Re: conntrack_ftp and DNAT


 



Klaus Ethgen <Klaus+lkml@xxxxxxxxx> wrote:
> > 2. ftp server uses foreign (non-local) ip addresses in PORT command
> >    (this needs fixing of ftp server or use of 'loose' mode, see modinfo
> >     nf_conntrack_ftp)
> 
> It is a standard proftpd with the following relevant settings:
>    PassivePorts 52100 52199
>    MasqueradeAddress X.X.X.X
> Where X.X.X.X is the outside IP.

Try without the "MasqueradeAddress".

The netfilter conntrack helper by default only installs expectations for
PORT addresses that match the originating ip of the control connection.

If the server already uses the to-be-natted-to address in the
control connection the helper will ignore them unless you enable
"loose" tracking (see modinfo above).

Doing that has security implications (which can be worked around
by restricting related matches like this):

-s (address) -d (address) -m conntrack --ctstate RELATED -m helper
--helper ftp -j ACCEPT
-p tcp -m conntrack --ctstate RELATED -j DROP

> > you seem to be using a bridge, maybe there is some bug w.
> > call-iptables...  I can have a look next week.
> 
> Yes. This is using a bridge that bridges between the master and its KVM
> hosts.
> 
> How can I check or rule out this?

I guess it's caused by the ProFTPD masquerade setting.
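As an added illustration of the behaviour described in this reply (not code from the thread, and not the kernel's nf_conntrack_ftp implementation), the following Python script models the helper's decision: it parses the h1,h2,h3,h4,p1,p2 tuple from a PORT command or a 227 passive-mode reply and only "installs an expectation" when the advertised address equals the address that sent the line on the control connection, unless loose mode is on. The sample addresses (10.0.0.10 for the internal server, 203.0.113.5 as the MasqueradeAddress, 198.51.100.7 for a client) and the FTP lines are constructed for the example; the comparison against the sending IP is a simplification of what the real helper checks.

```python
import re

# h1,h2,h3,h4,p1,p2 as carried by a PORT command or a "227 Entering Passive Mode" reply.
_HOSTPORT = re.compile(r"(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3})")


def parse_ftp_hostport(line):
    """Return (ip, port) from a PORT command or 227 reply, or None if absent/invalid."""
    m = _HOSTPORT.search(line)
    if not m:
        return None
    octets = [int(x) for x in m.groups()]
    if any(o > 255 for o in octets):
        return None
    ip = ".".join(str(o) for o in octets[:4])
    port = octets[4] * 256 + octets[5]
    return ip, port


def helper_expectation(line, sender_ip, loose=False):
    """Model of the conntrack ftp helper's decision (simplified, not the kernel code).

    sender_ip is the address that sent this line on the control connection:
    the client for PORT, the server for the 227 reply.
    Returns ("expect", ip, port) when a data-connection expectation would be set up,
    ("ignored", ip, port) when strict mode discards a foreign address,
    or None when the line carries no address tuple.
    """
    parsed = parse_ftp_hostport(line)
    if parsed is None:
        return None
    ip, port = parsed
    if ip == sender_ip or loose:
        return ("expect", ip, port)
    return ("ignored", ip, port)


def run_demo():
    """Constructed control-channel lines for the scenario in the thread."""
    server = "10.0.0.10"          # internal proftpd (constructed)
    masq = "203.0.113.5"          # MasqueradeAddress / outside IP (constructed)
    client = "198.51.100.7"       # remote client (constructed)

    # 52108 = 203*256 + 140, inside the PassivePorts 52100-52199 range.
    pasv_masq = "227 Entering Passive Mode (203,0,113,5,203,140)"
    pasv_plain = "227 Entering Passive Mode (10,0,0,10,203,140)"
    port_cmd = "PORT 198,51,100,7,4,1"   # client announces 198.51.100.7:1025

    return {
        # With MasqueradeAddress the reply carries an address the server does not own:
        "masq_strict": helper_expectation(pasv_masq, server),
        "masq_loose": helper_expectation(pasv_masq, server, loose=True),
        # Without MasqueradeAddress the address matches the sender, so strict mode works:
        "plain_strict": helper_expectation(pasv_plain, server),
        # Active mode: the client's PORT address matches the client:
        "port_strict": helper_expectation(port_cmd, client),
        "no_tuple": helper_expectation("230 Login successful.", server),
        "_masq": masq,
    }


if __name__ == "__main__":
    for name, result in run_demo().items():
        print(f"{name}: {result}")
```

The "masq_strict" case is the situation in the thread: the 227 reply advertises the outside address, the helper in default mode ignores it, and the data connection is never marked RELATED. Loose mode fixes that but lets the helper accept any advertised third-party address, which is why the RELATED rules above pin -s and -d and drop everything else.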