[Nagiosplug-help] Problem with check_ftp and iptables

Philipp Geschke nagios at pgmail.net
Wed Oct 22 16:14:16 CEST 2008


Hello List,

I have an issue with check_ftp and iptables that I am sure a lot of you have already run into,
but I seem to be unable to find the right search keywords. My problem is that check_ftp always returns a timeout.

I am using check_ftp v1729 (nagios-plugins 1.4.11) with iptables v1.3.6 (Debian).
I have iptables fed with a bunch of pretty simple port access rules and a DROP default rule.

Of course I have a problem with active ftp in this scenario,
because the ftp server cannot establish a connection to the client (my monitoring server, in this case).

I managed to remove this problem with the following firewall rule in place:

-A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT

and the kernel module ip_conntrack_ftp loaded:

# lsmod | grep conntrack_ftp
ip_conntrack_ftp       13136  0

Now I am able to establish active ftp sessions FROM the monitoring server to any other server:

# ftp backup-fra1.XXXXXXX
Connected to backup-fra1.XXXXXXX
220 (vsFTPd 2.0.5)
Name (backup-fra1.XXXXXX:root): xxxxx
331 Please specify the password.
Password:
230 Login successful.
Remote system type is UNIX.
Using binary mode to transfer files.
ftp> ls
200 PORT command successful. Consider using PASV.      <--- connection is in active mode
150 Here comes the directory listing.
-rwxrwx---    1 1001     34       104857600 Mar 24  2008 100MB.DAT
-rwxrwx---    1 1001     34       1048576000 Mar 24  2008 1GB.DAT
-rwxrwx---    1 1001     34       524288000 Mar 24  2008 500MB.DAT
-rw-------    1 1001     65534    3609118720 Oct 20 11:29 rhel-5.2-server-x86_64-dvd.iso
drwxrwx---    2 1001     34           4096 Feb 20  2008 test
226 Directory send OK.


Unfortunately I am unable to use check_ftp on that server. It exits with a timeout every time I use it:
# /usr/local/nagios/libexec/check_ftp -H mirror.XXXXXX -v
Using service FTP
Port: 21
flags: 0x6
Quit string: QUIT

server_expect_count: 1
        0: 220
CRITICAL - Socket timeout after 10 seconds

netstat showing an established connection on port 21:
tcp        0      0 nagios.XXXXX:42974 xxx.xxx.xxx.xxx:ftp       ESTABLISHED

So I guess the problem is in the connection to the ftp data port, but I never realized that check_ftp needs a data connection?
The 220 message usually comes on the control connection (which is established).

Has anybody run into this yet? What exactly is the problem, and how can I make it work?

Any hint is appreciated!


--
Cheers,
Philipp
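Added example, not from the post and not nagios-plugins code: a minimal FTP control-connection banner probe in Python that does what the `check_ftp -v` output above describes (connect to port 21, wait for a greeting line beginning with `220`, send `QUIT`). It never issues PORT or PASV, so no data connection and no conntrack FTP helper are involved in this check. A constructed in-process fake FTP listener is included so the probe runs offline; the function names, the prefix match on `220`, the result wording and the fake banner text are assumptions of this example.

```python
import socket
import threading

# Added example (not nagios-plugins code): a banner probe that mirrors what
# the check_ftp -v output on the page describes: port 21, expect "220", send QUIT.
# Only the FTP control connection is used; no PORT/PASV is ever issued, so
# no data connection and no conntrack helper comes into play.


def check_ftp_banner(host, port=21, expect="220", quit_string="QUIT\r\n", timeout=10.0):
    """Connect to the FTP control port, read the greeting line and compare it.

    Returns (state, message) with state "OK" or "CRITICAL". The prefix match
    on `expect` and the message wording are assumptions of this example.
    """
    try:
        with socket.create_connection((host, port), timeout=timeout) as sock:
            sock.settimeout(timeout)
            banner = b""
            # Read until the end of the first line (the greeting) or EOF.
            while not banner.endswith(b"\n"):
                chunk = sock.recv(1024)
                if not chunk:
                    break
                banner += chunk
            text = banner.decode("ascii", "replace").strip()
            try:
                sock.sendall(quit_string.encode("ascii"))  # polite close on the control channel
            except OSError:
                pass
    except socket.timeout:
        # TCP connected (or not) but no greeting line arrived in time:
        # the symptom reported in the post.
        return "CRITICAL", f"Socket timeout after {timeout:g} seconds"
    except OSError as exc:
        return "CRITICAL", f"connection failed: {exc}"
    if text.startswith(expect):
        return "OK", text
    return "CRITICAL", f"unexpected greeting: {text!r}"


def start_fake_ftp(banner=b"220 (constructed test banner)\r\n"):
    """Start a one-shot fake FTP control listener on 127.0.0.1 (constructed test fixture).

    Sends `banner` (nothing at all if it is empty, to simulate a silent server),
    reads whatever the client sends, then closes. Returns the listening port.
    """
    srv = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    srv.setsockopt(socket.SOL_SOCKET, socket.SO_REUSEADDR, 1)
    srv.bind(("127.0.0.1", 0))
    srv.listen(1)
    port = srv.getsockname()[1]

    def serve():
        conn, _ = srv.accept()
        srv.close()
        with conn:
            try:
                if banner:
                    conn.sendall(banner)
                conn.recv(64)  # consume the QUIT, or notice the client has gone away
            except OSError:
                pass

    threading.Thread(target=serve, daemon=True).start()
    return port


if __name__ == "__main__":
    # Healthy server: greeting arrives at once, probe reports OK.
    print(check_ftp_banner("127.0.0.1", start_fake_ftp(), timeout=3.0))
    # Silent server: the TCP handshake completes (netstat would show ESTABLISHED)
    # but no greeting is ever sent, so the probe times out.
    print(check_ftp_banner("127.0.0.1", start_fake_ftp(banner=b""), timeout=0.5))
    # Server that greets with a non-220 reply code.
    print(check_ftp_banner("127.0.0.1",
                           start_fake_ftp(banner=b"421 Service not available\r\n"),
                           timeout=3.0))
```

The second case in the `__main__` block reproduces the situation described above: the control socket is ESTABLISHED, yet the check reports a socket timeout because the greeting line was never read within the timeout. A data connection is not needed for this kind of check, so a timeout here points at the control channel (the greeting not arriving, or arriving late) rather than at the active-mode data path that the conntrack helper fixes.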
