Hi all, 2009/5/27 Thomas Jacob <jacob@xxxxxxxxxxxxx>: > On Wed, 2009-05-27 at 13:48 +0200, matthias wrote: >> Hi all, >> >> i have a network like this: >> client <-> router <-> server >> >> the router is linked via eth0 to the client-network and via tun0 to the server. >> when i try to log from the client into the server via ftp I get a >> delay of about 30 seconds. >> does anyone tell me why, is it, that iptables doesn't support active ftp? >> >> here are tcpdump extracts taken by the router: >> >> root@router# tcpdump -i eth0 >> listening on eth0, link-type EN10MB (Ethernet), capture size 96 bytes >> 15:57:01.949614 IP client.43278 > router.ftp: S >> 2612647763:2612647763(0) win 5840 <mss 1460,sackOK,timestamp 538163918 >> 0,nop,wscale 2> >> 15:57:01.951314 IP router.ftp > client.43278: S >> 3833629446:3833629446(0) ack 2612647764 win 5792 <sackOK,timestamp >> 109271440 538163918,mss 1460,nop,wscale 2> >> 15:57:01.951615 IP client.43278 > router.ftp: . ack 1 win 1460 >> <nop,nop,timestamp 538163921 109271440> > > 3 way handshake is complete here > >> 15:57:32.417873 IP router.ftp > client.43278: P 1:99(98) ack 1 win >> 1448 <nop,nop,timestamp 109279056 538163921> > > And then your router does not send the FTP ready message for about > 30s, at this point nothing FTP specific has yet taken place. > > Suggest you look into your "ident"-checks in the FTP server config > and disable them. > > Once you get the FTP prompt right away, don't forget to load the FTP > support modules for iptables/NAT: > > modprobe nf_conntrack_ftp > modprobe nf_nat_ftp Firstly I missed to caputer auth communication on eth0. After changing the tcpdump call (tcpdump -i eth0 port ftp or port ftp-data or port auth) I recongnized, that the auth-messages from the server are delivered to the client without changing the corresponding ip adress, so that the client received a auth-request with source-ip=server. I think this happens due to the fact that iptables couldn't recognize the answer of the server, because it uses a different port. As a workaround I added the folowing rule to my iptables initalization script: iptables -A FORWARD -i tun0 -o eth0 -p tcp --dport 113 -j REJECT -v So that I get a ftp prompt right away. Seems as if the FTP server doesn't have any config flag to disable ident-checks. Thanks, Matthias -- To unsubscribe from this list: send the line "unsubscribe netfilter" in the body of a message to majordomo@xxxxxxxxxxxxxxx More majordomo info at http://vger.kernel.org/majordomo-info.html