Connection not recognized as RELATED

I am trying to set up an FTP server behind a NAT'ing firewall.
Active FTP works, but passive does not.
It appears that conntrack is not recognizing the passive connection as related.
When I look at the client (using a sniffer), I can see the initial handshake take place, and then I see the FTP server send back the new port for the passive connection. The client sends a SYN to the new port, but gets no reply.
I can see the SYN arrive at the firewall, but it does not get picked up by any rules. My iptables has a log rule to show whether it's classified as NEW, RELATED, or ESTABLISHED, and it shows a log entry as NEW. I have a log rule at the end of the PREROUTING chain to show that the packet falls all the way through, which it does.
If I examine /proc/net/ip_conntrack, I can see the original FTP connection listed as established.

If I add a rule to DNAT any new connections on ports 1024:65535 and forward those to my FTP server, then passive FTP works. When I try that only for RELATED,ESTABLISHED connections, it fails.

Why doesn't ip_conntrack recognize the passive connection as RELATED?

Any clues for further investigation would be much appreciated. I'm stumped.


Here are the config details:

I am running CentOS 4.0 w/ kernel 2.6.9-5.ELsmp #1 SMP.
I am using iptables package iptables-1.2.11-3.1.RHEL4

I have these ip modules loaded (according to lsmod):
ip_nat_ftp, ip_conntrack_ftp, iptable_mangle, iptable_nat, ipt_LOG, ipt_state, ip_conntrack, iptable_filter, ip_tables

Here are my iptables entries (the IPs have been changed). 77.77.77.4 is my firewall, 192.168.0.101 is my FTP server, 88.88.88.1 is the computer I'm using on the outside to test. eth2 is the outside interface, eth0 is inside.

filter
:INPUT DROP [61:10719]
:FORWARD DROP [0:0]
:OUTPUT DROP [0:0]
:allowed - [0:0]
:icmp_packets - [0:0]
:tcp_packets - [0:0]
:udp_packets - [0:0]
-A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT 
-A INPUT -i lo -m state --state NEW,RELATED,ESTABLISHED -j ACCEPT 
-A INPUT -s 192.168.4.0/255.255.255.0 -i eth0 -j ACCEPT 
-A INPUT -s 127.0.0.1 -i lo -j ACCEPT 
-A INPUT -s 192.168.4.1 -i lo -j ACCEPT 
-A INPUT -s 77.77.77.4 -i lo -j ACCEPT 
-A FORWARD -s 88.88.88.1 -j LOG --log-prefix "FOR:"
-A FORWARD -d 88.88.88.1 -j LOG --log-prefix "FOR:"
-A FORWARD -i eth0 -j ACCEPT 
-A FORWARD -m state --state RELATED,ESTABLISHED -j ACCEPT 
-A FORWARD -d 192.168.4.101 -i eth2 -o eth0 -p tcp -m tcp --sport 1024:65535 --dport 21 -m state --state NEW -j ACCEPT
-A OUTPUT -d 88.88.88.1 -j LOG --log-prefix "OUT:"
-A OUTPUT -s 127.0.0.1 -j ACCEPT 
-A OUTPUT -s 192.168.4.1 -j ACCEPT 
-A OUTPUT -s 77.77.77.4 -j ACCEPT 

COMMIT
# Completed on Wed Mar  1 15:21:42 2006
# Generated by iptables-save v1.2.11 on Wed Mar  1 15:21:42 2006
*nat
:PREROUTING ACCEPT [3575:986022]
:POSTROUTING ACCEPT [229:17699]
:OUTPUT ACCEPT [42:7467]
-A PREROUTING -s 88.88.88.1 -m state --state ESTABLISHED -j LOG --log-prefix "DNEST:"
-A PREROUTING -d 88.88.88.1 -m state --state RELATED -j LOG --log-prefix "DNREL:"
-A PREROUTING -s 88.88.88.1 -m state --state RELATED -j LOG --log-prefix "DNREL:"
-A PREROUTING -d 88.88.88.1 -m state --state ESTABLISHED -j LOG --log-prefix "DNEST:"
-A PREROUTING -s 88.88.88.1 -m state --state NEW -j LOG --log-prefix "DNNEW:"
-A PREROUTING -d 88.88.88.1 -m state --state NEW -j LOG --log-prefix "DNNEW:"
-A PREROUTING -d 77.77.77.4 -i eth2 -p tcp -m tcp --sport 1024:65535 --dport 21 -j DNAT --to-destination 192.168.4.101:21
-A PREROUTING -s 88.88.88.1 -j LOG --log-prefix "DNFAIL:"
-A POSTROUTING -o eth2 -j SNAT --to-source 77.77.77.4 
COMMIT
# Completed on Wed Mar  1 15:21:42 2006
# Generated by iptables-save v1.2.11 on Wed Mar  1 15:21:42 2006
*mangle
:PREROUTING ACCEPT [58120:48534001]
:INPUT ACCEPT [3805:423984]
:FORWARD ACCEPT [51890:47349762]
:OUTPUT ACCEPT [1662:246025]
:POSTROUTING ACCEPT [53552:47595787]
COMMIT



Richard Simon
Giant Killer Robots
361 Brannan St.
San Francisco, CA 94107
(415) 777-2477
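For anyone chasing the same symptom, the first thing worth checking in the sniffer trace is the address and port the FTP server actually advertises in its 227 reply, because that is exactly what the ip_conntrack_ftp helper parses to register the RELATED expectation, and what ip_nat_ftp must rewrite from the private server address to the firewall's public one. The script below is an added example written for this thread, not code from the poster or from the netfilter project. It decodes the 227 (passive) reply and the PORT (active) command, derives the data-connection tuple the helper would expect, and classifies the advertised address against the firewall's public IP and the server's private IP. The sample lines, and the use of the post's 77.77.77.4 / 192.168.4.101 / 88.88.88.1 addresses in them, are constructed for illustration.

```python
import ipaddress
import re
from typing import Dict, Tuple

# The two address-carrying FTP messages the conntrack helper parses:
# the server's "227 Entering Passive Mode (h1,h2,h3,h4,p1,p2)" reply
# and the client's "PORT h1,h2,h3,h4,p1,p2" command (active mode).
_PASV_RE = re.compile(
    r"^227\b.*?\((\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3})\)"
)
_PORT_RE = re.compile(
    r"^PORT\s+(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3})\s*$",
    re.IGNORECASE,
)


def _decode(groups) -> Tuple[str, int]:
    """Turn the six comma-separated numbers into (dotted IP, port)."""
    h1, h2, h3, h4, p1, p2 = (int(g) for g in groups)
    if any(v > 255 for v in (h1, h2, h3, h4, p1, p2)):
        raise ValueError("octet out of range in FTP address")
    return f"{h1}.{h2}.{h3}.{h4}", p1 * 256 + p2


def parse_pasv_reply(line: str) -> Tuple[str, int]:
    """Parse a 227 reply; returns the (ip, port) the client is told to connect to."""
    m = _PASV_RE.match(line.strip())
    if not m:
        raise ValueError(f"not a 227 passive-mode reply: {line!r}")
    return _decode(m.groups())


def parse_port_command(line: str) -> Tuple[str, int]:
    """Parse a PORT command; returns the (ip, port) the server is told to connect to."""
    m = _PORT_RE.match(line.strip())
    if not m:
        raise ValueError(f"not a PORT command: {line!r}")
    return _decode(m.groups())


def expected_data_connection(client_ip: str, server_ip: str, message: str) -> Dict[str, object]:
    """Return the expectation the ftp helper registers for this control message.

    Passive: the client connects (any source port) to the advertised ip:port.
    Active: the server connects to the advertised ip:port on the client side.
    A data SYN matching this tuple is what conntrack would flag as RELATED.
    """
    if message.startswith("227"):
        ip, port = parse_pasv_reply(message)
        return {"mode": "passive", "src": client_ip, "dst": ip, "dport": port}
    if message.upper().startswith("PORT"):
        ip, port = parse_port_command(message)
        return {"mode": "active", "src": server_ip, "dst": ip, "dport": port}
    raise ValueError("message carries no data-connection address")


def check_advertised_address(advertised_ip: str, public_ip: str, private_server_ip: str) -> str:
    """Classify the address a NATed server advertised in its 227 reply.

    "rewritten"       : the nat helper replaced the private address with the public one.
    "private-leaked"  : the private address went out unchanged; the client will SYN
                        to an address that is not the firewall's, so the helper's
                        expectation can never match the packet the firewall sees.
    "unexpected"      : some third address; worth a closer look at the trace.
    """
    if advertised_ip == public_ip:
        return "rewritten"
    if advertised_ip == private_server_ip or ipaddress.ip_address(advertised_ip).is_private:
        return "private-leaked"
    return "unexpected"


if __name__ == "__main__":
    # Constructed sample control-channel lines, using the post's (changed) addresses.
    client, server, firewall = "88.88.88.1", "192.168.4.101", "77.77.77.4"
    for line in ("227 Entering Passive Mode (77,77,77,4,195,89)",
                 "227 Entering Passive Mode (192,168,4,101,195,89)",
                 "PORT 88,88,88,1,4,1"):
        exp = expected_data_connection(client, server, line)
        verdict = check_advertised_address(str(exp["dst"]), firewall, server) \
            if exp["mode"] == "passive" else "n/a (active)"
        print(f"{line!r:55} -> expect {exp['src']} -> {exp['dst']}:{exp['dport']}  [{verdict}]")
```

Run it against the actual 227 line from the client-side capture: if the verdict is "private-leaked", the NAT helper never touched the reply and the RELATED expectation cannot match; if it is "rewritten" and the SYN to that port is still logged as NEW, the expectation was either never created (helper not attached to the DNATed port-21 flow) or had already expired by the time the client connected, which narrows where to look next in /proc/net/ip_conntrack.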
