[ILUG] iptables, nat and ftp stopped working

From: John Allman (allmanj at domain houseofireland.com)
Date: Mon 30 Sep 2002 - 12:25:03 IST

• Next message: Dave Wilson: "[ILUG] Red Hat 8.0 - Irish mirrors"
• Previous message: Colm MacCárthaigh: "Re: [ILUG] APT for RedHat - what you need to know"
• Next in thread: John Allman: "Re: [ILUG] iptables, nat and ftp stopped working"
• Reply: John Allman: "Re: [ILUG] iptables, nat and ftp stopped working"
• Messages sorted by: [ date ] [ thread ] [ subject ] [ author ] [ attachment ]
• Mail actions: [ respond to this message ] [ mail a new topic ]

hi - i used to have iptables working with ftp and natting using the
ip_nat_ftp module but after a reboot it's no longer working and i just
cant understand why! To the best of my knowlege nothing has changed. my
iptables script has the following lines in it

/sbin/insmod ip_conntrack_ftp
/sbin/insmod ip_nat_ftp

# - first the control connection for ftp
$ipt -A FORWARD -i $intif -o $outif -p TCP -s $pf2 -d 0/0 --dport 21 -m
state --state NEW,ESTABLISHED -j ACCEPT || res=1
$ipt -A FORWARD -i $outif -o $intif -p TCP -s 0/0 --sport 21 -d $pf2 -m
state --state ESTABLISHED -j ACCEPT || res=1

# then the data stream
$ipt -A FORWARD -i $outif -o $intif -p tcp -s 0/0 --sport 20 -d $pf2 -m
state --state ESTABLISHED,RELATED -j ACCEPT || res=1
$ipt -A FORWARD -o $outif -i $intif -p tcp -d 0/0 --dport 20 -s $pf2 -m
state --state ESTABLISHED -j ACCEPT || res=1

$ipt is the full path to iptables. $intif is the internal interface,
$outif is the external interface. $pf2 is the proxy from where all ftp
sessions begin. res is just a variable to indicate whether the script
ran successfully or not.

iptables -L FORWARD shows this:

ACCEPT tcp -- firewall.in.question anywhere tcp dpt:ftp
state NEW,ESTABLISHED
ACCEPT tcp -- anywhere firewall.in.questiontcp spt:ftp
state ESTABLISHED
ACCEPT tcp -- anywhere firewall.in.questiontcp
spt:ftp-data state RELATED,ESTABLISHED
ACCEPT tcp -- firewall.in.question anywhere tcp
dpt:ftp-data state ESTABLISHED

lsmod shows

ext:~ # lsmod
Module Size Used by Tainted: P
af_packet 11528 0 (autoclean)
ip_nat_ftp 2944 0 (unused)
ip_conntrack_ftp 3200 0 (unused)
isa-pnp 27816 0 (unused)
joydev 5728 0 (unused)
evdev 3904 0 (unused)
input 3072 0 [joydev evdev]
usb-uhci 20996 0 (unused)
usbcore 55136 1 [usb-uhci]
3c59x 25032 2
e100 69272 1
ipt_REJECT 2752 2 (autoclean)
ipt_LOG 3168 3 (autoclean)
ipt_state 608 60 (autoclean)
iptable_nat 12756 2 (autoclean) [ip_nat_ftp]
ip_conntrack 12652 3 (autoclean) [ip_nat_ftp
ip_conntrack_ftp ipt_state iptable_nat]
iptable_filter 1728 1 (autoclean)
ip_tables 10400 7 [ipt_REJECT ipt_LOG ipt_state
iptable_nat iptable_filter]
reiserfs 158816 1

tcpdumping shows that the control stream is working fine but that
there's a problem with the data stream. i can see packets coming into
the firewall at the external interface but i'm not seeing them on the
other side. I have not touched the script since the restart and cant
understand why it would not be working now! i checked to see if
/proc/sys/net/ipv4/ip_forward is set to 1 and it is.

i'm afraid at that i've run out of debugging ideas. can anyone give me
any suggestions?

thanks

John

• Next message: Dave Wilson: "[ILUG] Red Hat 8.0 - Irish mirrors"
• Previous message: Colm MacCárthaigh: "Re: [ILUG] APT for RedHat - what you need to know"
• Next in thread: John Allman: "Re: [ILUG] iptables, nat and ftp stopped working"
• Reply: John Allman: "Re: [ILUG] iptables, nat and ftp stopped working"
• Messages sorted by: [ date ] [ thread ] [ subject ] [ author ] [ attachment ]
• Mail actions: [ respond to this message ] [ mail a new topic ]

This archive was generated by hypermail 2.1.6 : Thu 06 Feb 2003 - 13:19:09 GMT