11:38
		Re: IP Conntrack FTP in VE By: ichilton on Tue, 13 April 2010 11:45
		Re: IP Conntrack FTP in VE By: ilass on Tue, 13 April 2010 12:34
		Re: IP Conntrack FTP in VE By: ichilton on Fri, 09 April 2010 14:25

Previous Topic:	sniffing with tcpdump
Next Topic:	ip_conntrack_ftp Not Working in Container

Goto Forum:

-=] Back to Top [=-

[ Syndicate this forum (XML) ] [

] [

]

Current Time: Tue Sep 23 13:05:20 GMT 2025

Total time taken to generate the page: 0.06890 seconds