Re: ftp and nat

Hi all,

2009/5/27 Thomas Jacob <jacob@xxxxxxxxxxxxx>:
> On Wed, 2009-05-27 at 13:48 +0200, matthias wrote:
>> Hi all,
>>
>> I have a network like this:
>> client <-> router <-> server
>>
>> the router is linked via eth0 to the client-network and via tun0 to the server.
>> When I try to log from the client into the server via FTP I get a
>> delay of about 30 seconds.
>> Can anyone tell me why? Is it that iptables doesn't support active FTP?
>>
>> here are tcpdump extracts taken by the router:
>>
>> root@router# tcpdump -i eth0
>> listening on eth0, link-type EN10MB (Ethernet), capture size 96 bytes
>> 15:57:01.949614 IP client.43278 > router.ftp: S
>> 2612647763:2612647763(0) win 5840 <mss 1460,sackOK,timestamp 538163918
>> 0,nop,wscale 2>
>> 15:57:01.951314 IP router.ftp > client.43278: S
>> 3833629446:3833629446(0) ack 2612647764 win 5792 <sackOK,timestamp
>> 109271440 538163918,mss 1460,nop,wscale 2>
>> 15:57:01.951615 IP client.43278 > router.ftp: . ack 1 win 1460
>> <nop,nop,timestamp 538163921 109271440>
>
> 3-way handshake is complete here
>
>> 15:57:32.417873 IP router.ftp > client.43278: P 1:99(98) ack 1 win
>> 1448 <nop,nop,timestamp 109279056 538163921>
>
> And then your router does not send the FTP ready message for about
> 30s, at this point nothing FTP specific has yet taken place.
>
> Suggest you look into your "ident"-checks in the FTP server config
> and disable them.
>
> Once you get the FTP prompt right away, don't forget to load the FTP
> support modules for iptables/NAT:
>
>  modprobe nf_conntrack_ftp
>  modprobe nf_nat_ftp

Firstly I missed capturing the auth communication on eth0. After changing
the tcpdump call (tcpdump -i eth0 port ftp or port ftp-data or port
auth) I recognized that the auth messages from the server are
delivered to the client without changing the corresponding IP address,
so that the client received an auth request with source-ip=server.
I think this happens due to the fact that iptables couldn't recognize
the answer of the server, because it uses a different port.

As a workaround I added the following rule to my iptables initialization script:
iptables -A FORWARD -i tun0 -o eth0 -p tcp --dport 113 -j REJECT -v

So that I get an FTP prompt right away. It seems as if the FTP server
doesn't have any config flag to disable ident checks.

Thanks,
Matthias
--
To unsubscribe from this list: send the line "unsubscribe netfilter" in
the body of a message to majordomo@xxxxxxxxxxxxxxx
More majordomo info at  http://vger.kernel.org/majordomo-info.html
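Added example, not part of the thread: a small Python script that measures the gap Thomas points at in the trace, between the client's handshake-completing ACK and the server's first data segment, over tcpdump lines in the format quoted above. The sample trace is constructed from the quoted packets, re-joined onto one line each, and the 10 s threshold is an assumed value.

```python
import re
from dataclasses import dataclass

# Constructed sample: the tcpdump extract quoted in the thread, one packet per line.
SAMPLE_TRACE = """\
15:57:01.949614 IP client.43278 > router.ftp: S 2612647763:2612647763(0) win 5840 <mss 1460,sackOK,timestamp 538163918 0,nop,wscale 2>
15:57:01.951314 IP router.ftp > client.43278: S 3833629446:3833629446(0) ack 2612647764 win 5792 <sackOK,timestamp 109271440 538163918,mss 1460,nop,wscale 2>
15:57:01.951615 IP client.43278 > router.ftp: . ack 1 win 1460 <nop,nop,timestamp 538163921 109271440>
15:57:32.417873 IP router.ftp > client.43278: P 1:99(98) ack 1 win 1448 <nop,nop,timestamp 109279056 538163921>
"""

# timestamp, src host.port, dst host.port, TCP flag field (S . P F R) of old-style tcpdump output
LINE_RE = re.compile(r"^(\d\d):(\d\d):(\d\d\.\d+) IP (\S+) > (\S+): (\S+)")

@dataclass
class Packet:
    t: float       # seconds since midnight
    src: str       # "host.port" as tcpdump prints it
    dst: str
    flags: str
    payload: int   # bytes carried, taken from the "first:last(n)" sequence field

def parse_line(line):
    """Parse one tcpdump line; returns None for lines that are not TCP packets."""
    m = LINE_RE.match(line)
    if not m:
        return None
    h, mi, s, src, dst, flags = m.groups()
    seq = re.search(r"\d+:\d+\((\d+)\)", line)      # absent on pure ACKs -> 0 bytes
    return Packet(int(h) * 3600 + int(mi) * 60 + float(s), src, dst, flags,
                  int(seq.group(1)) if seq else 0)

def banner_delay(trace, service="ftp"):
    """Seconds from the client's handshake-completing ACK to the server's first data
    segment (the FTP greeting); None if either packet is missing."""
    pkts = [p for p in map(parse_line, trace.splitlines()) if p is not None]
    ack_t = next((p.t for p in pkts if p.dst.endswith("." + service)
                  and p.flags == "." and p.payload == 0), None)
    data_t = next((p.t for p in pkts if p.src.endswith("." + service)
                   and p.payload > 0), None)
    if ack_t is None or data_t is None:
        return None
    return round(data_t - ack_t, 6)

def looks_like_ident_stall(trace, threshold=10.0):
    """A clean handshake followed by a long server-side pause before the greeting is the
    signature of an ident (tcp/113) lookup that gets no reply until it times out."""
    d = banner_delay(trace)
    return d is not None and d >= threshold
```

Run against the quoted trace it reports a delay of about 30.47 s; a REJECTed ident query, as in Matthias's workaround, brings that figure down to milliseconds.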
