William Lima wrote: > > Dear, > > Load modules: > > modprobe ip_nat_ftp > > Abs, Nope: #!/bin/bash modprobe ip_nat_ftp iptables -P FORWARD ACCEPT iptables -P INPUT DROP iptables -P OUTPUT DROP iptables -t nat -A POSTROUTING -o eth1 -s 192.168.223.0/24 -j SNAT --to 68.171.136.91 iptables -A FORWARD -j LOG Module Size Used by Not tainted ipt_LOG 3448 1 (autoclean) iptable_filter 1772 1 (autoclean) ip_conntrack_ftp 3728 1 (autoclean) ip_nat_ftp 2640 0 (unused) iptable_nat 17542 2 [ip_nat_ftp] iptable_mangle 2168 0 (autoclean) (unused) ip_tables 11840 6 [ipt_LOG iptable_filter iptable_nat iptable_mangle] Nov 26 17:20:35 GWbox kernel: IN=eth0 OUT=eth1 SRC=192.168.223.4 DST=192.168.1.11 LEN=52 TOS=0x00 PREC=0x00 TTL=63 ID=61924 DF PROTO=TCP SPT=2105 DPT=2336 WINDOW=60352 RES=0x00 SYN URGP=0 Nov 26 17:20:36 GWbox kernel: IN=eth0 OUT=eth1 SRC=192.168.223.4 DST=192.168.1.11 LEN=52 TOS=0x00 PREC=0x00 TTL=63 ID=61951 DF PROTO=TCP SPT=2106 DPT=2337 WINDOW=60352 RES=0x00 SYN URGP=0 Nov 26 17:20:39 GWbox kernel: IN=eth0 OUT=eth1 SRC=192.168.223.4 DST=192.168.1.11 LEN=52 TOS=0x00 PREC=0x00 TTL=63 ID=61957 DF PROTO=TCP SPT=2106 DPT=2337 WINDOW=60352 RES=0x00 SYN URGP=0 Nov 26 17:20:45 GWbox kernel: IN=eth0 OUT=eth1 SRC=192.168.223.4 DST=192.168.1.11 LEN=52 TOS=0x00 PREC=0x00 TTL=63 ID=61958 DF PROTO=TCP SPT=2106 DPT=2337 WINDOW=60352 RES=0x00 SYN URGP=0 We don't think this is a netfilter problem. The kernel should tell the remote end that it can't use the "nonroutable" IP - shouldn't it? -- gypsy > 2006/11/26, gypsy <gypsy@xxxxxxxxxx>: > > In our network, we have 2 gateways. The main GW is a Slackware 10.0 box > > and the other is a SonicWALL firewall appliance. Each connects to a > > different external IP but both are in the same /29 network. > > > > Note: No machine in our LAN has an IP of 192.168.1.11. > > > > When the default GW is set to the linux box (192.168.223.254) and > > passive FTP to a remote server is initiated, the FTP fails after > > connection because the internal IP of the remote machine (192.168.1.11) > > is seen rather than its external IP. This problem occurs only when > > passive FTP is used. > > > > We do not believe that the OS or FTP daemon of the remote host matters > > because when the default GW is set to the SonicWALL (192.168.223.1), the > > passive FTP succeeds. > > > > Therefore, we conclude that there is something wrong with our linux box. > > > > But WHAT? > > > > Note that the connection has already occurred when port negotation is > > attempted - which is when the FTP fails. > > > > If anyone has advice, we will sincerely appreciate it. > > > > The kernel is 2.4.32. > > > > #!/bin/bash > > iptables -P FORWARD ACCEPT > > iptables -P INPUT DROP > > iptables -P OUTPUT DROP > > iptables -t nat -A POSTROUTING -o eth1 -s 192.168.223.0/24 -j SNAT --to > > 68.171.136.91 > > iptables -A FORWARD -j LOG > > > > Nov 26 00:32:10 GWbox kernel: IN=eth0 OUT=eth1 SRC=192.168.223.4 > > DST=192.168.1.11 LEN=52 TOS=0x00 PREC=0x00 TTL=63 ID=56473 DF PROTO=TCP > > SPT=1069 DPT=1090 WINDOW=60352 RES=0x00 SYN URGP=0 > > Nov 26 00:32:10 GWbox kernel: IN=eth0 OUT=eth1 SRC=192.168.223.4 > > DST=192.168.1.11 LEN=52 TOS=0x00 PREC=0x00 TTL=63 ID=56500 DF PROTO=TCP > > SPT=1070 DPT=1091 WINDOW=60352 RES=0x00 SYN URGP=0 > > Nov 26 00:32:14 GWbox kernel: IN=eth0 OUT=eth1 SRC=192.168.223.4 > > DST=192.168.1.11 LEN=52 TOS=0x00 PREC=0x00 TTL=63 ID=56506 DF PROTO=TCP > > SPT=1070 DPT=1091 WINDOW=60352 RES=0x00 SYN URGP=0 > > Nov 26 00:32:20 GWbox kernel: IN=eth0 OUT=eth1 SRC=192.168.223.4 > > DST=192.168.1.11 LEN=52 TOS=0x00 PREC=0x00 TTL=63 ID=56507 DF PROTO=TCP > > SPT=1070 DPT=1091 WINDOW=60352 RES=0x00 SYN URGP=0 > > -- > > gypsy > > > > > > -- > William R. Lima > wrochalima@xxxxxxxxxxxxxx
