Ping a Specific Port

Question

S19N

Asked: 2016-12-31 06:30:07 +0800 CST2016-12-31 06:30:07 +0800 CST 2016-12-31 06:30:07 +0800 CST

ip_conntrack_ftp inside LXC

772

ProFTPd instance on a LXC container behind NAT
LXC container is using bridged networking
PassivePorts 60000 61000 has been defined in proftpd.conf
nf_nat_ftp and nf_conntrack_ftp loaded on the host running the container

iptables inside the container contains

-A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
-A INPUT -p tcp --dport 21 -m conntrack --ctstate NEW -j ACCEPT

Why does Passive mode only work when I explicitly open passive ports with

-A INPUT -p tcp -m tcp --dport 60000:61000 -j ACCEPT

? Shouldn't this be automatically managed by the nf_conntrack_ftp helper module?

1 Answers

Voted

Helmut Emmelmann · Answer 1 · 2017-01-25T10:48:49+08:00

Helmut Emmelmann

2017-01-25T10:48:49+08:002017-01-25T10:48:49+08:00

I experienced the problem that after installing lxc together with a new version of the linux kernel needed, the connection tracker helpers stopped working. This, however, was not a problem of lxc but a problem of the kernel and I could get around it by adding

net.netfilter.nf_conntrack_helper=1

to sysctl.conf. Apparently newer kernels after 4.7 have better ways to configure the helpers (and probably using them would be a better answer to this question) and therefore net.netfilter.nf_conntrack_helper=0 is the default now, see here.

2

ip_conntrack_ftp inside LXC

Can you pass user/pass for HTTP Basic Authentication in URL parameters?

Ping a Specific Port

Check if port is open or closed on a Linux server?

How to automate SSH login with password?

How do I tell Git for Windows where to find my private RSA key?

What's the default superuser username/password for postgres after a new install?

What port does SFTP use?

Command line to list users in a Windows Active Directory group?

What is a Pem file and how does it differ from other OpenSSL Generated Key File Formats?

How to determine if a bash variable is empty?