Re: ip_conntrack_ftp problem

On Fri 28/03/2003 at 13:17, Jozsef Kadlecsik wrote:
> On 28 Mar 2003, Cedric Blancher wrote:
> > A RELATED packet is similar to a NEW one, except that conntrack was
> > waiting for it.
> No, that's not true. Every packet handled by the helpers is RELATED.

I may be wrong, but that's not what my experience says:

root@xxxxxxx:~# iptables --version
iptables v1.2.7a
root@xxxxxxx:~# iptables -F INPUT
root@xxxxxxx:~# iptables -A INPUT -m helper --helper ftp -m state --state RELATED -j LOG --log-prefix 'RELATED_FTP '
root@xxxxxxx:~# iptables -A INPUT -m helper --helper ftp -m state --state ESTABLISHED -j LOG --log-prefix 'ESTABLISHED_FTP '
root@xxxxxxx:~# iptables -L INPUT
Chain INPUT (policy ACCEPT)
target     prot opt source               destination
LOG        all  --  anywhere             anywhere           helper match "ftp" state RELATED LOG level warning prefix `RELATED_FTP '
LOG        all  --  anywhere             anywhere           helper match "ftp" state ESTABLISHED LOG level warning prefix `ESTABLISHED_FTP '

Then I open an FTP connection, grabbing a file list via ls using active
FTP so I can see the RELATED ftp-data connection opening:

root@xxxxxxx:~# tail -f /var/log/messages
[...]
Mar 28 13:38:50 elendil kernel: RELATED_FTP IN=eth0 OUT= MAC=xx SRC=192.168.1.4 DST=192.168.1.3 LEN=60 TOS=0x00 PREC=0x00 TTL=64 ID=2955 DF PROTO=TCP SPT=20 DPT=34777 WINDOW=5840 RES=0x00 SYN URGP=0
Mar 28 13:38:50 elendil kernel: ESTABLISHED_FTP IN=eth0 OUT= MAC=xx SRC=192.168.1.4 DST=192.168.1.3 LEN=52 TOS=0x00 PREC=0x00 TTL=64 ID=2956 DF PROTO=TCP SPT=20 DPT=34777 WINDOW=5840 RES=0x00 ACK URGP=0
Mar 28 13:38:50 elendil kernel: ESTABLISHED_FTP IN=eth0 OUT= MAC=xx SRC=192.168.1.4 DST=192.168.1.3 LEN=116 TOS=0x00 PREC=0x00 TTL=64 ID=2957 DF PROTO=TCP SPT=20 DPT=34777 WINDOW=5840 RES=0x00 ACK PSH URGP=0
Mar 28 13:38:50 elendil kernel: ESTABLISHED_FTP IN=eth0 OUT= MAC=xx SRC=192.168.1.4 DST=192.168.1.3 LEN=1500 TOS=0x00 PREC=0x00 TTL=64 ID=2958 DF PROTO=TCP SPT=20 DPT=34777 WINDOW=5840 RES=0x00 ACK URGP=0
Mar 28 13:38:50 elendil kernel: ESTABLISHED_FTP IN=eth0 OUT= MAC=xx SRC=192.168.1.4 DST=192.168.1.3 LEN=569 TOS=0x00 PREC=0x00 TTL=64 ID=2959 DF PROTO=TCP SPT=20 DPT=34777 WINDOW=5840 RES=0x00 ACK PSH FIN URGP=0
Mar 28 13:38:50 elendil kernel: ESTABLISHED_FTP IN=eth0 OUT= MAC=xx SRC=192.168.1.4 DST=192.168.1.3 LEN=52 TOS=0x00 PREC=0x00 TTL=64 ID=2960 DF PROTO=TCP SPT=20 DPT=34777 WINDOW=5840 RES=0x00 ACK URGP=0
[...]

(stripped MAC stuff for convenience)

I can see a RELATED packet from server:20 to my station:34770 (first
line). The following packets (lines 2, 4, 5 and 6) for this connection are
ESTABLISHED. So the way I understand this behaviour is that a RELATED
packet is like a NEW one, but has an expectation on which it will be
matched.


I built iptables with POM from CVS.

-- 
Cédric Blancher  <blancher@xxxxxxxxxxxxxxxxxx>
IT systems and networks security - Cartel Sécurité
Phone : +33 (0)1 44 06 97 87 - Fax: +33 (0)1 44 06 97 99
PGP KeyID:157E98EE  FingerPrint:FA62226DA9E72FA8AECAA240008B480E157E98EE
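The LOG lines above can be checked mechanically rather than by eye. The following script is an added example and not part of the thread or of the netfilter project: it parses the kernel LOG output quoted in the mail (embedded here verbatim, with the MAC field already stripped as the author did), groups packets by 5-tuple, and reports the conntrack state each packet matched, as given by the `--log-prefix` of the rule that logged it. It then checks the claim made in the mail: only the first packet of the expected ftp-data flow (the one carrying SYN) matches RELATED, and every later packet of the same flow matches ESTABLISHED. The function names and the `RELATED_FTP`/`ESTABLISHED_FTP` prefix-to-state mapping are assumptions of this example, taken from the rules shown above.

```python
import re
from collections import OrderedDict

# The six kernel LOG lines quoted in the mail (MAC field stripped by the author).
SAMPLE_LOG = """\
Mar 28 13:38:50 elendil kernel: RELATED_FTP IN=eth0 OUT= MAC=xx SRC=192.168.1.4 DST=192.168.1.3 LEN=60 TOS=0x00 PREC=0x00 TTL=64 ID=2955 DF PROTO=TCP SPT=20 DPT=34777 WINDOW=5840 RES=0x00 SYN URGP=0
Mar 28 13:38:50 elendil kernel: ESTABLISHED_FTP IN=eth0 OUT= MAC=xx SRC=192.168.1.4 DST=192.168.1.3 LEN=52 TOS=0x00 PREC=0x00 TTL=64 ID=2956 DF PROTO=TCP SPT=20 DPT=34777 WINDOW=5840 RES=0x00 ACK URGP=0
Mar 28 13:38:50 elendil kernel: ESTABLISHED_FTP IN=eth0 OUT= MAC=xx SRC=192.168.1.4 DST=192.168.1.3 LEN=116 TOS=0x00 PREC=0x00 TTL=64 ID=2957 DF PROTO=TCP SPT=20 DPT=34777 WINDOW=5840 RES=0x00 ACK PSH URGP=0
Mar 28 13:38:50 elendil kernel: ESTABLISHED_FTP IN=eth0 OUT= MAC=xx SRC=192.168.1.4 DST=192.168.1.3 LEN=1500 TOS=0x00 PREC=0x00 TTL=64 ID=2958 DF PROTO=TCP SPT=20 DPT=34777 WINDOW=5840 RES=0x00 ACK URGP=0
Mar 28 13:38:50 elendil kernel: ESTABLISHED_FTP IN=eth0 OUT= MAC=xx SRC=192.168.1.4 DST=192.168.1.3 LEN=569 TOS=0x00 PREC=0x00 TTL=64 ID=2959 DF PROTO=TCP SPT=20 DPT=34777 WINDOW=5840 RES=0x00 ACK PSH FIN URGP=0
Mar 28 13:38:50 elendil kernel: ESTABLISHED_FTP IN=eth0 OUT= MAC=xx SRC=192.168.1.4 DST=192.168.1.3 LEN=52 TOS=0x00 PREC=0x00 TTL=64 ID=2960 DF PROTO=TCP SPT=20 DPT=34777 WINDOW=5840 RES=0x00 ACK URGP=0
"""

# Assumed mapping from the --log-prefix used in the rules above to the
# conntrack state that rule matched on.
PREFIX_TO_STATE = {"RELATED_FTP": "RELATED", "ESTABLISHED_FTP": "ESTABLISHED"}

# Everything after "kernel: " is the prefix followed by the LOG target's fields.
LINE_RE = re.compile(r"kernel: (?P<prefix>\S+) (?P<rest>.*)$")


def parse_log_line(line):
    """Split one LOG line into its prefix, key=value fields and bare flag tokens.

    Bare tokens (SYN, ACK, PSH, FIN, DF, ...) have no '=' and are collected as flags.
    Returns None for lines that are not LOG output (e.g. the '[...]' markers).
    """
    m = LINE_RE.search(line)
    if not m:
        return None
    fields, flags = {}, set()
    for tok in m.group("rest").split():
        if "=" in tok:
            key, value = tok.split("=", 1)   # 'OUT=' yields an empty value
            fields[key] = value
        else:
            flags.add(tok)
    return {"prefix": m.group("prefix"), "fields": fields, "flags": frozenset(flags)}


def flow_key(fields):
    """5-tuple identifying the flow a logged packet belongs to."""
    return (fields.get("PROTO"), fields.get("SRC"), fields.get("SPT"),
            fields.get("DST"), fields.get("DPT"))


def state_sequence(log_text):
    """Map each flow to the ordered list of (state, flags) its logged packets matched."""
    flows = OrderedDict()
    for line in log_text.splitlines():
        pkt = parse_log_line(line)
        if pkt is None:
            continue
        state = PREFIX_TO_STATE.get(pkt["prefix"], pkt["prefix"])
        flows.setdefault(flow_key(pkt["fields"]), []).append((state, pkt["flags"]))
    return flows


def check_related_then_established(seq):
    """Return a list of deviations from the behaviour described in the mail.

    Expected: the first logged packet of the flow is the SYN that consumed the
    helper's expectation and therefore matched RELATED; all later packets of the
    now-tracked connection match ESTABLISHED. An empty list means the flow conforms.
    """
    problems = []
    if not seq:
        return ["no packets logged for flow"]
    first_state, first_flags = seq[0]
    if first_state != "RELATED":
        problems.append("first packet matched %s, not RELATED" % first_state)
    if "SYN" not in first_flags:
        problems.append("first packet is not a SYN")
    for i, (state, _) in enumerate(seq[1:], start=2):
        if state != "ESTABLISHED":
            problems.append("packet %d matched %s, not ESTABLISHED" % (i, state))
    return problems


if __name__ == "__main__":
    for key, seq in state_sequence(SAMPLE_LOG).items():
        print("%s %s:%s -> %s:%s" % key)
        for n, (state, flags) in enumerate(seq, start=1):
            print("  %d. %-11s %s" % (n, state, " ".join(sorted(flags))))
        print("  deviations:", check_related_then_established(seq) or "none")
```

Run over the lines from the mail, the single ftp-data flow 192.168.1.4:20 -> 192.168.1.3:34777 shows one RELATED packet (the SYN) followed by five ESTABLISHED packets and no deviations, which is exactly the sequence the mail describes. Pointing the same script at a longer `/var/log/messages` excerpt is a quick way to confirm that a `RELATED` accept rule is only ever matching the first packet of each expected data connection, and that nothing else is slipping through under that state.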