NAT_FTP and ipsec
Gary W. Smith
gary at primeexalia.com
Mon Jun 20 20:20:05 CEST 2005
I hate answer my own questions with "I found the problem".
The remote workstation has the default firewall enabled by default. I
never noticed it because I use SSH on it most of the time. Anyways,
turning of the rules on that machine fixed the problem. I didn't think
to check as the remote workstation has always worked.
> -----Original Message-----
> From: netfilter-bounces at lists.netfilter.org [mailto:netfilter-
> bounces at lists.netfilter.org] On Behalf Of Gary W. Smith
> Sent: Monday, June 20, 2005 10:30 AM
> To: netfilter at lists.netfilter.org
> Subject: NAT_FTP and ipsec
> I ran into a weird error today and was wondering if there was any
> workaround for it. I have two networks connected via IPSEC (Openswan)
> which has been working great for some time. All of the remote nodes
> access the main network just fine (including FTP). Between the nodes
> and the primary network, iptables is set to allow all traffic
> unrestricted. The nodes and the primary network all use internal
> >From a Linux box on the remote node I can FTP to my workstation and
> files. But when I try to pull files from that Linux box from my
> workstation I have been receiving "ftp: connect: No route to host". I
> have been looking at both firewalls in question and they both have
> ip_conntrack_ftp and ip_nat_ftp loaded.
> The firewall on the main network is showing "kernel: FTP_NAT: partial
> Packet 1842323491/17 in 35830/35905"
> Some articles that I pulled up basically said it is because IPSEC
> doesn't play well with iptables. But I haven't had any other
> Both firewalls are running RHEL 4. The kernel has been patched to
> include a fix for IPSEC (for a race condition which caused kernel
> panics) and pptp-conntrack.
> Any ideas?
> Gary Smith
More information about the netfilter