Problems with natted FTP connections

Hello,

I have a firewall running on Debian Sarge with iptables 1.2.11-10 and a vanilla 2.6.11.12 kernel. The ip_conntrack_ftp and ip_nat_ftp modules are compiled into the kernel (loadable module support is disabled).

When I want to download files via FTP from my local net, which is SNATed, I get an error like this after some files:

ftp> mget *
mget R1121320.ZIP?
200 Port command successful.
150 Opening data connection for R1121320.ZIP (3960 bytes).
226 Transfer ok
3960 bytes received in 0.07 secs (57.4 kB/s)
mget R1121325.ZIP?
200 Port command successful.
150 Opening data connection for R1121325.ZIP (4183 bytes).
226 Transfer ok
4183 bytes received in 0.05 secs (90.7 kB/s)
mget R1121330.ZIP?
200 Port command successful.
500 Unknown command.

When I add logging rules to log the traffic, I see many ACK and SYN packets on every download, but the last attempt shows no SYN packet.


Here is my firewall rule set:

###   localnet <-->  eth0 - firewall - eth2 <--> INET


#!/bin/sh
IPTABLES=/sbin/iptables
INT=eth0
EXT=eth2
IP_INT=172.18.0.0/16    # internal network (stray "." after the last octet removed)

$IPTABLES -F    # flush all chains
$IPTABLES -X    # remove all non-builtin chains

$IPTABLES -t nat -F    # flush all nat chains
$IPTABLES -t nat -X    # remove all non-builtin nat chains

$IPTABLES -P INPUT   ACCEPT
$IPTABLES -P FORWARD ACCEPT
$IPTABLES -P OUTPUT  ACCEPT

echo -n "Enabling IP Spoof Protection ... "
for i in /proc/sys/net/ipv4/conf/*/rp_filter;do
    echo "1" > $i
done

echo -n "Enabling Syn Flood Protection ... "
echo "1" > /proc/sys/net/ipv4/tcp_syncookies


echo -n "Ignoring Broadcast Echo Requests ... "
echo "1" > /proc/sys/net/ipv4/icmp_echo_ignore_broadcasts


echo -n "Enabling IP Forwarding ... "
echo "1" > /proc/sys/net/ipv4/ip_forward

#######################
# Enable masquerading #
#######################
echo "Enable inet masquerading"
$IPTABLES -t nat -A POSTROUTING -s $IP_INT -o $EXT -j MASQUERADE

# accept all packets
$IPTABLES -A INPUT  -j ACCEPT
$IPTABLES -A OUTPUT  -j ACCEPT
$IPTABLES -A FORWARD -j ACCEPT



On a Debian woody with a 2.4.26 vanilla kernel and iptables 1.2.6a-5.0woody2 everything works with the same iptables script. I used that kernel config and built all modules into the 2.6.11.12 kernel.

CONFIG_IP_NF_FTP=y
CONFIG_IP_NF_TFTP=y
CONFIG_IP_NF_NAT_FTP=y
CONFIG_IP_NF_NAT_TFTP=y

The FTP download on my firewall itself works, but not from internal, so it must be related to FTP NAT/conntrack.

Who can help me?



Regards,
Thomas
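An added Python model of what the FTP NAT helper has to do for the active-mode PORT command in the transcript above; this is example code for readers of the thread, not code from Thomas's mail or from netfilter. It parses the address and port the client embeds in the PORT payload, rewrites it to the firewall's external address, reports the payload length change the helper must compensate for in TCP sequence numbers, derives the expected inbound data connection, and checks constructed iptables LOG lines for the server's SYN on that data port (the check Thomas did by hand). The addresses 172.18.0.5, 198.51.100.7 and 203.0.113.10, port 40982 and the LOG lines are all constructed for the example.

```python
"""Model of the work the FTP helpers (ip_conntrack_ftp / ip_nat_ftp) do for an
active-mode PORT command crossing a MASQUERADE firewall.

Added example for this thread, not netfilter code. All addresses, ports and
LOG lines are constructed.
"""
import re

# "PORT h1,h2,h3,h4,p1,p2" tells the server to connect to h1.h2.h3.h4 on port
# p1*256+p2. Behind SNAT that address is private, so the payload must be rewritten.
PORT_RE = re.compile(
    rb"^PORT (\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3})\r\n$"
)


def parse_port(payload):
    """Return (ip, port) from a PORT payload; reject anything malformed."""
    m = PORT_RE.match(payload)
    if m is None:
        raise ValueError("not a well-formed PORT command")
    octets = [int(x) for x in m.groups()]
    if any(o > 255 for o in octets):
        raise ValueError("octet out of range")
    port = octets[4] * 256 + octets[5]
    if port == 0:
        raise ValueError("port 0 is not a usable data port")
    return ".".join(str(o) for o in octets[:4]), port


def format_port(ip, port):
    """Inverse of parse_port: build the PORT payload for ip:port."""
    return f"PORT {ip.replace('.', ',')},{port // 256},{port % 256}\r\n".encode()


def nat_port_command(payload, client_ip, server_ip, snat_ip, snat_port):
    """Rewrite a PORT command for SNAT and derive the conntrack expectation.

    Returns (new_payload, seq_delta, expectation). seq_delta is the number of
    bytes the control stream grew by; the real helper has to adjust TCP
    sequence/ack numbers by that amount for the rest of the control connection.
    The expectation is the data connection the server is about to open, which
    the firewall must accept as RELATED and DNAT back to the client.
    """
    ip, port = parse_port(payload)
    # Example policy (modelled on the helper's address check): only honour a
    # PORT naming the client itself, otherwise the firewall would open a hole
    # towards a third host on the client's behalf.
    if ip != client_ip:
        raise ValueError(f"PORT address {ip} does not match client {client_ip}")
    new_payload = format_port(snat_ip, snat_port)
    seq_delta = len(new_payload) - len(payload)
    expectation = {
        "src": server_ip,              # the server initiates the data connection
        "dst": snat_ip,                # towards the address we put in the payload
        "dport": snat_port,
        "dnat_to": (client_ip, port),  # and it has to be translated back to here
    }
    return new_payload, seq_delta, expectation


# ipt_LOG prints "KEY=value" fields plus bare TCP flag words, e.g.
# "... PROTO=TCP SPT=20 DPT=40982 WINDOW=5840 RES=0x00 SYN URGP=0".
LOG_FIELD = re.compile(r"(\w+)=(\S+)")


def data_syn_seen(log_lines, expectation):
    """True if a LOG line shows the server's bare SYN for the expected data connection.

    DST may be the external address (LOG before DNAT, in PREROUTING) or the
    client address (LOG after DNAT, in FORWARD).
    """
    accepted_dst = {expectation["dst"], expectation["dnat_to"][0]}
    for line in log_lines:
        fields = dict(LOG_FIELD.findall(line))
        flags = set(line.split())
        if (fields.get("PROTO") == "TCP"
                and fields.get("SRC") == expectation["src"]
                and fields.get("DST") in accepted_dst
                and fields.get("DPT") == str(expectation["dport"])
                and "SYN" in flags and "ACK" not in flags):
            return True
    return False


# Constructed sample: client 172.18.0.5 behind MASQUERADE on 198.51.100.7 talks
# to FTP server 203.0.113.10 and announces a data listener on port 40982.
CLIENT_PORT_CMD = b"PORT 172,18,0,5,160,22\r\n"
SAMPLE_LOG = [
    "IN=eth2 OUT=eth0 SRC=203.0.113.10 DST=172.18.0.5 LEN=60 TOS=0x00 PREC=0x00 "
    "TTL=54 ID=0 DF PROTO=TCP SPT=20 DPT=40982 WINDOW=5840 RES=0x00 SYN URGP=0",
    "IN=eth0 OUT=eth2 SRC=172.18.0.5 DST=203.0.113.10 LEN=52 TOS=0x00 PREC=0x00 "
    "TTL=63 ID=1 DF PROTO=TCP SPT=40982 DPT=20 WINDOW=5840 RES=0x00 ACK URGP=0",
]

if __name__ == "__main__":
    new_cmd, delta, exp = nat_port_command(
        CLIENT_PORT_CMD, "172.18.0.5", "203.0.113.10", "198.51.100.7", 40982)
    print("rewritten:", new_cmd, "seq delta:", delta)
    print("expectation:", exp)
    print("data SYN seen:", data_syn_seen(SAMPLE_LOG, exp))
```

The rewritten payload is two bytes longer than the original, which is why the helper cannot just patch the address in place: every later segment on the control connection has to have its sequence numbers shifted, or the server sees a corrupted command stream. The `data_syn_seen` check is the scripted version of reading the LOG output for the SYN of each data connection.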


