From: Filip Sneppe <filip.sneppe@gmail.com>
To: Mario Ohnewald <mario.ohnewald@gmx.de>
Cc: netfilter@lists.netfilter.org
Subject: Re: ftp contrack
Date: Tue, 25 Jan 2005 16:25:49 +0100
Message-ID: <9151ac2a050125072524c0def8@mail.gmail.com>
In-Reply-To: <1106648450.7431.6.camel@linux.site>
On Tue, 25 Jan 2005 11:20:50 +0100, Mario Ohnewald
<mario.ohnewald@gmx.de> wrote:
> On Tue, 2005-01-25 at 14:43, Filip Sneppe wrote:
> > On Tue, 25 Jan 2005 10:50:26 +0100, Mario Ohnewald
> > <mario.ohnewald@gmx.de> wrote:
>
> The weird thing is that it works ONLY with the first ftp connection.
> If i try to upload something a 2nd time, the packages won't get forwarded
By first/subsequent connections, do you mean an ftp login, or a second
ftp GET command etc. over the same master connection?
Are you able to download multiple files from within one login session?
> anymore. I can see the following packages with tcpdump:
> (- 123.123.123.123 is the client
> - 222.222.222.222 is the FW)
>
> 15:02:45.999772 IP 123.123.123.123.42823 > 222.222.222.222.2121: SWE
> 1965111453:1965111453(0) win 5840 <mss 1460,sackOK,timestamp 313275888
> 0,nop,wscale 0>
...
>
> as you can see, it's not even forwarding.
> /proc/sys/net/ipv4/ip_forward is turned on.
>
And on the other NIC (that goes to the ftp server on port 21), what
are you sniffing there?
I see that the packets that are coming in have ECN enabled. I assume that this
isn't causing any problems?
What does cat /proc/net/ip_conntrack show (relevant to your problem)?
What kernel are you running? Have you been able to test this
with a specific kernel version that is not giving you any problems?
Can you sniff on both NICs with tcpdump with the -s 1500 option, write it
to a file (-w file) and look at this file with ethereal (or tcpdump -X)? Can you
see the data ports getting rewritten by ip_nat_ftp?
If not, and your rulebase is ok, I guess you'll have to provide your
kernel version so people can start looking into this ...
The firewall rules you gave in your first mail, are they the only ones active?
Regards,
Filip
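The checks Filip lists (ip_forward, the conntrack table, a full-snaplen capture on both NICs), scripted as an added example; this is not code from the thread. It assumes the FTP server sits at 10.0.0.5 behind the firewall and that the firewall's port 2121 is DNATed to the server's port 21, both taken as assumptions; the /proc/net/ip_conntrack lines embedded below are constructed so the script runs offline, and on a real box you would pipe the proc file in instead.

```shell
#!/bin/sh
# Added example, not from the original thread. Server address 10.0.0.5 and
# the conntrack sample below are constructed for illustration.

# Constructed sample of /proc/net/ip_conntrack in the 2.4/2.6 ip_conntrack
# format. Line 1: an FTP control connection the firewall DNATed from :2121
# to the server's :21 (reply tuple comes from 10.0.0.5:21). Line 2: a second
# control connection whose reply tuple still names the firewall's own :2121,
# i.e. no NAT was applied to it. Line 3: unrelated DNS traffic.
SAMPLE_CONNTRACK='tcp      6 431999 ESTABLISHED src=123.123.123.123 dst=222.222.222.222 sport=42823 dport=2121 src=10.0.0.5 dst=123.123.123.123 sport=21 dport=42823 [ASSURED] use=1
tcp      6 25 SYN_SENT src=123.123.123.123 dst=222.222.222.222 sport=42824 dport=2121 [UNREPLIED] src=222.222.222.222 dst=123.123.123.123 sport=2121 dport=42824 use=1
udp      17 29 src=192.168.1.2 dst=192.168.1.1 sport=1025 dport=53 src=192.168.1.1 dst=192.168.1.2 sport=53 dport=1025 use=1'

# ip_forward_enabled FILE: succeed only if the sysctl file holds "1".
# Pass /proc/sys/net/ipv4/ip_forward on a live system.
ip_forward_enabled() {
    [ "$(cat "$1")" = "1" ]
}

# conntrack_for CLIENT: keep the stdin entries whose ORIGINAL direction
# (the first src= field on the line) comes from CLIENT.
conntrack_for() {
    awk -v c="$1" '{
        for (i = 1; i <= NF; i++)
            if ($i ~ /^src=/) { if (substr($i, 5) == c) print; break }
    }'
}

# nat_summary: one line per conntrack entry on stdin:
#   proto state orig_src:sport->orig_dst:dport reply-from reply_src:sport nat=yes|no
# nat=yes when the reply tuple's source differs from the original destination,
# which is what a DNAT rewrite on the firewall looks like in this table.
nat_summary() {
    awk '{
        n = 0
        state = ($1 == "tcp") ? $4 : "-"
        for (i = 1; i <= NF; i++) {
            split($i, kv, "=")
            if (kv[1] == "src")        { n++; src[n] = kv[2] }
            else if (kv[1] == "dst")   dst[n] = kv[2]
            else if (kv[1] == "sport") sport[n] = kv[2]
            else if (kv[1] == "dport") dport[n] = kv[2]
        }
        nat = (src[2] != dst[1] || sport[2] != dport[1]) ? "yes" : "no"
        printf "%s %s %s:%s->%s:%s reply-from %s:%s nat=%s\n",
               $1, state, src[1], sport[1], dst[1], dport[1], src[2], sport[2], nat
    }'
}

# capture_cmd IFACE FILE HOST: the tcpdump invocation to run on each NIC.
# -s 1500 keeps the whole frame so the PORT/PASV payload the ftp helper
# rewrites is visible when the file is opened in ethereal or tcpdump -X.
capture_cmd() {
    printf 'tcpdump -n -i %s -s 1500 -w %s host %s\n' "$1" "$2" "$3"
}

# Demo on the constructed sample; on a real firewall replace the printf with
#   conntrack_for 123.123.123.123 < /proc/net/ip_conntrack | nat_summary
printf '%s\n' "$SAMPLE_CONNTRACK" | conntrack_for 123.123.123.123 | nat_summary
capture_cmd eth0 /tmp/outside.pcap 123.123.123.123
capture_cmd eth1 /tmp/inside.pcap 123.123.123.123
```

Run the two capture commands at the same time, one per NIC, then compare: the outside file should show the client talking to 222.222.222.222:2121 and the inside file the same flow rewritten towards the server's port 21, with the PORT/PASV arguments changed to match. In the conntrack summary, an entry for the client with nat=no means that flow never passed through the NAT rule at all, which is the first thing to reconcile with the rulebase before looking at the ftp helper.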
Thread overview: 9+ messages
2005-01-23 23:57 ftp contrack Mario Ohnewald
2005-01-25 12:15 ` Filip Sneppe
2005-01-25 12:53 ` Jose Maria Lopez
2005-01-25 9:50 ` Mario Ohnewald
2005-01-25 13:43 ` Filip Sneppe
2005-01-25 10:20 ` Mario Ohnewald
2005-01-25 15:25 ` Filip Sneppe [this message]
-- strict thread matches above, loose matches on Subject: below --
2005-01-25 20:04 Piszcz, Justin Michael
2005-01-26 13:29 ` Jose Maria Lopez