
Re: Public IP's with 1:1 mapping does not map all ports or passive ftp does not work [long]



2006/9/20, Pascal Hambourg <pascal.mail@plouf.fr.eu.org>:
> No, he can't "use all the apps he want". NAT, and even static 1:1 NAT,
> breaks some applications which transmit network addresses in the payload
> to establish dynamic connections. It includes FTP, IRC DCC, H.323, SIP
> (voice over IP), RTSP (video streaming)...
>
>> but ...
>>
>> a) active ftp does not work
>
> FTP is the most common of those applications which can be broken by 1:1
> static NAT. You need to "help" the application with a "helper" iptables
> module. There are usually two modules for a given protocol: for FTP,
> they are ip_conntrack_ftp (keeps track of FTP connections) and
> ip_nat_ftp (NAT FTP data connections and, most important, mangles
> network addresses in the control connections payload).

Thanks for your replies ....
AFAIK I do not need to add some iptables so I've loaded the module and
ask my customers if it works

Thank you one more time.

--
Wojciech Ziniewicz            |  jid:zeth@chrome.pl
http://silenceproject.org       | http://zetho.wordpress.com
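
An added illustration, not part of the original thread and not the kernel module's code: a user-space sketch of the payload rewriting that the quoted message attributes to ip_nat_ftp, applied to FTP control-channel lines. The 1:1 address mapping, function names and sample lines are constructed for the example.

```python
import re

# RFC 959 encodes a data endpoint as six decimal bytes: h1,h2,h3,h4,p1,p2
_HOSTPORT = re.compile(rb"(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3})")

# Constructed 1:1 NAT table: private address -> public address
NAT_MAP = {"10.0.0.5": "203.0.113.5"}


def parse_endpoint(line: bytes):
    """Return (ip, port) carried in a PORT command or 227 reply, else None."""
    if not (line.upper().startswith(b"PORT ") or line.startswith(b"227 ")):
        return None
    m = _HOSTPORT.search(line)
    if m is None:
        return None
    nums = [int(g) for g in m.groups()]
    if any(n > 255 for n in nums):
        return None
    return ".".join(map(str, nums[:4])), nums[4] * 256 + nums[5]


def rewrite_endpoint(line: bytes, nat_map: dict) -> bytes:
    """Replace a mapped private address inside the payload with its public one.

    Plain NAT only rewrites the IP header, so without this step the peer is
    told to connect to an address it cannot reach. The rewritten line can
    differ in length, which is why a NAT helper must also keep the TCP
    sequence numbers of the control connection consistent.
    """
    ep = parse_endpoint(line)
    if ep is None or ep[0] not in nat_map:
        return line  # not an endpoint line, or address is not translated
    ip, port = ep
    public = nat_map[ip].replace(".", ",")
    new = "{},{},{}".format(public, port >> 8, port & 0xFF).encode()
    m = _HOSTPORT.search(line)
    return line[:m.start()] + new + line[m.end():]


if __name__ == "__main__":
    for sample in (b"PORT 10,0,0,5,195,80\r\n",                           # active mode
                   b"227 Entering Passive Mode (10,0,0,5,195,80).\r\n",  # passive mode
                   b"USER anonymous\r\n"):
        print(sample, "->", rewrite_endpoint(sample, NAT_MAP))
```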


