FTP problem - nf_ct_ftp: dropping packet: partial matching of 227

sitte

I'm trying to back up a user in DirectAdmin on server "X.X.X.123" and send the backup via FTP to another DirectAdmin server "X.X.X.124". I get this error on server "X.X.X.123":
/usr/local/bin/curl returned error code 7 curl: (7) Failed to connect to X.X.X.124 port 21: Connection refused FTP information invalid.

On server ".124" I have this in the messages log:
Oct 21 10:52:55 server-X-X-X-124 kernel: nf_ct_ftp: dropping packet: partial matching of `227 ' IN= OUT= SRC=X.X.X.124 DST=X.X.X.123 LEN=77 TOS=0x10 PREC=0x00 TTL=64 ID=54342 DF PROTO=TCP SPT=21 DPT=35902 SEQ=1069358425 ACK=428360306 WINDOW=227 RES=0x00 ACK PSH FIN URGP=0 OPT (0101080A5A16EFE701EA45E90101050A1988427119884272)

Both servers work with other servers, both are fully accessible via FTP from Total Commander, and the FTP credentials have been checked many times.
I tried increasing PassivePortRange, but no results.
I tried switching from PureFTP to ProFTP, but no results.
I tried adding X.X.X.123 as allowed and ignored in the X.X.X.124 firewall.

I would appreciate any hints.
 
on server "X.X.X.123" and send backup via ftp to another DirectAdmin server "X.X.X.124".
Are you sure it's not the other way around? Because from the log from the .124 I read:

Code:
SRC=X.X.X.124 DST=X.X.X.123
which means the source .124 is sending to destination .123. That's the other way around from what you are saying.

Also check this:
PROTO=TCP SPT=21 DPT=35902
It seems passive FTP is used, which can also be seen from the "partial matching 227".

Port 35902 is within the passive port range Directadmin is using.

I'm only surprised that DA is using passive ports. Curl error 7 can occur when curl is trying to connect to a non-default port (pasv is also non-default).

On both servers do a csf -x and see if it works in that case.

If yes, then on both servers be sure that ports 20 and 21 are open in both directions (incoming and outgoing), and the same for ports 35000:35999, so that passive FTP works correctly.
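To make the kernel message in the log concrete, here is an added Python example (not code from this thread, from DirectAdmin, or from the Linux kernel) that approximates how the nf_conntrack_ftp helper searches a server-to-client segment for a PASV reply. The helper looks for the constant text "227 ", skips to "(", and then needs the full "h1,h2,h3,h4,p1,p2)" tuple in the same TCP segment; anything that starts with "227 " but does not complete that grammar is reported as "partial matching of `227 '" and the packet is dropped. The data port comes from p1*256+p2 in that tuple, not from the control connection's port numbers. The sample segments, the 10.0.0.124 address and the 35000:35999 range used for the check are constructed assumptions.

```python
"""Approximation (added example) of the nf_conntrack_ftp "227 " search."""
from __future__ import annotations

import re
from dataclasses import dataclass
from typing import Optional

# find_pattern() return codes in the kernel helper: 1 = full match,
# 0 = pattern not present, -1 = partial match (packet is dropped).
FULL, NOMATCH, PARTIAL = 1, 0, -1

PASV_PATTERN = b"227 "   # constant prefix of an RFC 959 PASV reply
PASV_SKIP = b"("         # helper skips forward to this character
PASV_TERM = b")"         # and expects the 6-number tuple to end here

# Passive range quoted in the thread (35000:35999); an assumption for the check.
PASV_RANGE = (35000, 35999)


@dataclass
class PasvEndpoint:
    host: str
    port: int


def try_rfc959(data: bytes, term: bytes) -> tuple[int, Optional[PasvEndpoint]]:
    """Parse 'h1,h2,h3,h4,p1,p2' followed by term, like the kernel's try_rfc959().

    Returns (bytes consumed, endpoint) or (0, None) when the tuple is
    malformed or cut off. Like the kernel, no range check on the numbers.
    """
    m = re.match(rb"(\d+),(\d+),(\d+),(\d+),(\d+),(\d+)" + re.escape(term), data)
    if not m:
        return 0, None
    n = [int(x) for x in m.groups()]
    host = ".".join(str(x) for x in n[:4])
    port = (n[4] << 8) | n[5]   # p1*256 + p2
    return m.end(), PasvEndpoint(host, port)


def find_227(payload: bytes) -> tuple[int, Optional[PasvEndpoint]]:
    """Search one server->client TCP payload for a complete PASV reply.

    Mirrors the control flow of find_pattern(): the text after "227 " must
    reach '(' and a well-formed tuple ending in ')' inside THIS segment,
    otherwise the result is PARTIAL and the real helper drops the packet.
    """
    plen = len(PASV_PATTERN)
    if len(payload) <= plen:
        # Short packet: partial if what we have is a prefix of "227 ".
        return (PARTIAL if PASV_PATTERN.startswith(payload) else NOMATCH), None
    if not payload.startswith(PASV_PATTERN):
        return NOMATCH, None
    i = payload.find(PASV_SKIP, plen)
    if i == -1:
        return PARTIAL, None           # ran off the end looking for '('
    consumed, ep = try_rfc959(payload[i + 1:], PASV_TERM)
    if consumed == 0:
        return PARTIAL, None           # tuple missing, malformed or truncated
    return FULL, ep


def in_passive_range(port: int, lo: int = PASV_RANGE[0], hi: int = PASV_RANGE[1]) -> bool:
    """True when the advertised data port falls inside the firewall's passive range."""
    return lo <= port <= hi


def verdict(payload: bytes) -> str:
    """Human-readable outcome for one segment, in the helper's own terms."""
    found, ep = find_227(payload)
    if found == PARTIAL:
        return "DROP: partial matching of `227 '"
    if found == NOMATCH:
        return "ACCEPT: no PASV reply in this segment"
    where = "inside" if in_passive_range(ep.port) else "OUTSIDE"
    return f"ACCEPT: expect data connection to {ep.host}:{ep.port} ({where} {PASV_RANGE[0]}:{PASV_RANGE[1]})"


# Constructed sample segments (not captures from the thread).
SAMPLES = {
    "complete": b"227 Entering Passive Mode (10,0,0,124,140,62)\r\n",
    "cut_in_tuple": b"227 Entering Passive Mode (10,0,0,124",
    "no_tuple": b"227 Entering Passive Mode\r\n",
    "banner": b"220 ProFTPD Server ready\r\n",
    "tiny": b"227",
}

if __name__ == "__main__":
    for name, seg in SAMPLES.items():
        print(f"{name:12} {verdict(seg)}")
```

The "complete" sample decodes to port 140*256+62 = 35902 and is accepted; the three segments that start with "227 " but never reach a closing ")" are the ones the helper drops. The logged segment in this thread carried PSH and FIN, so whatever the server put in that last segment is all the helper had to match against. This example covers only the pattern-matching step; the real helper also does NAT and expectation handling after a full match, which is out of scope here.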
 
@sitte
1. Your OS on both servers?
2. Do you have csf installed on both servers?
3. Output of the command cat /proc/sys/net/netfilter/nf_conntrack_helper
 
Are you sure it's not the other way around? Because from the log from the .124
Code:
SRC=X.X.X.124 DST=X.X.X.123
which means the source .124 is sending to destination .123. That's the other way around from what you are saying.
I'm sure of the direction, it's X.X.X.123 to X.X.X.124. I think that log is about the answer, which is why src is X.X.X.124.

It seems passive FTP is used, which can also be seen from the "partial matching 227". Port 35902 is within the passive port range Directadmin is using. I'm only surprised that DA is using passive ports. Curl error 7 can occur when curl is trying to connect to a non-default port (pasv is also non-default).
On both servers do a csf -x and see if it works in that case.
I do not have full control over the source X.X.X.123, I cannot disable csf on it, but I disabled it on the destination with no result.
If the destination server has "nf_ct_ftp: dropping packet" in its logs, then the connection cannot be blocked by the source server? I'm not sure.

If yes, then on both servers be sure that ports 20 and 21 are open in both directions (incoming and outgoing), and the same for ports 35000:35999, so that passive FTP works correctly.
I checked, both incoming and outgoing ports are open.

What's strange is that I can connect to this server via Total Commander regardless of whether I select passive or active mode. Another DirectAdmin server can upload with no problem.
 
@sitte
1. Your OS on both servers?
Source: CentOS 7
Destination: CentOS 7

2. Do you have csf installed on both servers?
Source is managed, csf is active there, I cannot disable it.
Destination is self-managed, csf is active but I deactivated it for a moment with no result.

3. Output of the command cat /proc/sys/net/netfilter/nf_conntrack_helper
# cat /proc/sys/net/netfilter/nf_conntrack_helper
1
 
The problem disappeared after updating curl on the source server.

I'm only surprised that DA is using passive ports. Curl error 7 can occur when curl is trying to connect to a non-default port (pasv is also non-default).
Thank you very much for pointing me to what the problem could be.
 