Re: Passive FTP sees remote's _internal_ IP!!??


Hello,

Maxime Ducharme wrote:
This happens when the remote server has a bad
NAT configuration for FTP.

I fully agree, the problem seems to be on the server side.

Maybe SonicWALL is able to "fix" this itself, I don't
know this product very well.

If it does so, I'd be happy to know how.

some suggestions :

1. Fix NAT for FTP on remote firewall

2. Configure remote server to explicitly send
external IP for passive connections (most of FTP
software allows to configure this)

3. Configure your FTP client to use active mode.
If server is running on another port than 21,
you must tell ip_nat_ftp to "listen" for FTP
traffic on this port. Someone on this list can
tell us how? (I don't remember how)

$ modprobe ip_conntrack_ftp ports=21,alternate_port
$ modprobe ip_nat_ftp ports=21,alternate_port

Both commands are needed because, AFAIK, ip_nat_ftp automatically loads ip_conntrack_ftp if it is not already loaded, but does not pass the port list to it. Duh.

3b. Use extended passive mode (EPSV) if the client, the remote server and their firewalls/NATs support it, because an EPSV reply does not contain the server address.

[Read on]
-----Original Message-----
From: netfilter-bounces@xxxxxxxxxxxxxxxxxxx
[mailto:netfilter-bounces@xxxxxxxxxxxxxxxxxxx] On behalf of gypsy
Sent: 27 November 2006 10:33
To: netfilter@xxxxxxxxxxxxxxxxxxx
Subject: Passive FTP sees remote's _internal_ IP!!??

We don't think this is a netfilter problem.

I agree, at least not on the client side.

The kernel should tell the
remote end that it can't use the "nonroutable" IP - shouldn't it?

No, the kernel is not supposed to do this. All the Netfilter FTP NAT helper module can do is translate "internal" addresses. However, the wrong PASV reply comes from the outside.

When the default GW is set to the linux box (192.168.223.254) and
passive FTP to a remote server is initiated, the FTP fails after
connection because the internal IP of the remote machine (192.168.1.11)
is seen rather than its external IP.  This problem occurs only when
passive FTP is used.

Does this happen with any FTP server or only a specific one?
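To make the difference between the PASV and EPSV replies concrete, here is an added example (not code from the thread or from netfilter) of the check a client or a diagnostic tool can run on the server's reply: it parses a 227 PASV reply and a 229 EPSV reply, and when the PASV reply advertises a non-routable address that differs from the address the control connection actually talks to, it reports the bad NAT and falls back to the control peer, which is what EPSV gives for free since the reply carries only a port. The sample replies, the 192.168.1.11 internal address from the thread and the 203.0.113.10 control-peer address are constructed; the regexes follow RFC 959 and RFC 2428 reply formats.

```python
import ipaddress
import re
from typing import Optional, Tuple

# 227 Entering Passive Mode (h1,h2,h3,h4,p1,p2)  -- RFC 959; address is embedded
PASV_RE = re.compile(r"227\b.*?\(?(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3})\)?")
# 229 Entering Extended Passive Mode (|||port|)  -- RFC 2428; no address at all
EPSV_RE = re.compile(r"229\b.*?\(\|\|\|(\d+)\|\)")


def parse_pasv(reply: str) -> Optional[Tuple[str, int]]:
    """Return (host, port) advertised in a 227 reply, or None if it is not one."""
    m = PASV_RE.search(reply)
    if not m:
        return None
    h1, h2, h3, h4, p1, p2 = (int(x) for x in m.groups())
    return f"{h1}.{h2}.{h3}.{h4}", p1 * 256 + p2


def parse_epsv(reply: str) -> Optional[int]:
    """Return the port advertised in a 229 reply, or None if it is not one."""
    m = EPSV_RE.search(reply)
    return int(m.group(1)) if m else None


def choose_data_endpoint(reply: str, control_peer: str) -> Tuple[str, int, str]:
    """Decide where the data connection should go.

    control_peer is the address the control connection is really talking to
    (the server's external address as seen by this client).  Returns
    (host, port, note) where note explains the decision.
    """
    port = parse_epsv(reply)
    if port is not None:
        # EPSV carries no address, so a broken server-side NAT cannot poison it.
        return control_peer, port, "EPSV: no address in reply, using control peer"

    parsed = parse_pasv(reply)
    if parsed is None:
        raise ValueError(f"not a PASV/EPSV reply: {reply!r}")
    host, port = parsed
    addr = ipaddress.ip_address(host)
    if addr == ipaddress.ip_address(control_peer):
        return host, port, "PASV: advertised address matches control peer"
    if not addr.is_global:
        # The server leaked its internal (RFC 1918 or otherwise non-routable)
        # address: the NAT in front of it did not rewrite the 227 reply.
        return control_peer, port, (
            f"PASV: advertised {host} is non-routable (server-side NAT not "
            f"rewriting PASV), using control peer {control_peer}")
    return host, port, f"PASV: advertised {host} differs from control peer {control_peer}"


if __name__ == "__main__":
    peer = "203.0.113.10"  # constructed external address of the remote server
    for reply in (
        "227 Entering Passive Mode (192,168,1,11,19,137).",   # leaked internal IP
        "227 Entering Passive Mode (203,0,113,10,19,137).",   # correctly rewritten
        "229 Entering Extended Passive Mode (|||5001|).",     # EPSV, port only
    ):
        host, port, note = choose_data_endpoint(reply, peer)
        print(f"{reply!r:55} -> {host}:{port}  [{note}]")
```

The port arithmetic is the same in both forms (19*256+137 = 5001), which is why the EPSV reply in the sample is equivalent to the PASV ones but cannot carry the wrong address; the fallback-to-control-peer behaviour for a non-routable PASV address is what common clients do when the server has the misconfiguration described in this thread.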


