From mboxrd@z Thu Jan 1 00:00:00 1970
From: "Rob Sterenborg (lists)"
Subject: Re: nat ftp helper bypass
Date: Tue, 08 Oct 2013 15:43:24 +0200
Message-ID: <52540BFC.10109@sterenborg.info>
References: <5253B5E4.1050103@sterenborg.info>
Mime-Version: 1.0
Content-Transfer-Encoding: 7bit
Return-path:
In-Reply-To:
Sender: netfilter-owner@vger.kernel.org
List-ID:
Content-Type: text/plain; charset="us-ascii"; format="flowed"
To: Anand Raj Manickam
Cc: netfilter@vger.kernel.org

On 10/08/2013 09:42 AM, Anand Raj Manickam wrote:
> On Tue, Oct 8, 2013 at 1:06 PM, Rob Sterenborg (lists)
> wrote:
>> On 10/08/2013 07:46 AM, Anand Raj Manickam wrote:
>>>
>>> Is there a way to bypass the nat ftp helper for a few connections and
>>> allow the rest of the FTP connections to NAT with the FTP helper
>>> module?
>>> The need is to NAT the FTP control and data connections without
>>> conntrack-helpers.
>>
>>
>> See man iptables, specifically the raw table:
>>
>> raw:
>> This table is used mainly for configuring exemptions from connection
>> tracking in combination with the NOTRACK target. It registers at the
>> netfilter hooks with higher priority and is thus called before ip_conntrack,
>> or any other IP tables. It provides the following built-in chains:
>> PREROUTING (for packets arriving via any network interface) OUTPUT (for
>> packets generated by local processes)
>>
>>
>> --
>> Rob
>>
> Thanks for your response Rob.
>
> The setup is a router and I'm trying to SNAT, so the choice I have is on
> the FORWARD / POSTROUTING chain.
> I need connection tracking as I need to NAT the traffic without the
> nat ftp helper module.

Look at these pages:

http://doc.powerdns.com/html/recursor-performance.html
http://www.stearns.org/pomlist/20030101-output/pom-userspace.html#raw

I've never had to use the raw table or the NOTRACK target, so my info is
likely hardly authoritative.
But I guess it would work something like this:

# the FTP server's address goes after -d / -s
$ipt -t raw -A PREROUTING -d  -p tcp -m multiport \
    --dports 20,21 -j NOTRACK
# replies and active-mode data connections from the server carry
# source port 21/20, so match on source ports in this direction
$ipt -t raw -A PREROUTING -s  -p tcp -m multiport \
    --sports 20,21 -j NOTRACK

If I understand things correctly, this should make connections to/from the
specified FTP server untracked. After that, you'd need static NAT rules to
forward packets to and from the FTP server. I don't know if Netfilter does
NAT without connection tracking. If not, then maybe iproute2 can help you
there:

http://linux-ip.net/html/nat-stateless.html

--
Rob
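As an added example (my own, not code from the mail above or from the netfilter project), here are the two directions the thread points at, written as shell functions for a Linux router: the raw-table NOTRACK exemption sketched in the mail, and, as an alternative the mail does not mention, selective helper binding with the iptables CT target, which keeps connection tracking and therefore keeps NAT working. The IPT and SYSCTL variables, the address-validation helper, the function names and the server address and interface name passed on the command line are all assumptions for illustration.

```shell
#!/bin/sh
# Added example, not from the mail. Two ways of keeping the ftp conntrack
# helper away from one FTP server on a Linux router, as shell functions that
# install iptables rules. IPT and SYSCTL default to the real tools; set them
# to 'echo' (or a shell function) for a dry run. The FTP server address and
# the WAN interface are supplied by the caller.

IPT="${IPT:-iptables}"
SYSCTL="${SYSCTL:-sysctl}"

# Accept only a dotted-quad IPv4 address with an optional /prefix, so that a
# missing or mistyped argument cannot turn "-d $server -p tcp" into "-d -p".
valid_ipv4() {
    addr="${1%%/*}"
    case "$1" in
        */*) prefix="${1#*/}" ;;
        *)   prefix=32 ;;
    esac
    case "$addr" in ''|*[!0-9.]*) return 1 ;; esac
    case "$prefix" in ''|*[!0-9]*) return 1 ;; esac
    [ "$prefix" -le 32 ] || return 1
    # Split on dots in a subshell so the caller's IFS is left alone;
    # the pipeline's status is the function's result.
    printf '%s\n' "$addr" | {
        IFS=. read -r o1 o2 o3 o4 extra
        [ -z "$extra" ] || exit 1
        for octet in "$o1" "$o2" "$o3" "$o4"; do
            [ -n "$octet" ] && [ "$octet" -le 255 ] || exit 1
        done
    }
}

# Approach 1, the raw-table exemption sketched in the mail: packets to and
# from the FTP server are never tracked, so no helper can attach to them.
# Caveat (kernel behaviour, not from the mail): untracked packets are not
# NATed by the nat table either, so this only fits a router that forwards
# them unchanged or NATs them statelessly with iproute2.
notrack_ftp_server() {
    server="$1"
    valid_ipv4 "$server" || { echo "notrack_ftp_server: bad address '$server'" >&2; return 1; }
    $IPT -t raw -A PREROUTING -d "$server" -p tcp -m multiport --dports 20,21 -j NOTRACK
    # replies and active-mode data connections from the server carry source port 21/20
    $IPT -t raw -A PREROUTING -s "$server" -p tcp -m multiport --sports 20,21 -j NOTRACK
}

# Approach 2, not in the mail: keep connection tracking and NAT for
# everything and control the helper with the CT target instead. Automatic
# helper binding is switched off, then the ftp helper is attached only to
# port-21 flows that are NOT headed for the exempt server. FTP to that
# server is SNATed like any other TCP connection: passive mode works (the
# client opens the data connection outbound), active mode does not (the
# server's connection back to the client is what the helper would have
# expected and let in).
ct_helper_rules() {
    exempt="$1"; wan="$2"
    valid_ipv4 "$exempt" || { echo "ct_helper_rules: bad address '$exempt'" >&2; return 1; }
    case "$wan" in ''|*[!A-Za-z0-9_.:-]*) echo "ct_helper_rules: bad interface '$wan'" >&2; return 1 ;; esac
    # Older kernels bind a helper to every port-21 flow automatically; this
    # sysctl turns that off. Kernels 6.0 and later removed the knob and never
    # auto-bind, so a missing key is ignored.
    $SYSCTL -w net.netfilter.nf_conntrack_helper=0 2>/dev/null || true
    $IPT -t raw -A PREROUTING ! -d "$exempt" -p tcp --dport 21 -j CT --helper ftp
    $IPT -t nat -A POSTROUTING -o "$wan" -j MASQUERADE
}

# Stand-alone usage: "notrack <server>" or "ct <server> <wan-interface>".
if [ "${1:-}" = "notrack" ]; then
    notrack_ftp_server "$2"
elif [ "${1:-}" = "ct" ]; then
    ct_helper_rules "$2" "$3"
fi
```

Saved as, say, nat-ftp-helper.sh (a name chosen here), `IPT=echo SYSCTL=echo sh nat-ftp-helper.sh ct 192.0.2.10 eth0` prints the rules the second variant would load; without the overrides and as root it installs them. The NOTRACK variant answers the open question at the end of the mail: packets the raw table exempts from tracking are also skipped by the nat table, so they need stateless NAT or no NAT at all. The CT variant is the one to reach for when the connections must still be SNATed, with the caveat that nothing parses PORT/PASV for the exempt server any more.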