RE: FTP over NAT problem

This is very strange. Have you given iptables 1.2.9 a try?

Also, I compile everything iptables-wise into the kernel except ftp/nat_ftp (in case you want to run an ftp/access one on a port other than 21), so I do not need to worry about having the appropriate module loaded. What kernel do you run, btw? 2.4.26 here for my fw box.

 


From: netfilter-admin@xxxxxxxxxxxxxxxxxxx [mailto:netfilter-admin@xxxxxxxxxxxxxxxxxxx] On Behalf Of Vanderveer, Derek
Sent: Tuesday, May 25, 2004 12:42 PM
To: 'netfilter@xxxxxxxxxxxxxxxxxxx'
Subject: FTP over NAT problem

Hey all,

I've been fighting with this problem for over a week, and I've made no headway.  I have a server with a bank of serial ports, all attached to modems.  We use scripts to raise and drop lines to various customer sites that we support.  In the past, we've had great success using iptables to handle forwarding and NAT of LAN traffic going out over the wire to the customer's servers.  My latest server, however, doesn't handle FTP, PCAnywhere or RDP at all, using the same iptables commands as the older servers.  It has a slightly newer (v1.2.6a vs. 1.2.5) version of iptables, but otherwise isn't much different.

Telnet and ICMP work fine, but PCA and RDP never connect.  You can connect to a server using FTP, and browse in Active or Passive mode without any problems.  As soon as you try to transfer a file, however, the transfer hangs immediately, regardless of whether you use Active or Passive.  I've pared my iptables script down to the bare minimum that gets me to this state after a full reboot, and here it is:

modprobe ip_conntrack_ftp      # tracks the FTP control channel and expects the data connections it announces
modprobe ip_nat_ftp            # rewrites the addresses in PORT/PASV replies so they survive MASQUERADE

iptables -P FORWARD DROP
iptables -F FORWARD

iptables -t nat -P POSTROUTING ACCEPT
iptables -t nat -F POSTROUTING
iptables -t nat -A POSTROUTING -o ppp+ -j MASQUERADE      # NAT everything leaving over a modem link

iptables -A FORWARD -i eth0 -o ppp+ -j ACCEPT             # LAN -> customer: anything
iptables -A FORWARD -i ppp+ -o eth0 -m state --state ESTABLISHED,RELATED -j ACCEPT   # customer -> LAN: replies, plus helper-expected (e.g. FTP data) connections


Distro is Debian 3.0r2, kernel is 2.4.26.  All non-experimental netfilter kernel options are compiled as modules; except for ip_conntrack_ftp and ip_nat_ftp, I just let the others autoload as I issue the iptables statements above.  Can anyone shed any light on why this is happening?  The same iptables ruleset works fine on my other servers, and I'm stumped!

     Derek V.
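Added example, not part of either message above. With the FORWARD policy at DROP, anything that reaches the end of the chain is discarded silently, so the fastest way to tell whether the firewall is dropping the data connection (rather than it never arriving over the modem link) is to log what falls through. Under the ruleset posted above, a passive-mode data connection goes out eth0 -> ppp+ and is accepted unconditionally, whereas an active-mode data connection comes back in from the customer server's port 20 and is accepted only if ip_conntrack_ftp marked it RELATED. The script below prints the LOG rule to append and then parses kernel-log lines to list inbound port-20 SYNs that were dropped. The log lines, addresses, hostname "fw" and the prefix "FWD-DROP: " are constructed for the example; the iptables options used are the standard LOG and limit match options.

```shell
#!/bin/sh
# Added example, not from the original thread. Assumptions: the LOG target is
# available on the firewall, the prefix "FWD-DROP: " is our own choice, and
# SAMPLE_LOG below is constructed to look like /var/log/kern.log output.

# Rule to append last in FORWARD: any packet that reaches it is about to hit
# the DROP policy, so it gets logged (rate-limited so a loop cannot flood syslog).
fwd_drop_log_rule() {
    echo 'iptables -A FORWARD -m limit --limit 5/min -j LOG --log-prefix "FWD-DROP: " --log-level 4'
}

# Constructed kernel-log sample: two active-mode FTP data SYNs from the
# customer server (port 20) to the LAN client, one stray RDP packet, one ping.
SAMPLE_LOG='
May 25 12:40:01 fw kernel: FWD-DROP: IN=ppp0 OUT=eth0 SRC=10.0.0.2 DST=192.168.1.5 LEN=60 TOS=0x00 PREC=0x00 TTL=63 ID=1 DF PROTO=TCP SPT=20 DPT=1045 WINDOW=5840 RES=0x00 SYN URGP=0
May 25 12:40:03 fw kernel: FWD-DROP: IN=ppp0 OUT=eth0 SRC=10.0.0.2 DST=192.168.1.5 LEN=60 TOS=0x00 PREC=0x00 TTL=63 ID=2 DF PROTO=TCP SPT=20 DPT=1045 WINDOW=5840 RES=0x00 SYN URGP=0
May 25 12:41:10 fw kernel: FWD-DROP: IN=ppp0 OUT=eth0 SRC=10.0.0.9 DST=192.168.1.5 LEN=48 TOS=0x00 PREC=0x00 TTL=63 ID=7 DF PROTO=TCP SPT=3389 DPT=1100 WINDOW=5840 RES=0x00 ACK URGP=0
May 25 12:42:00 fw kernel: FWD-DROP: IN=ppp0 OUT=eth0 SRC=10.0.0.2 DST=192.168.1.5 LEN=84 TOS=0x00 PREC=0x00 TTL=63 ID=9 PROTO=ICMP TYPE=8 CODE=0
'

# List dropped inbound SYNs from TCP port 20 as "server:20 -> client:port".
# With the ruleset above, such a packet can only reach the DROP policy if
# conntrack did not mark it RELATED, i.e. ip_conntrack_ftp never saw the PORT
# command on the control connection (helper not loaded, or the control
# connection is on a port the helper is not watching).
# Reads the log text in $1, or SAMPLE_LOG when called without an argument.
untracked_ftp_data_syns() {
    printf '%s\n' "${1:-$SAMPLE_LOG}" | awk '
        /FWD-DROP:/ && /PROTO=TCP/ && /SPT=20 / && / SYN / {
            for (i = 1; i <= NF; i++) {
                split($i, kv, "=")
                if (kv[1] == "SRC" || kv[1] == "DST" || kv[1] == "DPT") f[kv[1]] = kv[2]
            }
            printf "%s:20 -> %s:%s\n", f["SRC"], f["DST"], f["DPT"]
        }'
}

# Number of such packets; 0 means FORWARD is not what is stalling active-mode FTP.
untracked_ftp_data_syn_count() {
    untracked_ftp_data_syns "$@" | awk 'END { print NR }'
}

# Stand-alone usage: print the rule to add, then the verdict on the sample.
fwd_drop_log_rule
untracked_ftp_data_syns
echo "untracked active-mode FTP data SYNs: $(untracked_ftp_data_syn_count)"
```

On the firewall itself, run `untracked_ftp_data_syns "$(grep 'FWD-DROP:' /var/log/kern.log)"` while a transfer is hanging. Port-20 SYNs showing up there mean the packets are arriving but the helper is not relating them to the control connection; nothing showing up at all while the transfer still hangs means the FORWARD chain is not the culprit and the packets are being lost somewhere other than the filter.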

