ftp conntrack - nat problem
rob0 at gmx.co.uk
Tue Nov 8 20:36:50 CET 2005
On Tuesday 2005-November-08 01:03, Dave Strydom wrote:
> Active Help: http://www.smartftp.com/support/kb/index.php/74
> Client closed the connection.
> Transfer failed.
> And just dies there.
> Now if I use ACTIVE MODE (PORT) I get the same thing... my question
> is why?
I don't know. I'm not convinced it's a netfilter issue, though. I did
not try to follow your script. Perhaps if you post your rules
(iptables-save(8)) we could see if anything looks wrong. Please note
that you didn't describe where you were sitting when you got this
error, so we could not possibly guess what is happening. I imagine that
this "smartftp" is some kind of Windows thing, so it probably was not
running on the firewall?
> Here is a copy of my firewall script:
Did you write all this yourself?
> ### Accepting our servers OUTPUT RULES###
> $IPTABLES -A OUTPUT -p ALL -s $LOCAL_NETWORK_IP_RANGE -m state
> --state NEW,ESTABLISHED,RELATED -j ACCEPT
Above you had:
> $IPTABLES -P OUTPUT ACCEPT
so why are you adding ACCEPT rules to OUTPUT?
> ### Drop Rootshell Connections ###
> $IPTABLES -t nat -A PREROUTING -p tcp -i eth0 --dport 1524 -j DROP
This is not appropriate in the nat table.
> ftp_conntrack and ip_nat_ftp are built into the kernel (from what I
> can tell) (kernel-2.6.11)
"From what [you] can tell?" You would know more about it than we would.
Also, netfilter drivers really should not be built-in unless it's an
embedded device which should reboot to make any changes.
> What am I missing, because this is seriously starting to annoy me,
> I can't find anything wrong,
Nor can I. It could be many things.
> even if I set up a simple DNAT for ftp, with no filtering or
> anything, it transfers a few files, and then bombs out
This suggests that the problem is not netfilter at all, but yes, more
simple iptables rules would help in ruling it out.
mail to this address is discarded unless "/dev/rob0"
or "not-spam" is in Subject: header
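
An added example, not part of the original message: a small Python check over iptables-save(8) output for the two issues raised in the reply above, a DROP rule in the nat table (which is meant for address translation and is consulted only for the first packet of a connection) and ACCEPT rules in a chain whose policy is already ACCEPT. The sample dump, its addresses and the function name `lint` are constructed for illustration.

```python
import re

# Constructed sample in iptables-save(8) format, modelled on the rules quoted above.
SAMPLE = """\
*nat
:PREROUTING ACCEPT [0:0]
:POSTROUTING ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
-A PREROUTING -i eth0 -p tcp -m tcp --dport 1524 -j DROP
-A PREROUTING -i eth0 -p tcp -m tcp --dport 21 -j DNAT --to-destination 192.0.2.10
COMMIT
*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [0:0]
-A OUTPUT -s 192.0.2.0/24 -m state --state NEW,RELATED,ESTABLISHED -j ACCEPT
-A FORWARD -m state --state RELATED,ESTABLISHED -j ACCEPT
COMMIT
"""

def lint(dump):
    """Return (line_no, message) findings for an iptables-save dump."""
    findings, table, policy = [], None, {}
    for no, line in enumerate(dump.splitlines(), 1):
        line = line.strip()
        if line.startswith("*"):        # "*nat", "*filter": a new table begins
            table, policy = line[1:], {}
        elif line.startswith(":"):      # ":OUTPUT ACCEPT [0:0]": chain and its policy
            chain, pol = line[1:].split()[:2]
            policy[chain] = pol
        elif line.startswith("-A "):    # an appended rule
            chain = line.split()[1]
            m = re.search(r"(?:-j|--jump)\s+(\S+)", line)
            target = m.group(1) if m else None
            if table == "nat" and target == "DROP":
                findings.append((no, "DROP in nat table; filter in the filter table instead"))
            if table == "filter" and target == "ACCEPT" and policy.get(chain) == "ACCEPT":
                findings.append((no, f"ACCEPT rule in {chain}, whose policy is already "
                                     "ACCEPT (redundant unless a later rule drops)"))
    return findings

if __name__ == "__main__":
    for no, msg in lint(SAMPLE):
        print(f"line {no}: {msg}")
```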