Help! FTP DNAT from internet to intranet server not working

hi,

we got a strange problem while trying to access our internal ftp server
from "outside" with iptables DNAT feature.
it simply doesn't work.

linux kernel is 2.4.29, iptables 1.3.1

this is the COMPLETE firewall script.
--------------------------------------
#!/bin/sh
echo 1 > /proc/sys/net/ipv4/ip_forward

modprobe ip_conntrack_ftp
modprobe ip_nat_ftp

iptables -t nat -F
iptables -P INPUT ACCEPT
iptables -F INPUT
iptables -P OUTPUT ACCEPT
iptables -F OUTPUT
iptables -P FORWARD ACCEPT
iptables -F FORWARD

iptables -t nat -A PREROUTING -p tcp --destination-port 20:21 -i eth1 -j DNAT --to-destination 192.168.0.1
--------------------------------------


lsmod after loading firewall script:
------------------------------------
Module Size Used by Not tainted
ipt_MASQUERADE 1464 0 (autoclean)
ipt_state 536 0 (autoclean)
ip_nat_ftp 2736 0 (unused)
iptable_nat 18488 2 [ipt_MASQUERADE ip_nat_ftp]
ip_conntrack_ftp 3856 1
ip_conntrack 20844 1 [ipt_MASQUERADE ipt_state ip_nat_ftp iptable_nat ip_conntrack_ftp]
------------------------------------


192.168.0.1 is up and running (IIS 6.0), and ftp works without problems.
eth1 is the external interface. we installed for test purposes proftpd on another machine
(old redhat box with no firewall) -> same problem.
so we think the ftp server can't be the point...


when we try to access the ftp server from outside, the ftp client gets a timeout.
there is no login, no error...nothing.


tcpdump on eth1 (external if a.b.c.d) is:
16:17:55.897243 IP [ftp client ip].3962 > a.b.c.d.ftp: S 4200552376:4200552376(0) win 64240 <mss 1460,nop,nop,sackOK>
16:17:58.815244 IP [ftp client ip].3962 > a.b.c.d.ftp: S 4200552376:4200552376(0) win 64240 <mss 1460,nop,nop,sackOK>
16:18:04.820680 IP [ftp client ip].3962 > a.b.c.d.ftp: S 4200552376:4200552376(0) win 64240 <mss 1460,nop,nop,sackOK>
tcpdump on eth0 (internal if 192.168.0.100) is:
16:17:55.897280 IP [ftp client ip].3962 > localhost.ftp: S 4200552376:4200552376(0) win 64240 <mss 1460,nop,nop,sackOK>
16:17:58.815258 IP [ftp client ip].3962 > localhost.ftp: S 4200552376:4200552376(0) win 64240 <mss 1460,nop,nop,sackOK>
16:18:04.820694 IP [ftp client ip].3962 > localhost.ftp: S 4200552376:4200552376(0) win 64240 <mss 1460,nop,nop,sackOK>


when we insert the logging rule:
iptables -t nat -A PREROUTING -p tcp --destination-port 20:21 -i eth1 -j LOG --log-level 1 --log-prefix "DNAT FTP: "
we get the following logfile entry:
Mar 15 14:38:37 firewall kernel: DNAT FTP: IN=eth1 OUT= MAC=00:04:75:cb:c4:a1:00:07:0e:88:af:20:08:00 SRC=[ftp client ip] DST=a.b.c.d LEN=48 TOS=0x00 PREC=0x00 TTL=117 ID=17336 DF PROTO=TCP SPT=2031 DPT=21 WINDOW=64240 RES=0x00 SYN URGP=0


does anyone know what's going on here?
am I missing something?

any help would be great....we ran out of ideas :(

kind regards
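A small triage helper, added here and not part of the original post, that reads captures like the ones above: it parses old-style tcpdump TCP lines and iptables LOG entries, counts SYNs per flow, and flags flows where the same ISN is retransmitted and no SYN-ACK ever comes back, which is what the eth0 capture shows (the addresses in the samples are constructed, not the poster's):

```python
import re
from collections import defaultdict
# Constructed sample in the shape of the post's eth0 capture: one ISN, three times, no reply.
SAMPLE_TCPDUMP = """\
16:17:55.897280 IP 203.0.113.5.3962 > 192.168.0.1.ftp: S 4200552376:4200552376(0) win 64240 <mss 1460,nop,nop,sackOK>
16:17:58.815258 IP 203.0.113.5.3962 > 192.168.0.1.ftp: S 4200552376:4200552376(0) win 64240 <mss 1460,nop,nop,sackOK>
16:18:04.820694 IP 203.0.113.5.3962 > 192.168.0.1.ftp: S 4200552376:4200552376(0) win 64240 <mss 1460,nop,nop,sackOK>
"""
# Constructed sample in the shape of the post's iptables LOG entry (addresses are made up).
SAMPLE_LOG = ("Mar 15 14:38:37 firewall kernel: DNAT FTP: IN=eth1 OUT= SRC=203.0.113.5 "
              "DST=198.51.100.7 LEN=48 TTL=117 ID=17336 DF PROTO=TCP SPT=2031 DPT=21 SYN URGP=0")
# Old-style tcpdump TCP line: "<ts> IP <src>.<sport> > <dst>.<dport>: <flags> <seq>:<seq>(len) [ack N]"
TCPDUMP_RE = re.compile(
    r"^\S+ IP (?P<src>\S+)\.(?P<sport>\w+) > (?P<dst>\S+)\.(?P<dport>\w+): "
    r"(?P<flags>[A-Z.]+)(?: (?P<seq>\d+):\d+\(\d+\))?(?: ack (?P<ack>\d+))?")

def syn_only_flows(capture):
    """Per client->server flow: SYN count, distinct ISNs, and whether a SYN-ACK came back."""
    flows = defaultdict(lambda: {"syns": 0, "isns": set(), "synack": False})
    for line in capture.splitlines():
        m = TCPDUMP_RE.match(line)
        if not m or "S" not in m["flags"]:
            continue
        fwd = (m["src"], m["sport"], m["dst"], m["dport"])
        if m["ack"] is None:                      # plain SYN from the client
            flows[fwd]["syns"] += 1
            flows[fwd]["isns"].add(m["seq"])
        else:                                     # SYN-ACK: credit the reverse flow
            flows[(m["dst"], m["dport"], m["src"], m["sport"])]["synack"] = True
    return flows

def diagnose(flows):
    """One verdict per flow that sent SYNs and never saw a SYN-ACK."""
    out = []
    for (src, sp, dst, dp), f in flows.items():
        if f["syns"] and not f["synack"]:
            kind = "retransmits" if len(f["isns"]) == 1 else "fresh attempts"
            out.append(f"{src}:{sp} -> {dst}:{dp}: {f['syns']} SYNs ({kind}), no SYN-ACK; "
                       "the SYN was forwarded, so look at the server's reply/return path")
    return out

def parse_iptables_log(line):
    """KEY=value fields of an iptables LOG line; bare tokens (DF, SYN, ...) under 'flags'."""
    toks = line.split()
    toks = toks[next(i for i, t in enumerate(toks) if t.startswith("IN=")):]
    fields = dict(t.split("=", 1) for t in toks if "=" in t)
    fields["flags"] = [t for t in toks if "=" not in t]
    return fields
```

Run it over the eth0 and eth1 captures separately: a flow that shows SYNs on eth0 with no SYN-ACK confirms the PREROUTING DNAT did its job and narrows the search to the server and the route back to the firewall.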


