Re: FTP-server on non-standard port behind DNAT, client behind SNAT

[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

 



Hello,

Pokotilenko Kostik a écrit :
I have proftpd-server with virtual hosts running on 21 and 3421 ports.
Both are masquerading to the public IP of a gateway/nat.

Gateway/nat running:
ip_conntrack_ftp ports=21,3421
ip_nat_ftp ports=21,3421

Using a client behind the SNAT I can connect to 21 and get directory
listing in passive mode, can connect to 3421 but CAN'T get directory
listing in passive mode.

Seems like ip_conntrack_ftp/ip_nat_ftp doesn't spy 3421 port. What can
be wrong? How to debug?

Directory listing on 21 goes well:

ftp> pass
Passive mode on.
ftp> ls
227 Entering Passive Mode (xxx,xxx,xxx,xxx,236,99).
150 Opening ASCII mode data connection for file list
[directory listings]
226 Transfer complete.
ftp>

When trying to get directory listing on 3421 I get:

ftp> pas
Passive mode on.
ftp> ls
227 Entering Passive Mode (xxx,xxx,xxx,xxx,157,8).
ftp: connect: Connection refused
ftp>

where xxx,xxx,xxx,xxx: public IP of gateway/nat of a FTP server.

AFAIK, the public address in the reply to the PASV command means that ip_conntrack_ftp and ip_nat_ftp monitors the control connection on port 3421 too, unless the server itself advertised the public address. Could it be the client-side SNAT which rejects the data connection ?
--
To unsubscribe from this list: send the line "unsubscribe netfilter" in
the body of a message to majordomo@xxxxxxxxxxxxxxx
More majordomo info at  http://vger.kernel.org/majordomo-info.html

[Index of Archives]     [Linux Netfilter Development]     [Linux Kernel Networking Development]     [Netem]     [Berkeley Packet Filter]     [Linux Kernel Development]     [Advanced Routing & Traffice Control]     [Bugtraq]

  Powered by Linux