Hello, Pokotilenko Kostik wrote:
> I have a proftpd server with virtual hosts running on ports 21 and 3421. Both are masquerading to the public IP of a gateway/NAT. The gateway/NAT is running:
>
>   ip_conntrack_ftp ports=21,3421
>   ip_nat_ftp ports=21,3421
>
> Using a client behind the SNAT I can connect to 21 and get a directory listing in passive mode; I can connect to 3421 but CAN'T get a directory listing in passive mode. It seems ip_conntrack_ftp/ip_nat_ftp doesn't spy on port 3421. What can be wrong? How to debug?
>
> Directory listing on 21 goes well:
>
>   ftp> pass
>   Passive mode on.
>   ftp> ls
>   227 Entering Passive Mode (xxx,xxx,xxx,xxx,236,99).
>   150 Opening ASCII mode data connection for file list
>   [directory listings]
>   226 Transfer complete.
>   ftp>
>
> When trying to get a directory listing on 3421 I get:
>
>   ftp> pas
>   Passive mode on.
>   ftp> ls
>   227 Entering Passive Mode (xxx,xxx,xxx,xxx,157,8).
>   ftp: connect: Connection refused
>   ftp>
>
> where xxx,xxx,xxx,xxx is the public IP of the gateway/NAT of the FTP server.
AFAIK, the public address in the reply to the PASV command means that ip_conntrack_ftp and ip_nat_ftp monitor the control connection on port 3421 too, unless the server itself advertised the public address. Could it be the client-side SNAT that rejects the data connection?
-- To unsubscribe from this list: send the line "unsubscribe netfilter" in the body of a message to majordomo@xxxxxxxxxxxxxxx More majordomo info at http://vger.kernel.org/majordomo-info.html
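As an added example for the "how to debug" part of this thread (this is not code from the poster, the reply, or the netfilter project), here is a small Python checker that puts the three facts side by side which decide whether a passive data connection gets DNATed back through the gateway: what the 227 reply advertises (data port = p1*256 + p2), whether the control port is in the helper's ports= list, and whether the gateway holds an expectation for that data port at the moment the client connects. The sysfs path /sys/module/nf_conntrack_ftp/parameters/ports and the "proto=6 ... dport=N" line layout of /proc/net/nf_conntrack_expect are assumptions about newer kernels (the 2.4-era ip_conntrack_ftp in the thread has no sysfs parameter file); the addresses 203.0.113.10 and 192.0.2.25 and the sample expectation line are constructed for the example.

```python
import re

# A 227 reply carries the data endpoint as six decimal fields: h1,h2,h3,h4,p1,p2.
PASV_RE = re.compile(
    r"^227 [^(]*\((\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3})\)"
)

# One expectation line from the gateway's conntrack expect table.  The layout
# ("... proto=6 ... dport=N") is an assumption about /proc/net/nf_conntrack_expect;
# only the TCP destination port is needed here.
EXPECT_RE = re.compile(r"\bproto=6\b.*\bdport=(\d+)")

# Constructed sample of the expect table right after a PASV on port 21: the
# helper installed one TCP expectation for data port 60515 (236*256+99).
# Invented for this example, not captured from a real gateway.
SAMPLE_EXPECT = "299 proto=6 src=192.0.2.25 dst=203.0.113.10 sport=0 dport=60515\n"


def parse_pasv(reply):
    """Return (ip, port) advertised in a 227 reply; raise ValueError if malformed."""
    m = PASV_RE.match(reply.strip())
    if not m:
        raise ValueError("not a 227 PASV reply: %r" % reply)
    fields = [int(x) for x in m.groups()]
    if max(fields) > 255:
        raise ValueError("field out of range in: %r" % reply)
    h1, h2, h3, h4, p1, p2 = fields
    return "%d.%d.%d.%d" % (h1, h2, h3, h4), p1 * 256 + p2


def parse_ports(text):
    """Parse a comma-separated 'ports=' list as written in the thread ('21,3421')."""
    return [int(p) for p in text.strip().split(",") if p.strip()]


def read_helper_ports(path="/sys/module/nf_conntrack_ftp/parameters/ports"):
    """Ports the loaded FTP helper is watching, read from sysfs (root only on
    newer kernels; the 2.4-era ip_conntrack_ftp has no such file).  Returns an
    empty list when the file is unavailable.  The path is an assumption."""
    try:
        with open(path) as f:
            return parse_ports(f.read())
    except OSError:
        return []


def expected_data_ports(expect_table):
    """Set of TCP ports for which the gateway currently holds an expectation."""
    ports = set()
    for line in expect_table.splitlines():
        m = EXPECT_RE.search(line)
        if m:
            ports.add(int(m.group(1)))
    return ports


def diagnose(reply, control_port, helper_ports, expect_table):
    """Combine the facts that decide whether the passive data connection will be
    DNATed: what the 227 advertises, whether the helper watches the control
    port, and whether an expectation exists for the advertised data port."""
    ip, port = parse_pasv(reply)
    tracked = control_port in helper_ports
    expected = port in expected_data_ports(expect_table)
    if not tracked:
        verdict = ("control port %d is not in the helper's ports= list %s; "
                   "reload ip_conntrack_ftp/ip_nat_ftp with it" % (control_port, helper_ports))
    elif not expected:
        verdict = ("helper watches port %d but holds no expectation for data port %d; "
                   "check whether the server advertises the public address itself, "
                   "in which case the helper sees nothing to rewrite" % (control_port, port))
    else:
        verdict = "expectation present for %s:%d; the data connection should be DNATed" % (ip, port)
    return {"ip": ip, "port": port, "tracked": tracked, "expected": expected, "verdict": verdict}


if __name__ == "__main__":
    helper = read_helper_ports() or [21, 3421]   # fall back to the thread's configuration
    for ctl, reply in ((21, "227 Entering Passive Mode (203,0,113,10,236,99)."),
                       (3421, "227 Entering Passive Mode (203,0,113,10,157,8).")):
        r = diagnose(reply, ctl, helper, SAMPLE_EXPECT)
        print("port %d -> data %s:%d tracked=%s expected=%s\n  %s"
              % (ctl, r["ip"], r["port"], r["tracked"], r["expected"], r["verdict"]))
```

To use it on a real gateway, send PASV from the client and immediately dump the expect table into expect_table; the two replies in the thread decode to data ports 60515 (port 21, works) and 40200 (port 3421, refused), so the interesting question is whether an expectation for 40200 ever appears while the 3421 control connection is open.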