Help! How do I load ip_conntrack_ftp? - Networking

This is a discussion on Help! How do I load ip_conntrack_ftp? - Networking ; Hi All, I am getting some real heat from a customer over not being able to use their software vendor's active mode ftp utilities. (Passive mode works fine, NAT and all. Vendor WILL NOT BUDGE.) I presume all I need ...

+ Reply to Thread
Results 1 to 13 of 13

Thread: Help! How do I load ip_conntrack_ftp?

  1. Help! How do I load ip_conntrack_ftp?

    Hi All,

    I am getting some real heat from a customer over not being able
    to use their software vendor's active mode ftp utilities. (Passive
    mode works fine, NAT and all. Vendor WILL NOT BUDGE.) I
    presume all I need to load is ip_conntrack_ftp" to get this to work.

    Questions:

    1) I am sitting on a CentOS 5.2 machine (customer is 4.6). Locate
    give me:

    # locate ip_conntrack_ftp
    /lib/modules/2.6.18-92.1.13.el5/kernel/net/ipv4/netfilter/ip_conntrack_ftp.ko
    usr/src/kernels/2.6.18-92.1.13.el5-i686/include/linux/netfilter_ipv4/ip_conntrack_ftp.h

    Is this the official "ip_conntrack_ftp" module? And, should I see the
    same thing on my customer's 4.6 machine?


    2) how do I load the ip_conntrack_ftp module into Cent OS 4.6? Is this
    the correct command?

    modprobe ip_conntrack_ftp (Do I need to add any path to this command?)


    3) do I have to load modprobe ip_conntrack_ftp every time I reboot
    and should I need to stick whatever instruction you give me into
    my rc.local?


    4) is there a sequence where ip_conntrack_ftp should be loaded before or
    after iptables starts?

    Many thanks,
    -T

  2. Re: Help! How do I load ip_conntrack_ftp?

    On Wed, 22 Oct 2008 18:21:23 GMT, ToddAndMargo wrote:
    > Hi All,


    > I am getting some real heat from a customer over not being able
    > to use their software vendor's active mode ftp utilities. (Passive
    > mode works fine, NAT and all. Vendor WILL NOT BUDGE.) I
    > presume all I need to load is ip_conntrack_ftp" to get this to work.


    > Questions:


    > 1) I am sitting on a CentOS 5.2 machine (customer is 4.6). Locate
    > give me:


    > # locate ip_conntrack_ftp
    > /lib/modules/2.6.18-92.1.13.el5/kernel/net/ipv4/netfilter/ip_conntrack_ftp.ko
    > usr/src/kernels/2.6.18-92.1.13.el5-i686/include/linux/netfilter_ipv4/ip_conntrack_ftp.h


    > Is this the official "ip_conntrack_ftp" module? And, should I see the
    > same thing on my customer's 4.6 machine?


    > 2) how do I load the ip_conntrack_ftp module into Cent OS 4.6? Is this
    > the correct command?


    > modprobe ip_conntrack_ftp (Do I need to add any path to this command?)


    I don't know about the command, however, look at your file:
    /etc/sysconfig/iptables-config
    the first non-comment line in my CentOS5 system is:
    IPTABLES_MODULES="ip_conntrack_netbios_ns ip_conntrack_ftp ip_conntrack_tftp"
    which I modified to load the last two. So modify your file and do:
    service iptables restart
    or have the local admin do the restart.

    > 3) do I have to load modprobe ip_conntrack_ftp every time I reboot
    > and should I need to stick whatever instruction you give me into
    > my rc.local?


    Not if you modify the file shown above.

    > 4) is there a sequence where ip_conntrack_ftp should be loaded before or
    > after iptables starts?


    Let iptables figure that out.

    > Many thanks,


    Your welcome. You'd get much better response if you'd use the CentOS
    mailing list instead of this newsgroup.

    --
    Dale Dellutri (lose the Q's)

  3. Re: Help! How do I load ip_conntrack_ftp?

    Dale Dellutri wrote:
    > On Wed, 22 Oct 2008 18:21:23 GMT, ToddAndMargo wrote:
    >> Hi All,

    >
    >> I am getting some real heat from a customer over not being able
    >> to use their software vendor's active mode ftp utilities. (Passive
    >> mode works fine, NAT and all. Vendor WILL NOT BUDGE.) I
    >> presume all I need to load is ip_conntrack_ftp" to get this to work.

    >
    >> Questions:

    >
    >> 1) I am sitting on a CentOS 5.2 machine (customer is 4.6). Locate
    >> give me:

    >
    >> # locate ip_conntrack_ftp
    >> /lib/modules/2.6.18-92.1.13.el5/kernel/net/ipv4/netfilter/ip_conntrack_ftp.ko
    >> usr/src/kernels/2.6.18-92.1.13.el5-i686/include/linux/netfilter_ipv4/ip_conntrack_ftp.h

    >
    >> Is this the official "ip_conntrack_ftp" module? And, should I see the
    >> same thing on my customer's 4.6 machine?

    >
    >> 2) how do I load the ip_conntrack_ftp module into Cent OS 4.6? Is this
    >> the correct command?

    >
    >> modprobe ip_conntrack_ftp (Do I need to add any path to this command?)

    >
    > I don't know about the command, however, look at your file:
    > /etc/sysconfig/iptables-config
    > the first non-comment line in my CentOS5 system is:
    > IPTABLES_MODULES="ip_conntrack_netbios_ns ip_conntrack_ftp ip_conntrack_tftp"
    > which I modified to load the last two. So modify your file and do:
    > service iptables restart
    > or have the local admin do the restart.
    >
    >> 3) do I have to load modprobe ip_conntrack_ftp every time I reboot
    >> and should I need to stick whatever instruction you give me into
    >> my rc.local?

    >
    > Not if you modify the file shown above.
    >
    >> 4) is there a sequence where ip_conntrack_ftp should be loaded before or
    >> after iptables starts?

    >
    > Let iptables figure that out.
    >
    >> Many thanks,

    >
    > Your welcome. You'd get much better response if you'd use the CentOS
    > mailing list instead of this newsgroup.
    >


    Thank you! You saved my ass.

    I did post in CentOS. No one answered me. I love this group.

    -T

  4. Re: Help! How do I load ip_conntrack_ftp?

    Hello,

    ToddAndMargo a écrit :
    >
    > I am getting some real heat from a customer over not being able
    > to use their software vendor's active mode ftp utilities. (Passive
    > mode works fine, NAT and all. Vendor WILL NOT BUDGE.) I
    > presume all I need to load is ip_conntrack_ftp" to get this to work.
    >
    > Questions:
    >
    > 1) I am sitting on a CentOS 5.2 machine (customer is 4.6). Locate
    > give me:
    >
    > # locate ip_conntrack_ftp
    > /lib/modules/2.6.18-92.1.13.el5/kernel/net/ipv4/netfilter/ip_conntrack_ftp.ko
    >
    > usr/src/kernels/2.6.18-92.1.13.el5-i686/include/linux/netfilter_ipv4/ip_conntrack_ftp.h
    >
    > Is this the official "ip_conntrack_ftp" module?


    It is the FTP conntrack helper module of the installed kernel. I don't
    know what you mean by "official". Note that if the box performs some NAT
    the FTP NAT helper module ip_nat_ftp may also be required for proper
    operation.

    > And, should I see the
    > same thing on my customer's 4.6 machine?


    This one may have a different kernel version, so the location and name
    may differ slightly. In more recent kernels, the ip_conntrack_* and
    ip_nat_* modules have been renamed into nf_conntrack_* and nf_nat_*.

    > 2) how do I load the ip_conntrack_ftp module into Cent OS 4.6? Is this
    > the correct command?
    >
    > modprobe ip_conntrack_ftp


    Yes. You can use "insmod /path/to/ip_conntrack_ftp.ko" too, but it is
    less convenient.

    > (Do I need to add any path to this command?)


    Not when you use modprobe. You need to write the full path and file name
    when you use insmod.

    > 3) do I have to load modprobe ip_conntrack_ftp every time I reboot
    > and should I need to stick whatever instruction you give me into
    > my rc.local?


    Yes, although there may be a more adequate location to list modules that
    must be loaded at boot time. This is usually distribution-specific, and
    I don't know about CentOS/RedHat.

    > 4) is there a sequence where ip_conntrack_ftp should be loaded before or
    > after iptables starts?


    No, it does not matter.

  5. Re: Help! How do I load ip_conntrack_ftp?

    Pascal Hambourg wrote:
    > Hello,
    >
    > ToddAndMargo a écrit :
    >>
    >> I am getting some real heat from a customer over not being able
    >> to use their software vendor's active mode ftp utilities. (Passive
    >> mode works fine, NAT and all. Vendor WILL NOT BUDGE.) I
    >> presume all I need to load is ip_conntrack_ftp" to get this to work.
    >>
    >> Questions:
    >>
    >> 1) I am sitting on a CentOS 5.2 machine (customer is 4.6). Locate
    >> give me:
    >>
    >> # locate ip_conntrack_ftp
    >> /lib/modules/2.6.18-92.1.13.el5/kernel/net/ipv4/netfilter/ip_conntrack_ftp.ko
    >>
    >> usr/src/kernels/2.6.18-92.1.13.el5-i686/include/linux/netfilter_ipv4/ip_conntrack_ftp.h
    >>
    >> Is this the official "ip_conntrack_ftp" module?

    >
    > It is the FTP conntrack helper module of the installed kernel. I don't
    > know what you mean by "official". Note that if the box performs some NAT
    > the FTP NAT helper module ip_nat_ftp may also be required for proper
    > operation.
    >
    >> And, should I see the
    >> same thing on my customer's 4.6 machine?

    >
    > This one may have a different kernel version, so the location and name
    > may differ slightly. In more recent kernels, the ip_conntrack_* and
    > ip_nat_* modules have been renamed into nf_conntrack_* and nf_nat_*.
    >
    >> 2) how do I load the ip_conntrack_ftp module into Cent OS 4.6? Is this
    >> the correct command?
    >>
    >> modprobe ip_conntrack_ftp

    >
    > Yes. You can use "insmod /path/to/ip_conntrack_ftp.ko" too, but it is
    > less convenient.
    >
    >> (Do I need to add any path to this command?)

    >
    > Not when you use modprobe. You need to write the full path and file name
    > when you use insmod.
    >
    >> 3) do I have to load modprobe ip_conntrack_ftp every time I reboot
    >> and should I need to stick whatever instruction you give me into
    >> my rc.local?

    >
    > Yes, although there may be a more adequate location to list modules that
    > must be loaded at boot time. This is usually distribution-specific, and
    > I don't know about CentOS/RedHat.
    >
    >> 4) is there a sequence where ip_conntrack_ftp should be loaded before
    >> or after iptables starts?

    >
    > No, it does not matter.


    Thank you!

  6. Re: Help! How do I load ip_conntrack_ftp?

    Pascal Hambourg wrote:
    > Hello,
    >
    > ToddAndMargo a écrit :
    >>
    >> I am getting some real heat from a customer over not being able
    >> to use their software vendor's active mode ftp utilities. (Passive
    >> mode works fine, NAT and all. Vendor WILL NOT BUDGE.) I
    >> presume all I need to load is ip_conntrack_ftp" to get this to work.
    >>
    >> Questions:
    >>
    >> 1) I am sitting on a CentOS 5.2 machine (customer is 4.6). Locate
    >> give me:
    >>
    >> # locate ip_conntrack_ftp
    >> /lib/modules/2.6.18-92.1.13.el5/kernel/net/ipv4/netfilter/ip_conntrack_ftp.ko
    >>
    >> usr/src/kernels/2.6.18-92.1.13.el5-i686/include/linux/netfilter_ipv4/ip_conntrack_ftp.h
    >>
    >> Is this the official "ip_conntrack_ftp" module?

    >
    > It is the FTP conntrack helper module of the installed kernel. I don't
    > know what you mean by "official". Note that if the box performs some NAT
    > the FTP NAT helper module ip_nat_ftp may also be required for proper
    > operation.
    >
    >> And, should I see the
    >> same thing on my customer's 4.6 machine?

    >
    > This one may have a different kernel version, so the location and name
    > may differ slightly. In more recent kernels, the ip_conntrack_* and
    > ip_nat_* modules have been renamed into nf_conntrack_* and nf_nat_*.
    >
    >> 2) how do I load the ip_conntrack_ftp module into Cent OS 4.6? Is this
    >> the correct command?
    >>
    >> modprobe ip_conntrack_ftp

    >
    > Yes. You can use "insmod /path/to/ip_conntrack_ftp.ko" too, but it is
    > less convenient.
    >
    >> (Do I need to add any path to this command?)

    >
    > Not when you use modprobe. You need to write the full path and file name
    > when you use insmod.
    >
    >> 3) do I have to load modprobe ip_conntrack_ftp every time I reboot
    >> and should I need to stick whatever instruction you give me into
    >> my rc.local?

    >
    > Yes, although there may be a more adequate location to list modules that
    > must be loaded at boot time. This is usually distribution-specific, and
    > I don't know about CentOS/RedHat.
    >
    >> 4) is there a sequence where ip_conntrack_ftp should be loaded before
    >> or after iptables starts?

    >
    > No, it does not matter.


    Follow up question: is it essentially the same

    1) to load the module with modprobe, or

    2) to place it in /etc/sysconfig/iptables-config,
    IPTABLES_MODULES="... ip_conntrack_ftp"?

    Many thanks,
    -T

  7. Re: Help! How do I load ip_conntrack_ftp?

    Pascal Hambourg wrote:

    > Note that if the box performs some NAT
    > the FTP NAT helper module ip_nat_ftp may also be required for proper
    > operation.


    Sorry for the hundred questions.

    Can ip_nat_ftp and ip_conntrack_ftp be both loaded,
    or is there some conflict?

    Many thanks,
    -T

  8. Re: Help! How do I load ip_conntrack_ftp?

    Pascal Hambourg wrote:
    > Hello,
    >
    > ToddAndMargo a écrit :
    >>
    >> I am getting some real heat from a customer over not being able
    >> to use their software vendor's active mode ftp utilities. (Passive
    >> mode works fine, NAT and all. Vendor WILL NOT BUDGE.) I
    >> presume all I need to load is ip_conntrack_ftp" to get this to work.
    >>
    >> Questions:
    >>
    >> 1) I am sitting on a CentOS 5.2 machine (customer is 4.6). Locate
    >> give me:
    >>
    >> # locate ip_conntrack_ftp
    >> /lib/modules/2.6.18-92.1.13.el5/kernel/net/ipv4/netfilter/ip_conntrack_ftp.ko
    >>
    >> usr/src/kernels/2.6.18-92.1.13.el5-i686/include/linux/netfilter_ipv4/ip_conntrack_ftp.h
    >>
    >> Is this the official "ip_conntrack_ftp" module?

    >
    > It is the FTP conntrack helper module of the installed kernel. I don't
    > know what you mean by "official". Note that if the box performs some NAT
    > the FTP NAT helper module ip_nat_ftp may also be required for proper
    > operation.
    >
    >> And, should I see the
    >> same thing on my customer's 4.6 machine?

    >
    > This one may have a different kernel version, so the location and name
    > may differ slightly. In more recent kernels, the ip_conntrack_* and
    > ip_nat_* modules have been renamed into nf_conntrack_* and nf_nat_*.
    >
    >> 2) how do I load the ip_conntrack_ftp module into Cent OS 4.6? Is this
    >> the correct command?
    >>
    >> modprobe ip_conntrack_ftp

    >
    > Yes. You can use "insmod /path/to/ip_conntrack_ftp.ko" too, but it is
    > less convenient.
    >
    >> (Do I need to add any path to this command?)

    >
    > Not when you use modprobe. You need to write the full path and file name
    > when you use insmod.
    >
    >> 3) do I have to load modprobe ip_conntrack_ftp every time I reboot
    >> and should I need to stick whatever instruction you give me into
    >> my rc.local?

    >
    > Yes, although there may be a more adequate location to list modules that
    > must be loaded at boot time. This is usually distribution-specific, and
    > I don't know about CentOS/RedHat.
    >
    >> 4) is there a sequence where ip_conntrack_ftp should be loaded before
    >> or after iptables starts?

    >
    > No, it does not matter.


    Follow up question: is it essentially the same

    1) to load the module with modprobe, or

    2) to place it in /etc/sysconfig/iptables-config,
    IPTABLES_MODULES="... ip_conntrack_ftp"?

    Many thanks,
    -T

  9. Re: Help! How do I load ip_conntrack_ftp?

    ToddAndMargo a écrit :
    >
    > Can ip_nat_ftp and ip_conntrack_ftp be both loaded,
    > or is there some conflict?


    They do not conflict. Actually ip_nat_ftp requires ip_conntrack_ftp, so
    "modprobe ip_nat_ftp" should automatically load ip_conntrack_ftp, if not
    already loaded.

    I cannot reply about /etc/sysconfig/..., as it is specific to RedHat and
    derived distributions.

  10. Re: Help! How do I load ip_conntrack_ftp?

    Pascal Hambourg wrote:
    > ToddAndMargo a écrit :
    >>
    >> Can ip_nat_ftp and ip_conntrack_ftp be both loaded,
    >> or is there some conflict?

    >
    > They do not conflict. Actually ip_nat_ftp requires ip_conntrack_ftp, so
    > "modprobe ip_nat_ftp" should automatically load ip_conntrack_ftp, if not
    > already loaded.
    >
    > I cannot reply about /etc/sysconfig/..., as it is specific to RedHat and
    > derived distributions.


    Thank you!

  11. Re: Help! How do I load ip_conntrack_ftp?

    On Oct 22, 12:35*pm, ToddAndMargo
    wrote:

    > Follow up question: is it essentially the same
    >
    > 1) to load the module with modprobe, or
    >
    > 2) to place it in /etc/sysconfig/iptables-config,
    > IPTABLES_MODULES="... ip_conntrack_ftp"?


    Yes. If you look at /etc/init.d/iptables, you should see something
    like:

    # Load additional modules (helpers)
    if [ -n "$IPTABLES_MODULES" ]; then
    echo -n $"Loading additional $IPTABLES modules: "
    ret=0
    for mod in $IPTABLES_MODULES; do
    echo -n "$mod "
    modprobe $mod > /dev/null 2>&1
    let ret+=$?;
    done
    [ $ret -eq 0 ] && success || failure
    echo
    fi

    The main difference is that this script is run at the right point in
    the startup sequence. Though offhand, I can't think of any particular
    dependencies that might cause you a problem.

    More minor differences include that these modules will be unloaded if
    the iptables subsystem is stopped, will not be loaded if iptables is
    not configured to be used, and that a failure to load these modules
    will be considered a failure to start the iptables subsystem.

    I would suggest adding them to the iptables-config file unless there's
    a good reason not to.

    DS

  12. Re: Help! How do I load ip_conntrack_ftp?

    David Schwartz wrote:
    > On Oct 22, 12:35 pm, ToddAndMargo
    > wrote:
    >
    >> Follow up question: is it essentially the same
    >>
    >> 1) to load the module with modprobe, or
    >>
    >> 2) to place it in /etc/sysconfig/iptables-config,
    >> IPTABLES_MODULES="... ip_conntrack_ftp"?

    >
    > Yes. If you look at /etc/init.d/iptables, you should see something
    > like:
    >
    > # Load additional modules (helpers)
    > if [ -n "$IPTABLES_MODULES" ]; then
    > echo -n $"Loading additional $IPTABLES modules: "
    > ret=0
    > for mod in $IPTABLES_MODULES; do
    > echo -n "$mod "
    > modprobe $mod > /dev/null 2>&1
    > let ret+=$?;
    > done
    > [ $ret -eq 0 ] && success || failure
    > echo
    > fi
    >
    > The main difference is that this script is run at the right point in
    > the startup sequence. Though offhand, I can't think of any particular
    > dependencies that might cause you a problem.
    >
    > More minor differences include that these modules will be unloaded if
    > the iptables subsystem is stopped, will not be loaded if iptables is
    > not configured to be used, and that a failure to load these modules
    > will be considered a failure to start the iptables subsystem.
    >
    > I would suggest adding them to the iptables-config file unless there's
    > a good reason not to.
    >
    > DS


    Thank you for the thoughtful follow up!
    -T

  13. Re: Help! How do I load ip_conntrack_ftp?

    Dale Dellutri wrote:

    > I don't know about the command, however, look at your file:
    > /etc/sysconfig/iptables-config
    > the first non-comment line in my CentOS5 system is:
    > IPTABLES_MODULES="ip_conntrack_netbios_ns ip_conntrack_ftp ip_conntrack_tftp"
    > which I modified to load the last two. So modify your file and do:
    > service iptables restart
    > or have the local admin do the restart.


    It worked! Yipee!! Thank you, thank you, thank you!



    > Your welcome. You'd get much better response if you'd use the CentOS
    > mailing list instead of this newsgroup.


    Now this one a have to disagree with you. Still, no one has
    answered me on Cent OS. And, the stuff you told me saved
    my ass!

    Many, many thanks,
    -T

+ Reply to Thread