Interesting problem with conntrack and ftp
alex at samad.com.au
Fri Mar 17 00:55:11 CET 2006
I was resently setting up my new firewall usimng openwrt on a linksys.
I got around to setting up my adsl connection and added into my iptables
$IPT -t filter -A FORWARD -m state --state RELATED,ESTABLISHED -j ACCEPT
$IPT -t filter -A FORWARD -o $WANADSL -p tcp --tcp-flags SYN,RST SYN -j TCPMSS --clamp-mss-to-pmtu
$IPT -t nat -A POSTROUTING -o $WANADSL -j MASQUERADE
which is what I have normally done.
http traffic worked well, but ftp of large files, timed out, sign of a
mtu problem. It worked when I ftp'ed from the firewall, but not when I
did it from behind the firewall.
When I did some tcpdumps, I noticed that the second connection created
by the client wasn't being clamp'ed.
The way I figure it was that the second connection was related to the
first one, and thus being consumed by the first line in iptables (above)
Once I changed the order of line 1 and 2 every thing worked fine.
Now openwrt uses 2.4.30, and my previous firewall used 2.6 and I believe
it was setup as shown above and it worked fine.
The other difference is that conntrack_ftp is compiled into the kernel.
Is this a know feature/bug ? why has it worked in 2.6 and not in 2.4 or
is the problem in compiled in and as a module
-------------- next part --------------
A non-text attachment was scrubbed...
Name: not available
Size: 189 bytes
Desc: Digital signature
Url : /pipermail/netfilter-devel/attachments/20060317/622b0222/attachment.pgp
More information about the netfilter-devel