[Date Prev][Date Next] [Thread Prev][Thread Next] [Date Index] [Thread Index]



I have some interesting problems with connection tracking. I have opened the
ftp ports to all IP-s listed in the userIP chain like this:

ACCEPT     all  --  anywhere             anywhere           state
userIP     tcp  --  anywhere             anywhere           tcp

Chain userIP
ACCEPT     all  --  193.xxx.xxx.xxx       anywhere
ACCEPT     all  --  146.xxx.xxx.xxx       anywhere
ACCEPT     all  --  195.xxx.xxx.xxx       anywhere

Problem is:
It works with all IP-s except for 2, both of them are proxies. For the one
it was enough to accept any traffic from that IP with a line like this:

iptables -I INPUT -s <that IP> -j ACCEPT

Of course that is not the proper solution, I'll have to figure out the prob
and fix it some other time, but it works at least.
The other IP doesn't work at all, ftp stops at the PORT command. Log entry:

Apr 18 12:46:57 pingu kernel: IN=eth0 OUT=
MAC=00:40:f6:4c:11:8c:aa:00:04:00:01:04:08:00 SRC=195.xxx.xxx.xxx
DST=152.xxx.xxx.xxx LEN=48 TOS=0x00 PREC=0x00 TTL=123
 ID=11796 DF PROTO=TCP SPT=3100 DPT=21 WINDOW=64240 RES=0x00 SYN URGP=0
Apr 18 12:47:00 pingu wu-ftpd[6941]: FTP LOGIN FROM blablabla.hu
[195.xxx.xxx.xxx], lujo
Apr 18 12:47:27 pingu wu-ftpd[6941]: refused PORT,3102 from
blablabla.hu [195.xxx.xxx.xxx]
Apr 18 12:51:33 pingu wu-ftpd[6941]: refused PORT,3122 from
blablabla.hu [195.xxx.xxx.xxx]

I tried to accept any traffic from that IP, didn't work out. Disabling the
firewall did anyway, so there must be some rule missing to fix this, or is
iptables that buggy? I can't imagine why conntrack_ftp isn't able to handle
that PORT command from that particular IP. Any ideas?

Thx in advance

Reply to: