From: "Rodre Ghorashi-Zadeh" <rodrico7@hotmail.com>
To: netfilter@lists.netfilter.org
Subject: ip_nat_ftp module and freeswan IPSEC module don't work together?
Date: Fri, 23 Jan 2004 02:41:46 +0000
Message-ID: <BAY10-F42llTdrrcwv1000519cf@hotmail.com>
Hello,
I am having a really weird problem with the ip_nat_ftp module and the [Free
S/WAN] ipsec module. When I have the ipsec module loaded (with or without
any tunnels configured) the FTP data connections to any active-type FTP
servers get screwed up. What happens is that I am able to connect and log in
to the server, and I am able to do an 'ls' or 'get' operation once. On
subsequent operations that require the use of the data channel the system
hangs. I used tcpdump on the firewall to see what 'PORT' commands were
being sent to the server. This is where I noticed that the first 'PORT'
command was getting its IP address rewritten from the client's internal
address to the client's external address, thus the ip_nat_ftp module works as
expected. However, on subsequent 'PORT' commands, from within the same FTP
session, the IP address in the 'PORT' command is my client machine's internal
IP address, so the remote server freaks out and drops (TCP RESET) the
connection. If I stop the IPSEC service (unload the ipsec.o module) the 'PORT'
command's internal IP address gets rewritten to the client's external IP
address each and every time I do a 'get' or 'ls' operation.

Now the really weird part. When I have the IPSEC module loaded and a tunnel
configured, and I use FTP to access an FTP server that resides on the other
end of the tunnel, the ip_nat_ftp module is able to rewrite the 'PORT'
command's IP address each and every time, hence the active FTP works like a
charm through the tunnel. Weird, huh?

I am using kernel 2.4.20, iptables 1.2.8, patch-o-matic 20030107, and Free
S/WAN 2.01.

Any help regarding this matter would be greatly appreciated. Thanks in
advance.
®odre
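The tcpdump check described in the message, decoding each PORT command on the control channel and flagging the ones whose address was not rewritten to the firewall's external address, as an added example that is not part of the original post or of the netfilter or FreeS/WAN code. The external address 203.0.113.5 and the sample control-channel lines are constructed for the example.

```python
import ipaddress
import re

# FTP PORT argument is h1,h2,h3,h4,p1,p2 (RFC 959): four address octets, two port octets.
PORT_RE = re.compile(r"^PORT\s+(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3})\s*$")

# RFC 1918 ranges: a PORT carrying one of these past the NAT box means the helper did not rewrite it.
RFC1918 = [ipaddress.IPv4Network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

def parse_port(line):
    """Decode a PORT command into (IPv4Address, port); return None for any other command."""
    m = PORT_RE.match(line.strip())
    if not m:
        return None
    octets = [int(x) for x in m.groups()]
    if any(o > 255 for o in octets):
        raise ValueError("octet out of range in: %s" % line.strip())
    ip = ipaddress.IPv4Address(".".join(str(o) for o in octets[:4]))
    port = octets[4] * 256 + octets[5]
    return ip, port

def audit_port_commands(lines, external_ip):
    """Return (line_index, ip, port, status) for every PORT command in the capture.
    status: 'rewritten'      - address equals the expected external address (NAT helper worked)
            'leaked-private' - RFC 1918 address left in place (the failure seen in the post)
            'other'          - some other address (e.g. a different public host)"""
    external = ipaddress.IPv4Address(external_ip)
    results = []
    for i, line in enumerate(lines):
        parsed = parse_port(line)
        if parsed is None:
            continue
        ip, port = parsed
        if ip == external:
            status = "rewritten"
        elif any(ip in net for net in RFC1918):
            status = "leaked-private"
        else:
            status = "other"
        results.append((i, str(ip), port, status))
    return results

# Constructed sample of the control channel as seen on the external side of the firewall:
# the first PORT was rewritten to the external address, the second still carries 192.168.1.10.
SAMPLE = [
    "USER anonymous",
    "PORT 203,0,113,5,4,1",
    "LIST",
    "PORT 192,168,1,10,4,2",
    "RETR file.txt",
]

if __name__ == "__main__":
    for idx, ip, port, status in audit_port_commands(SAMPLE, "203.0.113.5"):
        print("line %d: PORT -> %s:%d [%s]" % (idx, ip, port, status))
```

Feeding it the ASCII payload of the control connection (e.g. tcpdump -A on port 21, keeping only the client lines) reproduces the observation in the post: the first PORT is rewritten, the later ones are not.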
Thread overview:
2004-01-23 2:41 Rodre Ghorashi-Zadeh [this message]
2004-01-27 1:41 Re: ip_nat_ftp module and freeswan IPSEC module don't work together? Harald Welte