RE: [Zope] iptables locks out zope ftp
Thanks for the hint

    [root@piwebserver /]# lsmod | grep ip_conntrack_ftp
    ip_conntrack_ftp        5216   0  [ip_nat_ftp]
    ip_conntrack           22924   5  [ip_nat_ftp ip_conntrack_ftp ipt_state ip_conntrack_irc iptable_nat]

Apparently the order of doing things is very important

    [root@piwebserver /]# rmmod ip_nat_ftp
    [root@piwebserver /]# rmmod ip_conntrack_ftp
    [root@piwebserver /]# insmod ip_conntrack_ftp ports=21,8021
    Using /lib/modules/2.4.18-3smp/kernel/net/ipv4/netfilter/ip_conntrack_ftp.o
    [root@piwebserver /]# insmod ip_nat_ftp ports=21,8021
    Using /lib/modules/2.4.18-3smp/kernel/net/ipv4/netfilter/ip_nat_ftp.o

Restarted ip_tables. Launched an FTP session directly into Zope at 8021 and everything works fine.

-----Original Message-----
From: keo [mailto:keo@goa.hu]
Sent: Sunday, 3 November 2002 19:42
To: Roel Van den Bergh
Subject: RE: [Zope] iptables locks out zope ftp
On Wed, 23 Oct 2002, Roel Van den Bergh wrote:
Thanks for the quick response :-) Tried this first without success

    # Load Modules
    /sbin/modprobe ip_tables
    /sbin/modprobe ip_conntrack
    /sbin/modprobe ip_nat_ftp ports=21,8021
    /sbin/modprobe ip_conntrack_ftp ports=21,8021
    /sbin/modprobe ip_conntrack_irc
Then tried the following:
    [root@server sbin]# rmmod ip_nat_ftp
    [root@server sbin]# insmod ip_nat_ftp ports=21,8021
worked fine
but I do not seem to be able to do the same with ip_conntrack_ftp
    [root@server sbin]# rmmod ip_conntrack_ftp
    ip_conntrack_ftp: Device or resource busy
Seems some other module is using it. What does lsmod say?

For me lsmod says, for example:

    ip_conntrack 12684 5 (autoclean) [ip_conntrack_irc ip_conntrack_ftp ip_nat_ftp ipt_MASQUERADE iptable_nat]

which means ip_conntrack is used by 5 modules (ip_conntrack_irc ip_conntrack_ftp ip_nat_ftp ipt_MASQUERADE iptable_nat).

If lsmod | grep ip_conntrack_ftp says:

    ip_conntrack_ftp 3200 0 (unused)

then it's unused, and some other thing may be there.

Perhaps if you have an active connection which uses ip_conntrack_ftp it won't let it be removed. Check with lsof, for example, what is using which file, device, or port.

(lsof = list open files)
keo -- don't believe everything you think
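The exchange above comes down to module dependency order: `modprobe ip_nat_ftp` pulls in `ip_conntrack_ftp` as a dependency with its default parameters, so the later `modprobe ip_conntrack_ftp ports=21,8021` is a no-op, and `rmmod ip_conntrack_ftp` fails while `ip_nat_ftp` still uses it. The following script is an added example, not code from the thread or from the Zope project: it parses the 2.4-era `lsmod` format quoted above (the "used by" list in square brackets) and derives the unload order and the matching reload order with the `ports=` parameter. The sample `lsmod` text is constructed from Roel's two lines plus a made-up line for `ip_nat_ftp`; the function names `parse_lsmod`, `unload_order`, `reload_plan` and `why_busy` are this example's own.

```python
"""Derive a safe unload/reload order for the netfilter FTP helper modules.

Added example, not code from the mailing-list thread. It parses the
Linux 2.4-era lsmod format (name, size, use count, optional "(autoclean)"
or "(unused)" flag, bracketed "used by" list) and computes the order in
which ip_nat_ftp / ip_conntrack_ftp must be removed and re-inserted so
that the ports= parameter actually takes effect.
"""
import re
from typing import Dict, List

# Constructed sample lsmod output: the two lines quoted in the thread plus a
# constructed line for ip_nat_ftp itself (its size is not in the thread).
SAMPLE_LSMOD = """\
Module                  Size  Used by
ip_conntrack_ftp        5216   0  [ip_nat_ftp]
ip_conntrack           22924   5  [ip_nat_ftp ip_conntrack_ftp ipt_state ip_conntrack_irc iptable_nat]
ip_nat_ftp              3424   0  (unused)
"""

# name  size  usecount  [(flags)]  [[dependent modules...]]
LINE_RE = re.compile(
    r"^(?P<name>\S+)\s+(?P<size>\d+)\s+(?P<used>\d+)"
    r"(?:\s+\((?P<flags>[^)]*)\))?"
    r"(?:\s+\[(?P<by>[^\]]*)\])?\s*$"
)


def parse_lsmod(text: str) -> Dict[str, dict]:
    """Return {module: {"used": int, "flags": str, "by": [dependents]}}."""
    mods: Dict[str, dict] = {}
    for line in text.splitlines():
        if not line.strip() or line.startswith("Module"):
            continue  # blank line or the header row
        m = LINE_RE.match(line)
        if m is None:
            raise ValueError(f"unrecognised lsmod line: {line!r}")
        mods[m["name"]] = {
            "used": int(m["used"]),
            "flags": m["flags"] or "",
            "by": (m["by"] or "").split(),
        }
    return mods


def unload_order(mods: Dict[str, dict], target: str) -> List[str]:
    """Modules to rmmod, dependents first, so that `target` can be removed.

    Module dependencies are acyclic, so a depth-first walk over the
    "used by" lists yields a valid order; each module is listed once.
    """
    order: List[str] = []

    def visit(name: str) -> None:
        for dependent in mods.get(name, {}).get("by", []):
            visit(dependent)
        if name not in order:
            order.append(name)

    visit(target)
    return order


def reload_plan(text: str, target: str, params: Dict[str, str]) -> List[str]:
    """rmmod commands for target and its dependents, then insmod commands in
    the reverse (dependency-first) order with per-module parameters."""
    down = unload_order(parse_lsmod(text), target)
    plan = [f"rmmod {name}" for name in down]
    for name in reversed(down):
        plan.append(f"insmod {name} {params.get(name, '')}".rstrip())
    return plan


def why_busy(mods: Dict[str, dict], name: str) -> str:
    """Explain an rmmod 'Device or resource busy' following keo's checklist."""
    info = mods[name]
    if info["by"]:
        return f"{name} is used by {' '.join(info['by'])}; unload those first"
    if info["used"] > 0:
        return (f"{name} has use count {info['used']} but no dependent module; "
                "something else, e.g. an active tracked connection, holds it")
    return f"{name} is unused; rmmod should succeed"


if __name__ == "__main__":
    ports = {"ip_conntrack_ftp": "ports=21,8021", "ip_nat_ftp": "ports=21,8021"}
    for cmd in reload_plan(SAMPLE_LSMOD, "ip_conntrack_ftp", ports):
        print(cmd)
    print(why_busy(parse_lsmod(SAMPLE_LSMOD), "ip_conntrack_ftp"))
```

For the sample input the plan is exactly the four commands Roel ended up typing by hand: remove `ip_nat_ftp`, remove `ip_conntrack_ftp`, insert `ip_conntrack_ftp ports=21,8021`, then insert `ip_nat_ftp ports=21,8021`. On 2.6 and later kernels the helper is `nf_conntrack_ftp` with the same `ports=` parameter, but `lsmod` there lists dependents comma-separated without brackets, so the regular expression would need adjusting.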
Wow, that really seems like a hard way around the problem to me. Why mess with the kernel modules? By removing kernel modules, (1) you run the risk of crippling your iptables service (the service may tell you it's operational, but if a kernel module is out of place you're SOL and you won't even know it) and (2) your changes will be lost when you reboot.

Adding the appropriate chain rules would be the "normal" way to modify iptables. The following should be approximately sufficient for your problem (in addition to your normal chain rules):

    # control connection to Zope's FTP port (--dport needs -p tcp)
    iptables -A INPUT -p tcp -i eth0 --dport 8021 -j ACCEPT
    # replies and the RELATED data connections the ftp helper recognises
    iptables -A INPUT -i eth0 -m state --state ESTABLISHED,RELATED -j ACCEPT
    iptables -A OUTPUT -p tcp -m state --state ESTABLISHED,RELATED -j ACCEPT

I usually save all my rules to a shell script, run the script, then save the "in-memory" rules like this:

    iptables-save > /etc/sysconfig/iptables

restart the service:

    service iptables restart

check your iptables to make sure they took effect:

    iptables -L

Bryan R. Capitano
President, CAPITANO WEB CONSULTING
Tel: 541-344-0747
Email: Bryan@capitanoweb.com
URL: http://www.capitanoweb.com
-----Original Message----- From: zope-admin@zope.org [mailto:zope-admin@zope.org]On Behalf Of Roel Van den Bergh Sent: Wednesday, November 06, 2002 8:08 AM To: keo Cc: Zope Org; Tim p Subject: RE: [Zope] iptables locks out zope ftp Importance: High
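Bryan's rules only let the FTP data connection through because the `RELATED` state matches connections the `ip_conntrack_ftp` helper has seen announced on the control channel, which is why the helper still has to know about port 8021. The script below is an added example, not code from the thread or from any of its participants: `ftp_rules` builds the three rules for a given interface and port, and `check_rule` catches the two mistakes that make iptables reject a rule outright, a misspelled conntrack state name and `--dport` used without `-p tcp` or `-p udp`. The interface `eth0`, the port and the function names are this example's own choices.

```python
"""Generate and sanity-check the iptables rules for Zope's FTP port.

Added example, not code from the mailing-list thread. ftp_rules() builds
the three rules for one interface and port; check_rule() flags a
conntrack state outside NEW/ESTABLISHED/RELATED/INVALID and a --dport or
--sport option used without a protocol whose match provides ports.
"""
import shlex
from typing import Dict, List, Optional

VALID_STATES = {"NEW", "ESTABLISHED", "RELATED", "INVALID"}
PORT_PROTOCOLS = {"tcp", "udp"}  # -p values whose match extension adds --dport/--sport


def ftp_rules(iface: str, port: int) -> List[str]:
    """Control connection in, plus ESTABLISHED/RELATED traffic both ways.

    RELATED is what admits the FTP data connection; it only matches when
    the ip_conntrack_ftp helper is watching `port` (ports=21,<port>).
    """
    return [
        f"iptables -A INPUT -p tcp -i {iface} --dport {port} -j ACCEPT",
        f"iptables -A INPUT -i {iface} -m state --state ESTABLISHED,RELATED -j ACCEPT",
        "iptables -A OUTPUT -p tcp -m state --state ESTABLISHED,RELATED -j ACCEPT",
    ]


def _option(argv: List[str], flag: str) -> Optional[str]:
    """Value following `flag` in argv, or None when the flag is absent."""
    if flag in argv:
        i = argv.index(flag)
        if i + 1 < len(argv):
            return argv[i + 1]
    return None


def check_rule(rule: str) -> List[str]:
    """Problems found in one rule line; an empty list means it looks sound."""
    argv = shlex.split(rule)
    problems: List[str] = []
    proto = _option(argv, "-p")
    # --dport/--sport come from the tcp/udp match, so "-p all" or no -p fails
    for flag in ("--dport", "--sport"):
        if flag in argv and proto not in PORT_PROTOCOLS:
            problems.append(f"{flag} needs -p tcp or -p udp (got {proto!r})")
    states = _option(argv, "--state")
    if states is not None:
        for st in states.split(","):
            if st not in VALID_STATES:
                problems.append(f"unknown conntrack state {st!r}")
    return problems


def check_rules(rules: List[str]) -> Dict[str, List[str]]:
    """Map each faulty rule to its problems; an empty dict means all passed."""
    report: Dict[str, List[str]] = {}
    for rule in rules:
        problems = check_rule(rule)
        if problems:
            report[rule] = problems
    return report


if __name__ == "__main__":
    rules = ftp_rules("eth0", 8021)
    print("\n".join(rules))
    print("problems:", check_rules(rules))
```

Run the check over a rule script before `iptables-save`, since a rejected rule leaves a hole in the chain while `service iptables restart` still reports success for the rest.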
_______________________________________________ Zope maillist - Zope@zope.org http://lists.zope.org/mailman/listinfo/zope ** No cross posts or HTML encoding! ** (Related lists - http://lists.zope.org/mailman/listinfo/zope-announce http://lists.zope.org/mailman/listinfo/zope-dev )