
ip_conntrack_ftp



Greetings,

I have some interesting problems with connection tracking. I have opened the
FTP ports to all IPs listed in the userIP chain like this:

Chain INPUT
ACCEPT     all  --  anywhere             anywhere           state
RELATED,ESTABLISHED
userIP     tcp  --  anywhere             anywhere           tcp
dpts:ftp-data:ftp

Chain userIP
ACCEPT     all  --  193.xxx.xxx.xxx       anywhere
ACCEPT     all  --  146.xxx.xxx.xxx       anywhere
ACCEPT     all  --  195.xxx.xxx.xxx       anywhere
etc.

Problem is:
It works with all IPs except for two, both of which are proxies. For one of
them it was enough to accept any traffic from that IP with a line like this:

iptables -I INPUT -s <that IP> -j ACCEPT

Of course that is not the proper solution; I'll have to figure out the problem
and fix it some other time, but at least it works.
The other IP doesn't work at all: FTP stops at the PORT command. Log entries:

Apr 18 12:46:57 pingu kernel: IN=eth0 OUT= MAC=00:40:f6:4c:11:8c:aa:00:04:00:01:04:08:00 SRC=195.xxx.xxx.xxx DST=152.xxx.xxx.xxx LEN=48 TOS=0x00 PREC=0x00 TTL=123 ID=11796 DF PROTO=TCP SPT=3100 DPT=21 WINDOW=64240 RES=0x00 SYN URGP=0
Apr 18 12:47:00 pingu wu-ftpd[6941]: FTP LOGIN FROM blablabla.hu [195.xxx.xxx.xxx], lujo
Apr 18 12:47:27 pingu wu-ftpd[6941]: refused PORT 192.168.3.13,3102 from blablabla.hu [195.xxx.xxx.xxx]
Apr 18 12:51:33 pingu wu-ftpd[6941]: refused PORT 192.168.3.13,3122 from blablabla.hu [195.xxx.xxx.xxx]
etc.

I tried accepting any traffic from that IP, but that didn't work out. Disabling
the firewall did, though, so there must be some rule missing to fix this, or is
iptables that buggy? I can't imagine why conntrack_ftp isn't able to handle
that PORT command from that particular IP. Any ideas?

Thx in advance
giraff
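Added example, not code from the original post or from the netfilter project. The wu-ftpd lines above show a PORT command advertising 192.168.3.13, an RFC 1918 address, on a control connection that arrived from 195.xxx.xxx.xxx. Both the FTP server and the kernel's FTP conntrack helper (nf_conntrack_ftp, and ip_conntrack_ftp before it) compare the address in PORT/PASV with the peer of the control connection; the helper only sets up an expectation for the data connection when they match, unless the module is loaded with its `loose` parameter set. The Python below models that check, including the privileged-port refusal that servers apply against FTP bounce attacks. The control-peer address 198.51.100.7 is a constructed stand-in for the masked 195.xxx address; the PORT arguments 12,30 and 12,50 are the on-wire encoding of the ports 3102 and 3122 seen in the log.

```python
"""Model of the address check applied to an active-mode FTP PORT command.

Added example, not code from the original post. 198.51.100.7 stands in for
the masked client address in the log; 192.168.3.13 is the PORT address shown.
"""
import ipaddress
import re
from dataclasses import dataclass
from typing import List, Optional, Tuple

# On-wire form: PORT h1,h2,h3,h4,p1,p2  with port = p1*256 + p2
PORT_RE = re.compile(
    r"^PORT\s+(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3})\s*$"
)
RFC1918 = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]


@dataclass
class Verdict:
    accepted: bool
    reason: str
    data_addr: Optional[str] = None  # address the server would connect to from port 20
    data_port: Optional[int] = None


def is_rfc1918(addr: str) -> bool:
    """True if addr lies in one of the RFC 1918 private ranges."""
    a = ipaddress.ip_address(addr)
    return any(a in net for net in RFC1918)


def parse_port(cmd: str) -> Tuple[str, int]:
    """Decode 'PORT h1,h2,h3,h4,p1,p2' into (ip, port); ValueError if malformed."""
    m = PORT_RE.match(cmd)
    if not m:
        raise ValueError(f"malformed PORT command: {cmd!r}")
    fields = [int(x) for x in m.groups()]
    if any(f > 255 for f in fields):
        raise ValueError(f"field out of range in: {cmd!r}")
    return ".".join(str(f) for f in fields[:4]), fields[4] * 256 + fields[5]


def check_port(control_peer: str, cmd: str, loose: bool = False) -> Verdict:
    """Decide whether a data connection to the address in cmd may be expected.

    control_peer: source address of the control connection (to port 21).
    loose: models the helper's `loose` parameter, which allows the advertised
           address to differ from the control peer.
    """
    try:
        addr, port = parse_port(cmd)
    except ValueError as exc:
        return Verdict(False, str(exc))

    # Bounce-attack defence: never connect to a privileged port on behalf of a client.
    if port < 1024:
        return Verdict(False, f"refused: data port {port} < 1024", addr, port)

    if addr != control_peer:
        kind = "RFC 1918" if is_rfc1918(addr) else "foreign"
        if not loose:
            return Verdict(False, f"refused: {kind} address {addr} does not match "
                                  f"control peer {control_peer}", addr, port)
        return Verdict(True, f"accepted (loose): expecting data to {addr}:{port}", addr, port)

    return Verdict(True, f"accepted: expecting data to {addr}:{port}", addr, port)


def review(control_peer: str, cmds: List[str], loose: bool = False) -> List[Verdict]:
    """Run check_port over a sequence of PORT commands from one session."""
    return [check_port(control_peer, c, loose) for c in cmds]


if __name__ == "__main__":
    # Constructed session: the two PORT commands behind the refused entries in the log.
    session = ["PORT 192,168,3,13,12,30", "PORT 192,168,3,13,12,50"]
    for strict, v in zip(session, review("198.51.100.7", session)):
        print(strict, "->", v.reason)
    for strict, v in zip(session, review("198.51.100.7", session, loose=True)):
        print(strict, "->", v.reason)
```

With `loose` off the model refuses both commands exactly as the log shows, because the client (behind a NAT or proxy without an FTP-aware ALG) advertises an address the server could never reach; with `loose` on the helper would create the expectation, but the server would still be connecting to a private address, so the fix belongs on the client side (passive mode, or an FTP-aware proxy), not in the firewall.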