From: Jukka Laaksola <jukka.laaksola@netland.fi>
To: netfilter@lists.netfilter.org
Subject: ip_nat_ftp and TCP retransmission
Date: Thu, 21 Sep 2006 10:04:27 +0300
Message-ID: <4512397B.8090409@netland.fi>
Hi!

We have problems with an FTP client behind NAT. Our firewall is Debian
sarge with iptables version 1.2.11-10. The ip_nat_ftp module usually seems
to work perfectly, but sometimes active FTP fails.

In our case there are many PORT commands in an FTP session, and those PORT
commands' IP and host parameters are changed correctly by the ip_nat_ftp
module. But occasionally the FTP client behind the NAT does not get a
response to the PORT command from the public FTP server soon enough. Then
the client retransmits the PORT command. ip_nat_ftp does not
change the server IP and port of those retransmitted PORT commands.

Something like this:
----8<----
220 OPNET FTP server OK
USER anonymous
200 Command OK.
PORT x,y,z,162,19,201
200 PORT command successful.
STOR ASIAKAS
150 Opening data connection.
226 Transfer complete.
200 PORT command successful.
RETR AINEISTO
150 Opening data connection.
226 Transfer complete.
PORT x,y,z,162,20,86
200 PORT command successful.
STOR PALVELU
150 Opening data connection.
226 Transfer complete.
PORT x,y,z,162,20,87
200 PORT command successful.
RETR AINEISTO
150 Opening data connection.
226 Transfer complete.
PORT x,y,x,162,20,88
PORT 192,168,1,59,20,88
----8<----
The x,y,z,162 is our public IP and 192.168.1.59 is the IP of the FTP
client. The FTP client is a bank software client, and a communication
failure occurs at those retransmissions. The FTP server closes the
connection after the retransmission because of the PORT command with the private IP.

Is there anything we can try to correct the problem?

Thanks
--
Jukka Laaksola
Netland Oy