
Re[1] Re[1] Ftp, Iptables and masquerade



Sebastiaan,

I found where my problem is!
It comes from the fact that my FTP session is NATed before!
Here is the forward direction:
FTP_CLIENT -> NAT_SERVER -> NETFILTER -> FTP_SERVER

My problem is that NAT_SERVER works only on the TCP headers
and not on the IP address contained in the data of the TCP port 21 packets!

It seems that the kernel modules ip_conntrack or ip_nat_ftp
check the IP address of the TCP port 21 headers against the one in the TCP port 21 data.


If somebody has heard of anything like this, I am
interested.
Well, I think that I will ask this question on a kernel
mailing list.

Many Thanks.

Fabian

> -------Original Message-------
> From: Sebastiaan <S.Breedveld@ITS.TUDelft.NL>
> Date: 13/07/2001 14:47:09
>
> Hi,
>
> I would not know if it is the same. I insmodded the whole bunch of
> netfilter modules, then I ran the following to enable masquerading (from
> the iptables howto):
> # Load the NAT module (this pulls in all the others).
> modprobe iptable_nat
>
> # In the NAT table (-t nat), Append a rule (-A) after routing
> # (POSTROUTING) for all packets going out ppp0 (-o ppp0) which says to
> # MASQUERADE the connection (-j MASQUERADE).
> iptables -t nat -A POSTROUTING -o ppp0 -j MASQUERADE
>
> # Turn on IP forwarding
> echo 1 > /proc/sys/net/ipv4/ip_forward
>
> worked fine for me. It seems that you need at least the modules:
> ip_tables
> ip_conntrack
> ip_conntrack_ftp
> iptable_nat
> ip_nat_ftp
>
> I would not know what could be wrong if this bare bones configuration does
> not work, but then, I am no expert. Does the other IP traffic like http or
> telnet work?
>
> Greetz,
> Sebastiaan
>
>
>
>
> On Fri, 13 Jul 2001, fr ml wrote:
>
> > True, I have the ftp conntrack & ftp nat modules available
> > with auto-load, and my problem is only with active ftp.
> > Martin's answer was about a similar question I think.
> >
> > But, what I saw, is that the module ftp_conntrack is up
> > when I use the state option, but not the nat ftp module!
> > I've launched it manually with insmod, the result is the same!
> >
> > So: is there any special option to activate the nat_ftp
> > module? On ipchains, the module was ip_ftp_masq; is the
> > module ip_nat_ftp on iptables doing the same thing?
> > i.e. masquerade active ftp sessions for outgoing tcp packets
> > on port 21 (the reply IP address is in the tcp data and not in the
> > tcp header)
> >
> > > From: Sebastiaan
> > > Date: 13/07/2001 10:19:28
> > >
> > > On Fri, 13 Jul 2001, fr ml wrote:
> > >
> > > >
> > > > Hello,
> > > >
> > > > I've tried to masquerade my private LAN from the outside,
> > > > but I've got problems for ftp (port 21).
> > > >
> > > > At first, I've tried such a rule (where eth0 is private and
> > > > eth1 public):
> > > > iptables -t nat -A POSTROUTING -o eth1 -s private_lan -d 0.0.0.0/0 \
> > > >   -p tcp -m state --state NEW,ESTABLISHED,RELATED -j MASQUERADE
> > > >
> > > >
> > > > with no success: the packets sent are indeed masqueraded, but
> > > > the replies are still using the original non-masqueraded IP
> > > > address.
> > > >
> > > Hello,
> > >
> > > why do you not use the ftp modules ip_conntrack_ftp.o and
> > > ip_nat_ftp.o?
> > > They come with the netfilter options in the kernel. Works fine.
> > >
> > > Greetz,
> > > Sebastiaan
> > >
> > >
> > >
> > > --
> > > To UNSUBSCRIBE, email to debian-firewall-request@lists.debian.org
> > > with a subject of "unsubscribe". Trouble? Contact listmaster@lists.debian.org
> > >
> > >
> > >
> > ______________________________________________________
> > Mailbox - Caramail - http://www.caramail.com
> >
> >
>
>
>
>
>
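As an added illustration of the mechanism Fabian describes (not code from this thread, nor from the Linux ip_conntrack_ftp/ip_nat_ftp modules it names), here is a small Python model of an FTP NAT helper handling an active-mode PORT command. The addresses (192.168.1.10, 10.0.0.1, 203.0.113.5), the port 1234 and the function names are constructed for the example. It shows why an extra NAT hop in front of the netfilter box breaks active FTP: that hop rewrites the IP header but not the PORT payload, so the helper sees an address mismatch between header and data and sets up no expectation for the server's data connection.

```python
"""Model of what an FTP NAT helper does with an active-mode PORT command.

Added illustration, not code from this thread or from the Linux kernel
modules it names. It models the behaviour Fabian describes: the helper
parses the PORT command in the port-21 data stream, compares the address
it carries with the source address of the control connection, and only
when they match rewrites it and sets up an expectation for the incoming
data connection. All addresses and ports below are constructed.
"""
import ipaddress
import re

PORT_RE = re.compile(
    r"^PORT (\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3})\r\n$"
)


def parse_port(cmd):
    """Return (ip, port) from 'PORT h1,h2,h3,h4,p1,p2\\r\\n', else ValueError."""
    m = PORT_RE.match(cmd)
    if not m:
        raise ValueError("not a PORT command: %r" % cmd)
    nums = [int(x) for x in m.groups()]
    if any(n > 255 for n in nums):
        raise ValueError("octet out of range in %r" % cmd)
    ip = ".".join(str(n) for n in nums[:4])
    port = nums[4] * 256 + nums[5]
    return ip, port


def format_port(ip, port):
    """Build the PORT command a client sends for address ip and TCP port."""
    octets = str(ipaddress.IPv4Address(ip)).split(".")
    return "PORT %s,%d,%d\r\n" % (",".join(octets), port // 256, port % 256)


def ftp_nat_helper(conn_src_ip, nat_public_ip, cmd):
    """Model of ip_conntrack_ftp + ip_nat_ftp handling an outgoing PORT.

    conn_src_ip   -- source IP in the IP header of the control connection,
                     as seen by this netfilter box
    nat_public_ip -- address this box masquerades to
    Returns (rewritten_cmd, expectation). expectation is None when the
    helper refuses because the address in the data does not match the
    header, so no data connection will be let back in.
    """
    ip, port = parse_port(cmd)
    if ip != conn_src_ip:
        # Data says one address, header says another: leave it alone.
        return cmd, None
    expectation = {
        "server_connects_to": (nat_public_ip, port),  # what the FTP server sees
        "dnat_to": (conn_src_ip, port),               # where it is forwarded
    }
    return format_port(nat_public_ip, port), expectation


def scenario(double_nat):
    """Active FTP from client 192.168.1.10 through a masquerading box.

    double_nat=False: FTP_CLIENT -> NETFILTER -> FTP_SERVER
    double_nat=True:  FTP_CLIENT -> NAT_SERVER -> NETFILTER -> FTP_SERVER,
    where NAT_SERVER rewrites only the IP/TCP headers (to 10.0.0.1) and
    leaves the PORT payload untouched, as in Fabian's setup.
    """
    client = "192.168.1.10"
    cmd = format_port(client, 1234)  # the client puts its own address in PORT
    seen_src = "10.0.0.1" if double_nat else client
    return ftp_nat_helper(seen_src, "203.0.113.5", cmd)


if __name__ == "__main__":
    for dn in (False, True):
        new_cmd, exp = scenario(dn)
        print("double NAT:", dn, "->", repr(new_cmd), exp)
```

Run it to compare the two paths: in the single-NAT case the PORT command is rewritten to the public address and an expectation is created, while in the double-NAT case the PORT command is left untouched and the server's data connection towards 192.168.1.10 can never arrive, which is exactly the symptom reported in the thread.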

