[NCLUG] debugging ftp iptables
Chris
csohns at yahoo.com
Wed Jan 23 22:03:23 MST 2013
Matt,
If you aren't aware, conntrack_ftp is used for passive FTP behind a NAT. No one uses passive FTP anymore, active is "just easier" and less prone to difficulties.
I'm the kind of person who likes to know *why* things are failing, tcpdump is one of my best friends. If you're curious and understand TCP/IP and the FTP protocol enough--
`tcpdump -i <iface> -s 0 -nn -A host <ip of ftp server>`
This will show you all the ASCII bits of the FTP protocol transactions. Since the FTP protocol (sans data xmit) is all clear text, it'll be easy to spot where it's hanging up. Do note, the above packet capture filter will not be very useful if you have other things open to the FTP server host (like SSH); if you do, you'll need to add some port filtering. Run the capture, then try connecting to the FTP server. If you've got some strange drops, re-transmits, windowing, or flipped bits, you'll likely see it here. Even if you do spot something, it doesn't necessarily mean it's iptables (-j LOG on drops to see them); the issue could be your router, your ISP's CPE, or the far end.
Happy banging your head against a wall! This is what I do for a living :-/
Glad you figured out the window size parameter.
Cheers,
Chris
________________________________
From: Matt Rosing <rosing at peakfive.com>
To: nclug at nclug.org
Sent: Wednesday, January 23, 2013 6:16 PM
Subject: Re: [NCLUG] debugging ftp iptables
>-I can upload a small file from my laptop to the server just fine (536
>bytes works, 537 fails). The file I'm trying to upload is 2500 bytes.
I found something interesting. 536 bytes is the default packet size,
except the stock client thinks it's 4096 or something. Ftp should start
off with some transaction to decide what the transfer size is but it
doesn't appear to do this. Or is it possible that my firewall is
interfering with that transaction? When the server sends a RST packet
does nf_conntrack_ftp send that packet through to the client?
Anyway, I also found a windows ftp switch that can specify the buffer
size. So I set it to 500 bytes and now ftp works fine.
Now, for a really stupid question, how do I modify ftp.exe in windows to
use the -w:500 option? or replace it with something else? I do linux so
am not at all familiar with this (I know, this isn't the right place to
ask). It's a dot-net application if that means anything.
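An added example, not from either poster, of what nf_conntrack_ftp has to do with the clear-text control channel Chris suggests capturing: read the PORT command (active) and the 227 reply (passive) and derive the data connection the firewall must expect. The capture text and addresses below are constructed for illustration.

```python
import re

# Constructed FTP control-channel text, as tcpdump -A would show it
# (not a real capture). Client 192.168.1.10 sits behind NAT and talks
# to server 203.0.113.5.
SAMPLE_CAPTURE = """\
220 (vsFTPd 3.0.3)
230 Login successful.
PORT 192,168,1,10,195,80
200 PORT command successful.
LIST
226 Directory send OK.
PASV
227 Entering Passive Mode (203,0,113,5,39,18).
STOR test.txt
"""

PORT_RE = re.compile(r"^PORT (\d+),(\d+),(\d+),(\d+),(\d+),(\d+)\s*$")
PASV_RE = re.compile(r"^227 .*?\((\d+),(\d+),(\d+),(\d+),(\d+),(\d+)\)")

def _endpoint(groups):
    """h1,h2,h3,h4,p1,p2 -> (dotted IP, p1*256 + p2)."""
    return ".".join(groups[:4]), int(groups[4]) * 256 + int(groups[5])

def is_private(ip):
    """RFC 1918 check: an advertised private address will not be reachable
    from the far side unless a NAT helper (nf_nat_ftp) rewrites it."""
    a, b = (int(x) for x in ip.split(".")[:2])
    return a == 10 or (a == 172 and 16 <= b <= 31) or (a == 192 and b == 168)

def expected_data_connections(capture):
    """Return the data connections a stateful firewall must let through,
    mirroring what nf_conntrack_ftp extracts from the control channel."""
    results = []
    for line in capture.splitlines():
        line = line.strip()
        for mode, rx in (("active", PORT_RE), ("passive", PASV_RE)):
            m = rx.match(line)
            if m:
                ip, port = _endpoint(m.groups())
                results.append({"mode": mode, "ip": ip, "port": port,
                                "needs_nat_fixup": is_private(ip)})
    return results

if __name__ == "__main__":
    for conn in expected_data_connections(SAMPLE_CAPTURE):
        print(conn)
```

A PORT line flagged `needs_nat_fixup` is the case where the data channel silently fails without the conntrack/NAT helper loaded, which is worth checking before blaming the iptables rules themselves.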
_______________________________________________
NCLUG mailing list NCLUG at lists.nclug.org
To unsubscribe, subscribe, or modify
your settings, go to:
http://lists.nclug.org/mailman/listinfo/nclug