Sebastiaan, I found where my problem is! It comes from the fact that my FTP session is NATed before! Here is the forward direction:

FTP_CLIENT -> NAT_SERVER -> NETFILTER -> FTP_SERVER

My problem is that NAT_SERVER works only on the TCP headers and not on the IP address contained in the data of the TCP port 21 packets! It seems that the kernel modules ip_conntrack or ip_nat_ftp check whether the IP address in the TCP port 21 headers and the one in the TCP port 21 data match. If somebody has heard of anything like this, I am interested. Well, I think that I will ask this question on a kernel mailing list.

Many thanks.
Fabian

> -------Original message-------
> From: Sebastiaan <[EMAIL PROTECTED]>
> Date: 13/07/2001 14:47:09
>
> Hi,
>
> I would not know if it is the same. I insmodded the whole bunch of
> netfilter modules, then I ran the following to enable masquerading (from
> the iptables HOWTO):
>
> # Load the NAT module (this pulls in all the others).
> modprobe iptable_nat
>
> # In the NAT table (-t nat), Append a rule (-A) after routing
> # (POSTROUTING) for all packets going out ppp0 (-o ppp0) which says to
> # MASQUERADE the connection (-j MASQUERADE).
> iptables -t nat -A POSTROUTING -o ppp0 -j MASQUERADE
>
> # Turn on IP forwarding
> echo 1 > /proc/sys/net/ipv4/ip_forward
>
> worked fine for me. It seems that you need at least the modules:
> ip_tables
> ip_conntrack
> ip_conntrack_ftp
> iptable_nat
> ip_nat_ftp
>
> I would not know what could be wrong if this bare-bones configuration does
> not work, but then, I am no expert. Does the other IP traffic like http or
> telnet work?
>
> Greetz,
> Sebastiaan
>
> On Fri, 13 Jul 2001, fr ml wrote:
>
> > True, I have the FTP conntrack & FTP NAT modules available
> > with auto-load, and my problem is only with active FTP.
> > Martin's answer was about a similar question, I think.
> >
> > But what I saw is that the module ftp_conntrack is up
> > when I use the state option, but not the NAT FTP module!
> > I've launched it manually with insmod; the result is the same!
> >
> > So, is there any special option to activate the nat_ftp
> > module? On ipchains, the module was ip_ftp_masq; is the
> > module ip_nat_ftp on iptables doing the same thing?
> > i.e. masquerade active FTP sessions for outgoing TCP packets
> > on port 21 (the reply IP address is in the TCP data and not in the
> > TCP header)
> >
> > > From: Sebastiaan
> > > Date: 13/07/2001 10:19:28
> > >
> > > On Fri, 13 Jul 2001, fr ml wrote:
> > >
> > > > Hello,
> > > >
> > > > I've tried to masquerade my private LAN from the outside,
> > > > but I've got problems with FTP (port 21).
> > > >
> > > > At first, I tried such a rule (where eth0 is private and
> > > > eth1 public):
> > > >
> > > > iptables -t nat -A POSTROUTING -o eth1 -s private_lan -d 0.0.0.0/0 -p tcp -m state --state NEW,ESTABLISHED,RELATED -j MASQUERADE
> > > >
> > > > with no success: the packets sent are quite masqueraded, but
> > > > the replies are still using the original non-masqueraded IP
> > > > address.
> > > >
> > > Hello,
> > >
> > > why do you not use the FTP modules ip_conntrack_ftp.o and
> > > ip_nat_ftp.o? They come with the netfilter options in the kernel.
> > > Works fine.
> > >
> > > Greetz,
> > > Sebastiaan
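The point the thread turns on is that in active FTP the address the server must connect back to travels inside the PORT command (the TCP payload of the port 21 connection), not in the IP header, so a NAT box that rewrites only headers leaves a private address in the data, and the netfilter FTP helper has to rewrite that payload, adjust TCP sequence numbers if its length changes, and register the expected data connection so the server's inbound SYN can be DNATed as RELATED. The following toy model is an added example written for this page; it is not code from the thread or from the ip_conntrack_ftp / ip_nat_ftp modules, and its class and function names, the documentation-range addresses 192.168.1.10, 10.0.0.1, 203.0.113.5 and 198.51.100.7, and the refusal of a PORT whose address disagrees with the header (Fabian's hypothesis above, taken here as an assumption) are all constructed for illustration.

```python
"""Toy model of what the netfilter FTP helpers must do to an active-mode
FTP control connection, plus the failure mode from the thread: an upstream
NAT box that rewrites only the IP/TCP headers and leaves the PORT payload
alone.  Added illustration; names and structure are not the kernel's."""
import re
from dataclasses import dataclass, field

# RFC 959: PORT h1,h2,h3,h4,p1,p2  (address and port split into decimal bytes)
PORT_RE = re.compile(r"^PORT (\d{1,3}(?:,\d{1,3}){5})(?:\r\n)?$", re.IGNORECASE)


def parse_port(line: str) -> tuple[str, int]:
    """Decode a PORT command payload into (ip, port); reject malformed values."""
    m = PORT_RE.match(line)
    if not m:
        raise ValueError(f"not a PORT command: {line!r}")
    n = [int(x) for x in m.group(1).split(",")]
    if max(n) > 255:
        raise ValueError("byte out of range in PORT")
    port = n[4] * 256 + n[5]
    if port == 0:
        raise ValueError("port 0 is not a usable data port")
    return ".".join(map(str, n[:4])), port


def build_port(ip: str, port: int) -> str:
    """Inverse of parse_port; always emits the CRLF terminator."""
    if not 0 < port < 65536:
        raise ValueError("port out of range")
    return "PORT " + ",".join(ip.split(".") + [str(port >> 8), str(port & 0xFF)]) + "\r\n"


def payload_matches_header(line: str, header_src_ip: str) -> bool:
    """Does the address inside the PORT data agree with the IP header source?
    It does not once an upstream NAT has rewritten the header but not the data."""
    return parse_port(line)[0] == header_src_ip


@dataclass
class Expectation:
    """A RELATED data connection the helper tells conntrack to expect."""
    server_ip: str      # who will open it (the FTP server)
    public_ip: str      # where it will arrive (our masqueraded address)
    public_port: int
    private_ip: str     # where to DNAT it on the LAN
    private_port: int


@dataclass
class FtpNat:
    """Minimal stand-in for ip_nat_ftp on one masqueraded control connection."""
    public_ip: str
    server_ip: str
    expectations: list = field(default_factory=list)

    def translate_port_cmd(self, line: str, header_src_ip: str):
        """Rewrite the client->server PORT payload to carry our public address.

        header_src_ip is the IP-header source as seen before this box's own
        SNAT.  Returns (new payload, sequence-number delta for later
        segments, registered expectation).
        """
        if not payload_matches_header(line, header_src_ip):
            # Assumption (Fabian's hypothesis): a PORT whose address disagrees
            # with the header cannot be fixed sensibly here, so refuse it.
            raise ValueError(f"PORT names {parse_port(line)[0]} but packet came from {header_src_ip}")
        private_ip, port = parse_port(line)
        new_line = build_port(self.public_ip, port)   # keep the port, swap the address
        exp = Expectation(self.server_ip, self.public_ip, port, private_ip, port)
        self.expectations.append(exp)
        # A rewritten payload may change length: the NAT must then shift the
        # TCP sequence/ack numbers on the rest of the connection by this delta.
        return new_line, len(new_line) - len(line), exp

    def match_data_connection(self, src_ip: str, dst_ip: str, dst_port: int):
        """Inbound SYN for a data channel: DNAT target if expected, else None."""
        for exp in self.expectations:
            if (src_ip, dst_ip, dst_port) == (exp.server_ip, exp.public_ip, exp.public_port):
                self.expectations.remove(exp)    # one-shot, like a conntrack expectation
                return exp.private_ip, exp.private_port
        return None


if __name__ == "__main__":
    # Constructed addresses (documentation ranges), not taken from the thread.
    CLIENT, NAT_SERVER, PUBLIC, SERVER = "192.168.1.10", "10.0.0.1", "203.0.113.5", "198.51.100.7"
    cmd = build_port(CLIENT, 1025)
    nat = FtpNat(PUBLIC, SERVER)

    # Client talks straight to the netfilter box: payload and header agree.
    new, delta, _ = nat.translate_port_cmd(cmd, CLIENT)
    print(new.strip(), "seq delta", delta)
    print("data SYN DNATed to", nat.match_data_connection(SERVER, PUBLIC, 1025))

    # Fabian's topology: NAT_SERVER already rewrote the header to 10.0.0.1
    # but left 192,168,1,10 in the data, so the helper cannot match them.
    print("payload/header agree:", payload_matches_header(cmd, NAT_SERVER))
```

Run as-is and the first translation turns `PORT 192,168,1,10,4,1` into `PORT 203,0,113,5,4,1`, one byte shorter, which is exactly why the helper must also keep a sequence-number offset for the rest of the control connection; the last line prints `False` for the double-NAT topology, the situation the thread ends on.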

