From: Pascal Hambourg <pascal.mail@plouf.fr.eu.org>
To: netfilter@vger.kernel.org
Subject: Re: FTP-server on non-standard port behind DNAT, client behind SNAT
Date: Wed, 12 Nov 2008 12:03:25 +0100 [thread overview]
Message-ID: <491AB7FD.30102@plouf.fr.eu.org> (raw)
In-Reply-To: <1226480946.6370.1.camel@casper.meteor.dp.ua>
Pokotilenko Kostik wrote:
>
> You are extremely right :) That was the case, removing MasqueradeAddress
> made it work!
Glad it helped. However I wonder why it was working on port 21 and not
on port 3421.
> I was unable to find the information on how conntrack_ftp/nat_ftp
> work, otherwise I would have found out the right way.
The source code is available. (just kidding)
The Netfilter conntrack/NAT helper is smart enough and does all the
dirty job transparently, so neither the client nor the server should bother
about NAT issues. It monitors the control connection, translates the
address and port information in it, translates and marks the data
connections as RELATED, in both active and passive modes. All this
assumes that the control connection is cleartext, not encrypted with
SSL/TLS.
Note that if you want to use active mode on the non standard port from
the masqueraded client, the SNAT device must be aware that this port is
used for FTP control connections. Most NAT devices handle FTP only on
port 21.
Only when the NAT device is "dumb" (not FTP-aware) or encryption is used,
the masqueraded end must advertise the public address, reserve a port
range for data connections and have this port range explicitly DNATed to
its private address by the NAT device.
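The following is an added illustration, not code from the thread or from netfilter, of the translation described above: a toy model of a NAT box running the FTP helper rewrites the address in an outbound `PORT` command (active mode, client behind SNAT) and in a `227` reply (passive mode, server behind DNAT), and records the data connection it will later classify as RELATED. The set of control ports the helper watches corresponds to the `ports=` parameter of the `nf_conntrack_ftp` module (e.g. `modprobe nf_conntrack_ftp ports=21,3421`); the helper attached only to port 21 leaves the 3421 control connection untouched, which is the "dumb NAT" case. Addresses, port numbers and the assumption that the helper keeps the data port unchanged are constructed for the example.

```python
import re
from dataclasses import dataclass, field

# FTP wire formats: "PORT h1,h2,h3,h4,p1,p2" (active mode) and
# "227 Entering Passive Mode (h1,h2,h3,h4,p1,p2)" (passive mode),
# where the port is p1*256 + p2.
PORT_RE = re.compile(r"^PORT (\d+),(\d+),(\d+),(\d+),(\d+),(\d+)\r\n$")
PASV_RE = re.compile(r"^227 .*\((\d+),(\d+),(\d+),(\d+),(\d+),(\d+)\)\r\n$")


def decode_hostport(groups):
    """Turn the six decimal fields into (ip, port)."""
    return ".".join(groups[:4]), int(groups[4]) * 256 + int(groups[5])


def encode_hostport(ip, port):
    """Inverse of decode_hostport."""
    return ",".join(ip.split(".") + [str(port >> 8), str(port & 0xFF)])


@dataclass
class FtpAwareNat:
    """Toy model of a NAT box with the netfilter FTP helper (not netfilter code).

    private_ip / public_ip: the masqueraded host and its public address.
    ftp_ports: control ports the helper is attached to (models the
    nf_conntrack_ftp 'ports=' parameter; 21 only by default).
    expectations: data connections the helper will treat as RELATED and NAT
    back to the private host, as (public_ip, port, private_ip, port).
    """
    private_ip: str
    public_ip: str
    ftp_ports: frozenset = frozenset({21})
    expectations: list = field(default_factory=list)

    def _expect(self, port):
        # Assumption of the model: the data port is kept unchanged (the real
        # helper tries that first and picks another port only if it is taken).
        self.expectations.append((self.public_ip, port, self.private_ip, port))

    def rewrite(self, control_port, line):
        """Rewrite one control-connection line as it crosses the NAT box."""
        if control_port not in self.ftp_ports:
            return line  # helper not attached to this port: private address leaks
        m = PORT_RE.match(line)
        if m:  # active: the masqueraded client tells the server where to connect
            ip, port = decode_hostport(m.groups())
            if ip == self.private_ip:
                self._expect(port)
                return f"PORT {encode_hostport(self.public_ip, port)}\r\n"
            return line
        m = PASV_RE.match(line)
        if m:  # passive: the DNATed server tells the client where to connect
            ip, port = decode_hostport(m.groups())
            if ip == self.private_ip:
                self._expect(port)
                return f"227 Entering Passive Mode ({encode_hostport(self.public_ip, port)})\r\n"
        return line


def active_client_behind_snat():
    """Client 192.168.1.10 (public 203.0.113.1) sends PORT on control port 3421."""
    nat = FtpAwareNat("192.168.1.10", "203.0.113.1", frozenset({21, 3421}))
    line = "PORT 192,168,1,10,200,5\r\n"  # constructed sample: data port 51205
    return nat.rewrite(3421, line), nat.expectations


def passive_server_behind_dnat():
    """Server 10.0.0.5 (public 198.51.100.7) answers PASV on control port 3421."""
    nat = FtpAwareNat("10.0.0.5", "198.51.100.7", frozenset({21, 3421}))
    line = "227 Entering Passive Mode (10,0,0,5,195,80)\r\n"  # constructed: port 50000
    return nat.rewrite(3421, line), nat.expectations


def dumb_nat_on_nonstandard_port():
    """Helper only on port 21: the 3421 control connection is not rewritten."""
    nat = FtpAwareNat("192.168.1.10", "203.0.113.1")
    line = "PORT 192,168,1,10,200,5\r\n"
    return nat.rewrite(3421, line), nat.expectations


if __name__ == "__main__":
    for fn in (active_client_behind_snat, passive_server_behind_dnat,
               dumb_nat_on_nonstandard_port):
        print(fn.__name__, fn())
```

In the last case the private 192.168.1.10 reaches the server unchanged and no RELATED expectation exists, so the server's data connection goes to an unroutable address; that is exactly the situation where the client must advertise the public address itself and the NAT box needs an explicit DNAT for the data port range.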
Thread overview: 6+ messages
2008-11-11 12:16 FTP-server on non-standard port behind DNAT, client behind SNAT Покотиленко Костик
2008-11-11 15:16 ` Pascal Hambourg
2008-11-11 15:54 ` Покотиленко Костик
2008-11-11 19:15 ` Pascal Hambourg
2008-11-12 9:09 ` Покотиленко Костик
2008-11-12 11:03 ` Pascal Hambourg [this message]