[Nagiosplug-help] Problem with check_ftp and iptables

Thomas Guyot-Sionnest dermoth at aei.ca
Thu Oct 23 05:18:52 CEST 2008



On 22/10/08 10:14 AM, Philipp Geschke wrote:
> Hello List,
> 
> I have an issue with check_ftp and iptables that I am sure a lot of you have already run into,
> but I seem to be unable to find the right search keywords. My problem is that check_ftp always returns a timeout.
> 
> I am using check_ftp v1729 (nagios-plugins 1.4.11) with iptables v1.3.6 (Debian).
> I have iptables fed with a bunch of pretty simple port access rules and a DROP default rule.
> 
> Of course I have a problem with active ftp in this scenario,
> because the ftp server cannot establish a connection to the client (My monitoring server, in this case).
> 
> I managed to remove this problem with the following firewall rule in place:
> 
> -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
> 
> and the kernel module ip_conntrack_ftp loaded:
> 
> # lsmod | grep conntrack_ftp
> ip_conntrack_ftp       13136  0
> 
> Now I am able to establish active ftp sessions FROM the monitoring server to any other server:
> 
> # ftp backup-fra1.XXXXXXX
> Connected to backup-fra1.XXXXXXX
> 220 (vsFTPd 2.0.5)
> Name (backup-fra1.XXXXXX:root): xxxxx
> 331 Please specify the password.
> Password:
> 230 Login successful.
> Remote system type is UNIX.
> Using binary mode to transfer files.
> ftp> ls
> 200 PORT command successful. Consider using PASV.      <--- connection is in active mode
> 150 Here comes the directory listing.
> -rwxrwx---    1 1001     34       104857600 Mar 24  2008 100MB.DAT
> -rwxrwx---    1 1001     34       1048576000 Mar 24  2008 1GB.DAT
> -rwxrwx---    1 1001     34       524288000 Mar 24  2008 500MB.DAT
> -rw-------    1 1001     65534    3609118720 Oct 20 11:29 rhel-5.2-server-x86_64-dvd.iso
> drwxrwx---    2 1001     34           4096 Feb 20  2008 test
> 226 Directory send OK.
> 
> 
> Unfortunately I am unable to use check_ftp on that server. It exits with a timeout every time I use it:
> # /usr/local/nagios/libexec/check_ftp -H mirror.XXXXXX -v
> Using service FTP
> Port: 21
> flags: 0x6
> Quit string: QUIT
> 
> server_expect_count: 1
>         0: 220
> CRITICAL - Socket timeout after 10 seconds
> 
> netstat showing an established connection on port 21:
> tcp        0      0 nagios.XXXXX:42974 xxx.xxx.xxx.xxx:ftp       ESTABLISHED
> 
> So I guess the problem is in the connection to the ftp data port, but I never realized that check_ftp needs a data connection?
> The 220 message usually comes on the control connection (which is established).
> 
> Did anybody run into this yet? What exactly is the problem, and how can I make it work?

check_ftp is simply a symlink to check_tcp. Called as such, check_tcp
uses port 21, expects a "220" string upon connection and sends a "QUIT"
command to disconnect.

You can see for yourself... check_ftp:

$ plugins/check_ftp -H ftp.kernel.org -v
Using service FTP
Port: 21
flags: 0x6
Quit string: QUIT

server_expect_count: 1
	0: 220
received 32 bytes from host
#-raw-recv-------#
220 Welcome to ftp.kernel.org.

#-raw-recv-------#
looking for [220] in beginning of [220 Welcome to ftp.kernel.org.]
found it
FTP OK - 0.182 second response time on port 21 [220 Welcome to
ftp.kernel.org.]|time=0.181578s;;;0.000000;10.000000


Now check_tcp with the appropriate parameters (NB the difference in
flags is irrelevant to your socket timeout error):

$ plugins/check_tcp -H ftp.kernel.org -p 21 -e 220 -q QUIT -v
Using service TCP
Port: 21
flags: 0x2
Quit string: QUIT

server_expect_count: 1
	0: 220
received 32 bytes from host
#-raw-recv-------#
220 Welcome to ftp.kernel.org.

#-raw-recv-------#
looking for [220] anywhere in [220 Welcome to ftp.kernel.org.]
found it
TCP OK - 0.181 second response time on port 21 [220 Welcome to
ftp.kernel.org.]|time=0.181221s;;;0.000000;10.000000

You should also be able to test yourself with telnet (Here I typed
"QUIT" after receiving the "220 Welcome" message, and the remote end
disconnected):

$ telnet ftp.kernel.org 21
Trying 204.152.191.37...
Connected to pub.us.kernel.org.
Escape character is '^]'.
220 Welcome to ftp.kernel.org.
QUIT
221 Goodbye.
Connection closed by foreign host.


Are you able to use all these methods? Also try specifying only the host
and port with check_tcp (no expect/quit strings).

--
Thomas
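As an added illustration (not part of this thread or of nagios-plugins), here is the exchange check_ftp performs, written out in Python: connect to the control port, wait for the banner, require "220" at the beginning of it (check_tcp -e matches anywhere), then send QUIT. A constructed in-process server on 127.0.0.1 stands in for the vsFTPd control port; with send_banner=False it accepts the TCP connection but never sends a banner, which reproduces an ESTABLISHED socket in netstat that still ends in "Socket timeout".

```python
import socket
import threading

OK, CRITICAL = 0, 2  # Nagios plugin exit codes


def banner_matches(received, expect="220", at_beginning=True):
    """check_ftp looks for the expect string at the beginning of the reply;
    plain check_tcp -e looks for it anywhere in the reply."""
    return received.startswith(expect) if at_beginning else (expect in received)


def ftp_control_probe(host, port=21, expect="220", quit_string="QUIT", timeout=10.0):
    """Mimic check_ftp: connect, read the banner, send QUIT; return (code, message).
    Only the control connection is used, no data connection is ever opened."""
    try:
        with socket.create_connection((host, port), timeout=timeout) as sock:
            banner = sock.recv(1024).decode(errors="replace")  # raises socket.timeout
            if not banner_matches(banner, expect):
                return CRITICAL, f"CRITICAL - unexpected reply [{banner.strip()}]"
            sock.sendall((quit_string + "\r\n").encode())
            return OK, f"FTP OK - [{banner.strip()}] on port {port}"
    except socket.timeout:
        # TCP handshake succeeded (ESTABLISHED) but no banner arrived in time.
        return CRITICAL, f"CRITICAL - Socket timeout after {timeout:g} seconds"
    except OSError as exc:
        return CRITICAL, f"CRITICAL - {exc}"


def fake_ftp_server(send_banner=True):
    """Constructed stand-in for an FTP control port on 127.0.0.1; returns its port.
    With send_banner=False it accepts the connection but stays silent."""
    srv = socket.socket()
    srv.bind(("127.0.0.1", 0))
    srv.listen(1)

    def serve():
        conn, _ = srv.accept()
        with conn:
            try:
                if send_banner:
                    conn.sendall(b"220 (vsFTPd 2.0.5)\r\n")  # constructed banner
                    if conn.recv(64).startswith(b"QUIT"):
                        conn.sendall(b"221 Goodbye.\r\n")
                else:
                    conn.recv(64)  # block until the client gives up and closes
            except OSError:
                pass
        srv.close()

    threading.Thread(target=serve, daemon=True).start()
    return srv.getsockname()[1]
```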