FTP and IPSEC

Jeff Rasmussen jeff.rasmussen at gmail.com
Thu Jul 7 20:18:32 CEST 2005


Gary W. Smith <gary <at> primeexalia.com> writes:

> 
> Any ideas?
> 
> ________________________________
> 
> From: netfilter-bounces <at> lists.netfilter.org on behalf of Gary W. Smith
> Sent: Tue 6/28/2005 10:06 AM
> To: netfilter <at> lists.netfilter.org
> Subject: FTP and IPSEC
> 
> This is a follow-up to a former problem, but unrelated.
> 
> I have two networks connected via IPSEC.  On each side of the network I have
> client servers that have SNAT/DNAT to the internet.  Everything seems to work
> well under IPSEC except ftp.  Here is what I found.
> 
> From location A, a workstation without a static external IP address on the
> 10.0.10.x can FTP anywhere on the net without problems but CANNOT ftp to a
> machine at location B using its internal 10.0.50.x IP.  This same workstation
> CAN ftp without restriction to its external alias for the same machine at
> location B using its external IP 199.199.199.x
> 
> If I remove ip_nat_ftp and ip_conntrack_ftp it seems to work fine.  But the
> problem is now that we cannot ftp externally from that location.  Both
> locations have ip_nat_ftp loaded but it doesn't seem to matter.
> 
> When we had a pptp connection between the two locations we didn't have this
> problem.  It only seems to happen with IPSEC.
> 
> Is there a workaround for this or is there a way to tell ip_nat_ftp to ignore
> a particular IP range?
> 
> Gary Smith
> 
> 

I'm seeing this same problem under the new Debian Sarge release.

I've upgraded from Debian Woody to Sarge and now am using a 2.6.8
kernel with Openswan and Shorewall.  The VPN tunnel works great for
all other traffic except ftp.  I keep getting the error messages below.

kernel: FTP_NAT: partial packet 2087393185/21 in 787/863
kernel: FTP_NAT: partial packet 2087393185/21 in 788/844
kernel: FTP_NAT: partial packet 2087393185/21 in 789/849
kernel: FTP_NAT: partial packet 2087393185/21 in 790/838

I have both ip_ftp_nat and ip_conntrack_ftp loaded.  I am using
one-to-one NAT (same as before) to translate the foreign network to a
local ip address.

I can log into the ftp server but when I try to list the directory it
fails in either active or passive modes.  The last communication with
the ftp server requests the active ports to use.

I've seen two links on the web, one that says that there is a conflict
between IPSEC and iptables.  The other had a firewall rule on the
other end of the tunnel that was preventing the connection.

http://lists.shorewall.net/pipermail/shorewall-users/2004-June/012969.html
http://msgs.securepoint.com/cgi-bin/get/netfilter-0506/123.html

I'll try taking out the modules ip_ftp_nat and ip_conntrack_ftp to see if that
has the same behavior.

Jeff Rasmussen
GPG public key 0x9686C12F
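The kernel messages in the post above, decoded as an added example (this is not code from the post, from Openswan or from netfilter). It assumes the four numbers are exp->seq, the length of the matched command, the packet's TCP seq and seq plus payload length, which is the printk format of the ip_nat_ftp.c helper in 2.4 / early 2.6 kernels, and it replays the between() check that precedes that message: the helper drops the packet when the command bytes it expects to rewrite do not lie inside the packet's payload window. Two constructed lines are added to the four from the post (one command fully inside its packet, one straddling the 2^32 sequence wrap) to show the passing case:

```python
import re

# Added example (not from the post): decode "FTP_NAT: partial packet" lines
# and replay the check that emitted them.  Assumption: in the ip_nat_ftp.c of
# 2.4 / early 2.6 kernels the message is printed as
#   "FTP_NAT: partial packet %u/%u in %u/%u", exp->seq, len, seq, seq + datalen
# just before the packet is dropped (NF_DROP).

MOD = 1 << 32  # TCP sequence numbers wrap at 2^32

LOG_RE = re.compile(r"FTP_NAT: partial packet (\d+)/(\d+) in (\d+)/(\d+)")

# Sample input: the four lines quoted in the post, plus two constructed lines
# (a command fully inside its packet, and one straddling the 2^32 wrap).
SAMPLE_LINES = [
    "kernel: FTP_NAT: partial packet 2087393185/21 in 787/863",
    "kernel: FTP_NAT: partial packet 2087393185/21 in 788/844",
    "kernel: FTP_NAT: partial packet 2087393185/21 in 789/849",
    "kernel: FTP_NAT: partial packet 2087393185/21 in 790/838",
    "kernel: FTP_NAT: partial packet 1000/21 in 1000/1021",            # constructed
    "kernel: FTP_NAT: partial packet 4294967290/21 in 4294967280/24",  # constructed
]


def between(x, a, b):
    """Kernel-style 'a <= x <= b' on wrapping 32-bit sequence numbers."""
    return (x - a) % MOD <= (b - a) % MOD


def parse_line(line):
    """Return the fields of one log line as a dict, or None if it does not match."""
    m = LOG_RE.search(line)
    if m is None:
        return None
    exp_seq, cmd_len, seq, end = (int(g) for g in m.groups())
    return {
        "exp_seq": exp_seq,            # seq at which the helper saw the PORT/PASV text
        "cmd_len": cmd_len,            # length of that command text
        "seq": seq,                    # TCP seq of the packet reaching the NAT helper
        "datalen": (end - seq) % MOD,  # payload bytes in that packet
        # distance from the packet's seq to the expectation, modulo 2^32
        "offset": (exp_seq - seq) % MOD,
    }


def would_mangle(rec):
    """True if the helper would have rewritten the packet instead of dropping it."""
    last_cmd_byte = (rec["exp_seq"] + rec["cmd_len"] - 1) % MOD
    last_payload_byte = (rec["seq"] + rec["datalen"] - 1) % MOD
    return between(last_cmd_byte, rec["seq"], last_payload_byte)


def analyse(lines):
    """Parse every matching line and annotate it with the drop decision."""
    out = []
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            continue
        rec["dropped"] = not would_mangle(rec)
        out.append(rec)
    return out


if __name__ == "__main__":
    for rec in analyse(SAMPLE_LINES):
        verdict = "DROP" if rec["dropped"] else "mangle"
        print(f"exp_seq={rec['exp_seq']} len={rec['cmd_len']} pkt_seq={rec['seq']} "
              f"datalen={rec['datalen']} offset={rec['offset']} -> {verdict}")
```

For the four lines from the post the packet sequence numbers (787 to 863) are about 2×10^9 away from the expected 2087393185, so none of them can contain the 21-byte command the helper wants to rewrite and every one is dropped; the data-connection failure after a successful login follows directly from that. The two constructed lines pass, including the one across the wrap, which is why the comparison has to be done modulo 2^32 rather than with plain integer ordering.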