I got a reply from Rusty Russell (one of the netfilter developers) who
had the following to say about this:
===
Hi,
To do the FTP ports, you need the multi-port FTP patch from
patch-o-matic, then this will work. `make patch-o-matic' (with
KERNEL_DIR set to your kernel directory).
This is pending inclusion in the main kernel tree...
Hope that helps,
Rusty.
--
Premature optmztion is rt of all evl. --DK
===
I've downloaded the patch
(http://pserver.samba.org/cgi-bin/cvsweb/netfilter/userspace/patch-o-matic/ftp-multi.patch).
Maybe I (or Jeff / Chmouel) can put it in one of the next kernel
releases...
> > I'm trying to get ABNAMRO (the Dutch bank) Homenet software (windoze
> > based, really dumb --> I wish they would switch to something web-based)
> > to work with iptables (2.4 kernel) in my masqed network. It was working
> > fine with ipchains. The only thing I needed to do there was insmod
> > ip_masq_ftp ports=21,42,63 (since the software needs some weird ftp
> > ports to communicate).
> >
> > How do I do an "insmod ip_masq_ftp ports=21,42,63" with the modules that
> > come with iptables? The new module is named "ip_nat_ftp" but it doesn't
> > accept the ports=21,42,63 ....
>
> A lot has changed from ipchains to iptables.
> You might read the netfilter howto's at:
> http://netfilter.kernelnotes.org/unreliable-guides/netfilter-hacking-HOWTO.html
>
> The most important change is that it has a state feature. With this you
> can masq ftp client connections.
The problem with the ABN-AMRO HomeNet software (did I mention how much
HomeNet sucks?) is that it needs FTP connections to be set up on
non-standard ports. I don't think that this can be handled with
netfilter being stateful, since connections are being set up from the
internet back into my private network, on ports that the ip_nat_ftp
module doesn't expect them to come into. Once you can configure the
ip_nat_ftp module to look after those other "strange" ports then it'll
work, as it did with ipchains code.
> I believe I got it working ok myself. So I could send you my config with
> a direct mail.
Thanks!!, but I'll try with the patch above first...
Stefan van der Eijk