Hello,

my name is Mario Holbe, I'm trying to use netfilter's SNAT+DNAT
to map a private network to another official network via
a linux/sparc based gateway.

My target is to get a static 1:1 NAT working in both directions,
meaning an internal host should be able to connect to the outside
and the outside should be able to connect to internal hosts via
their official IPs too.

I'm using SuSE/Sparc distribution, which provides 2.4.14 kernel.

Actually, for testing purposes, I'm trying to map exactly one internal
IP (172.31.248.4) to exactly one external IP (195.37.36.227):

modprobe ip_conntrack_ftp
modprobe iptable_nat

iptables -t nat -A POSTROUTING -s 172.31.248.4 -j SNAT \
        --to-source 195.37.36.227
iptables -t nat -A PREROUTING -d 195.37.36.227 -j DNAT \
        --to-destination 172.31.248.4

Everything works fine so far - but ftp.

With both rules applied, I'm able to ssh from the inside to the
outside as well as from the outside to the inside for example.

With ftp the following happens:

After inserting the first rule (which should be enough to get
ftp working from the inside to the outside, as far as I understand
conntrack), I get:

ftp ftp.uni-stuttgart.de
Connected to ftp.uni-stuttgart.de.
[...]
ftp> dir
500 Illegal PORT Command
425 Can't build data connection: No route to host.
ftp>

After inserting the second rule too, something really strange happens:

ftp ftp.uni-stuttgart.de
Connected to ftp.uni-stuttgart.de.
[...]
ftp> dir
ftp> dir
500 Illegal PORT Command
150 Opening ASCII mode data connection for /bin/ls.
total 52724
[...]
226 Transfer complete.
1888 bytes received in 0.019 seconds (99.27 Kbytes/s)
ftp> dir
500 Illegal PORT Command
ftp>

lsmod on the gateway gives:
Module                  Size  Used by    Tainted: P
iptable_nat            15760   0  (unused)
ip_tables              13824   3  [iptable_nat]
ip_conntrack_ftp        4112   0  (unused)
ip_conntrack           16568   2  [iptable_nat ip_conntrack_ftp]

So modules should be loaded correctly.

It seems that ftp conntracking doesn't work on sparc with 2.4.14.
I know it works well with intel architecture, so I guess it's
some endianness problem.

However, does anybody know, if it works (better) with 2.4.18 or
iptables-1.2.6a patched into 2.4.14?
I'm sorry, I'm not really familiar with building kernels SuSE-like,
so I'd like to know if it has a chance to succeed before I try
it :)


PS: I'm not on the list, so please CC: me in replies.


thanks & regards,
   Mario
-- 
Oh you, my king ... A net celebrity once wrote, roughly:
You have to read it the way I mean it, not the way I write it.
Of course I mean it the way you write it 8--)
                                    O.G. Schwenk - de.comm.chatsystems
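As an added illustration (not part of the post above), the following shows what the NAT-side FTP helper has to do to an active-mode PORT command for this 1:1 mapping, and the address check on the server that answers "500 Illegal PORT Command" when the private address leaks through untouched. In 2.4 kernels that payload rewriting is done by ip_nat_ftp, a module separate from ip_conntrack_ftp and not present in the lsmod output above; the addresses are the post's, the client port is constructed.

```python
import re
from ipaddress import IPv4Address

# Addresses from the post: the internal host and its public 1:1 NAT address.
INTERNAL = IPv4Address("172.31.248.4")
PUBLIC = IPv4Address("195.37.36.227")
NAT_MAP = {INTERNAL: PUBLIC}  # the SNAT rule, expressed as a lookup table

PORT_RE = re.compile(r"^PORT (\d+),(\d+),(\d+),(\d+),(\d+),(\d+)\r?\n?$")


def parse_port(cmd):
    """Decode an active-mode 'PORT h1,h2,h3,h4,p1,p2' line into (ip, port)."""
    m = PORT_RE.match(cmd)
    if m is None:
        raise ValueError("not a PORT command: %r" % cmd)
    f = [int(x) for x in m.groups()]
    if any(x > 255 for x in f):
        raise ValueError("field out of range: %r" % cmd)
    return IPv4Address(".".join(str(x) for x in f[:4])), f[4] * 256 + f[5]


def format_port(ip, port):
    """Encode (ip, port) as the PORT command line the client sends."""
    return "PORT %s,%d,%d\r\n" % (str(ip).replace(".", ","), port >> 8, port & 0xFF)


def server_accepts_port(cmd, peer_ip):
    """The check a typical FTP server applies before opening the data
    connection: the PORT address must equal the control connection's peer
    address, otherwise it answers '500 Illegal PORT Command'."""
    ip, _ = parse_port(cmd)
    return ip == peer_ip


def nat_helper_rewrite(cmd, nat_map):
    """What the NAT-side FTP helper must do when the control connection is
    SNATed: rewrite the private address inside the payload and register an
    expectation so that the server's incoming data connection to the public
    address is DNATed back to the internal host. Returns (new_cmd, expectation)."""
    ip, port = parse_port(cmd)
    public_ip = nat_map[ip]
    expectation = {"proto": "tcp", "dst": (public_ip, port), "dnat_to": (ip, port)}
    return format_port(public_ip, port), expectation


if __name__ == "__main__":
    leaked = format_port(INTERNAL, 40001)  # constructed client data port
    print(leaked.strip(), "accepted:", server_accepts_port(leaked, PUBLIC))
    fixed, exp = nat_helper_rewrite(leaked, NAT_MAP)
    print(fixed.strip(), "accepted:", server_accepts_port(fixed, PUBLIC), exp)
```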
