Pokotilenko Kostik wrote:
> You are extremely right :) That was the case, removing MasqueradeAddress
> made it work!

Glad it helped. However I wonder why it was working on port 21 and not
on port 3421.

> I was unable to find the information on how conntrack_ftp/nat_ftp
> works, otherwise I would have found out the right way.

The source code is available. (just kidding)

The Netfilter conntrack/NAT helper is smart enough and does all the
dirty job transparently so neither the client nor the server should bother
about NAT issues. It monitors the control connection, translates the
address and port information in it, translates and marks the data
connections as RELATED, in both active and passive modes. All this
assumes that the control connection is cleartext, not encrypted with
SSL/TLS.

Note that if you want to use active mode on the non-standard port from
the masqueraded client, the SNAT device must be aware that this port is
used for FTP control connections. Most NAT devices handle FTP only on
port 21.

Only when the NAT device is "dumb" (not FTP-aware) or encryption is used
the masqueraded end must advertise the public address, reserve a port
range for data connections and have this port range explicitly DNATed to
its private address by the NAT device.
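
The behaviour described in the message above, as an added example that is not part of the original message and is not Netfilter's code: a simplified user-space model of an FTP-aware NAT device that only inspects control connections on ports it has been told carry FTP, which is why port 21 works and port 3421 does not. The function name, its parameters and the sample addresses are assumptions made for illustration; the real helper may also pick a different data port and must adjust TCP sequence numbers when the line length changes, which this model leaves out.

```python
import re

# Simplified user-space model of an FTP-aware NAT helper (not the kernel code).
# Matches the six comma-separated numbers h1,h2,h3,h4,p1,p2 used by the
# active-mode PORT command and the passive-mode 227 reply (RFC 959).
HOSTPORT = re.compile(r"(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3})")


def rewrite_control_line(line, control_port, helper_ports, private_ip, public_ip):
    """Return (new_line, expectation) for one line of an FTP control connection.

    expectation is (public_ip, data_port) when the helper would expect a
    RELATED data connection, otherwise None and the line passes unchanged.
    """
    # The helper only inspects connections to ports it was told carry FTP.
    if control_port not in helper_ports:
        return line, None
    # Only PORT commands and 227 replies carry an address to translate.
    # An encrypted control channel never shows these in cleartext.
    if not (line.upper().startswith("PORT ") or line.startswith("227 ")):
        return line, None
    m = HOSTPORT.search(line)
    if m is None:
        return line, None
    nums = [int(g) for g in m.groups()]
    if any(n > 255 for n in nums):
        return line, None
    advertised_ip = ".".join(str(n) for n in nums[:4])
    # Translate only the address of the masqueraded host itself.
    if advertised_ip != private_ip:
        return line, None
    data_port = nums[4] * 256 + nums[5]
    new_hostport = public_ip.replace(".", ",") + f",{nums[4]},{nums[5]}"
    new_line = line[:m.start()] + new_hostport + line[m.end():]
    return new_line, (public_ip, data_port)


if __name__ == "__main__":
    # Constructed sample: private client 192.168.1.10 behind public 203.0.113.5.
    cmd = "PORT 192,168,1,10,19,137\r\n"
    for port, helpers in ((21, {21}), (3421, {21}), (3421, {21, 3421})):
        print(port, sorted(helpers),
              rewrite_control_line(cmd, port, helpers, "192.168.1.10", "203.0.113.5"))
```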