On Tue, 11/11/2008 at 16:16 +0100, Pascal Hambourg wrote:
> Hello,
>
> Pokotilenko Kostik wrote:
> > I have proftpd-server with virtual hosts running on 21 and 3421 ports.
> > Both are masquerading to the public IP of a gateway/nat.
> >
> > Gateway/nat running:
> > ip_conntrack_ftp ports=21,3421
> > ip_nat_ftp ports=21,3421
> >
> > Using a client behind the SNAT I can connect to 21 and get directory
> > listing in passive mode, can connect to 3421 but CAN'T get directory
> > listing in passive mode.
> >
> > Seems like ip_conntrack_ftp/ip_nat_ftp doesn't spy on port 3421. What can
> > be wrong? How to debug?
> >
> > Directory listing on 21 goes well:
> >
> > ftp> pass
> > Passive mode on.
> > ftp> ls
> > 227 Entering Passive Mode (xxx,xxx,xxx,xxx,236,99).
> > 150 Opening ASCII mode data connection for file list
> > [directory listings]
> > 226 Transfer complete.
> > ftp>
> >
> > When trying to get directory listing on 3421 I get:
> >
> > ftp> pas
> > Passive mode on.
> > ftp> ls
> > 227 Entering Passive Mode (xxx,xxx,xxx,xxx,157,8).
> > ftp: connect: Connection refused
> > ftp>
> >
> > where xxx,xxx,xxx,xxx: public IP of gateway/nat of a FTP server.
>
> AFAIK, the public address in the reply to the PASV command means that
> ip_conntrack_ftp and ip_nat_ftp monitor the control connection on port
> 3421 too, unless the server itself advertised the public address.

The server advertises the public address itself; it's proftpd with this option:

<VirtualHost yyy.yyy.yyy.yyy>
...
MasqueradeAddress xxx,xxx,xxx,xxx
...
</VirtualHost>

where yyy.yyy.yyy.yyy: private IP.

> Could
> it be the client-side SNAT which rejects the data connection ?

No, all outgoing connections are allowed. Moreover on port 21 the data connection port is within the same range, so this is not the case.
-- 
Покотиленко Костик <casper@xxxxxxxxxxxx>
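A small diagnostic for the situation discussed in this thread, added here as an example and not code from either poster: it parses an FTP 227 reply into the advertised address and port (RFC 959 encodes the port as p1*256+p2), checks whether the control connection's port is in the helper's `ports=` list, and, as Pascal notes, treats a matching public address as inconclusive when the server itself advertises it via MasqueradeAddress. The sample replies and the 203.0.113.10 address are constructed.

```python
import re

# 227 Entering Passive Mode (h1,h2,h3,h4,p1,p2)
PASV_RE = re.compile(r"^227 .*?\((\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3})\)")


def parse_pasv_reply(reply):
    """Return (ip, port) advertised in a 227 reply, or None if malformed."""
    m = PASV_RE.search(reply.strip())
    if not m:
        return None
    octets = [int(x) for x in m.groups()]
    if any(o > 255 for o in octets):
        return None
    ip = ".".join(str(o) for o in octets[:4])
    port = octets[4] * 256 + octets[5]
    return ip, port


def helper_ports(module_param):
    """Parse the 'ports=21,3421' parameter given to ip_conntrack_ftp/ip_nat_ftp."""
    _, _, value = module_param.partition("ports=")
    return {int(p) for p in value.split(",") if p.strip()}


def diagnose_pasv(reply, control_peer_ip, control_port, tracked_ports, server_masquerades):
    """Classify a 227 reply seen by a client whose control connection goes to
    control_peer_ip:control_port through the server-side NAT.

    tracked_ports: ports the FTP conntrack/NAT helper was loaded with.
    server_masquerades: True if the server advertises the public address itself
    (proftpd MasqueradeAddress), so a correct address says nothing about the helper.
    """
    parsed = parse_pasv_reply(reply)
    if parsed is None:
        return "malformed-227"
    ip, _port = parsed
    if ip != control_peer_ip:
        # Neither the helper nor the server rewrote the address: the client
        # would try to open the data connection to a private/other host.
        return "address-not-rewritten"
    if control_port not in tracked_ports:
        # Address looks right, but the helper never saw this control connection,
        # so no conntrack expectation exists for the data connection.
        return "control-port-not-in-helper-list"
    if server_masquerades:
        return "inconclusive"
    return "helper-tracking"
```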