ftp contrack

ftp contrack

[Mario Ohnewald]

Hello List!

I am trying to redirect (NAT) to a internal ftp box (but both have a public
ip).
I am using those rules:

modprobe ip_conntrack_ftp ports=21,2121
modprobe ip_nat_ftp
iptables -t nat -A PREROUTING -d $FW -p tcp --dport 2121 -j DNAT --to
$FTP:21
iptables -A POSTROUTING -t nat -d $FTP -p tcp --dport 21 -j SNAT --to
$FW:2121


They kind of worked for a while. The forwarding of port 21 to 2121 worked
one out of 10 times maybe.

Now the packets dont get forwarded at all anymore.
/proc/sys/net/ipv4/ip_forward is set to 1.

Default policy is set to ACCEPT when i am testing it.
With tcpdump i see the packets coming in, but they don`t get forwarded.


Any idea what i am doing wrong?


Cheers, Mario

-- 
Sparen beginnt mit GMX DSL: http://www.gmx.net/de/go/dsl

Re: ftp contrack

[Filip Sneppe]

On Mon, 24 Jan 2005 00:57:14 +0100 (MET), Mario Ohnewald
<mario.Ohnewald@gmx.de> wrote:
> Hello List!
> 
> I am trying to redirect (NAT) to a internal ftp box (but both have a public
> ip).
> I am using those rules:
> 
> modprobe ip_conntrack_ftp ports=21,2121
> modprobe ip_nat_ftp

Hi Mario, 

Add "ports=21,2121" to the "modprobe ip_nat_ftp" command.
That should do the trick.

modprobe ip_nat_ftp ports=21,2121

Regards,
Filip

Re: ftp contrack

[Jose Maria Lopez]

El mar, 25 de 01 de 2005 a las 13:15, Filip Sneppe escribió:
> On Mon, 24 Jan 2005 00:57:14 +0100 (MET), Mario Ohnewald
> <mario.Ohnewald@gmx.de> wrote:
> > Hello List!
> > 
> > I am trying to redirect (NAT) to a internal ftp box (but both have a public
> > ip).
> > I am using those rules:
> > 
> > modprobe ip_conntrack_ftp ports=21,2121
> > modprobe ip_nat_ftp
> 
> Hi Mario, 
> 
> Add "ports=21,2121" to the "modprobe ip_nat_ftp" command.
> That should do the trick.
> 
> modprobe ip_nat_ftp ports=21,2121
> 
> Regards,
> Filip

Maybe it's a stupid question, but...
Why are you using port 2121 for ftp?
I couldn't find any information on it being used.

Regards.

-- 
Jose Maria Lopez Hernandez
Director Tecnico de bgSEC
jkerouac@bgsec.com
bgSEC Seguridad y Consultoria de Sistemas Informaticos
http://www.bgsec.com
ESPAÑA

The only people for me are the mad ones -- the ones who are mad to live,
mad to talk, mad to be saved, desirous of everything at the same time,
the ones who never yawn or say a commonplace thing, but burn, burn, burn
like fabulous yellow Roman candles.
                -- Jack Kerouac, "On the Road"

Re: ftp contrack

[Mario Ohnewald]

On Tue, 2005-01-25 at 13:53, Jose Maria Lopez wrote:
> El mar, 25 de 01 de 2005 a las 13:15, Filip Sneppe escribió:
> > On Mon, 24 Jan 2005 00:57:14 +0100 (MET), Mario Ohnewald
> > <mario.Ohnewald@gmx.de> wrote:
> > > Hello List!
> > > 
> > > I am trying to redirect (NAT) to a internal ftp box (but both have a public
> > > ip).
> > > I am using those rules:
> > > 
> > > modprobe ip_conntrack_ftp ports=21,2121
> > > modprobe ip_nat_ftp
> > 
> > Hi Mario, 
> > 
> > Add "ports=21,2121" to the "modprobe ip_nat_ftp" command.
> > That should do the trick.
> > 
> > modprobe ip_nat_ftp ports=21,2121
> > 
> > Regards,
> > Filip
> 
> Maybe it's a stupid question, but...
> Why are you using port 2121 for ftp?
> I couldn't find any information on it being used.

Because i have a ftpd running on the firewall itself.

by the way.  
  modprobe ip_nat_ftp ports=21,2121
didnt work.


Cheers, Mario

Re: ftp contrack

[Filip Sneppe]

On Tue, 25 Jan 2005 10:50:26 +0100, Mario Ohnewald
<mario.ohnewald@gmx.de> wrote:
> 
> by the way.
>  modprobe ip_nat_ftp ports=21,2121
> didnt work.
> 
Did you rmmod the ip_nat_ftp module before reloading it ?

Regards,
Filip

Re: ftp contrack

[Mario Ohnewald]

On Tue, 2005-01-25 at 14:43, Filip Sneppe wrote:
> On Tue, 25 Jan 2005 10:50:26 +0100, Mario Ohnewald
> <mario.ohnewald@gmx.de> wrote:
> > 
> > by the way.
> >  modprobe ip_nat_ftp ports=21,2121
> > didnt work.
> > 
> Did you rmmod the ip_nat_ftp module before reloading it ?


Yes, i did.

The weird thing is that it works ONLY with the first ftp connection.
If i try to upload something a 2nd time, the packges wont get forwarded
anymore. I can see the following packages with tcpdump:
(- 123.123.123.123 is the client
 - 222.222.222.222 is the FW)


15:02:45.999772 IP 123.123.123.123.42823 > 222.222.222.222.2121: SWE
1965111453:1965111453(0) win 5840 <mss 1460,sackOK,timestamp 313275888
0,nop,wscale 0>
15:02:48.990185 IP 123.123.123.123.42823 > 222.222.222.222.2121: SWE
1965111453:1965111453(0) win 5840 <mss 1460,sackOK,timestamp 313276188
0,nop,wscale 0>
15:02:54.990145 IP 123.123.123.123.42823 > 222.222.222.222.2121: SWE
1965111453:1965111453(0) win 5840 <mss 1460,sackOK,timestamp 313276788
0,nop,wscale 0>
15:03:06.990205 IP 123.123.123.123.42823 > 222.222.222.222.2121: SWE
1965111453:1965111453(0) win 5840 <mss 1460,sackOK,timestamp 313277988
0,nop,wscale 0>

as you can see, its not even forwarding.
/proc/sys/net/ipv4/ip_forward is turned on.


Cheers, Mario

Re: ftp contrack

[Filip Sneppe]

On Tue, 25 Jan 2005 11:20:50 +0100, Mario Ohnewald
<mario.ohnewald@gmx.de> wrote:
> On Tue, 2005-01-25 at 14:43, Filip Sneppe wrote:
> > On Tue, 25 Jan 2005 10:50:26 +0100, Mario Ohnewald
> > <mario.ohnewald@gmx.de> wrote:
> 
> The weird thing is that it works ONLY with the first ftp connection.
> If i try to upload something a 2nd time, the packges wont get forwarded

By first/subsequent connections, do you mean an ftp login, or a second
ftp GET command etc over the same master connection.
Are you able to download multiple files from within one login session ?

> anymore. I can see the following packages with tcpdump:
> (- 123.123.123.123 is the client
> - 222.222.222.222 is the FW)
> 
> 15:02:45.999772 IP 123.123.123.123.42823 > 222.222.222.222.2121: SWE
> 1965111453:1965111453(0) win 5840 <mss 1460,sackOK,timestamp 313275888
> 0,nop,wscale 0>
...
> 
> as you can see, its not even forwarding.
> /proc/sys/net/ipv4/ip_forward is turned on.
> 
And on the other NIC (that goes to the ftp server on port 21), what
are you sniffing
there ?

I see that the packets that are coming in have ECN enabled. I assume that this
isn't causing any problems ?

What does cat /proc/net/ip_conntrack show (relevant to your problem) ?

What kernel are you running ? Have you been able to test this
with a specific kernel version that is not giving you any problems ?

Can you sniff on both NICs with tcpdump with the -s 1500 option, write it
to a file (-w file) and look at this file with ethereal (or tcpdump -X). Can you
see the data ports getting rewritten by ip_nat_ftp ?
If not, and your rulebase is ok, I guess you'll have to provide your
kernel version
so people can start looking into this ...

The firewall rules you gave in your first mail, are they the only ones active ?

Regards,
Filip

RE: ftp contrack

[Piszcz, Justin Michael]

2121 is used for frox ftp proxy

-----Original Message-----
From: netfilter-bounces@lists.netfilter.org [mailto:netfilter-bounces@lists.netfilter.org] On Behalf Of Jose Maria Lopez
Sent: Tuesday, January 25, 2005 7:53 AM
To: netfilter@lists.netfilter.org
Subject: Re: ftp contrack

El mar, 25 de 01 de 2005 a las 13:15, Filip Sneppe escribió:
> On Mon, 24 Jan 2005 00:57:14 +0100 (MET), Mario Ohnewald
> <mario.Ohnewald@gmx.de> wrote:
> > Hello List!
> > 
> > I am trying to redirect (NAT) to a internal ftp box (but both have a public
> > ip).
> > I am using those rules:
> > 
> > modprobe ip_conntrack_ftp ports=21,2121
> > modprobe ip_nat_ftp
> 
> Hi Mario, 
> 
> Add "ports=21,2121" to the "modprobe ip_nat_ftp" command.
> That should do the trick.
> 
> modprobe ip_nat_ftp ports=21,2121
> 
> Regards,
> Filip

Maybe it's a stupid question, but...
Why are you using port 2121 for ftp?
I couldn't find any information on it being used.

Regards.

-- 
Jose Maria Lopez Hernandez
Director Tecnico de bgSEC
jkerouac@bgsec.com
bgSEC Seguridad y Consultoria de Sistemas Informaticos
http://www.bgsec.com
ESPAÑA

The only people for me are the mad ones -- the ones who are mad to live,
mad to talk, mad to be saved, desirous of everything at the same time,
the ones who never yawn or say a commonplace thing, but burn, burn, burn
like fabulous yellow Roman candles.
                -- Jack Kerouac, "On the Road"

RE: ftp contrack

[Jose Maria Lopez]

El mar, 25 de 01 de 2005 a las 21:04, Piszcz, Justin Michael escribió:
> 2121 is used for frox ftp proxy

Thanks, it didn't appeared on any services file I had,
not even in the neo one, that use to be the most complete.

Regards.

-- 
Jose Maria Lopez Hernandez
Director Tecnico de bgSEC
jkerouac@bgsec.com
bgSEC Seguridad y Consultoria de Sistemas Informaticos
http://www.bgsec.com
ESPAÑA

The only people for me are the mad ones -- the ones who are mad to live,
mad to talk, mad to be saved, desirous of everything at the same time,
the ones who never yawn or say a commonplace thing, but burn, burn, burn
like fabulous yellow Roman candles.
                -- Jack Kerouac, "On the Road"