Re: conntrack_ftp and DNAT

2017-02-16 Thread Klaus Ethgen
Hi Florian, On Thu, 16 Feb 2017 at 9:41, Florian Westphal wrote: > Klaus Ethgen wrote: > > > 2. ftp server uses foreign (non-local) IP addresses in PORT command > > >(this needs fixing of ftp server or use of 'loose'

Re: conntrack_ftp and DNAT

2017-02-16 Thread Klaus Ethgen
Hi Florian, On Thu, 16 Feb 2017 at 1:17, Florian Westphal wrote: > Klaus Ethgen wrote: [Conntrack and DNAT] > > Here are the relevant entries in iptables: > > iptables -t raw -A PREROUTING -p tcp -m tcp --dport 21 -j CT

Re: conntrack_ftp and DNAT

2017-02-15 Thread Florian Westphal
Klaus Ethgen wrote: > allow me to ask a question about conntrack and nf_conntrack_ftp and > nf_nat_ftp and DNAT. > > I have a host where I do DNAT from the main IPv4 address to the backend > ftp server. Currently I have the server data connections limited to a > small port