Help! How do I load ip_conntrack_ftp?

Hi All,

I am getting some real heat from a customer over not being able
to use their software vendor's active mode ftp utilities. (Passive
mode works fine, NAT and all. Vendor WILL NOT BUDGE.) I
presume all I need to load is ip_conntrack_ftp" to get this to work.

Questions:

1) I am sitting on a CentOS 5.2 machine (customer is 4.6). Locate
give me:

# locate ip_conntrack_ftp
/lib/modules/2.6.18-92.1.13.el5/kernel/net/ipv4/netfilter/ip_conntrack_ftp.ko
usr/src/kernels/2.6.18-92.1.13.el5-i686/include/linux/netfilter_ipv4/ip_conntrack_ftp.h

Is this the official "ip_conntrack_ftp" module? And, should I see the
same thing on my customer's 4.6 machine?


2) how do I load the ip_conntrack_ftp module into Cent OS 4.6? Is this
the correct command?

modprobe ip_conntrack_ftp (Do I need to add any path to this command?)


3) do I have to load modprobe ip_conntrack_ftp every time I reboot
and should I need to stick whatever instruction you give me into
my rc.local?


4) is there a sequence where ip_conntrack_ftp should be loaded before or
after iptables starts?

Many thanks,
-T

On Wed, 22 Oct 2008 18:21:23 GMT, ToddAndMargo <(E-Mail Removed)> wrote:
> Hi All,

> I am getting some real heat from a customer over not being able
> to use their software vendor's active mode ftp utilities. (Passive
> mode works fine, NAT and all. Vendor WILL NOT BUDGE.) I
> presume all I need to load is ip_conntrack_ftp" to get this to work.

> Questions:

> 1) I am sitting on a CentOS 5.2 machine (customer is 4.6). Locate
> give me:

> # locate ip_conntrack_ftp
> /lib/modules/2.6.18-92.1.13.el5/kernel/net/ipv4/netfilter/ip_conntrack_ftp.ko
> usr/src/kernels/2.6.18-92.1.13.el5-i686/include/linux/netfilter_ipv4/ip_conntrack_ftp.h

> Is this the official "ip_conntrack_ftp" module? And, should I see the
> same thing on my customer's 4.6 machine?

> 2) how do I load the ip_conntrack_ftp module into Cent OS 4.6? Is this
> the correct command?

> modprobe ip_conntrack_ftp (Do I need to add any path to this command?)

I don't know about the command, however, look at your file:
/etc/sysconfig/iptables-config
the first non-comment line in my CentOS5 system is:
IPTABLES_MODULES="ip_conntrack_netbios_ns ip_conntrack_ftp ip_conntrack_tftp"
which I modified to load the last two. So modify your file and do:
service iptables restart
or have the local admin do the restart.

> 3) do I have to load modprobe ip_conntrack_ftp every time I reboot
> and should I need to stick whatever instruction you give me into
> my rc.local?

Not if you modify the file shown above.

> 4) is there a sequence where ip_conntrack_ftp should be loaded before or
> after iptables starts?

Let iptables figure that out.

> Many thanks,

Your welcome. You'd get much better response if you'd use the CentOS
mailing list instead of this newsgroup.

--
Dale Dellutri <(E-Mail Removed)> (lose the Q's)

Dale Dellutri wrote:
> On Wed, 22 Oct 2008 18:21:23 GMT, ToddAndMargo <(E-Mail Removed)> wrote:
>> Hi All,
>
>> I am getting some real heat from a customer over not being able
>> to use their software vendor's active mode ftp utilities. (Passive
>> mode works fine, NAT and all. Vendor WILL NOT BUDGE.) I
>> presume all I need to load is ip_conntrack_ftp" to get this to work.
>
>> Questions:
>
>> 1) I am sitting on a CentOS 5.2 machine (customer is 4.6). Locate
>> give me:
>
>> # locate ip_conntrack_ftp
>> /lib/modules/2.6.18-92.1.13.el5/kernel/net/ipv4/netfilter/ip_conntrack_ftp.ko
>> usr/src/kernels/2.6.18-92.1.13.el5-i686/include/linux/netfilter_ipv4/ip_conntrack_ftp.h
>
>> Is this the official "ip_conntrack_ftp" module? And, should I see the
>> same thing on my customer's 4.6 machine?
>
>> 2) how do I load the ip_conntrack_ftp module into Cent OS 4.6? Is this
>> the correct command?
>
>> modprobe ip_conntrack_ftp (Do I need to add any path to this command?)
>
> I don't know about the command, however, look at your file:
> /etc/sysconfig/iptables-config
> the first non-comment line in my CentOS5 system is:
> IPTABLES_MODULES="ip_conntrack_netbios_ns ip_conntrack_ftp ip_conntrack_tftp"
> which I modified to load the last two. So modify your file and do:
> service iptables restart
> or have the local admin do the restart.
>
>> 3) do I have to load modprobe ip_conntrack_ftp every time I reboot
>> and should I need to stick whatever instruction you give me into
>> my rc.local?
>
> Not if you modify the file shown above.
>
>> 4) is there a sequence where ip_conntrack_ftp should be loaded before or
>> after iptables starts?
>
> Let iptables figure that out.
>
>> Many thanks,
>
> Your welcome. You'd get much better response if you'd use the CentOS
> mailing list instead of this newsgroup.
>

Thank you! You saved my ass.

I did post in CentOS. No one answered me. I love this group.

-T

Hello,

ToddAndMargo a écrit :
>
> I am getting some real heat from a customer over not being able
> to use their software vendor's active mode ftp utilities. (Passive
> mode works fine, NAT and all. Vendor WILL NOT BUDGE.) I
> presume all I need to load is ip_conntrack_ftp" to get this to work.
>
> Questions:
>
> 1) I am sitting on a CentOS 5.2 machine (customer is 4.6). Locate
> give me:
>
> # locate ip_conntrack_ftp
> /lib/modules/2.6.18-92.1.13.el5/kernel/net/ipv4/netfilter/ip_conntrack_ftp.ko
>
> usr/src/kernels/2.6.18-92.1.13.el5-i686/include/linux/netfilter_ipv4/ip_conntrack_ftp.h
>
> Is this the official "ip_conntrack_ftp" module?

It is the FTP conntrack helper module of the installed kernel. I don't
know what you mean by "official". Note that if the box performs some NAT
the FTP NAT helper module ip_nat_ftp may also be required for proper
operation.

> And, should I see the
> same thing on my customer's 4.6 machine?

This one may have a different kernel version, so the location and name
may differ slightly. In more recent kernels, the ip_conntrack_* and
ip_nat_* modules have been renamed into nf_conntrack_* and nf_nat_*.

> 2) how do I load the ip_conntrack_ftp module into Cent OS 4.6? Is this
> the correct command?
>
> modprobe ip_conntrack_ftp

Yes. You can use "insmod /path/to/ip_conntrack_ftp.ko" too, but it is
less convenient.

> (Do I need to add any path to this command?)

Not when you use modprobe. You need to write the full path and file name
when you use insmod.

> 3) do I have to load modprobe ip_conntrack_ftp every time I reboot
> and should I need to stick whatever instruction you give me into
> my rc.local?

Yes, although there may be a more adequate location to list modules that
must be loaded at boot time. This is usually distribution-specific, and
I don't know about CentOS/RedHat.

> 4) is there a sequence where ip_conntrack_ftp should be loaded before or
> after iptables starts?

No, it does not matter.

Pascal Hambourg wrote:
> Hello,
>
> ToddAndMargo a écrit :
>>
>> I am getting some real heat from a customer over not being able
>> to use their software vendor's active mode ftp utilities. (Passive
>> mode works fine, NAT and all. Vendor WILL NOT BUDGE.) I
>> presume all I need to load is ip_conntrack_ftp" to get this to work.
>>
>> Questions:
>>
>> 1) I am sitting on a CentOS 5.2 machine (customer is 4.6). Locate
>> give me:
>>
>> # locate ip_conntrack_ftp
>> /lib/modules/2.6.18-92.1.13.el5/kernel/net/ipv4/netfilter/ip_conntrack_ftp.ko
>>
>> usr/src/kernels/2.6.18-92.1.13.el5-i686/include/linux/netfilter_ipv4/ip_conntrack_ftp.h
>>
>> Is this the official "ip_conntrack_ftp" module?
>
> It is the FTP conntrack helper module of the installed kernel. I don't
> know what you mean by "official". Note that if the box performs some NAT
> the FTP NAT helper module ip_nat_ftp may also be required for proper
> operation.
>
>> And, should I see the
>> same thing on my customer's 4.6 machine?
>
> This one may have a different kernel version, so the location and name
> may differ slightly. In more recent kernels, the ip_conntrack_* and
> ip_nat_* modules have been renamed into nf_conntrack_* and nf_nat_*.
>
>> 2) how do I load the ip_conntrack_ftp module into Cent OS 4.6? Is this
>> the correct command?
>>
>> modprobe ip_conntrack_ftp
>
> Yes. You can use "insmod /path/to/ip_conntrack_ftp.ko" too, but it is
> less convenient.
>
>> (Do I need to add any path to this command?)
>
> Not when you use modprobe. You need to write the full path and file name
> when you use insmod.
>
>> 3) do I have to load modprobe ip_conntrack_ftp every time I reboot
>> and should I need to stick whatever instruction you give me into
>> my rc.local?
>
> Yes, although there may be a more adequate location to list modules that
> must be loaded at boot time. This is usually distribution-specific, and
> I don't know about CentOS/RedHat.
>
>> 4) is there a sequence where ip_conntrack_ftp should be loaded before
>> or after iptables starts?
>
> No, it does not matter.

Thank you!

Pascal Hambourg wrote:
> Hello,
>
> ToddAndMargo a écrit :
>>
>> I am getting some real heat from a customer over not being able
>> to use their software vendor's active mode ftp utilities. (Passive
>> mode works fine, NAT and all. Vendor WILL NOT BUDGE.) I
>> presume all I need to load is ip_conntrack_ftp" to get this to work.
>>
>> Questions:
>>
>> 1) I am sitting on a CentOS 5.2 machine (customer is 4.6). Locate
>> give me:
>>
>> # locate ip_conntrack_ftp
>> /lib/modules/2.6.18-92.1.13.el5/kernel/net/ipv4/netfilter/ip_conntrack_ftp.ko
>>
>> usr/src/kernels/2.6.18-92.1.13.el5-i686/include/linux/netfilter_ipv4/ip_conntrack_ftp.h
>>
>> Is this the official "ip_conntrack_ftp" module?
>
> It is the FTP conntrack helper module of the installed kernel. I don't
> know what you mean by "official". Note that if the box performs some NAT
> the FTP NAT helper module ip_nat_ftp may also be required for proper
> operation.
>
>> And, should I see the
>> same thing on my customer's 4.6 machine?
>
> This one may have a different kernel version, so the location and name
> may differ slightly. In more recent kernels, the ip_conntrack_* and
> ip_nat_* modules have been renamed into nf_conntrack_* and nf_nat_*.
>
>> 2) how do I load the ip_conntrack_ftp module into Cent OS 4.6? Is this
>> the correct command?
>>
>> modprobe ip_conntrack_ftp
>
> Yes. You can use "insmod /path/to/ip_conntrack_ftp.ko" too, but it is
> less convenient.
>
>> (Do I need to add any path to this command?)
>
> Not when you use modprobe. You need to write the full path and file name
> when you use insmod.
>
>> 3) do I have to load modprobe ip_conntrack_ftp every time I reboot
>> and should I need to stick whatever instruction you give me into
>> my rc.local?
>
> Yes, although there may be a more adequate location to list modules that
> must be loaded at boot time. This is usually distribution-specific, and
> I don't know about CentOS/RedHat.
>
>> 4) is there a sequence where ip_conntrack_ftp should be loaded before
>> or after iptables starts?
>
> No, it does not matter.

Follow up question: is it essentially the same

1) to load the module with modprobe, or

2) to place it in /etc/sysconfig/iptables-config,
IPTABLES_MODULES="... ip_conntrack_ftp"?

Many thanks,
-T

Pascal Hambourg wrote:

> Note that if the box performs some NAT
> the FTP NAT helper module ip_nat_ftp may also be required for proper
> operation.

Sorry for the hundred questions.

Can ip_nat_ftp and ip_conntrack_ftp be both loaded,
or is there some conflict?

Many thanks,
-T

Pascal Hambourg wrote:
> Hello,
>
> ToddAndMargo a écrit :
>>
>> I am getting some real heat from a customer over not being able
>> to use their software vendor's active mode ftp utilities. (Passive
>> mode works fine, NAT and all. Vendor WILL NOT BUDGE.) I
>> presume all I need to load is ip_conntrack_ftp" to get this to work.
>>
>> Questions:
>>
>> 1) I am sitting on a CentOS 5.2 machine (customer is 4.6). Locate
>> give me:
>>
>> # locate ip_conntrack_ftp
>> /lib/modules/2.6.18-92.1.13.el5/kernel/net/ipv4/netfilter/ip_conntrack_ftp.ko
>>
>> usr/src/kernels/2.6.18-92.1.13.el5-i686/include/linux/netfilter_ipv4/ip_conntrack_ftp.h
>>
>> Is this the official "ip_conntrack_ftp" module?
>
> It is the FTP conntrack helper module of the installed kernel. I don't
> know what you mean by "official". Note that if the box performs some NAT
> the FTP NAT helper module ip_nat_ftp may also be required for proper
> operation.
>
>> And, should I see the
>> same thing on my customer's 4.6 machine?
>
> This one may have a different kernel version, so the location and name
> may differ slightly. In more recent kernels, the ip_conntrack_* and
> ip_nat_* modules have been renamed into nf_conntrack_* and nf_nat_*.
>
>> 2) how do I load the ip_conntrack_ftp module into Cent OS 4.6? Is this
>> the correct command?
>>
>> modprobe ip_conntrack_ftp
>
> Yes. You can use "insmod /path/to/ip_conntrack_ftp.ko" too, but it is
> less convenient.
>
>> (Do I need to add any path to this command?)
>
> Not when you use modprobe. You need to write the full path and file name
> when you use insmod.
>
>> 3) do I have to load modprobe ip_conntrack_ftp every time I reboot
>> and should I need to stick whatever instruction you give me into
>> my rc.local?
>
> Yes, although there may be a more adequate location to list modules that
> must be loaded at boot time. This is usually distribution-specific, and
> I don't know about CentOS/RedHat.
>
>> 4) is there a sequence where ip_conntrack_ftp should be loaded before
>> or after iptables starts?
>
> No, it does not matter.

Follow up question: is it essentially the same

1) to load the module with modprobe, or

2) to place it in /etc/sysconfig/iptables-config,
IPTABLES_MODULES="... ip_conntrack_ftp"?

Many thanks,
-T

ToddAndMargo a écrit :
>
> Can ip_nat_ftp and ip_conntrack_ftp be both loaded,
> or is there some conflict?

They do not conflict. Actually ip_nat_ftp requires ip_conntrack_ftp, so
"modprobe ip_nat_ftp" should automatically load ip_conntrack_ftp, if not
already loaded.

I cannot reply about /etc/sysconfig/..., as it is specific to RedHat and
derived distributions.

Pascal Hambourg wrote:
> ToddAndMargo a écrit :
>>
>> Can ip_nat_ftp and ip_conntrack_ftp be both loaded,
>> or is there some conflict?
>
> They do not conflict. Actually ip_nat_ftp requires ip_conntrack_ftp, so
> "modprobe ip_nat_ftp" should automatically load ip_conntrack_ftp, if not
> already loaded.
>
> I cannot reply about /etc/sysconfig/..., as it is specific to RedHat and
> derived distributions.

Thank you!