On Feb 27 2008 15:36, Jozsef Kadlecsik wrote:
>
>On Wed, 27 Feb 2008, Jan Engelhardt wrote:
>
>> in nf_conntrack_ftp.c for example we find
>>
>> ftp[i][j].tuple.src.u.tcp.port = htons(ports[i]);
>>
>> assuming the user does not specify any ports on modprobe, the default
>> port list defaults to {21}, so ftp[0][x].tuple.src will contain port 21.
>> But even ftp connections to non-21 ports are inspected for PORT
>> commands.
>
>Why do you think so? Ports not specified as FTP command ports are not
>parsed.

Yes, I find it strange. On the router (192.168.222.1), I do:

# iptables -t nat -A PREROUTING -d 134.76.12.5 -p tcp --dport 2121 -j DNAT --to 134.76.12.5:21

and on the client (192.168.222.24):

# conntrack -E expect &
# ftp 134.76.12.5 2121
Connected to ftp5.gwdg.de.
220 "Welcome to FTP5.GWDG.DE."
Name (ftp5.gwdg.de:jengelh): ftp
331 Please specify the password.
Password:
230 Login successful.
Remote system type is UNIX.
Using binary mode to transfer files.
ftp> dir
300 proto=6 src=192.168.222.24 dst=134.76.12.5 sport=0 dport=32238
229 Entering Extended Passive Mode (|||32238|)
150 Here comes the directory listing.
drwx------    2 ftp      ftp         16384 Apr 20  2006 lost+found
drwxr-xr-x   33 ftp      ftp          4096 Feb 27 00:58 pub
226 Directory send OK.
ftp>

The 300 proto=6 line comes from conntrack -E --- but if nf_conntrack_ftp
does not parse streams to port 2121 by default, how could it have set up
the expectation?

Case 2. On the router:

# iptables -t nat -A PREROUTING -p tcp --dport 2121 -j REDIRECT --to-ports 21
# rcvsftpd start

On the client:

# ftp 192.168.222.1 2121
Connected to 192.168.222.1.
220 (vsFTPd 2.0.5)
Name (192.168.222.1:jengelh): ftp
331 Please specify the password.
Password:
230 Login successful.
Remote system type is UNIX.
Using binary mode to transfer files.
ftp> dir
229 Entering Extended Passive Mode (|||7366|)
150 Here comes the directory listing.
226 Directory send OK.

and this does not analyze ftp, just as I would have guessed from the C code.
But what's with case 1?
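As an added example (not part of this thread or of netfilter), here is a small Python check that does mechanically what the two transcripts above do by eye: it pairs every data port a server announces in an EPSV (229) or PASV (227) reply with the expectation that "conntrack -E expect" reports for it, so the ports for which the ftp helper opened no expectation stand out. The event and reply line formats are assumed from the transcripts above; the sample transcript is constructed.

```python
import re

# Constructed sample shaped like the transcripts above: an ftp(1) control
# session interleaved with "conntrack -E expect" events. In the first
# listing the helper set up an expectation, in the second it did not.
SAMPLE = """\
ftp> dir
300 proto=6 src=192.168.222.24 dst=134.76.12.5 sport=0 dport=32238
229 Entering Extended Passive Mode (|||32238|)
150 Here comes the directory listing.
226 Directory send OK.
ftp> dir
229 Entering Extended Passive Mode (|||7366|)
150 Here comes the directory listing.
226 Directory send OK.
"""

# Field layout assumed from the "300 proto=6 src=... dport=..." line above.
EXPECT_RE = re.compile(r"^\d+ proto=(\d+) src=(\S+) dst=(\S+) sport=(\d+) dport=(\d+)")
EPSV_RE = re.compile(r"^229 .*\(\|\|\|(\d+)\|\)")
PASV_RE = re.compile(r"^227 .*\((\d+),(\d+),(\d+),(\d+),(\d+),(\d+)\)")


def announced_port(line):
    """Data port announced by an EPSV (229) or PASV (227) reply, else None."""
    m = EPSV_RE.match(line)
    if m:
        return int(m.group(1))
    m = PASV_RE.match(line)
    if m:
        return int(m.group(5)) * 256 + int(m.group(6))  # PASV encodes p1,p2
    return None


def match_expectations(text):
    """Return [(announced_port, expectation_event_or_None), ...] in transcript order.

    The event usually precedes the reply line (conntrack prints it while the
    reply is still in flight), but an event printed later is attached too.
    """
    events, replies = {}, []
    for line in text.splitlines():
        m = EXPECT_RE.match(line)
        if m:
            proto, src, dst, sport, dport = m.groups()
            ev = {"proto": int(proto), "src": src, "dst": dst,
                  "sport": int(sport), "dport": int(dport)}
            late = [r for r in replies if r[0] == ev["dport"] and r[1] is None]
            if late:
                late[0][1] = ev          # event arrived after its reply line
            else:
                events[ev["dport"]] = ev
            continue
        port = announced_port(line)
        if port is not None:
            replies.append([port, events.pop(port, None)])
    return [(p, ev) for p, ev in replies]
```

Ports reported with None are data connections the ftp helper never saw, which is the difference between case 1 and case 2 above.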