Hi Robert,

On Sat, Feb 11, 2017 at 10:13:08PM +0000, Robert White wrote:
> I think I read somewhere that as of Kernel 4.7 the connection tracker no
> longer _automatically_ loads the helper module. So if you've built the
> connection tracking stuff as modules you'll need to manually modprobe the
> helpers you want to use.

On the actual production machine the kernel is fully statically linked with
no modules anywhere.

On my Debian test box I have the module loaded and see the connection being
tracked, but no expectation for the data connection being created:

ftp> ls
227 Entering Passive Mode (134,76,12,6,119,52).
[hang]

root@debian:~# conntrack -L
tcp      6 431965 ESTABLISHED src=192.168.137.190 dst=134.76.12.6 sport=36770 dport=21 src=134.76.12.6 dst=192.168.137.190 sport=21 dport=36770 [ASSURED] mark=0 use=1
root@debian:~# conntrack -L expect
conntrack v1.4.4 (conntrack-tools): 0 expectations have been shown.
root@debian:~# dmesg | grep $((119*256 + 52))
[  215.963217] IN= OUT=eth0 SRC=192.168.137.190 DST=134.76.12.6 LEN=60 TOS=0x00 PREC=0x00 TTL=64 ID=31844 DF PROTO=TCP SPT=54334 DPT=30516 WINDOW=29200 RES=0x00 SYN URGP=0

Full log:

root@debian:~# uname -a
Linux debian 4.9.0-1-amd64 #1 SMP Debian 4.9.6-3 (2017-01-28) x86_64 GNU/Linux
root@debian:~# uptime   # freshly rebooted
 11:20:30 up 5 min,  3 users,  load average: 0.00, 0.02, 0.00
root@debian:~# iptables -nvL
Chain INPUT (policy ACCEPT 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source               destination

Chain FORWARD (policy ACCEPT 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source               destination

Chain OUTPUT (policy ACCEPT 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source               destination
root@debian:~# lsmod | grep ipt
iptable_filter         16384  0
ip_tables              24576  1 iptable_filter
x_tables               36864  2 ip_tables,iptable_filter
root@debian:~# modprobe ip_conntrack_ftp
root@debian:~# lsmod | grep ip_
ip_tables              24576  1 iptable_filter
x_tables               36864  2 ip_tables,iptable_filter
root@debian:~# lsmod | grep conntr
nf_conntrack_ftp       20480  0
nf_conntrack          114688  1 nf_conntrack_ftp
root@debian:~# cat b
# Generated by iptables-save v1.6.0 on Sun Feb 12 11:17:04 2017
*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT DROP [7:532]
-A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
-A INPUT -j LOG
-A OUTPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
-A OUTPUT -p udp -m udp --dport 53 -j ACCEPT
-A OUTPUT -p tcp -m tcp --dport 53 -j ACCEPT
-A OUTPUT -p tcp -m tcp --dport 21 -j ACCEPT
-A OUTPUT -j LOG
COMMIT
# Completed on Sun Feb 12 11:17:04 2017
root@debian:~# iptables-restore b
root@debian:~# iptables -nvL
Chain INPUT (policy DROP 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source               destination
    0     0 ACCEPT     all  --  *      *       0.0.0.0/0            0.0.0.0/0            state RELATED,ESTABLISHED
    0     0 LOG        all  --  *      *       0.0.0.0/0            0.0.0.0/0            LOG flags 0 level 4

Chain FORWARD (policy DROP 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source               destination

Chain OUTPUT (policy DROP 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source               destination
    0     0 ACCEPT     all  --  *      *       0.0.0.0/0            0.0.0.0/0            state RELATED,ESTABLISHED
    0     0 ACCEPT     udp  --  *      *       0.0.0.0/0            0.0.0.0/0            udp dpt:53
    0     0 ACCEPT     tcp  --  *      *       0.0.0.0/0            0.0.0.0/0            tcp dpt:53
    0     0 ACCEPT     tcp  --  *      *       0.0.0.0/0            0.0.0.0/0            tcp dpt:21
    0     0 LOG        all  --  *      *       0.0.0.0/0            0.0.0.0/0            LOG flags 0 level 4

michael@debian:~$ ftp ftp.gwdg.de
Connected to ftp6.gwdg.de.
220 Welcome to ftp.gwdg.de
Name (ftp.gwdg.de:michael): ftp
331 Please specify the password.
Password:
230 Login successful.
Remote system type is UNIX.
Using binary mode to transfer files.
ftp> passive
Passive mode on.
ftp> ls
227 Entering Passive Mode (134,76,12,6,119,52).
[hang]

root@debian:~# conntrack -L
tcp      6 431965 ESTABLISHED src=192.168.137.190 dst=134.76.12.6 sport=36770 dport=21 src=134.76.12.6 dst=192.168.137.190 sport=21 dport=36770 [ASSURED] mark=0 use=1
root@debian:~# conntrack -L expect
conntrack v1.4.4 (conntrack-tools): 0 expectations have been shown.
root@debian:~# dmesg | grep $((119*256 + 52))
[  215.963217] IN= OUT=eth0 SRC=192.168.137.190 DST=134.76.12.6 LEN=60 TOS=0x00 PREC=0x00 TTL=64 ID=31844 DF PROTO=TCP SPT=54334 DPT=30516 WINDOW=29200 RES=0x00 SYN URGP=0
[  216.981438] IN= OUT=eth0 SRC=192.168.137.190 DST=134.76.12.6 LEN=60 TOS=0x00 PREC=0x00 TTL=64 ID=31845 DF PROTO=TCP SPT=54334 DPT=30516 WINDOW=29200 RES=0x00 SYN URGP=0
[  218.996037] IN= OUT=eth0 SRC=192.168.137.190 DST=134.76.12.6 LEN=60 TOS=0x00 PREC=0x00 TTL=64 ID=31846 DF PROTO=TCP SPT=54334 DPT=30516 WINDOW=29200 RES=0x00 SYN URGP=0
[  223.124663] IN= OUT=eth0 SRC=192.168.137.190 DST=134.76.12.6 LEN=60 TOS=0x00 PREC=0x00 TTL=64 ID=31847 DF PROTO=TCP SPT=54334 DPT=30516 WINDOW=29200 RES=0x00 SYN URGP=0
[  231.315490] IN= OUT=eth0 SRC=192.168.137.190 DST=134.76.12.6 LEN=60 TOS=0x00 PREC=0x00 TTL=64 ID=31848 DF PROTO=TCP SPT=54334 DPT=30516 WINDOW=29200 RES=0x00 SYN URGP=0
[  247.440650] IN= OUT=eth0 SRC=192.168.137.190 DST=134.76.12.6 LEN=60 TOS=0x00 PREC=0x00 TTL=64 ID=31849 DF PROTO=TCP SPT=54334 DPT=30516 WINDOW=29200 RES=0x00 SYN URGP=0
[  281.228684] IN= OUT=eth0 SRC=192.168.137.190 DST=134.76.12.6 LEN=60 TOS=0x00 PREC=0x00 TTL=64 ID=31850 DF PROTO=TCP SPT=54334 DPT=30516 WINDOW=29200 RES=0x00 SYN URGP=0

--
Thanks,
Michael
--
To unsubscribe from this list: send the line "unsubscribe netfilter" in
the body of a message to majordomo@xxxxxxxxxxxxxxx
More majordomo info at  http://vger.kernel.org/majordomo-info.html
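Added example, not part of Michael's message or of the netfilter project. The log above is the classic symptom of a change that landed in Linux 4.7: the default of the net.netfilter.nf_conntrack_helper sysctl became 0, so a loaded (or built-in) nf_conntrack_ftp is no longer attached automatically to every flow on port 21. With no helper on the control connection, the 227 reply is never parsed, no RELATED expectation is created, and the data SYN to port 119*256+52 = 30516 falls through to the OUTPUT LOG rule and the DROP policy. Rather than setting the sysctl back to 1 (which re-enables the blanket helper assignment the change was meant to remove), the helper is pinned to the control connection with the CT target in the raw table. The script below parses the 227 reply so the dropped SYN can be matched against the LOG line, reports the sysctl, and prints (does not apply) the rules for an FTP client behind an OUTPUT DROP policy. Port numbers and the 227 sample line are taken from the thread; the function names are this example's own.

```shell
#!/bin/sh
# Added example (not from the thread): diagnose and fix the missing FTP
# expectation on Linux >= 4.7, where net.netfilter.nf_conntrack_helper
# defaults to 0 and the helper has to be attached explicitly with -j CT.
# Nothing here changes the running system; rules are printed, not executed.

# Turn a "227 Entering Passive Mode (h1,h2,h3,h4,p1,p2)" reply into
# "h1.h2.h3.h4 port" so the LOG line for the dropped data SYN can be matched.
pasv_endpoint() {
    set -- $(printf '%s\n' "$1" | sed -n 's/.*(\([0-9,]*\)).*/\1/p' | tr ',' ' ')
    [ $# -eq 6 ] || return 1
    printf '%s.%s.%s.%s %d\n' "$1" "$2" "$3" "$4" $(( $5 * 256 + $6 ))
}

# Report the automatic helper assignment sysctl: 0 (the 4.7+ default) means a
# helper is only attached where a CT rule asks for it; "unknown" when the
# sysctl is not readable here (no conntrack support loaded, or not root).
helper_autoassign() {
    f=/proc/sys/net/netfilter/nf_conntrack_helper
    if [ -r "$f" ]; then cat "$f"; else echo unknown; fi
}

# Rules for an FTP *client* behind an OUTPUT DROP policy. The raw-table CT
# rule must see the control connection's first packet, so it is keyed on the
# destination port; once the helper parses the 227 reply, RELATED accepts the
# data SYN. modprobe only matters on a modular kernel; with a static kernel
# the helper is registered at boot but still has to be selected by the rule.
ftp_helper_rules() {
    port=${1:-21}
    cat <<EOF
modprobe nf_conntrack_ftp
iptables -t raw -A OUTPUT -p tcp --dport $port -j CT --helper ftp
iptables -A OUTPUT -p tcp --dport $port -j ACCEPT
iptables -A OUTPUT -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
EOF
}

# Commands to confirm the fix after starting a PASV transfer: the control
# flow should now show helper=ftp and an expectation for the data port.
ftp_helper_check() {
    cat <<EOF
conntrack -L -p tcp --dport ${1:-21}
conntrack -L expect
EOF
}

# Usage: ./ftp-helper.sh rules [port] | check [port] | pasv '<227 line>'
case "${1:-}" in
    rules) ftp_helper_rules "${2:-21}" ;;
    check) ftp_helper_check "${2:-21}" ;;
    pasv)  pasv_endpoint "$2" ;;
esac
```

For a box that also serves FTP, the same CT rule goes in the raw PREROUTING chain with the server's listening port. Keying the rule on a port means the helper only inspects traffic the administrator chose, which is the whole point of the 4.7 default: a helper parsing arbitrary flows is what makes blanket assignment risky.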