RE: FTP over NAT problem


Hey all,

Just to confirm, this was not an iptables problem.  It was an issue with a newer driver version for the serial card we're using to hook up many modems to the server.

Regards,

        Derek V.


-----Original Message-----
From: Vanderveer, Derek
Sent: Wednesday, May 26, 2004 6:09 PM
To: 'Piszcz, Justin Michael'; 'netfilter@xxxxxxxxxxxxxxxxxxx'
Subject: RE: FTP over NAT problem


Hey Justin, thanks for your reply.

At this point, we're considering pulling the server for some testing, so as soon as it's out of the production environment, I may try upgrading iptables to the 1.2.9 version.  Further testing has revealed that it may not be related to iptables at all, though, since using FTP from a console window on the server suffers the same problems (I can browse and even download in active and passive mode, but as soon as I upload, the connection hangs).  As I understand it, traffic originating from the server itself should not be NAT'ed, so conntrack may not be the problem.  Is that accurate?  Perhaps the card or breakout box used to attach 16 modems to one server is causing the problem...

To answer your questions, though, I had compiled everything as modules so I could load just the specific ones I needed, in case some other iptables option was causing my problem.  Obviously that's not the case, but in the end it was useful for determining the minimum selection of iptables modules we require.  As for kernel version, it's the same as yours, 2.4.26.  I think at this point I need to investigate some of the other factors here (prime target being that 16-port serial card... all serial cards at this point in our organization have been 8-port models, though from the same vendor).  If I find something that resolves the problem, and it's related to iptables, I'll be sure to post the solution.

Regards,

    Derek V.


-----Original Message-----
From: Piszcz, Justin Michael [mailto:justin.piszcz@xxxxxxxxxxxx]
Sent: Wednesday, May 26, 2004 7:08 AM
To: Vanderveer, Derek; netfilter@xxxxxxxxxxxxxxxxxxx
Subject: RE: FTP over NAT problem


This is very strange, have you given iptables 1.2.9 a try?
Also, I compile everything iptables-wise into the kernel except ftp/nat_ftp (in case you want to run an ftp/access one on a port other than 21), then I do not need to worry about having the appropriate module loaded. What kernel do you run btw? 2.4.26 here for my fw box.

 



From: netfilter-admin@xxxxxxxxxxxxxxxxxxx [mailto:netfilter-admin@xxxxxxxxxxxxxxxxxxx] On Behalf Of Vanderveer, Derek
Sent: Tuesday, May 25, 2004 12:42 PM
To: 'netfilter@xxxxxxxxxxxxxxxxxxx'
Subject: FTP over NAT problem
 
Hey all,
 
I've been fighting with this problem for over a week, and I've made no headway.  I have a server with a bank of serial ports, all attached to modems.  We use scripts to raise and drop lines to various customer sites that we support.  In the past, we've had great success using iptables to handle forwarding and NAT of LAN traffic going out over the wire to the customer's servers.  My latest server, however, doesn't handle FTP, PCAnywhere or RDP at all, using the same iptables commands as the older servers.  It has a slightly newer (v1.2.6a vs. 1.2.5) version of iptables, but otherwise isn't much different.

 
Telnet and ICMP work fine, but PCA and RDP never connect.  You can connect to a server using FTP, and browse in Active or Passive mode without any problems.  As soon as you try to transfer a file, however, the transfer hangs immediately, regardless of whether you use Active or Passive.  I've pared my iptables script down to the bare minimum that gets me to this state after a full reboot, and here it is:

 
modprobe ip_conntrack_ftp
modprobe ip_nat_ftp
iptables -P FORWARD DROP
iptables -F FORWARD
iptables -t nat -P POSTROUTING ACCEPT
iptables -t nat -F POSTROUTING
iptables -t nat -A POSTROUTING -o ppp+ -j MASQUERADE
iptables -A FORWARD -i eth0 -o ppp+ -j ACCEPT
iptables -A FORWARD -i ppp+ -o eth0 -m state --state ESTABLISHED,RELATED -j ACCEPT

Distro is Debian 3.0r2, kernel is 2.4.26.  All non-experimental netfilter kernel options are compiled as modules; except for ip_conntrack_ftp and ip_nat_ftp, I just let the others autoload as I issue the iptables statements above.  Can anyone shed any light on why this is happening?  The same iptables ruleset works fine on my other servers, and I'm stumped!

     Derek V.
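Added example (not code from this thread or from netfilter): a small model of the job ip_conntrack_ftp and ip_nat_ftp do for the ruleset above. FTP announces its data connection inside the control channel (PORT command, 227 PASV reply), so the firewall must parse that payload to mark the data connection RELATED for the FORWARD rule, and a masquerading box must rewrite the private address in PORT. All addresses and lines below are constructed.

```python
import re
from dataclasses import dataclass

# RFC 959 "h1,h2,h3,h4,p1,p2" as carried by PORT and by the 227 reply
_HOSTPORT = re.compile(r"(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3})")


@dataclass(frozen=True)
class Expectation:
    ip: str        # address the data connection will be made to
    port: int
    active: bool   # True: server dials back (PORT); False: client dials (PASV)


def parse_hostport(text):
    """Decode 'h1,h2,h3,h4,p1,p2'; None if absent or any octet is out of range."""
    m = _HOSTPORT.search(text)
    if not m:
        return None
    h1, h2, h3, h4, p1, p2 = (int(x) for x in m.groups())
    if max(h1, h2, h3, h4, p1, p2) > 255:
        return None
    return f"{h1}.{h2}.{h3}.{h4}", p1 * 256 + p2


def expect_from_control(line, from_client):
    """Expectation announced by one control-channel line, or None if it has none."""
    if from_client and line.upper().startswith("PORT "):
        hp = parse_hostport(line)
        return Expectation(*hp, True) if hp else None
    if not from_client and line.startswith("227 "):
        hp = parse_hostport(line)
        return Expectation(*hp, False) if hp else None
    return None


def is_related(exp, dst_ip, dst_port):
    """Does a data-channel SYN to dst_ip:dst_port match the expectation?
    Only then does '-m state --state RELATED' let it through FORWARD;
    an unexpected inbound SYN on ppp+ hits the FORWARD DROP policy."""
    return exp is not None and dst_ip == exp.ip and dst_port == exp.port


def nat_rewrite_port(public_ip, public_port):
    """ip_nat_ftp's task for active mode behind MASQUERADE: the LAN client's
    private address in PORT is replaced by the public one, otherwise the
    remote server tries to connect to an address it cannot reach."""
    o = public_ip.split(".")
    return f"PORT {o[0]},{o[1]},{o[2]},{o[3]},{public_port // 256},{public_port % 256}\r\n"
```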

