In my system (Fedora Core 3 -- iptables 1.2.11-3.1.FC3), sometimes it seems that the ftp conntrack stops working, because I try to connect via FTP (PASV mode) and I get the return packets blocked. I have to re-execute the iptables script to make it work again.

What causes this? Is it a problem with the modules? Or is it something else?

By the way, is there an order in which I should execute the modules? The order I'm using is:

/sbin/modprobe ip_conntrack
/sbin/modprobe ip_conntrack_ftp
/sbin/modprobe ip_nat_ftp
/sbin/modprobe ip_tables
/sbin/modprobe ipt_limit
/sbin/modprobe ipt_LOG
/sbin/modprobe ipt_REJECT
/sbin/modprobe ipt_state
/sbin/modprobe iptable_filter
/sbin/modprobe iptable_mangle
/sbin/modprobe iptable_nat

Best regards,
Pastorino

---------- Forwarded message ----------
From: Eric Leblond <eric@xxxxxx>
Date: Feb 1, 2006 7:43 AM
Subject: Re: How make iptables script with NAT handle "active FTP"?
To: Christian Seberino <seberino@xxxxxxxxxxxxxxx>
Cc: Ray Schumacher <rays@xxxxxxxxxxxxx>, netfilter@xxxxxxxxxxxxxxxxxxx

On Friday 27 January 2006 at 11:34 -0800, Christian Seberino wrote:
> Active FTP seems to need to open new sockets.
>
> This creates problems for NAT'ing firewalls.
>
> What is the easiest way to open the right ports
> and do NAT'ing back to clients on 192.168.x.y IP addresses?

Netfilter has a module called ip_conntrack_ftp which is used to take new socket openings into account for the ftp protocol. To use that feature you need to load the module and use a rule which accepts packets RELATED to another connection:

iptables -I FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT

BR,
--
Éric Leblond, eleblond@xxxxxx
Telephone: 01 44 89 46 40, Fax: 01 44 89 45 01
INL, http://www.inl.fr

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.1 (GNU/Linux)

iD8DBQBD4ILInxA7CdMWjzIRAv1fAKCP4dzVO4A2NVhlKI4QdFRC6wKzpwCggON2
7WNtTi23KdXS4/TGMMkMtXw=
=ubS8
-----END PGP SIGNATURE-----
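The two things the thread turns on, the module load order and the RELATED rule, put together as an added example. This is not Pastorino's script and not code from the netfilter project; the interface names (eth0/eth1), the LAN network (192.168.1.0/24), and the function names (conntrack_modules, ftp_rules, related_before_new, helpers_in_order, show_ftp_expectations) are assumptions made here for illustration. It uses the 2.6-era ip_conntrack_* module names from the thread.

```shell
#!/bin/sh
# Added example for the thread above; not the poster's script nor netfilter's
# own code. Shows the dependency order for the FTP conntrack helper and a
# minimal NAT rule set that lets the RELATED data connections through.
# Assumed placeholders: interface names, LAN network, FTP control port.

LAN_IF=eth1              # assumed inside interface
WAN_IF=eth0              # assumed outside interface
LAN_NET=192.168.1.0/24   # assumed NAT'ed client network
FTP_PORT=21              # control port the helper inspects

# Order matters: the core tracker first, then the FTP helper (it registers
# with ip_conntrack), then ip_nat_ftp (it needs both). The helper only parses
# control connections on the ports it was given; a server on a non-standard
# port needs e.g. "ip_conntrack_ftp ports=21,2121", otherwise its data
# connections are never RELATED and get dropped by the default policy.
conntrack_modules() {
  printf '%s\n' \
    "ip_conntrack" \
    "ip_conntrack_ftp ports=$FTP_PORT" \
    "ip_nat_ftp" \
    "ip_tables" \
    "iptable_filter" \
    "iptable_nat" \
    "ipt_state"
}

load_modules() {
  conntrack_modules | while read -r mod args; do
    /sbin/modprobe "$mod" $args
  done
}

# Rules are emitted as text so they can be reviewed or dry-run before they
# touch the kernel. The ESTABLISHED,RELATED rule must come before anything
# that could drop the expected data connection.
ftp_rules() {
  cat <<EOF
iptables -F FORWARD
iptables -t nat -F POSTROUTING
iptables -P FORWARD DROP
iptables -A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT
iptables -A FORWARD -i $LAN_IF -o $WAN_IF -s $LAN_NET -p tcp --dport $FTP_PORT -m state --state NEW -j ACCEPT
iptables -A FORWARD -m state --state INVALID -j DROP
iptables -t nat -A POSTROUTING -o $WAN_IF -s $LAN_NET -j MASQUERADE
EOF
}

# Sanity checks to run before applying: RELATED accept precedes the NEW
# accept, and the helper modules are in dependency order.
related_before_new() {
  ftp_rules | awk '/--state ESTABLISHED,RELATED/ { r = NR }
                   /--state NEW/ { n = NR }
                   END { exit !(r && n && r < n) }'
}

helpers_in_order() {
  conntrack_modules | awk '$1 == "ip_conntrack"     { c = NR }
                           $1 == "ip_conntrack_ftp" { f = NR }
                           $1 == "ip_nat_ftp"       { m = NR }
                           END { exit !(c && f && m && c < f && f < m) }'
}

# After a PASV/PORT exchange the helper registers an expectation for the data
# connection; on 2.6-era kernels it shows up in this file. Empty output while
# a transfer hangs means the helper did not see (or parse) the control traffic.
show_ftp_expectations() {
  cat /proc/net/ip_conntrack_expect 2>/dev/null
}

case "${1:-}" in
  apply)
    related_before_new && helpers_in_order || { echo "refusing to apply: bad order" >&2; exit 1; }
    load_modules
    ftp_rules | sh -e
    ;;
  dry-run)
    conntrack_modules | sed 's/^/modprobe /'
    ftp_rules
    ;;
esac
```

Run it with `dry-run` to print what would be loaded and applied, and `apply` to do it. The useful check when PASV transfers start failing is show_ftp_expectations while a transfer is pending: if no expectation appears, the helper is not seeing the control connection (wrong port, or the control session predates the helper being loaded), and the data packets arrive as NEW rather than RELATED. On current kernels the modules are nf_conntrack_ftp and nf_nat_ftp, and since Linux 3.5 helpers are no longer attached automatically; they have to be assigned to the control connection with the CT target in the raw table.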