On Wed, 13/06/2018 at 11.01 +0200, Mark Coetser wrote:
> Probably something simple again, I am battling with outbound active ftp
> connections from my firewall directly ie not routed
>
> I have the following in the raw table
>
> -A PREROUTING -p tcp -m tcp --dport 21 -j CT --helper ftp
> -A OUTPUT -p tcp -m tcp --dport 21 -j CT --helper ftp
>
>
> when connecting with ftp
>
> Remote system type is UNIX.
> Using binary mode to transfer files.
> ftp> ls
> 200 PORT command successful
> 425 Unable to build data connection: Connection refused
> ftp> passive
> Passive mode on.
> ftp> ls
> 450 LIST: Connection refused
> Passive mode refused.
> ftp> quit
>
> modules loaded
>
> nf_log_ipv4 16384 12
> nf_log_common 16384 1 nf_log_ipv4
> nf_reject_ipv4 16384 1 ipt_REJECT
> nf_conntrack_pptp 16384 1
> nf_conntrack_proto_gre 16384 1 nf_conntrack_pptp
> nf_conntrack_ftp 20480 2
> nf_nat_masquerade_ipv4 16384 1 ipt_MASQUERADE
> nf_conntrack_ipv4 16384 28
> nf_defrag_ipv4 16384 1 nf_conntrack_ipv4
> nf_nat_ipv4 16384 1 iptable_nat
> nf_nat 28672 3 xt_nat,nf_nat_masquerade_ipv4,nf_nat_ipv4
> nf_conntrack 114688 9 nf_conntrack_ftp,nf_conntrack_ipv4,nf_conntrack_pptp,nf_conntrack_proto_gre,xt_CT,nf_nat_masquerade_ipv4,xt_conntrack,nf_nat_ipv4,nf_nat
>

Do you have in input or forward chain:

-m conntrack --ctstate RELATED -m helper --helper ftp -j ACCEPT
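
The check suggested in the reply, written as an added example that is not part of the original thread: a script that reads a ruleset in `iptables-save` format and reports whether the raw-table helper assignment and a matching RELATED accept in the filter INPUT chain are both present. The names `audit_ftp_helper` and `sample_dump` are hypothetical and the ruleset is constructed for illustration; only the two raw rules and the accept rule are taken from the messages above.

```shell
#!/bin/sh
# Added example: audit an iptables-save dump (read from stdin) for the two
# pieces an FTP data connection to or from the firewall itself needs.
audit_ftp_helper() {
    awk '
        # iptables-save starts each table with "*name"; remember which one we are in.
        /^\*/ { table = substr($0, 2); next }
        # Piece 1: the control connection leaving the box gets the ftp helper.
        table == "raw" && /^-A OUTPUT / && /--dport 21 / && /-j CT --helper ftp/ {
            assigned = 1
        }
        # Piece 2: expected data connections (state RELATED, helper ftp) are accepted.
        table == "filter" && /^-A INPUT / && /--ctstate [A-Z,]*RELATED/ &&
            /--helper ftp/ && /-j ACCEPT/ {
            accepted = 1
        }
        END {
            a = assigned ? "ok" : "missing"
            b = accepted ? "ok" : "missing"
            print a ": raw OUTPUT helper assignment"
            print b ": filter INPUT RELATED accept"
        }
    '
}

# Constructed sample ruleset. "$1" is an optional extra INPUT rule, placed
# before the final REJECT so that it is evaluated first.
sample_dump() {
    cat <<EOF
*raw
-A PREROUTING -p tcp -m tcp --dport 21 -j CT --helper ftp
-A OUTPUT -p tcp -m tcp --dport 21 -j CT --helper ftp
COMMIT
*filter
:INPUT DROP [0:0]
-A INPUT -m conntrack --ctstate ESTABLISHED -j ACCEPT
${1:-}
-A INPUT -j REJECT --reject-with icmp-port-unreachable
COMMIT
EOF
}

# The rule from the reply, in iptables-save form for the INPUT chain.
FIX='-A INPUT -m conntrack --ctstate RELATED -m helper --helper ftp -j ACCEPT'

echo "without the accept rule:"; sample_dump | audit_ftp_helper
echo "with the accept rule:";    sample_dump "$FIX" | audit_ftp_helper
```

On a live system the same function can be fed with `iptables-save | audit_ftp_helper`.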