Connection not recognized as RELATED
Derick Anderson
danderson at vikus.com
Mon Mar 6 16:38:30 CET 2006
> -----Original Message-----
> From: netfilter-bounces at lists.netfilter.org
> [mailto:netfilter-bounces at lists.netfilter.org] On Behalf Of
> Richard Simon
> Sent: Friday, March 03, 2006 10:48 AM
> To: ludi; netfilter at lists.netfilter.org
> Subject: RE: Connection not recognized as RELATED
>
> I don't think you looked at my configuration included in the message.
> I have those modules loaded (as you can see from my lsmod
> output) and I have ftp working on port 21 (which you can
> infer from my DNAT rule).
> I'm just not getting the conntrack to recognize the SYN for
> the passive connection to be RELATED.
>
> anyone else have a guess?
>
> Richard Simon
> Giant Killer Robots
> 361 Brannan St.
> San Francisco, CA 94107
> (415) 777-2477
>
I would start by filtering in the filter table. These rules

-A PREROUTING -d 77.77.77.4 -i eth2 -p tcp -m tcp --sport 1024:65535 --dport 21 -j DNAT --to-destination 192.168.4.101:21
-A FORWARD -d 192.168.4.101 -i eth2 -o eth0 -p tcp -m tcp --sport 1024:65535 --dport 21 -m state --state NEW -j ACCEPT

should be

-A PREROUTING -d 77.77.77.4 -i eth2 -j DNAT --to-destination 192.168.4.101
-A FORWARD -d 192.168.4.101 -i eth2 -o eth0 -p tcp -m tcp --dport 21 -m state --state NEW -j ACCEPT
There is no need to filter twice, and conntrack makes unprivileged source
port filtering unnecessary. Also, filtering in nat is a bad idea, for
reasons that are explained somewhere in the archive, but if memory serves
only the first packet in a connection which is matched by a nat rule
actually passes through the nat table.
Hope that helps. If not, you can always open up the destination ports
for the passive range on your FTP server. Also, if you use FTPS (over
SSL) conntrack can't see the PASV port request and won't have a clue
what to do, so you have to open those ports anyway.
Derick Anderson
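As an added example (not part of the thread), a small Python linter for iptables-save dumps that flags the three problems the reply points out: filter-style matches in the nat table, redundant unprivileged --sport matches, and a rule that names -p twice. The BEFORE and AFTER rulesets are constructed from the rules quoted above; the ESTABLISHED,RELATED rule in AFTER is an assumption about the poster's ruleset.

```python
"""Lint an iptables-save dump for the pitfalls the reply names: filter-style
matches in the nat table, redundant unprivileged --sport matches, and a rule
iptables rejects outright (duplicate -p).  Sample rules below are constructed."""
import shlex

# Constructed sample, mirroring the rules quoted in the thread.
BEFORE = """\
*nat
-A PREROUTING -d 77.77.77.4 -i eth2 -p tcp -m tcp --sport 1024:65535 --dport 21 -j DNAT --to-destination 192.168.4.101:21
COMMIT
*filter
-A FORWARD -d 192.168.4.101 -i eth2 -o eth0 -p tcp -m tcp --sport 1024:65535 --dport 21 -m state --state NEW -j ACCEPT
-A FORWARD -p tcp -d 192.168.4.101 -i eth2 -o eth0 -p tcp -m tcp --dport 21 -m state --state NEW -j ACCEPT
COMMIT
"""

# Corrected form: DNAT only in nat, state filtering only in filter.  The
# ESTABLISHED,RELATED rule is assumed; it is what admits the passive data
# connection once the FTP conntrack helper marks it RELATED.
AFTER = """\
*nat
-A PREROUTING -d 77.77.77.4 -i eth2 -j DNAT --to-destination 192.168.4.101
COMMIT
*filter
-A FORWARD -d 192.168.4.101 -i eth2 -o eth0 -p tcp -m tcp --dport 21 -m state --state NEW -j ACCEPT
-A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT
COMMIT
"""

# Matches that belong in the filter table, not in nat.
FILTER_MATCHES = {"--sport", "--source-port", "state", "conntrack"}

def lint_rules(dump):
    """Return (table, rule, finding) tuples, in rule order."""
    findings, table = [], None
    for raw in dump.splitlines():
        line = raw.strip()
        if not line or line[0] in "#:" or line == "COMMIT":
            continue
        if line.startswith("*"):
            table = line[1:]                 # "*nat" -> "nat"
            continue
        args = shlex.split(line)
        if args.count("-p") + args.count("--protocol") > 1:
            findings.append((table, line, "duplicate -p flag; iptables rejects this rule"))
        # Only a connection's first packet traverses nat, so state or port
        # filtering placed there never sees the rest of the flow.
        if table == "nat" and FILTER_MATCHES & set(args):
            findings.append((table, line, "filter-style match in the nat table"))
        # Conntrack follows the reply path; matching the client's ephemeral
        # port range adds nothing and just filters the same flow twice.
        if "--sport" in args or "--source-port" in args:
            findings.append((table, line, "redundant unprivileged --sport match"))
    return findings
```

Running `lint_rules(BEFORE)` reports four findings against the original rules; `lint_rules(AFTER)` returns an empty list.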