Dear,

Load modules:

modprobe ip_nat_ftp

Regards,

2006/11/26, gypsy <gypsy@xxxxxxxxxx>:

In our network, we have 2 gateways. The main GW is a Slackware 10.0 box and the other is a SonicWALL firewall appliance. Each connects to a different external IP but both are in the same /29 network.

Note: No machine in our LAN has an IP of 192.168.1.11.

When the default GW is set to the linux box (192.168.223.254) and passive FTP to a remote server is initiated, the FTP fails after connection because the internal IP of the remote machine (192.168.1.11) is seen rather than its external IP. This problem occurs only when passive FTP is used.

We do not believe that the OS or FTP daemon of the remote host matters because when the default GW is set to the SonicWALL (192.168.223.1), the passive FTP succeeds. Therefore, we conclude that there is something wrong with our linux box. But WHAT?

Note that the connection has already occurred when port negotiation is attempted - which is when the FTP fails.

If anyone has advice, we will sincerely appreciate it.

The kernel is 2.4.32.

#!/bin/bash
iptables -P FORWARD ACCEPT
iptables -P INPUT DROP
iptables -P OUTPUT DROP
iptables -t nat -A POSTROUTING -o eth1 -s 192.168.223.0/24 -j SNAT --to 68.171.136.91
iptables -A FORWARD -j LOG

Nov 26 00:32:10 GWbox kernel: IN=eth0 OUT=eth1 SRC=192.168.223.4 DST=192.168.1.11 LEN=52 TOS=0x00 PREC=0x00 TTL=63 ID=56473 DF PROTO=TCP SPT=1069 DPT=1090 WINDOW=60352 RES=0x00 SYN URGP=0
Nov 26 00:32:10 GWbox kernel: IN=eth0 OUT=eth1 SRC=192.168.223.4 DST=192.168.1.11 LEN=52 TOS=0x00 PREC=0x00 TTL=63 ID=56500 DF PROTO=TCP SPT=1070 DPT=1091 WINDOW=60352 RES=0x00 SYN URGP=0
Nov 26 00:32:14 GWbox kernel: IN=eth0 OUT=eth1 SRC=192.168.223.4 DST=192.168.1.11 LEN=52 TOS=0x00 PREC=0x00 TTL=63 ID=56506 DF PROTO=TCP SPT=1070 DPT=1091 WINDOW=60352 RES=0x00 SYN URGP=0
Nov 26 00:32:20 GWbox kernel: IN=eth0 OUT=eth1 SRC=192.168.223.4 DST=192.168.1.11 LEN=52 TOS=0x00 PREC=0x00 TTL=63 ID=56507 DF PROTO=TCP SPT=1070 DPT=1091 WINDOW=60352 RES=0x00 SYN URGP=0

--
gypsy
--
William R. Lima
wrochalima@xxxxxxxxxxxxxx
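
The FORWARD log in the quoted message shows SYNs leaving eth1 for 192.168.1.11, a private address that cannot be routed on the external side. The script below is an added example, not part of the original thread: it scans iptables LOG lines for that pattern and counts each destination and port. It assumes eth1 is the external interface (taken from the SNAT rule); the function names and the first sample line are constructed for illustration.

```bash
#!/bin/bash
# Added example, not from the original thread.
# Flags forwarded SYNs that leave the external interface for an RFC 1918
# destination, the pattern visible in the FORWARD log above.
# Assumption: eth1 is the external interface (from the SNAT rule's "-o eth1").
WAN_IF="${WAN_IF:-eth1}"

# Reads iptables LOG lines on stdin; prints "DST DPT count", sorted.
find_private_egress() {
    awk -v wan="$WAN_IF" '
    function is_private(ip,    o) {
        split(ip, o, ".")
        return (o[1] == 10) ||
               (o[1] == 172 && o[2] >= 16 && o[2] <= 31) ||
               (o[1] == 192 && o[2] == 168)
    }
    {
        out = ""; dst = ""; dpt = ""; syn = 0
        for (i = 1; i <= NF; i++) {
            if ($i ~ /^OUT=/)      out = substr($i, 5)
            else if ($i ~ /^DST=/) dst = substr($i, 5)
            else if ($i ~ /^DPT=/) dpt = substr($i, 5)
            else if ($i == "SYN")  syn = 1
        }
        if (syn && out == wan && is_private(dst)) hits[dst " " dpt]++
    }
    END { for (k in hits) print k, hits[k] }' | sort
}

# Sample input: the first line is constructed (control connection to a
# documentation address); the other three are shortened from the log above.
sample_log() {
    cat <<'EOF'
Nov 26 00:32:09 GWbox kernel: IN=eth0 OUT=eth1 SRC=192.168.223.4 DST=203.0.113.10 PROTO=TCP SPT=1068 DPT=21 SYN URGP=0
Nov 26 00:32:10 GWbox kernel: IN=eth0 OUT=eth1 SRC=192.168.223.4 DST=192.168.1.11 PROTO=TCP SPT=1069 DPT=1090 SYN URGP=0
Nov 26 00:32:10 GWbox kernel: IN=eth0 OUT=eth1 SRC=192.168.223.4 DST=192.168.1.11 PROTO=TCP SPT=1070 DPT=1091 SYN URGP=0
Nov 26 00:32:14 GWbox kernel: IN=eth0 OUT=eth1 SRC=192.168.223.4 DST=192.168.1.11 PROTO=TCP SPT=1070 DPT=1091 SYN URGP=0
EOF
}

sample_log | find_private_egress
```

Each output line is a destination, a port and the number of SYNs seen; repeated SYNs to the same port are retransmissions of a data connection that never got an answer.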