[Nagiosplug-help] Problem with check_ftp and iptables
Thomas Guyot-Sionnest
dermoth at aei.ca
Thu Oct 23 05:18:52 CEST 2008
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1
On 22/10/08 10:14 AM, Philipp Geschke wrote:
> Hello List,
>
> I have an issue with check_ftp and iptables that I am sure a lot of you have already run into,
> but I seem to be unable to find the right search keywords. My problem is that check_ftp always returns a timeout.
>
> I am using check_ftp v1729 (nagios-plugins 1.4.11) with iptables v1.3.6 (Debian).
> I have iptables fed with a bunch of pretty simple port access rules and a DROP default rule.
>
> Of course I have a problem with active ftp in this scenario,
> because the ftp server cannot establish a connection to the client (My monitoring server, in this case).
>
> I managed to remove this problem with the following firewall rule in place:
>
> -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
>
> and the kernel module ip_conntrack_ftp loaded:
>
> # lsmod | grep conntrack_ftp
> ip_conntrack_ftp 13136 0
>
> Now I am able to establish active ftp sessions FROM the monitoring server to any other server:
>
> # ftp backup-fra1.XXXXXXX
> Connected to backup-fra1.XXXXXXX
> 220 (vsFTPd 2.0.5)
> Name (backup-fra1.XXXXXX:root): xxxxx
> 331 Please specify the password.
> Password:
> 230 Login successful.
> Remote system type is UNIX.
> Using binary mode to transfer files.
> ftp> ls
> 200 PORT command successful. Consider using PASV. <--- connection is in active mode
> 150 Here comes the directory listing.
> -rwxrwx--- 1 1001 34 104857600 Mar 24 2008 100MB.DAT
> -rwxrwx--- 1 1001 34 1048576000 Mar 24 2008 1GB.DAT
> -rwxrwx--- 1 1001 34 524288000 Mar 24 2008 500MB.DAT
> -rw------- 1 1001 65534 3609118720 Oct 20 11:29 rhel-5.2-server-x86_64-dvd.iso
> drwxrwx--- 2 1001 34 4096 Feb 20 2008 test
> 226 Directory send OK.
>
>
> Unfortunately I am unable to use check_ftp on that server. It exits with a timeout every time I use it:
> # /usr/local/nagios/libexec/check_ftp -H mirror.XXXXXX -v
> Using service FTP
> Port: 21
> flags: 0x6
> Quit string: QUIT
>
> server_expect_count: 1
> 0: 220
> CRITICAL - Socket timeout after 10 seconds
>
> netstat showing an established connection on port 21:
> tcp 0 0 nagios.XXXXX:42974 xxx.xxx.xxx.xxx:ftp ESTABLISHED
>
> So I guess the problem is in the connection to the ftp data port, but I never realized that check_ftp needs a data connection?
> The 220 message usually comes on the control connection (which is established).
>
> Did anybody run into this yet? What exactly is the problem, and how can I make it work?
check_ftp is simply a symlink to check_tcp. Called as such, check_tcp
uses port 21, expects a "220" string upon connection and sends a "QUIT"
command to disconnect.
You can see for yourself... check_ftp:
$ plugins/check_ftp -H ftp.kernel.org -v
Using service FTP
Port: 21
flags: 0x6
Quit string: QUIT
server_expect_count: 1
0: 220
received 32 bytes from host
#-raw-recv-------#
220 Welcome to ftp.kernel.org.
#-raw-recv-------#
looking for [220] in beginning of [220 Welcome to ftp.kernel.org.]
found it
FTP OK - 0.182 second response time on port 21 [220 Welcome to ftp.kernel.org.]|time=0.181578s;;;0.000000;10.000000
Now check_tcp with the appropriate parameters (NB the difference in
flags is irrelevant to your socket timeout error):
$ plugins/check_tcp -H ftp.kernel.org -p 21 -e 220 -q QUIT -v
Using service TCP
Port: 21
flags: 0x2
Quit string: QUIT
server_expect_count: 1
0: 220
received 32 bytes from host
#-raw-recv-------#
220 Welcome to ftp.kernel.org.
#-raw-recv-------#
looking for [220] anywhere in [220 Welcome to ftp.kernel.org.]
found it
TCP OK - 0.181 second response time on port 21 [220 Welcome to ftp.kernel.org.]|time=0.181221s;;;0.000000;10.000000
You should also be able to test yourself with telnet (Here I typed
"QUIT" after receiving the "220 Welcome" message, and the remote end
disconnected):
$ telnet ftp.kernel.org 21
Trying 204.152.191.37...
Connected to pub.us.kernel.org.
Escape character is '^]'.
220 Welcome to ftp.kernel.org.
QUIT
221 Goodbye.
Connection closed by foreign host.
Are you able to use all these methods? Also try specifying only the host
and port with check_tcp (no expect/quit strings).
- --
Thomas
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.6 (GNU/Linux)
Comment: Using GnuPG with Mozilla - http://enigmail.mozdev.org
iD8DBQFI/+0c6dZ+Kt5BchYRAuowAKDUkqjfUDId0OkwA/DheN7tgcwbFACg30d4
4B/dNA5h8pTL4KBsl66+8wY=
=6HyG
-----END PGP SIGNATURE-----
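As an added illustration of the behaviour Thomas describes (this is not the nagios-plugins source, nor anything posted in the thread): a small Python probe that does what check_ftp does, connect to port 21, wait for a reply beginning with "220", send "QUIT", and report CRITICAL with "Socket timeout" once the 10-second socket timeout expires. The two servers bundled with it are constructed stand-ins bound to 127.0.0.1: one greets like a real FTP control channel, the other accepts the TCP connection but never sends a banner, which reproduces Philipp's symptom of an ESTABLISHED connection on port 21 together with a timeout. Function and class names here are the example's own.

```python
"""check_ftp-style probe, written for this thread as an illustration; it is
not the nagios-plugins source.  It reproduces what the reply describes:
connect to port 21, expect a reply starting with "220", send "QUIT", and
give up with "Socket timeout" after 10 seconds.  The servers below are
constructed stand-ins on 127.0.0.1, so the script runs offline."""
import socket
import socketserver
import threading
import time

# Nagios plugin exit codes
OK, WARNING, CRITICAL, UNKNOWN = 0, 1, 2, 3


def matches(banner, expect, match_beginning):
    """check_ftp looks for the expect string "in beginning of" the reply;
    plain check_tcp -e looks for it "anywhere in" the reply."""
    return banner.startswith(expect) if match_beginning else expect in banner


def check_tcp(host, port, expect="220", quit_string="QUIT", timeout=10.0,
              match_beginning=True, service="FTP"):
    """Return (exit_code, plugin_output) in the same shape as check_tcp."""
    start = time.monotonic()
    try:
        # create_connection applies `timeout` to the connect and to later recv()
        with socket.create_connection((host, port), timeout=timeout) as sock:
            banner = sock.recv(1024).decode("ascii", errors="replace")
            # the quit string goes out (with CRLF) before the socket is closed
            sock.sendall((quit_string + "\r\n").encode("ascii"))
    except socket.timeout:
        return CRITICAL, f"CRITICAL - Socket timeout after {int(timeout)} seconds"
    except OSError as exc:
        return CRITICAL, f"{service} CRITICAL - {exc}"
    elapsed = time.monotonic() - start
    if not banner:
        return CRITICAL, f"{service} CRITICAL - No data received from host"
    if not matches(banner, expect, match_beginning):
        return CRITICAL, f"{service} CRITICAL - Unexpected response from host: {banner.strip()}"
    return OK, (f"{service} OK - {elapsed:.3f} second response time on port {port} "
                f"[{banner.strip()}]|time={elapsed:.6f}s;;;0.000000;{timeout:.6f}")


class BannerHandler(socketserver.BaseRequestHandler):
    """Constructed FTP control channel: greets with 220, answers QUIT with 221."""
    def handle(self):
        self.request.sendall(b"220 Welcome to the constructed test server.\r\n")
        try:
            if self.request.recv(64).strip().upper() == b"QUIT":
                self.request.sendall(b"221 Goodbye.\r\n")
        except OSError:
            pass  # the client may already have closed; that is fine


class SilentHandler(socketserver.BaseRequestHandler):
    """Accepts the TCP connection but never sends a banner, so the probe sees
    an ESTABLISHED connection on the port yet still times out."""
    def handle(self):
        try:
            self.request.recv(64)  # returns once the client gives up and closes
        except OSError:
            pass


def serve(handler):
    """Start a throwaway server on 127.0.0.1 (OS-chosen port); return (server, port)."""
    server = socketserver.ThreadingTCPServer(("127.0.0.1", 0), handler)
    threading.Thread(target=server.serve_forever, daemon=True).start()
    return server, server.server_address[1]


def probe(handler, **kwargs):
    """Run check_tcp against a constructed server, then tear the server down."""
    server, port = serve(handler)
    try:
        return check_tcp("127.0.0.1", port, **kwargs)
    finally:
        server.shutdown()
        server.server_close()


if __name__ == "__main__":
    for name, handler, kw in (("banner", BannerHandler, {}),
                              ("silent", SilentHandler, {"timeout": 2.0})):
        code, output = probe(handler, **kw)
        print(f"{name}: exit {code}: {output}")
```

The silent server is the useful half: it shows that a completed TCP handshake (what netstat reports as ESTABLISHED) says nothing about whether the 220 greeting ever arrives, which is exactly the distinction Thomas's suggestion to try telnet by hand makes visible.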