Hi,
While testing my iptables ruleset on a Fedora 36, I've encountered an
unexpected behaviour regarding FTP connection forwarding.
I've reduced the ruleset to look like below.
I've tried to "modprobe nf_conntrack_ftp" alone, but external clients
still won't get data connections.
Then I "modprobe nf_nat_ftp". It loads normally but after the first
attempt to establish an FTP connection, the system freezes and sometimes
prints the following message:
Message from syslogd@fw1-test at Sep 20 09:33:28 ...
kernel:watchdog: BUG: soft lockup - CPU#1 stuck for 26s! [swapper/1:0]
This problem happens on the newest Fedora 36 stock kernel as of
20/09/2022, version 5.19.9-200.fc36.x86_64 (and at least on the previous
5.19.8-200.fc36.x86_64), but (apparently) works normally on version
5.17.5-300.fc36.x86_64, which was the default kernel from ISO install.
Is it a bug, maybe?
Just wanted to report this, maybe someone on this list can do something
about it.
### My eclipsed ruleset in which this problem happens
# eth0: LAN
# eth1: Public
# 192.168.22.5: internal FTP server
iptables -P INPUT DROP
iptables -P FORWARD DROP
echo 1 > /proc/sys/net/ipv4/ip_forward
echo 1 > /proc/sys/net/netfilter/nf_conntrack_helper
modprobe nf_conntrack_ftp
modprobe nf_nat_ftp
iptables -A INPUT -i lo -j ACCEPT
iptables -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
iptables -A INPUT -i eth0 -s 192.168.22.0/24 -j ACCEPT
iptables -A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT
iptables -A FORWARD -i eth0 -s 192.168.22.0/24 -j ACCEPT
iptables -A FORWARD -i eth1 -d 192.168.22.5 -p tcp --dport 21 -j ACCEPT
iptables -t nat -A PREROUTING -i eth1 -p tcp --dport 21 -j DNAT --to-destination 192.168.22.5
iptables -t nat -A POSTROUTING -o eth1 -j MASQUERADE
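As an added example (not the poster's script), the same forwarding setup written with the FTP helper attached explicitly through the CT target in the raw table, instead of the global nf_conntrack_helper=1 sysctl that auto-attaches the helper to every port-21 flow the box sees; RELATED data connections are then accepted only when the ftp helper expected them. Interfaces and addresses are the report's own; this illustrates the explicit-helper form and is not a fix for the reported lockup.

```shell
#!/bin/sh
# Added example, not from the original report: prints an iptables ruleset
# equivalent to the reported one, but with explicit helper assignment
# (raw-table CT target) rather than the nf_conntrack_helper sysctl.
# Apply on the firewall with:  ftp_nat_rules | sh
LAN_IF=eth0                 # eth0: LAN (from the report)
WAN_IF=eth1                 # eth1: Public (from the report)
FTP_SERVER=192.168.22.5     # internal FTP server (from the report)
LAN_NET=192.168.22.0/24

ftp_nat_rules() {
    cat <<EOF
modprobe nf_conntrack_ftp
modprobe nf_nat_ftp
sysctl -w net.ipv4.ip_forward=1
iptables -P INPUT DROP
iptables -P FORWARD DROP
# Helper only for FTP control connections entering from the public side
# (pre-DNAT, so match on interface and port) and for LAN clients going out.
iptables -t raw -A PREROUTING -i $WAN_IF -p tcp --dport 21 -j CT --helper ftp
iptables -t raw -A PREROUTING -i $LAN_IF -s $LAN_NET -p tcp --dport 21 -j CT --helper ftp
iptables -A INPUT -i lo -j ACCEPT
iptables -A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
iptables -A INPUT -i $LAN_IF -s $LAN_NET -j ACCEPT
iptables -A FORWARD -m conntrack --ctstate ESTABLISHED -j ACCEPT
# Data connections: RELATED is accepted only when the ftp helper expected them.
iptables -A FORWARD -m conntrack --ctstate RELATED -m helper --helper ftp -j ACCEPT
iptables -A FORWARD -i $LAN_IF -s $LAN_NET -j ACCEPT
iptables -A FORWARD -i $WAN_IF -d $FTP_SERVER -p tcp --dport 21 -j ACCEPT
iptables -t nat -A PREROUTING -i $WAN_IF -p tcp --dport 21 -j DNAT --to-destination $FTP_SERVER
iptables -t nat -A POSTROUTING -o $WAN_IF -j MASQUERADE
EOF
}

# Sanity check on the generated text (no root or netfilter needed):
# number of explicit helper assignments in the ruleset.
count_helper_rules() {
    ftp_nat_rules | grep -c -- '-j CT --helper ftp'
}
```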