Hi All,
My iptables firewall ported from RHEL won't connect to ftp sites and throws this error (written by me years ago):
WARNING: active FTP rules have been selected but one or more necessary modules have not been detected
In /etc/sysconfig/iptables-config, you must add ip_nat_ftp and ip_conntrack_ftp to IPTABLES_MODULES. Delimiter is a space. For example: IPTABLES_MODULES=ip_nat_ftp ip_conntrack_ftp
To load changes, use:
    # /etc/rc.d/init.d/iptables restart
    # systemctl restart iptables
To check if modules are loaded, use lsmod
1) is Fedora doing FTP differently in iptables?
2) where do I find ip_nat_ftp ip_conntrack_ftp nowadays?
Many thanks, -T
On 08/22/2018 03:47 PM, ToddAndMargo wrote:
- is Fedora doing FTP differently in iptables?
No, but Fedora, by default, locks down the network a lot more than older RHEL systems. If you're using Network Manager, you can use it to open the FTP ports necessary on your machine. Or you can edit the /etc/sysconfig/iptables-config file and add those modules.
- where do I find ip_nat_ftp ip_conntrack_ftp nowadays?
They're included in the kernel RPM. If you must know, they're located in:
/lib/modules/`uname -r`/kernel/net/netfilter

----------------------------------------------------------------------
- Rick Stevens, Systems Engineer, AllDigital    ricks@alldigital.com -
- AIM/Skype: therps2        ICQ: 226437340       Yahoo: origrps2    -
-                                                                    -
- You know the old saying--any technology sufficiently advanced is   -
- indistinguishable from a Perl script                               -
-                                  --Programming Perl, 2nd Edition   -
----------------------------------------------------------------------
On 08/22/2018 03:59 PM, Rick Stevens wrote:
On 08/22/2018 03:47 PM, ToddAndMargo wrote:
- is Fedora doing FTP differently in iptables?
No, but Fedora, by default, locks down the network a lot more than older RHEL systems. If you're using Network Manager, you can use it to open the FTP ports necessary on your machine. Or you can edit the /etc/sysconfig/iptables-config file and add those modules.
- where do I find ip_nat_ftp ip_conntrack_ftp nowadays?
They're included in the kernel RPM. If you must know, they're located in:
/lib/modules/`uname -r`/kernel/net/netfilter
I am finding these inserted:
# lsmod | grep ftp
nf_nat_ftp             16384  0
nf_conntrack_ftp       20480  1 nf_nat_ftp
nf_nat                 36864  3 nf_nat_masquerade_ipv4,nf_nat_ftp,nf_nat_ipv4
nf_conntrack          147456  9 xt_conntrack,nf_nat_masquerade_ipv4,nf_conntrack_ipv4,nf_nat,nf_nat_ftp,ipt_MASQUERADE,nf_nat_ipv4,xt_helper,nf_conntrack_ftp
Is this adequate?
So I do not have to dnf the filters. Simpler.
# ls /lib/modules/`uname -r`/kernel/net/netfilter | grep -i ftp
nf_conntrack_ftp.ko.xz
nf_conntrack_tftp.ko.xz
nf_nat_ftp.ko.xz
nf_nat_tftp.ko.xz
And the ones I used to use (ip_nat_ftp, ip_conntrack_ftp) are not showing up. Does Fedora even require these any more?
Here is the error I am getting from iptables:
Aug 22 16:12:09 rn6 kernel: dsl-out Everything Else IN= OUT=eno2 SRC=192.168.xxx.yyy DST=208.106.xxx.yyy LEN=60 TOS=0x00 PREC=0x00 TTL=64 ID=25991 DF PROTO=TCP SPT=59698 DPT=21023 WINDOW=29200 RES=0x00 SYN URGP=0
Which means ftp is trying to establish high ports, which is what it is supposed to do. The problem is that I am not tracking them, as I should. "ip_conntrack_ftp" used to do this.
What am I missing?
-T
On 08/23/18 06:47, ToddAndMargo wrote:
I can't locate my notes at the moment. But I believe the way things are done in the netfilter framework has changed.
If memory serves me, the nf_conntrack_ipv4 will load, as needed, the necessary "helper". I use the standard firewall and these modules are loaded.
xt_conntrack           16384  21
nf_conntrack_ipv6      16384  12
nf_defrag_ipv6         20480  1 nf_conntrack_ipv6
nf_conntrack_ipv4      16384  11
nf_defrag_ipv4         16384  1 nf_conntrack_ipv4
nf_conntrack          147456  6 xt_conntrack,nf_conntrack_ipv6,nf_conntrack_ipv4,nf_nat,nf_nat_ipv6,nf_nat_ipv4
libcrc32c              16384  2 nf_conntrack,nf_nat
and ftp works fine.
ip_nat_ftp does not exist on my system. But I do have nf_conntrack_ftp.
On 08/22/2018 04:37 PM, Ed Greshko wrote:
I can't locate my notes at the moment. But I believe the way things are done in the netfilter framework has changed.
If memory serves me, the nf_conntrack_ipv4 will load, as needed, the necessary "helper". I use the standard firewall and these modules are loaded.
xt_conntrack           16384  21
nf_conntrack_ipv6      16384  12
nf_defrag_ipv6         20480  1 nf_conntrack_ipv6
nf_conntrack_ipv4      16384  11
nf_defrag_ipv4         16384  1 nf_conntrack_ipv4
nf_conntrack          147456  6 xt_conntrack,nf_conntrack_ipv6,nf_conntrack_ipv4,nf_nat,nf_nat_ipv6,nf_nat_ipv4
libcrc32c              16384  2 nf_conntrack,nf_nat
and ftp works fine.
ip_nat_ftp does not exist on my system. But I do have nf_conntrack_ftp.
I see nf_conntrack_ftp inserted
# lsmod | grep nf_conntrack_ftp
nf_conntrack_ftp       20480  1 nf_nat_ftp
nf_conntrack          147456  9 xt_conntrack,nf_nat_masquerade_ipv4,nf_conntrack_ipv4,nf_nat,nf_nat_ftp,ipt_MASQUERADE,nf_nat_ipv4,xt_helper,nf_conntrack_ftp
But it is not following the high ports that ftp uses:
Aug 22 16:12:09 rn6 kernel: dsl-out Everything Else IN= OUT=eno2 SRC=192.168.xxx.yyy DST=208.106.xxx.yyy LEN=60 TOS=0x00 PREC=0x00 TTL=64 ID=25991 DF PROTO=TCP SPT=59698 DPT=21023 WINDOW=29200 RES=0x00 SYN URGP=0
On 08/22/2018 06:00 PM, ToddAndMargo wrote:
On 08/22/2018 04:37 PM, Ed Greshko wrote:
I see nf_conntrack_ftp inserted
# lsmod | grep nf_conntrack_ftp
nf_conntrack_ftp       20480  1 nf_nat_ftp
nf_conntrack          147456  9 xt_conntrack,nf_nat_masquerade_ipv4,nf_conntrack_ipv4,nf_nat,nf_nat_ftp,ipt_MASQUERADE,nf_nat_ipv4,xt_helper,nf_conntrack_ftp
But it is not following the high ports that ftp uses:
Aug 22 16:12:09 rn6 kernel: dsl-out Everything Else IN= OUT=eno2 SRC=192.168.xxx.yyy DST=208.106.xxx.yyy LEN=60 TOS=0x00 PREC=0x00 TTL=64 ID=25991 DF PROTO=TCP SPT=59698 DPT=21023 WINDOW=29200 RES=0x00 SYN URGP=0
Perhaps I missed this, but are you trying to set up an FTP _server_ on your machine or using it as an FTP client? The firewall rules for an FTP server would be significantly different--especially if you wish to provide both passive and normal FTP operations.
On 08/23/2018 11:10 AM, Rick Stevens wrote:
Perhaps I missed this, but are you trying to set up an FTP _server_ on your machine or using it as an FTP client? The firewall rules for an FTP server would be significantly different--especially if you wish to provide both passive and normal FTP operations.
Just ftp client and I want to support both active and passive mode
On 08/23/2018 11:23 AM, ToddAndMargo wrote:
On 08/23/2018 11:10 AM, Rick Stevens wrote:
Perhaps I missed this, but are you trying to set up an FTP _server_ on your machine or using it as an FTP client? The firewall rules for an FTP server would be significantly different--especially if you wish to provide both passive and normal FTP operations.
Just ftp client and I want to support both active and passive mode
The advice given here:
https://serverfault.com/questions/203546/client-side-iptables-rule-to-allow-... might be relevant.
:m
On 08/23/2018 11:23 AM, ToddAndMargo wrote:
Just ftp client and I want to support both active and passive mode
This covers both:
http://www.devops-blog.net/iptables/iptables-settings-for-outgoing-ftp
:m
On 08/23/2018 11:41 AM, Mike Wright wrote:
On 08/23/2018 11:23 AM, ToddAndMargo wrote:
Just ftp client and I want to support both active and passive mode
This covers both:
http://www.devops-blog.net/iptables/iptables-settings-for-outgoing-ftp
:m
Hi Mike,
That is a description of what is happening.
I am looking for Fedora specific iptables instructions.
-T
On 08/23/2018 11:50 AM, ToddAndMargo wrote:
Hi Mike,
That is a description of what is happening.
I am looking for Fedora specific iptables instructions.
iptables rules are processed by the kernel. They are distribution agnostic.
:m
On 08/23/2018 12:14 PM, Mike Wright wrote:
iptables rules are processed by the kernel. They are distribution agnostic.
:m
Yippee!!
I still the directions. What worked on RHEL, does not work on Fedora, so what am I doing wrong?
On 08/23/2018 09:06 PM, Todd Chester wrote:
Yippee!!
I still the directions. What worked on RHEL, does not work on Fedora, so what am I doing wrong?
My *hunch* is that you are running firewalld and that the default rules for firewalld changed between RHEL and fedora. Mind you, beneath firewalld lies, you guessed it, iptables.
Execute:
firewall-cmd --state
echo $?
If the result is 0 you are running firewalld. Anything else, you're dealing directly with iptables. Regardless, you can always manually insert and delete rules using /sbin/iptables.
The iptables rules in the link that I referred to above can be inserted into the kernel by taking each of the rules, in order, and preceding them with /sbin/iptables (iptables being the name of the program that parses the rules and inserts/deletes/etc them).
e.g. /sbin/iptables -A INPUT -p tcp ...
But before you do that - iptables processes rules in the order they are listed. To prevent time wasting by adding (that's what the -A does) your rules to the end of the list where you may have already been blocked use "-I 1" which will insert your rule(s) before any other rules in the chains (groups of rules such as INPUT, OUTPUT, PREROUTING, etc).
If you are running firewalld and inserting those rules allows FTP to work ask again on the list for help with firewalld.
Best, :m
On 08/24/2018 09:23 AM, Mike Wright wrote:
My *hunch* is that you are running firewalld and that the default rules for firewalld changed between RHEL and fedora. Mind you, beneath firewalld lies, you guessed it, iptables.
Execute:
firewall-cmd --state
echo $?
$ firewall-cmd --state; echo $?
not running
252
Without ip_conntrack_ftp or its replacement, it is never going to work.
On 08/24/2018 02:18 PM, ToddAndMargo wrote:
$ firewall-cmd --state; echo $?
not running
252
I have to agree with Rick Stevens, "I can't imagine why Fedora would block FTP". I've never seen a desktop/laptop use the OUTPUT chain. Servers, yes.
Even though it seems unlikely that you are "boxed in" let's take a look at just what rules, if any, you have.
sudo iptables-save > iptables.rules
If iptables.rules is empty you are not running any type of firewall, in which case that cannot be the source of your connection problem. If there is content let's see it.
Note: I doubt that it's a firewall problem.
:m
On 08/24/2018 02:32 PM, Mike Wright wrote:
sudo iptables-save > iptables.rules
# iptables --list | wc -l
244
Here is a hint:
# ls /lib/modules/`uname -r`/kernel/net/netfilter | grep ftp
nf_conntrack_ftp.ko.xz
nf_conntrack_tftp.ko.xz
nf_nat_ftp.ko.xz
nf_nat_tftp.ko.xz
# insmod nf_conntrack_ftp
insmod: ERROR: could not load module nf_conntrack_ftp: No such file or directory
badwordbadwordbadword
On 08/24/2018 03:23 PM, ToddAndMargo wrote:
# insmod nf_conntrack_ftp
insmod: ERROR: could not load module nf_conntrack_ftp: No such file or directory
That's because you didn't specify an actual file. Try passing the entire path to the module.
But the proper way is to use "modprobe nf_conntrack_ftp".
However, as several people have mentioned, there should not be any restrictions on using an ftp client. At the start of this thread, it would have been good if you had described the actual problem you are trying to solve. Please do that.
On 08/24/2018 03:40 PM, Samuel Sieb wrote:
That's because you didn't specify an actual file. Try passing the entire path to the module.
But the proper way is to use "modprobe nf_conntrack_ftp".
However, as several people have mentioned, there should not be any restrictions on using an ftp client. At the start of this thread, it would have been good if you had described the actual problem you are trying to solve. Please do that.
I just figured out I should be using modprobe and not insmod. I have iptables-config set to
IPTABLES_MODULES=nf_conntrack_ftp nf_conntrack_tftp nf_nat_ftp nf_nat_tftp
I will reboot and try again.
The actual problem is
Aug 22 16:12:09 rn6 kernel: dsl-out Everything Else IN= OUT=eno2 SRC=192.168.xxx.yyy DST=208.106.xxx.yyy LEN=60 TOS=0x00 PREC=0x00 TTL=64 ID=25991 DF PROTO=TCP SPT=59698 DPT=21023 WINDOW=29200 RES=0x00 SYN URGP=0
Which is iptables not tracking the high ports ftp uses. And that has not changed since I posted.
I will get back after the reboot. (with NVMe that is fast.)
-T
On 08/24/2018 03:53 PM, ToddAndMargo wrote:
I modprobe'ed all four in.
They showed in `lsmod | grep ftp`
I ran a systemctl restart iptables
No joy.
Then I rebooted. Now `lsmod | grep ftp` show nothing.
badwordbadwrodbadwordbadwrod
On 08/24/2018 04:22 PM, Samuel Sieb wrote:
On 08/24/2018 04:01 PM, ToddAndMargo wrote:
Please explain what you are trying to do and what is not working.
I am trying to get iptables to track ftp's usage of high ports.
And I did figure it out. See my followup to this thread.
It was really, really freaking obscure !!!!!
On 08/24/2018 03:53 PM, ToddAndMargo wrote:
The actual problem is
Aug 22 16:12:09 rn6 kernel: dsl-out Everything Else IN= OUT=eno2 SRC=192.168.xxx.yyy DST=208.106.xxx.yyy LEN=60 TOS=0x00 PREC=0x00 TTL=64 ID=25991 DF PROTO=TCP SPT=59698 DPT=21023 WINDOW=29200 RES=0x00 SYN URGP=0
What is this showing?
Which is iptables not tracking the high ports ftp uses. And that has not changed since I posted.
Why do you need it tracked? What is the problem you are trying to solve?
Maybe show the iptables rules you are trying to implement?
On 08/23/2018 09:06 PM, Todd Chester wrote:
Yippee!!
I still the directions. What worked on RHEL, does not work on Fedora, so what am I doing wrong?
If you're trying to run an FTP _client_, I can't imagine why Fedora would block FTP. On a bone-stock XFCE F28 VM, ftp client operations seem to work fine with no futzing of the firewall (iptables). If you want to know what the ruleset is:
---------------------------------------------------------------------
[root@F28-virt ~]# iptables -L -n
Chain INPUT (policy ACCEPT)
target              prot opt source               destination
ACCEPT              all  --  0.0.0.0/0            0.0.0.0/0            ctstate RELATED,ESTABLISHED
ACCEPT              all  --  0.0.0.0/0            0.0.0.0/0
INPUT_direct        all  --  0.0.0.0/0            0.0.0.0/0
INPUT_ZONES_SOURCE  all  --  0.0.0.0/0            0.0.0.0/0
INPUT_ZONES         all  --  0.0.0.0/0            0.0.0.0/0
DROP                all  --  0.0.0.0/0            0.0.0.0/0            ctstate INVALID
REJECT              all  --  0.0.0.0/0            0.0.0.0/0            reject-with icmp-host-prohibited

Chain FORWARD (policy ACCEPT)
target                    prot opt source               destination
ACCEPT                    all  --  0.0.0.0/0            0.0.0.0/0            ctstate RELATED,ESTABLISHED
ACCEPT                    all  --  0.0.0.0/0            0.0.0.0/0
FORWARD_direct            all  --  0.0.0.0/0            0.0.0.0/0
FORWARD_IN_ZONES_SOURCE   all  --  0.0.0.0/0            0.0.0.0/0
FORWARD_IN_ZONES          all  --  0.0.0.0/0            0.0.0.0/0
FORWARD_OUT_ZONES_SOURCE  all  --  0.0.0.0/0            0.0.0.0/0
FORWARD_OUT_ZONES         all  --  0.0.0.0/0            0.0.0.0/0
DROP                      all  --  0.0.0.0/0            0.0.0.0/0            ctstate INVALID
REJECT                    all  --  0.0.0.0/0            0.0.0.0/0            reject-with icmp-host-prohibited

Chain OUTPUT (policy ACCEPT)
target         prot opt source               destination
OUTPUT_direct  all  --  0.0.0.0/0            0.0.0.0/0

Chain FORWARD_IN_ZONES (1 references)
target       prot opt source               destination
FWDI_public  all  --  0.0.0.0/0            0.0.0.0/0            [goto]
FWDI_public  all  --  0.0.0.0/0            0.0.0.0/0            [goto]

Chain FORWARD_IN_ZONES_SOURCE (1 references)
target       prot opt source               destination

Chain FORWARD_OUT_ZONES (1 references)
target       prot opt source               destination
FWDO_public  all  --  0.0.0.0/0            0.0.0.0/0            [goto]
FWDO_public  all  --  0.0.0.0/0            0.0.0.0/0            [goto]

Chain FORWARD_OUT_ZONES_SOURCE (1 references)
target       prot opt source               destination

Chain FORWARD_direct (1 references)
target       prot opt source               destination

Chain FWDI_public (2 references)
target             prot opt source               destination
FWDI_public_log    all  --  0.0.0.0/0            0.0.0.0/0
FWDI_public_deny   all  --  0.0.0.0/0            0.0.0.0/0
FWDI_public_allow  all  --  0.0.0.0/0            0.0.0.0/0
ACCEPT             icmp --  0.0.0.0/0            0.0.0.0/0

Chain FWDI_public_allow (1 references)
target       prot opt source               destination

Chain FWDI_public_deny (1 references)
target       prot opt source               destination

Chain FWDI_public_log (1 references)
target       prot opt source               destination

Chain FWDO_public (2 references)
target             prot opt source               destination
FWDO_public_log    all  --  0.0.0.0/0            0.0.0.0/0
FWDO_public_deny   all  --  0.0.0.0/0            0.0.0.0/0
FWDO_public_allow  all  --  0.0.0.0/0            0.0.0.0/0

Chain FWDO_public_allow (1 references)
target       prot opt source               destination

Chain FWDO_public_deny (1 references)
target       prot opt source               destination

Chain FWDO_public_log (1 references)
target       prot opt source               destination

Chain INPUT_ZONES (1 references)
target       prot opt source               destination
IN_public    all  --  0.0.0.0/0            0.0.0.0/0            [goto]
IN_public    all  --  0.0.0.0/0            0.0.0.0/0            [goto]

Chain INPUT_ZONES_SOURCE (1 references)
target       prot opt source               destination

Chain INPUT_direct (1 references)
target       prot opt source               destination

Chain IN_public (2 references)
target           prot opt source               destination
IN_public_log    all  --  0.0.0.0/0            0.0.0.0/0
IN_public_deny   all  --  0.0.0.0/0            0.0.0.0/0
IN_public_allow  all  --  0.0.0.0/0            0.0.0.0/0
ACCEPT           icmp --  0.0.0.0/0            0.0.0.0/0

Chain IN_public_allow (1 references)
target       prot opt source               destination
ACCEPT       tcp  --  0.0.0.0/0            0.0.0.0/0            tcp dpt:22 ctstate NEW
ACCEPT       udp  --  0.0.0.0/0            224.0.0.251          udp dpt:5353 ctstate NEW

Chain IN_public_deny (1 references)
target       prot opt source               destination

Chain IN_public_log (1 references)
target       prot opt source               destination

Chain OUTPUT_direct (1 references)
target       prot opt source               destination
---------------------------------------------------------------------
Your issue seems to be with a firewall or router upstream of your machine. As a test, you could (as root) do something drastic like:
# systemctl stop firewalld
to completely shut down your firewall, then test your FTP access. Don't forget to re-enable the firewall as soon as possible:
# systemctl start firewalld
As I mentioned before, the firewall on F28 is more restrictive _of_incoming_connections_ than RHEL 5/6 was. This should only affect you if you are trying to run an FTP _server_ on your machine. FTP client connections (those initiated on your machine) should not be restricted (that's the whole purpose of things like "ctstate RELATED,ESTABLISHED").
On 08/24/2018 09:35 AM, Rick Stevens wrote:
Here are my "passive rules"
# ftp passive mode (browser) stuff.  Note: ftp_conntrack module is required, e.g.:
#    /etc/sysconfig/iptables-config:
#    IPTABLES_MODULES="ip_conntrack_ftp"
#
$tbls -A dsl-out -o $eth1 -p tcp -s $eth1_addr --sport $unassgn --dport ftp -m state --state NEW,ESTABLISHED -j ACCEPT
$tbls -A dsl-in -i $eth1 -p tcp ! --syn --sport ftp -d $eth1_addr --dport $unassgn -m state --state RELATED,ESTABLISHED -j ACCEPT
$tbls -A dsl-for -i $eth1 -p tcp ! --syn --sport ftp -d $internal_net --dport $unassgn -m state --state RELATED,ESTABLISHED -j ACCEPT
# The "ftpdata" session is a "new" one when it sends the SYN.  However, the ftp_conntrack module marks it as related to its controlling
# ftp session, so that state=related matches.  This should deny any "ftpdata" session that doesn't have a controlling ftp session.
#$tbls -A dsl-out -o $eth1 -p tcp -s $eth1_addr --sport $unassgn -d $ANY_IP --dport $unassgn -m state --state RELATED,ESTABLISHED -j ACCEPT
#$tbls -A dsl-in -i $eth1 -p tcp ! --syn -s $ANY_IP --sport $unassgn -d $eth1_addr --dport $unassgn -m state --state RELATED,ESTABLISHED -j ACCEPT
#$tbls -A dsl-for -i $eth1 -p tcp ! --syn -s $ANY_IP --sport $unassgn -d $internal_net --dport $unassgn -m state --state RELATED,ESTABLISHED -j ACCEPT
$tbls -A dsl-out -o $eth1 -p tcp -s $eth1_addr -d $ANY_IP -m helper --helper ftp -m state --state RELATED,ESTABLISHED -j ACCEPT
$tbls -A dsl-in -i $eth1 -p tcp ! --syn -s $ANY_IP -d $eth1_addr -m helper --helper ftp -m state --state RELATED,ESTABLISHED -j ACCEPT
$tbls -A dsl-for -i $eth1 -p tcp ! --syn -s $ANY_IP -d $internal_net -m helper --helper ftp -m state --state RELATED,ESTABLISHED -j ACCEPT
On 08/25/18 05:20, ToddAndMargo wrote:
Here are my "passive rules"
I don't claim to know how any of this actually works. Yet I do recall the way connection tracking is handled has changed. Can't find the bugzilla's that gave some insight into the changes. I do run firewalld and I can tell you that if I do an "iptables -L" there is nothing that seems related to ftp.
But....
The IP address of ftp.yzu.edu.tw is 140.138.144.170. So.....
[egreshko@meimei ~]$ sudo conntrack -L | grep 144
conntrack v1.4.4 (conntrack-tools): 10 flow entries have been shown.
and after doing an ftp session with this host
[egreshko@meimei ~]$ sudo conntrack -L | grep 144
conntrack v1.4.4 (conntrack-tools): 20 flow entries have been shown.
tcp      6 115 TIME_WAIT src=192.168.1.18 dst=140.138.144.170 sport=49923 dport=14874 src=140.138.144.170 dst=192.168.1.18 sport=14874 dport=49923 [ASSURED] mark=0 secctx=system_u:object_r:unlabeled_t:s0 use=1
tcp      6 99 TIME_WAIT src=192.168.1.18 dst=140.138.144.170 sport=33475 dport=22211 src=140.138.144.170 dst=192.168.1.18 sport=22211 dport=33475 [ASSURED] mark=0 secctx=system_u:object_r:unlabeled_t:s0 use=1
tcp      6 431995 ESTABLISHED src=192.168.1.18 dst=140.138.144.170 sport=45576 dport=21 src=140.138.144.170 dst=192.168.1.18 sport=21 dport=45576 [ASSURED] mark=0 secctx=system_u:object_r:unlabeled_t:s0 use=1
Passive FTP works fine. Active does not.
On 08/22/2018 03:47 PM, ToddAndMargo wrote:
Hi All,
My iptables firewall ported from RHEL won't connect to ftp sites and throws this error (written by me years ago):
WARNING: active FTP rules have been selected but one or more necessary modules have not been detected
In /etc/sysconfig/iptables-config, you must add ip_nat_ftp and ip_conntrack_ftp to IPTABLES_MODULES. Delimiter is a space. For example: IPTABLES_MODULES=ip_nat_ftp ip_conntrack_ftp
To load changes, use:
# /etc/rc.d/init.d/iptables restart
# systemctl restart iptables
To check if modules are loaded, use lsmod
is Fedora doing FTP differently in iptables?
where do I find ip_nat_ftp ip_conntrack_ftp nowadays?
Many thanks, -T
Figured it out.
Reference: https://serverfault.com/questions/887309/iptables-nf-conntrack-ftp-not-worki...
# vi /etc/modprobe.d/iptables.conf
options nf_conntrack_ftp ports=21
# systemctl restart iptables.
Problem solved
Talk about freaking obscure !!!!!!!!
AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA HHHHHHHHHHHHHHHHHHHHHHHHHHHH !!!!!!!!!
Thank you all for your help and patience. -T
On 08/24/2018 04:10 PM, ToddAndMargo wrote:
# vi /etc/modprobe.d/iptables.conf
options nf_conntrack_ftp ports=21
# systemctl restart iptables.
Problem solved
Ok, that's great. But I'm still curious about why you need connection tracking working. Perhaps I was misled in thinking you were referring to your client system. Is this actually something you're trying to do on a gateway server?
On 08/24/2018 04:28 PM, Samuel Sieb wrote:
Ok, that's great. But I'm still curious about why you need connection tracking working. Perhaps I was misled in thinking you were referring to your client system. Is this actually something you're trying to do on a gateway server?
Hi Samuel,
Firewalld takes care of this stuff automatically.
For a custom iptables firewall to track an ftp client's high ports, you have to implement my solution.
If not, you get:
Aug 22 16:12:09 rn6 kernel: dsl-out Everything Else IN= OUT=eno2 SRC=192.168.xxx.yyy DST=208.106.xxx.yyy LEN=60 TOS=0x00 PREC=0x00 TTL=64 ID=25991 DF PROTO=TCP SPT=59698 DPT=21023 WINDOW=29200 RES=0x00 SYN URGP=0
which is ftp's high ports not being tracked.
-T
My notes, so no one else has to go through this crap:
How to track ftp's high port with Fedora and iptables:
Problem: iptables will not automatically track ftp's high ports (firewalld will).
Note: RHEL used ip_conntrack_ftp, and ip_nat_ftp
These have been superseded by nf_conntrack_ftp nf_conntrack_tftp nf_nat_ftp nf_nat_tftp
To set up ftp high port tracking.
1) in /etc/sysconfig/iptables-config add (under this first erase add)
IPTABLES_MODULES="nf_conntrack_ftp nf_conntrack_tftp nf_nat_ftp nf_nat_tftp"
2) in /etc/modprobe.d/iptables.conf add
nf_conntrack_ftp ports=21
3) restart iptables
# systemctl restart iptables
4) to check modules
# lsmod | grep ftp
Sample passive and active ftp rules:
tbls=/sbin/iptables
Active:
$tbls -A dsl-out -o $eth1 -p tcp -s $eth1_addr --sport $allports --dport ftp-data -m state --state ESTABLISHED -j ACCEPT
$tbls -A dsl-in  -i $eth1 -p tcp --sport ftp-data -d $eth1_addr    --dport $unassgn -m state --state RELATED,ESTABLISHED -j ACCEPT
$tbls -A dsl-for -i $eth1 -p tcp --sport ftp-data -d $internal_net --dport $unassgn -m state --state RELATED,ESTABLISHED -j ACCEPT
Passive:
$tbls -A dsl-out -o $eth1 -p tcp -s $eth1_addr --sport $unassgn --dport ftp -m state --state NEW,ESTABLISHED -j ACCEPT
$tbls -A dsl-in  -i $eth1 -p tcp ! --syn --sport ftp -d $eth1_addr    --dport $unassgn -m state --state RELATED,ESTABLISHED -j ACCEPT
$tbls -A dsl-for -i $eth1 -p tcp ! --syn --sport ftp -d $internal_net --dport $unassgn -m state --state RELATED,ESTABLISHED -j ACCEPT
$tbls -A dsl-out -o $eth1 -p tcp -s $eth1_addr -d $ANY_IP -m helper --helper ftp -m state --state RELATED,ESTABLISHED -j ACCEPT
$tbls -A dsl-in  -i $eth1 -p tcp ! --syn -s $ANY_IP -d $eth1_addr    -m helper --helper ftp -m state --state RELATED,ESTABLISHED -j ACCEPT
$tbls -A dsl-for -i $eth1 -p tcp ! --syn -s $ANY_IP -d $internal_net -m helper --helper ftp -m state --state RELATED,ESTABLISHED -j ACCEPT
Hi All,
Disregard my previous notes (into everyone's life a little humility must fall).
Okay, another OBSCURE obstacle to overcome:
nf_conntrack_ftp is disabled by default. To enable it:
# echo 1 > /proc/sys/net/netfilter/nf_conntrack_helper
-T
Here are my revised notes:
How to track ftp's high port with Fedora and iptables:
Problem: iptables will not automatically track ftp's high ports (firewalld will).
Note: RHEL used ip_conntrack_ftp, and ip_nat_ftp
These have been superseded by nf_conntrack_ftp nf_conntrack_tftp nf_nat_ftp nf_nat_tftp
To set up ftp high port tracking.
1) in /etc/sysconfig/iptables-config add (under this first erase add)
IPTABLES_MODULES="nf_conntrack_ftp nf_conntrack_tftp nf_nat_ftp nf_nat_tftp"
2) nf_conntrack_ftp is disabled by default. To enable it:
# echo 1 > /proc/sys/net/netfilter/nf_conntrack_helper
3) in /etc/modprobe.d/iptables.conf add
nf_conntrack_ftp ports=21
4) restart iptables
# systemctl restart iptables
Note: you also have to reload your firewall rules after this too.
5) to check modules
# lsmod | grep ftp
Notes: the filters are part of the kernel and are located in /lib/modules/`uname -r`/kernel/net/netfilter. To use them, remove the ".ko.xz" suffix.
Manual filter adds (disappear after a reboot):
# modprobe nf_conntrack_ftp
# modprobe nf_conntrack_tftp
# modprobe nf_nat_ftp
# modprobe nf_nat_tftp
Sample passive and active ftp rules:
tbls=/sbin/iptables
if [ "$(cat /proc/sys/net/netfilter/nf_conntrack_helper)" == "0" ]; then
    echo "echo 1 > /proc/sys/net/netfilter/nf_conntrack_helper"
    echo 1 > /proc/sys/net/netfilter/nf_conntrack_helper
fi
Active:
$tbls -A dsl-out -o $eth1 -p tcp -s $eth1_addr --sport $allports --dport ftp-data -m state --state ESTABLISHED -j ACCEPT
$tbls -A dsl-in  -i $eth1 -p tcp --sport ftp-data -d $eth1_addr    --dport $unassgn -m state --state RELATED,ESTABLISHED -j ACCEPT
$tbls -A dsl-for -i $eth1 -p tcp --sport ftp-data -d $internal_net --dport $unassgn -m state --state RELATED,ESTABLISHED -j ACCEPT
Passive:
$tbls -A dsl-out -o $eth1 -p tcp -s $eth1_addr --sport $unassgn --dport ftp -m conntrack --ctstate NEW,ESTABLISHED -j ACCEPT
$tbls -A dsl-in  -i $eth1 -p tcp ! --syn --sport ftp -d $eth1_addr    --dport $unassgn -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
$tbls -A dsl-for -i $eth1 -p tcp ! --syn --sport ftp -d $internal_net --dport $unassgn -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
$tbls -A dsl-out -o $eth1 -p tcp -s $eth1_addr -d $ANY_IP -m helper --helper ftp -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
$tbls -A dsl-in  -i $eth1 -p tcp ! --syn -s $ANY_IP -d $eth1_addr    -m helper --helper ftp -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
$tbls -A dsl-for -i $eth1 -p tcp ! --syn -s $ANY_IP -d $internal_net -m helper --helper ftp -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
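The revised notes above amount to four preconditions (helper modules loaded, nf_conntrack_helper set to 1, a ports= option for nf_conntrack_ftp, and data flows actually showing up in conntrack). The script below is an added example, not code from the thread, that checks each one; every input is a file path so the same functions run against constructed sample files (shown) or the live /proc/modules, /proc/sys/net/netfilter/nf_conntrack_helper and /etc/modprobe.d/iptables.conf.

```shell
#!/bin/bash
# Added example: preflight checks for the nf_conntrack_ftp setup in the notes.

# Return 0 when every module named after the file is loaded; otherwise print
# the missing ones and return 1.  $1 = /proc/modules (or lsmod output).
ftp_modules_loaded() {
    modules_file=$1; shift
    missing=""
    for m in "$@"; do
        grep -q "^$m " "$modules_file" || missing="$missing $m"
    done
    [ -z "$missing" ] && return 0
    echo "not loaded:$missing"
    return 1
}

# Return 0 when helper auto-assignment is on (the sysctl the notes flip).
# $1 = file holding the nf_conntrack_helper value.
helper_assignment_enabled() {
    [ "$(cat "$1")" = "1" ]
}

# Return 0 when modprobe.d tells nf_conntrack_ftp which control port(s) to
# watch; without it the helper never sees the PASV/PORT exchange.
# $1 = modprobe.d conf file.
ftp_helper_ports_configured() {
    grep -Eq '^[[:space:]]*options[[:space:]]+nf_conntrack_ftp[[:space:]]+.*ports=[0-9]' "$1"
}

# Count the data flows conntrack knows about for an FTP server: tcp entries
# whose original-direction dst is the server and whose dport is not 21.
# Fields 6 and 8 of a 'conntrack -L' tcp line are dst= and dport=.
# $1 = 'conntrack -L' output file, $2 = server IP.
ftp_data_flows() {
    awk -v srv="$2" '$1=="tcp" && $6=="dst=" srv && $8!="dport=21" {n++} END {print n+0}' "$1"
}

# Constructed sample inputs (hypothetical values, not captured from any host).
tmp=$(mktemp -d)
printf 'nf_conntrack_ftp 20480 1 nf_nat_ftp, Live 0x0\nnf_nat_ftp 16384 0 - Live 0x0\n' > "$tmp/modules"
echo 1 > "$tmp/helper"
echo 'options nf_conntrack_ftp ports=21' > "$tmp/iptables.conf"
cat > "$tmp/conntrack" <<'EOF'
tcp      6 431995 ESTABLISHED src=192.168.1.18 dst=198.51.100.7 sport=45576 dport=21 src=198.51.100.7 dst=192.168.1.18 sport=21 dport=45576 [ASSURED] mark=0 use=1
tcp      6 115 TIME_WAIT src=192.168.1.18 dst=198.51.100.7 sport=49923 dport=14874 src=198.51.100.7 dst=192.168.1.18 sport=14874 dport=49923 [ASSURED] mark=0 use=1
tcp      6 99 TIME_WAIT src=192.168.1.18 dst=198.51.100.7 sport=33475 dport=22211 src=198.51.100.7 dst=192.168.1.18 sport=22211 dport=33475 [ASSURED] mark=0 use=1
EOF
```

On a live box, pass /proc/modules, the nf_conntrack_helper file, the modprobe.d file and the saved output of `conntrack -L`; a zero count from ftp_data_flows after a passive session is the symptom the thread was chasing.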