From: gypsy <gypsy@iswest.com>
To: netfilter@lists.netfilter.org
Subject: Passive FTP sees remote's _internal_ IP!!??
Date: Mon, 27 Nov 2006 07:32:57 -0800
Message-ID: <456B0529.BFBFE757@iswest.com>
William Lima wrote:
>
> Dear,
>
> Load modules:
>
> modprobe ip_nat_ftp
>
> Regards,
Nope:
#!/bin/bash
modprobe ip_nat_ftp
iptables -P FORWARD ACCEPT
iptables -P INPUT DROP
iptables -P OUTPUT DROP
iptables -t nat -A POSTROUTING -o eth1 -s 192.168.223.0/24 -j SNAT --to 68.171.136.91
iptables -A FORWARD -j LOG
Module                  Size  Used by    Not tainted
ipt_LOG                 3448   1  (autoclean)
iptable_filter          1772   1  (autoclean)
ip_conntrack_ftp        3728   1  (autoclean)
ip_nat_ftp              2640   0  (unused)
iptable_nat            17542   2  [ip_nat_ftp]
iptable_mangle          2168   0  (autoclean) (unused)
ip_tables              11840   6  [ipt_LOG iptable_filter iptable_nat iptable_mangle]
Nov 26 17:20:35 GWbox kernel: IN=eth0 OUT=eth1 SRC=192.168.223.4 DST=192.168.1.11 LEN=52 TOS=0x00 PREC=0x00 TTL=63 ID=61924 DF PROTO=TCP SPT=2105 DPT=2336 WINDOW=60352 RES=0x00 SYN URGP=0
Nov 26 17:20:36 GWbox kernel: IN=eth0 OUT=eth1 SRC=192.168.223.4 DST=192.168.1.11 LEN=52 TOS=0x00 PREC=0x00 TTL=63 ID=61951 DF PROTO=TCP SPT=2106 DPT=2337 WINDOW=60352 RES=0x00 SYN URGP=0
Nov 26 17:20:39 GWbox kernel: IN=eth0 OUT=eth1 SRC=192.168.223.4 DST=192.168.1.11 LEN=52 TOS=0x00 PREC=0x00 TTL=63 ID=61957 DF PROTO=TCP SPT=2106 DPT=2337 WINDOW=60352 RES=0x00 SYN URGP=0
Nov 26 17:20:45 GWbox kernel: IN=eth0 OUT=eth1 SRC=192.168.223.4 DST=192.168.1.11 LEN=52 TOS=0x00 PREC=0x00 TTL=63 ID=61958 DF PROTO=TCP SPT=2106 DPT=2337 WINDOW=60352 RES=0x00 SYN URGP=0
We don't think this is a netfilter problem. The kernel should tell the
remote end that it can't use the "nonroutable" IP - shouldn't it?
--
gypsy
> 2006/11/26, gypsy <gypsy@iswest.com>:
> > In our network, we have 2 gateways. The main GW is a Slackware 10.0 box
> > and the other is a SonicWALL firewall appliance. Each connects to a
> > different external IP but both are in the same /29 network.
> >
> > Note: No machine in our LAN has an IP of 192.168.1.11.
> >
> > When the default GW is set to the linux box (192.168.223.254) and
> > passive FTP to a remote server is initiated, the FTP fails after
> > connection because the internal IP of the remote machine (192.168.1.11)
> > is seen rather than its external IP. This problem occurs only when
> > passive FTP is used.
> >
> > We do not believe that the OS or FTP daemon of the remote host matters
> > because when the default GW is set to the SonicWALL (192.168.223.1), the
> > passive FTP succeeds.
> >
> > Therefore, we conclude that there is something wrong with our linux box.
> >
> > But WHAT?
> >
> > Note that the connection has already occurred when port negotiation is
> > attempted - which is when the FTP fails.
> >
> > If anyone has advice, we will sincerely appreciate it.
> >
> > The kernel is 2.4.32.
> >
> > #!/bin/bash
> > iptables -P FORWARD ACCEPT
> > iptables -P INPUT DROP
> > iptables -P OUTPUT DROP
> > iptables -t nat -A POSTROUTING -o eth1 -s 192.168.223.0/24 -j SNAT --to 68.171.136.91
> > iptables -A FORWARD -j LOG
> >
> > Nov 26 00:32:10 GWbox kernel: IN=eth0 OUT=eth1 SRC=192.168.223.4 DST=192.168.1.11 LEN=52 TOS=0x00 PREC=0x00 TTL=63 ID=56473 DF PROTO=TCP SPT=1069 DPT=1090 WINDOW=60352 RES=0x00 SYN URGP=0
> > Nov 26 00:32:10 GWbox kernel: IN=eth0 OUT=eth1 SRC=192.168.223.4 DST=192.168.1.11 LEN=52 TOS=0x00 PREC=0x00 TTL=63 ID=56500 DF PROTO=TCP SPT=1070 DPT=1091 WINDOW=60352 RES=0x00 SYN URGP=0
> > Nov 26 00:32:14 GWbox kernel: IN=eth0 OUT=eth1 SRC=192.168.223.4 DST=192.168.1.11 LEN=52 TOS=0x00 PREC=0x00 TTL=63 ID=56506 DF PROTO=TCP SPT=1070 DPT=1091 WINDOW=60352 RES=0x00 SYN URGP=0
> > Nov 26 00:32:20 GWbox kernel: IN=eth0 OUT=eth1 SRC=192.168.223.4 DST=192.168.1.11 LEN=52 TOS=0x00 PREC=0x00 TTL=63 ID=56507 DF PROTO=TCP SPT=1070 DPT=1091 WINDOW=60352 RES=0x00 SYN URGP=0
> > --
> > gypsy
> >
> >
>
> --
> William R. Lima
> wrochalima@linuxit.com.br
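The failure gypsy describes is visible in the LOG lines: after the control connection is up, the client opens data connections to 192.168.1.11 on ports 2336 and 2337, which in PASV notation are (9,32) and (9,33), so the remote server's 227 reply must have advertised its own private address rather than its public one. The following is an added example, not code from this thread or from netfilter: it shows the client-side policy that makes such a transfer succeed anyway (ignore a non-routable address in the 227 reply and reuse the control-connection peer, keeping the advertised port) and, on the gateway side, how to pick out forwarded SYNs toward RFC 1918 destinations that belong to none of the local networks, which is the signature in the posted logs. The 227 reply, the remote server address 198.51.100.7 and the extra LOG line are constructed samples; only the 192.168.223.0/24 LAN and the 192.168.1.11:2336/2337 destinations come from the thread.

```python
import ipaddress
import re
from typing import List, Tuple

# Constructed sample (not from the original post). (9,32) was chosen because
# 9*256 + 32 == 2336, the DPT of the first SYN in the thread's LOG lines.
PASV_REPLY = "227 Entering Passive Mode (192,168,1,11,9,32)\r\n"

# Constructed LOG lines in the same format as the ones in the thread. The
# remote server's public address 198.51.100.7 is a documentation-range
# placeholder and does not appear anywhere in the thread.
LOG_LINES = [
    "Nov 26 17:20:20 GWbox kernel: IN=eth0 OUT=eth1 SRC=192.168.223.4 "
    "DST=198.51.100.7 LEN=52 TOS=0x00 PREC=0x00 TTL=63 ID=61900 DF PROTO=TCP "
    "SPT=2104 DPT=21 WINDOW=60352 RES=0x00 SYN URGP=0",
    "Nov 26 17:20:35 GWbox kernel: IN=eth0 OUT=eth1 SRC=192.168.223.4 "
    "DST=192.168.1.11 LEN=52 TOS=0x00 PREC=0x00 TTL=63 ID=61924 DF PROTO=TCP "
    "SPT=2105 DPT=2336 WINDOW=60352 RES=0x00 SYN URGP=0",
    "Nov 26 17:20:36 GWbox kernel: IN=eth0 OUT=eth1 SRC=192.168.223.4 "
    "DST=192.168.1.11 LEN=52 TOS=0x00 PREC=0x00 TTL=63 ID=61951 DF PROTO=TCP "
    "SPT=2106 DPT=2337 WINDOW=60352 RES=0x00 SYN URGP=0",
]

# The LAN behind the Slackware gateway, as given in the thread.
LAN_NETS = [ipaddress.ip_network("192.168.223.0/24")]

# RFC 1918 space, tested explicitly rather than via is_private/is_global,
# whose meaning has shifted between Python versions.
RFC1918 = [
    ipaddress.ip_network("10.0.0.0/8"),
    ipaddress.ip_network("172.16.0.0/12"),
    ipaddress.ip_network("192.168.0.0/16"),
]

# RFC 959: "227 Entering Passive Mode (h1,h2,h3,h4,p1,p2)". Some servers omit
# the text between the code and the parenthesis, so anything up to "(" is
# accepted.
PASV_RE = re.compile(
    r"^227\b[^(]*\((\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3})\)"
)
# The fields of an ipt_LOG line that matter here.
LOG_RE = re.compile(
    r"IN=(?P<iface_in>\S*) OUT=(?P<iface_out>\S*) SRC=(?P<src>\S+) DST=(?P<dst>\S+)"
    r".*?PROTO=TCP SPT=(?P<spt>\d+) DPT=(?P<dpt>\d+)"
)


def in_rfc1918(addr: ipaddress.IPv4Address) -> bool:
    return any(addr in net for net in RFC1918)


def parse_pasv(reply: str) -> Tuple[str, int]:
    """Return (host, port) from a 227 reply; raise ValueError if malformed."""
    m = PASV_RE.match(reply.strip())
    if not m:
        raise ValueError("not a well-formed 227 reply: %r" % reply)
    h1, h2, h3, h4, p1, p2 = (int(x) for x in m.groups())
    if p1 > 255 or p2 > 255:
        raise ValueError("port octets out of range")
    # IPv4Address() raises (a ValueError subclass) for octets above 255.
    host = str(ipaddress.IPv4Address("%d.%d.%d.%d" % (h1, h2, h3, h4)))
    return host, p1 * 256 + p2


def choose_data_endpoint(reply: str, control_peer: str) -> Tuple[str, int, str]:
    """Decide where the data connection should go.

    Conservative client policy: keep the advertised port, but if the
    advertised host differs from the control-connection peer and is an
    RFC 1918 address, connect to the control peer instead. The third element
    reports which path was taken.
    """
    host, port = parse_pasv(reply)
    advertised = ipaddress.IPv4Address(host)
    if advertised == ipaddress.IPv4Address(control_peer):
        return host, port, "advertised"
    if in_rfc1918(advertised):
        return control_peer, port, "fallback-to-control-peer"
    # A different public host: legitimate in some multi-homed setups, but
    # also the shape of an FTP bounce, so a strict client may refuse it.
    return host, port, "advertised-differs-from-peer"


def leaked_private_destinations(lines, lan_nets) -> List[Tuple[str, int]]:
    """Forwarded packets (IN and OUT both set) toward an RFC 1918 address that
    is on none of our own LANs; this is what the thread's LOG lines show."""
    hits = []
    for line in lines:
        m = LOG_RE.search(line)
        if not m or not m["iface_in"] or not m["iface_out"]:
            continue
        dst = ipaddress.IPv4Address(m["dst"])
        if in_rfc1918(dst) and not any(dst in net for net in lan_nets):
            hits.append((str(dst), int(m["dpt"])))
    return hits


if __name__ == "__main__":
    print(choose_data_endpoint(PASV_REPLY, "198.51.100.7"))
    print(leaked_private_destinations(LOG_LINES, LAN_NETS))
```

The gateway-side function is the detection counterpart of the FORWARD LOG rule in the posted script: a packet that enters on eth0 and leaves on eth1 with a 192.168.x.x destination outside the local /24 is one the gateway has no business forwarding upstream, whether the cause is a bad PASV reply or anything else, and the same condition can be expressed as a FORWARD rule that logs or drops traffic leaving the WAN interface toward RFC 1918 space. The client-side function does not fix the remote server; it only makes the client tolerant of it, which is the behaviour that lets the transfer succeed through the other gateway in the thread.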
Thread overview: 10+ messages
2006-11-27 15:32 gypsy [this message]
2006-11-27 15:37 ` Passive FTP sees remote's _internal_ IP!!?? David Sims
2006-11-27 18:39 ` Maxime Ducharme
[not found] <20061127184454.0BD73DB@brinstar.nerim.net>
2006-11-27 21:26 ` Pascal Hambourg
2006-11-28 4:46 ` gypsy
2006-11-28 18:09 ` Maxime Ducharme
2006-11-28 22:36 ` Pascal Hambourg
2006-11-28 9:14 ` gypsy
2006-11-26 9:01 gypsy
2006-11-26 20:18 ` William Lima