OpenVZ Forum
Conntrack ftp [message #35325] Tue, 17 March 2009 18:00
xido:

Passive mode does not work; it feels like the ip_conntrack_ftp module is not working inside the VE.

On the HN:

~# lsmod
Module                  Size  Used by
ipt_REJECT             13952  1 
ipt_owner              10880  3 
kvm_intel              57960  0 
kvm                   191752  1 kvm_intel
vzethdev               23808  0 
vznetdev               32776  10 
simfs                  14320  5 
vzrst                 155688  0 
vzcpt                 129976  0 
tun                    23168  2 vzrst,vzcpt
vzdquota               58864  5 [permanent]
vzmon                  58520  9 vzethdev,vznetdev,vzrst,vzcpt
vzdev                  13064  6 vzethdev,vznetdev,vzdquota,vzmon
ipt_REDIRECT           11008  0 
nf_nat_irc             11648  0 
nf_conntrack_irc       16544  1 nf_nat_irc
nf_nat_ftp             12544  0 
iptable_nat            19716  2 
nf_nat                 31376  4 ipt_REDIRECT,nf_nat_irc,nf_nat_ftp,iptable_nat
xt_helper              11648  0 
xt_state               11392  26 
nf_conntrack_ftp       19240  1 nf_nat_ftp
nf_conntrack_ipv4      36880  30 iptable_nat
nf_conntrack          101600  9 nf_nat_irc,nf_conntrack_irc,nf_nat_ftp,iptable_nat,nf_nat,xt_helper,xt_state,nf_conntrack_ftp,nf_conntrack_ipv4
xt_length              10752  0 
ipt_LOG                15872  0 
ipt_ttl                10752  0 
xt_tcpmss              11264  0 
ipt_TOS                11136  0 
ipt_tos                10496  0 
xt_multiport           12288  12 
xt_limit               12032  0 
iptable_mangle         13824  5 
iptable_filter         13696  7 
ip_tables              33256  3 iptable_nat,iptable_mangle,iptable_filter
ipv6                  342016  81 vzrst,vzcpt,vzmon
bridge                 73128  0 
raid1                  34944  1 
md_mod                 96924  2 raid1
dm_snapshot            28256  0 
dm_mirror              34432  0 
xt_tcpudp              12288  37 
x_tables               33672  16 ipt_REJECT,ipt_owner,ipt_REDIRECT,iptable_nat,xt_helper,xt_state,xt_length,ipt_LOG,ipt_ttl,xt_tcpmss,ipt_TOS,ipt_tos,xt_multiport,xt_limit,ip_tables,xt_tcpudp
eeprom                 17296  0 
lm85                   43684  0 
hwmon_vid              12416  1 lm85
thermal                27168  0 
e1000                 176068  0 
psmouse                53788  0 
button                 18336  0 
ipmi_msghandler        51704  0 
processor              49768  1 thermal
e1000e                139948  0 
serio_raw              16516  0 
evdev                  22912  0 
pcspkr                 12288  0 
sg                     49432  0 
floppy                 76904  0 
scsi_wait_scan         10112  0 
dm_mod                 79736  9 dm_snapshot,dm_mirror
usbhid                 43616  0 
hid                    52544  1 usbhid
usb_storage            90304  0 
libusual               31072  1 usb_storage
sd_mod                 40448  7 
sr_mod                 27684  0 
ide_disk               26496  0 
ide_generic             9856  0 [permanent]
ide_cd                 43040  0 
cdrom                  48936  2 sr_mod,ide_cd
ide_core              144152  3 ide_disk,ide_generic,ide_cd
uhci_hcd               37408  0 
ehci_hcd               48908  0 
usbcore               178608  6 usbhid,usb_storage,libusual,uhci_hcd,ehci_hcd
iTCO_wdt               22992  0 
iTCO_vendor_support    13188  1 iTCO_wdt
ata_piix               31492  4 
pata_acpi              17152  0 
ata_generic            17412  0 
libata                184496  3 ata_piix,pata_acpi,ata_generic
scsi_mod              187192  6 sg,scsi_wait_scan,usb_storage,sd_mod,sr_mod,libata
i2c_i801               19740  0 
i2c_core               36352  3 eeprom,lm85,i2c_i801
shpchp                 45596  0 
pci_hotplug            43312  1 shpchp
isofs                  47144  0 
msdos                  19712  0 
fat                    67760  1 msdos

and
:~# cat /etc/vz/vz.conf |grep IPTABLES

IPTABLES="iptable_filter iptable_mangle ipt_limit ipt_multiport ipt_tos ipt_TOS ipt_REJECT ipt_TCPMSS ipt_tcpmss ipt_ttl ipt_LOG ipt_length ip_conntrack ip_conntrack_ftp ip_conntrack_irc ipt_conntrack ipt_state ipt_helper iptable_nat ip_nat_ftp ip_nat_irc ipt_REDIRECT ipt_owner"
The iptables rules are the same as those used on the other (non-VPS) servers; the only difference is that the interface is venet0 instead of eth0. Accordingly, on the other servers everything works.

ve3 [/]# iptables -L
Chain INPUT (policy DROP)
target     prot opt source               destination  
DROP       icmp --  anywhere             anywhere            state INVALID 
ACCEPT     all  --  anywhere             anywhere            state RELATED,ESTABLISHED 
ACCEPT     tcp  --  anywhere             anywhere            state NEW multiport dports ftp-data,ftp,smtp,http,pop3,imap,https,smtps,imaps,pop3s 
ACCEPT     tcp  --  anywhere             anywhere            state NEW multiport dports trellisagt,trellissvr,infowave,radsec,nbx-ser,nbx-dir 
ACCEPT     icmp --  anywhere             anywhere            icmp ttl-zero-during-reassembly state NEW 
ACCEPT     icmp --  anywhere             anywhere            icmp ttl-zero-during-transit state NEW 
ACCEPT     icmp --  anywhere             anywhere            icmp type 0 code 0 state NEW 
ACCEPT     icmp --  anywhere             anywhere            icmp type 8 code 0 state NEW 
ACCEPT     icmp --  anywhere             anywhere            icmp destination-unreachable state NEW 

Chain FORWARD (policy DROP)
target     prot opt source               destination         

Chain OUTPUT (policy DROP)
target     prot opt source               destination         
ACCEPT     all  --  anywhere             anywhere            
DROP       icmp --  anywhere             anywhere            state INVALID 
ACCEPT     all  --  anywhere             anywhere            state RELATED,ESTABLISHED 
ACCEPT     udp  --  anywhere             anywhere            state NEW multiport dports ntp 
ACCEPT     udp  --  anywhere             anywhere            state NEW multiport dports domain 
ACCEPT     tcp  --  anywhere             anywhere            state NEW multiport dports nicname,http,https,submission,rsync 
ACCEPT     tcp  --  anywhere             anywhere            state NEW multiport dports ftp,ssh,eli,sep OWNER UID match root 

Where should I look?


Re: Conntrack ftp [message #35335 is a reply to message #35325] Wed, 18 March 2009 09:56
maratrus:
Hello,

you do not have ip_conntrack_ftp loaded on the HN.

Re: Conntrack ftp [message #35340 is a reply to message #35335] Wed, 18 March 2009 12:25
xido:
After modprobe ip_conntrack_ftp,
nf_conntrack_ftp appears in the module list, which was not there before.

So it is loaded after all.

Re: Conntrack ftp [message #35341 is a reply to message #35340] Wed, 18 March 2009 12:30
maratrus:
Which kernel?

Re: Conntrack ftp [message #35342 is a reply to message #35341] Wed, 18 March 2009 12:33
xido:
Linux vps1 2.6.24-2-pve #1 SMP PREEMPT Wed Jan 14 11:32:49 CET 2009 x86_64 GNU/Linux

Re: Conntrack ftp [message #35343 is a reply to message #35341] Wed, 18 March 2009 12:34
maratrus:
And please also give a testcase: what was expected, and what actually happened.

Re: Conntrack ftp [message #35347 is a reply to message #35343] Wed, 18 March 2009 13:50
xido:
All FTP clients "hang" after entering PASV, waiting for the reply to the LIST command.

Tested on 2 different machines in different cities, from Windows and Linux.

Re: Conntrack ftp [message #35350 is a reply to message #35347] Wed, 18 March 2009 16:59
maratrus:
I reproduced your situation (just in case, here is the command output)
# iptables -L
Chain INPUT (policy DROP)
target     prot opt source               destination
DROP       icmp --  anywhere             anywhere            state INVALID
ACCEPT     all  --  anywhere             anywhere            state RELATED,ESTABLISHED
ACCEPT     tcp  --  anywhere             anywhere            state NEW multiport dports ftp-data,ftp,smtp,http,pop3,imap,https,smtps,imaps,pop3s
ACCEPT     tcp  --  anywhere             anywhere            state NEW multiport dports trellisagt,trellissvr,infowave,radsec,nbx-ser,nbx-dir
ACCEPT     icmp --  anywhere             anywhere            icmp ttl-zero-during-reassembly state NEW
ACCEPT     icmp --  anywhere             anywhere            icmp ttl-zero-during-transit state NEW
ACCEPT     icmp --  anywhere             anywhere            icmp type 0 code 0 state NEW
ACCEPT     icmp --  anywhere             anywhere            icmp type 8 code 0 state NEW
ACCEPT     icmp --  anywhere             anywhere            icmp destination-unreachable state NEW

Chain FORWARD (policy DROP)
target     prot opt source               destination

Chain OUTPUT (policy DROP)
target     prot opt source               destination
ACCEPT     all  --  anywhere             anywhere
DROP       icmp --  anywhere             anywhere            state INVALID
ACCEPT     all  --  anywhere             anywhere            state RELATED,ESTABLISHED
ACCEPT     udp  --  anywhere             anywhere            state NEW multiport dports ntp
ACCEPT     udp  --  anywhere             anywhere            state NEW multiport dports domain
ACCEPT     tcp  --  anywhere             anywhere            state NEW multiport dports nicname,http,https,submission,rsync
ACCEPT     tcp  --  anywhere             anywhere            state NEW multiport dports ftp,ssh,eli,sep OWNER UID match root
# uname -r
2.6.24-ovz008.1


Are you sure you are not mixing things up, and it really is passive mode that does not work for you?
I have a similar situation, but it is active mode that does not work (which is understandable: by your rules you drop all incoming TCP connections with state NEW, well, not all, but almost all)

Look here:
Quote:

# ftp SERVER
Connected to SERVER (*.*.*.*).
220 (vsFTPd 2.0.3)
Name (SERVER:root): anonymous
331 Please specify the password.
Password:
230 Login successful.
Remote system type is UNIX.
Using binary mode to transfer files.
ftp> ls
227 Entering Passive Mode (*,*,*,*,113,109)
150 Here comes the directory listing.
drwx--x--- 2 ftp ftp 4096 Nov 11 2005 dir1
drwxrwxrwx 22 ftp ftp 4096 Mar 12 14:24 dir2
drwx------ 3 ftp ftp 4096 Mar 28 2006 dir3
drwxr-xr-x 10 ftp ftp 4096 Jan 12 2007 dir4
226 Directory send OK.

Quote:

# ftp SERVER
Connected to SERVER (*.*.*.*).
220 (vsFTPd 2.0.3)
Name (SERVER:root): anonymous
331 Please specify the password.
Password:
230 Login successful.
Remote system type is UNIX.
Using binary mode to transfer files.
ftp> passive
Passive mode off.
ftp> ls
200 PORT command successful. Consider using PASV.
this is where it hangs
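As an added example (not code from the thread), here is a small model of the two chains quoted above that shows why both FTP data connections depend on the conntrack helper: passive mode needs INPUT to accept the client's connection to the announced high port, active mode needs OUTPUT to accept the server's connection from ftp-data to the client's port, and with these rules neither is allowed as NEW, only as RELATED. It assumes the unqualified ACCEPT at the top of OUTPUT is interface-restricted (typically lo; `iptables -L` without `-v` hides that match), and resolves only the service names with well-known ports.

```python
import re

# Service names used in the page's rules -> well-known ports (standard /etc/services
# values). Names left out (eli, sep, ...) never match an ephemeral data port anyway.
SERVICES = {"ftp-data": 20, "ftp": 21, "ssh": 22, "smtp": 25, "http": 80,
            "pop3": 110, "imap": 143, "https": 443, "smtps": 465,
            "imaps": 993, "pop3s": 995}


def parse_ports(names):
    """Turn a 'multiport dports' list into a set of port numbers."""
    return {SERVICES[n] for n in names.split(",") if n in SERVICES}


# The chains from the thread, reduced to what matters for TCP data connections.
# Each rule is (target, comma-separated states, dport set or None for any port).
# Both chains have policy DROP. Assumption: the leading 'ACCEPT all' in OUTPUT is
# limited to the loopback interface and is therefore not modelled here.
INPUT = [("ACCEPT", "RELATED,ESTABLISHED", None),
         ("ACCEPT", "NEW", parse_ports(
             "ftp-data,ftp,smtp,http,pop3,imap,https,smtps,imaps,pop3s"))]
OUTPUT = [("ACCEPT", "RELATED,ESTABLISHED", None),
          ("ACCEPT", "NEW", parse_ports("ftp,ssh,eli,sep"))]


def verdict(chain, state, dport):
    """First matching rule wins; no match falls through to the chain policy (DROP)."""
    for target, states, dports in chain:
        if state in states.split(",") and (dports is None or dport in dports):
            return target
    return "DROP"


def passive_port(reply_227):
    """Data port announced by '227 Entering Passive Mode (h1,h2,h3,h4,p1,p2)'."""
    inside = re.search(r"\(([^)]*)\)", reply_227).group(1)
    p1, p2 = (int(x) for x in inside.split(",")[-2:])
    return p1 * 256 + p2


def data_connection(mode, helper_loaded, client_port=54321, reply_227=None):
    """Passive: client -> server:announced port (INPUT chain on the server).
    Active: server:20 -> client:port (OUTPUT chain on the server).
    Without the helper the data connection is a fresh NEW flow; with it,
    conntrack links it to the control connection and it is RELATED."""
    state = "RELATED" if helper_loaded else "NEW"
    if mode == "passive":
        return verdict(INPUT, state, passive_port(reply_227))
    return verdict(OUTPUT, state, client_port)


if __name__ == "__main__":
    reply = "227 Entering Passive Mode (*,*,*,*,113,109)"  # masked reply from the thread
    for mode in ("passive", "active"):
        for helper in (False, True):
            print(mode, "helper" if helper else "no helper",
                  data_connection(mode, helper, reply_227=reply))
```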
