On Feb 27 2008 18:12, Patrick McHardy wrote:

>> > Why do you think so? Ports not specified as FTP command ports are not
>> > parsed.
>>
>> Yes, I find it strange. On the router (192.168.222.1), I do:
>>
>> # iptables -t nat -A PREROUTING -d 134.76.12.5 -p tcp --dport 2121
>> -j DNAT --to 134.76.12.5:21
>>
>> and on the client (192.168.222.24):
>>
>> # conntrack -E expect &
>> # ftp 134.76.12.5 2121
>> Connected to ftp5.gwdg.de.
>> 220 "Welcome to FTP5.GWDG.DE."
>> Name (ftp5.gwdg.de:jengelh): ftp
>> 331 Please specify the password.
>> Password:
>> 230 Login successful.
>> Remote system type is UNIX.
>> Using binary mode to transfer files.
>> ftp> dir
>> 300 proto=6 src=192.168.222.24 dst=134.76.12.5 sport=0 dport=32238
>> 229 Entering Extended Passive Mode (|||32238|)
>> 150 Here comes the directory listing.
>> drwx------    2 ftp      ftp         16384 Apr 20  2006 lost+found
>> drwxr-xr-x   33 ftp      ftp          4096 Feb 27 00:58 pub
>> 226 Directory send OK.
>> ftp>
>>
>> The 300 proto=6 line comes from conntrack -E --- but if nf_conntrack_ftp
>> does not parse streams to port 2121 by default, how could it have
>> set up the expectation?
>
> When NATing packets the helper lookup is repeated based
> on the final tuple.

But the machine I am running conntrack -E and ftp from does not see
the NATting taking place higher up in the routing chain, does it?
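The check behind the question above, as an added example that is not part of the thread or of conntrack-tools: given the output of `conntrack -E expect` interleaved with the FTP client transcript, parse the expectation tuples and the 227/229 passive-mode replies, and report whether each announced data port has an expectation pointing at it. A reply with a matching expectation means a helper did parse that control channel; a reply without one means no helper was attached. The sample input is constructed: the first lines are taken from the transcript above, and the trailing PASV reply is invented to show the no-expectation case. The `server` argument and the acceptance of a `[NEW]` prefix on expectation lines are assumptions, not something the thread shows.

```python
"""Correlate `conntrack -E expect` events with FTP passive-mode replies.

Added example, not part of the thread or of conntrack-tools. It parses the
expectation lines conntrack prints and the 227/229 replies in an FTP
transcript, and checks that every announced data port has an expectation
pointing at it, i.e. that a conntrack helper actually parsed that control
channel.
"""
from __future__ import annotations

import re
from dataclasses import dataclass
from typing import Optional

# `conntrack -E expect` line in the form shown in the thread. The leading
# number is the expectation's lifetime in seconds. Assumption: newer
# conntrack-tools prefix an event type such as "[NEW]"; it is accepted and ignored.
EXPECT_RE = re.compile(
    r"^(?:\[\w+\]\s+)?(?P<timeout>\d+)\s+proto=(?P<proto>\d+)\s+"
    r"src=(?P<src>\S+)\s+dst=(?P<dst>\S+)\s+"
    r"sport=(?P<sport>\d+)\s+dport=(?P<dport>\d+)"
)
# RFC 2428: "229 Entering Extended Passive Mode (|||port|)"
EPSV_RE = re.compile(r"^229 .*\(\|\|\|(?P<port>\d+)\|\)")
# RFC 959: "227 Entering Passive Mode (h1,h2,h3,h4,p1,p2)", port = p1*256 + p2
PASV_RE = re.compile(r"^227 .*\((\d+),(\d+),(\d+),(\d+),(\d+),(\d+)\)")


@dataclass(frozen=True)
class Expectation:
    timeout: int
    proto: int
    src: str
    dst: str
    sport: int  # 0: any client source port (the helper masks it out)
    dport: int  # the data port announced on the control channel


@dataclass(frozen=True)
class DataPort:
    mode: str             # "EPSV" or "PASV"
    host: Optional[str]   # PASV carries a host; EPSV reuses the control-connection peer
    port: int


def parse_expectations(text: str) -> list[Expectation]:
    """Extract every expectation event from the mixed transcript."""
    out = []
    for line in text.splitlines():
        m = EXPECT_RE.match(line.strip())
        if m:
            out.append(Expectation(int(m["timeout"]), int(m["proto"]), m["src"],
                                   m["dst"], int(m["sport"]), int(m["dport"])))
    return out


def parse_data_ports(text: str) -> list[DataPort]:
    """Extract the data ports announced by 229 (EPSV) and 227 (PASV) replies."""
    out = []
    for line in text.splitlines():
        line = line.strip()
        m = EPSV_RE.match(line)
        if m:
            out.append(DataPort("EPSV", None, int(m["port"])))
            continue
        m = PASV_RE.match(line)
        if m:
            h1, h2, h3, h4, p1, p2 = (int(g) for g in m.groups())
            out.append(DataPort("PASV", f"{h1}.{h2}.{h3}.{h4}", p1 * 256 + p2))
    return out


def correlate(transcript: str, server: str) -> list[tuple[DataPort, Optional[Expectation]]]:
    """Pair each passive-mode reply with the expectation created for it, or None.

    A match is TCP (proto 6), points at the announced host:port and has
    sport=0, which is how the FTP helper registers "any client port"."""
    expectations = parse_expectations(transcript)
    pairs = []
    for dp in parse_data_ports(transcript):
        host = dp.host or server  # EPSV gives no host; use the control-connection peer
        match = next((e for e in expectations
                      if e.proto == 6 and e.dst == host
                      and e.dport == dp.port and e.sport == 0), None)
        pairs.append((dp, match))
    return pairs


# Constructed sample: the expectation and 229 lines are from the thread's
# transcript; the 227 line is invented to show a reply with no expectation.
SERVER = "134.76.12.5"
SAMPLE = """\
300 proto=6 src=192.168.222.24 dst=134.76.12.5 sport=0 dport=32238
229 Entering Extended Passive Mode (|||32238|)
150 Here comes the directory listing.
226 Directory send OK.
227 Entering Passive Mode (134,76,12,5,125,240)
"""

if __name__ == "__main__":
    for dp, exp in correlate(SAMPLE, SERVER):
        status = "expectation present" if exp else "NO expectation (helper did not parse this channel)"
        print(f"{dp.mode} port {dp.port}: {status}")
```

Note that in the transcript the expectation event is printed before the 229 reply that caused it: the helper creates the expectation as the reply passes through conntrack, before the ftp client gets to print the line. If you reproduce this on a kernel from 4.7 onwards, where automatic helper assignment is off by default, the DNAT alone will produce no expectation at all; the helper then has to be bound explicitly, for example with `iptables -t raw -A PREROUTING -p tcp --dport 2121 -j CT --helper ftp` on the router, matching the pre-NAT port because the raw table runs before nat PREROUTING.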