Hello, there. I'm running a Pure-FTPd service, with passive FTP, and I encountered what seems to be a defect in the nf_conntrack_ftp module: it seems to not recognize the passive FTP data connection as RELATED to the established control connection.
The iptables rules for passive FTP connections are as follows:

    -A INPUT -i ens3 -p tcp -m tcp --dport 50000:50500 -m state --state RELATED,ESTABLISHED -j ACCEPT
    -A OUTPUT -o ens3 -p tcp -m tcp --sport 50000:50500 -m state --state RELATED,ESTABLISHED -j ACCEPT

Pure-FTPd is also configured to use this port range for passive connections:

    root@Ennyn /h/alexandre {⌗0/⬓6}[0]꩜# cat /etc/pure-ftpd/conf/PassivePortRange
    50000 50500

The nf_conntrack_ftp module is also loaded:

    root@Ennyn /h/alexandre {⌗0/⬓7}[0]꩜# lsmod | grep conntrack
    nf_conntrack_ipv6      20480  3
    nf_defrag_ipv6         36864  1 nf_conntrack_ipv6
    xt_conntrack           16384  8
    nf_conntrack_ipv4      16384  6
    nf_defrag_ipv4         16384  1 nf_conntrack_ipv4
    nf_conntrack_ftp       20480  0
    nf_conntrack          114688  6 nf_conntrack_ipv6,nf_conntrack_ftp,nf_conntrack_ipv4,xt_conntrack,nf_nat_ipv4,nf_nat
    x_tables               36864 15 xt_comment,xt_hashlimit,xt_LOG,ipt_REJECT,iptable_mangle,ip_tables,iptable_filter,xt_tcpudp,xt_limit,ip6t_REJECT,ip6table_mangle,xt_recent,ip6table_filter,xt_conntrack,ip6_tables

    root@Ennyn /h/alexandre {⌗0/⬓6}[0]꩜# cat /etc/modules
    # /etc/modules: kernel modules to load at boot time.
    #
    # This file contains the names of kernel modules that should be loaded
    # at boot time, one per line. Lines beginning with "#" are ignored.
    nf_conntrack_ftp

Yet, when I try to connect over FTP, the SYN packets coming from the client trying to open the data connection never match the passive FTP iptables INPUT rule, though I can see them using tcpdump on the server. If I delete its "-m state --state RELATED,ESTABLISHED" part, the passive connection establishes correctly. Besides, conntrack shows nothing but the established control connection. All this looks like the nf_conntrack_ftp module no longer recognizes the data connection attempts from the client as RELATED to the established control connection.

I removed the stateful part of the INPUT rule to bring the service up, but that is suboptimal. Did I make a mistake? Should I open a bug ticket?
Awaiting your answers,
Regards.

-- 
David Guyot
Administrateur système / Sysadmin
Europe Camions Interactive / Stockway
Moulin Collot
F-88500 Ambacourt
Tel: +33 (0)3 29 30 47 85
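A diagnostic for the situation described in the message above, added here as an example; it is not part of the original message nor of the netfilter, conntrack-tools or Pure-FTPd projects. It rests on two facts: since Linux 4.7 the sysctl net.netfilter.nf_conntrack_helper defaults to 0, so nf_conntrack_ftp is attached to a control connection only when a rule assigns it explicitly (iptables -t raw ... -j CT --helper ftp), and a control connection with no helper attached never creates the expectation that would classify the client's data-connection SYN as RELATED. That is consistent with the lsmod output above, where nf_conntrack_ftp shows a use count of 0. The functions take their input as arguments so the parsing and decision logic can be exercised offline against constructed conntrack lines (the addresses and lines are constructed, not captured from the poster's host); the live diagnosis at the end runs only when RUN_LIVE=1 is set on a host that has root, iptables and conntrack-tools. Function names and the RUN_LIVE variable are this example's own choices.

```shell
#!/bin/sh
# Hypothetical diagnostic for "passive FTP data connection not RELATED".
# Added example; not code from the netfilter, conntrack-tools or Pure-FTPd projects.
#
# Background (kernel fact): since Linux 4.7, net.netfilter.nf_conntrack_helper
# defaults to 0, so nf_conntrack_ftp is attached to a control connection only
# when a rule assigns it explicitly:
#   iptables -t raw -A PREROUTING -p tcp --dport 21 -j CT --helper ftp
# Without the helper on the control connection no expectation is created, and
# the client's SYN towards the passive port is classified NEW, never RELATED.

# Return 0 when one `conntrack -L` line for an FTP control connection
# (original direction dport=21) carries an attached helper named ftp.
ctl_conn_has_ftp_helper() {
    case "$1" in
        *"dport=21 "*"helper=ftp"*) return 0 ;;
        *) return 1 ;;
    esac
}

# Return 0 when the helper can be attached at all:
#   $1 = value of net.netfilter.nf_conntrack_helper (0 or 1)
#   $2 = "yes" if a `-j CT --helper ftp` rule is present, else "no"
helper_assignment_ok() {
    [ "$1" = "1" ] || [ "$2" = "yes" ]
}

# Convert the content of Pure-FTPd's PassivePortRange file ("50000 50500")
# into the iptables --dport form ("50000:50500") so both settings can be compared.
passive_range_to_iptables() {
    set -- $1
    printf '%s:%s\n' "$1" "$2"
}

# Constructed sample conntrack lines (documentation-range addresses, not
# captured from any real host): one with the ftp helper attached, one without.
CT_LINE_WITH_HELPER='tcp      6 431997 ESTABLISHED src=192.0.2.10 dst=198.51.100.5 sport=51234 dport=21 src=198.51.100.5 dst=192.0.2.10 sport=21 dport=51234 [ASSURED] mark=0 helper=ftp use=1'
CT_LINE_NO_HELPER='tcp      6 431997 ESTABLISHED src=192.0.2.10 dst=198.51.100.5 sport=51234 dport=21 src=198.51.100.5 dst=192.0.2.10 sport=21 dport=51234 [ASSURED] mark=0 use=1'

# Live diagnosis on a real host (needs root, iptables and conntrack-tools).
diagnose_live() {
    sysctl_val=$(cat /proc/sys/net/netfilter/nf_conntrack_helper 2>/dev/null || echo unknown)
    if iptables -t raw -S 2>/dev/null | grep -q -- '-j CT --helper ftp'; then
        ct_rule=yes
    else
        ct_rule=no
    fi
    if helper_assignment_ok "$sysctl_val" "$ct_rule"; then
        echo "helper assignment possible (nf_conntrack_helper=$sysctl_val, CT rule: $ct_rule)"
    else
        echo "nf_conntrack_ftp cannot attach: nf_conntrack_helper=$sysctl_val and no CT --helper rule"
        echo "suggested fix: iptables -t raw -A PREROUTING -p tcp --dport 21 -j CT --helper ftp"
    fi
    if [ -r /etc/pure-ftpd/conf/PassivePortRange ]; then
        echo "Pure-FTPd passive range in iptables form: $(passive_range_to_iptables "$(cat /etc/pure-ftpd/conf/PassivePortRange)")"
    fi
    # Every control connection listed without helper=ftp will never get a RELATED data connection.
    conntrack -L -p tcp --dport 21 2>/dev/null | while IFS= read -r line; do
        if ctl_conn_has_ftp_helper "$line"; then
            echo "helper attached: $line"
        else
            echo "NO helper:       $line"
        fi
    done
}

if [ "${RUN_LIVE:-0}" = "1" ]; then
    diagnose_live
fi
```

Run as `RUN_LIVE=1 sh check-ftp-helper.sh` on the FTP server itself. If the sysctl is 0 and no CT rule exists, the expected outcome matches the symptom in the message: the control connection appears in conntrack without helper=ftp, and the data-connection SYN only ever matches a rule that drops the RELATED requirement. Adding the raw-table CT rule keeps the stateful INPUT rule intact, which is the least-privilege option compared to opening 50000:50500 unconditionally.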