When I try to connect to it using FlashFXP it says:

[22:16:11] WinSock 2.0 -- OpenSSL 0.9.7g 11 Apr 2005
[22:16:17] [R] Connecting to cauchy.homeip.net -> DNS=cauchy.homeip.net IP=89.212.9.43 PORT=21
[22:16:18] [R] Connection failed (Connection refused)
[22:16:18] [R] Delaying for 120 seconds before reconnect attempt #1
I don't think it's the DNAT causing the problem, because torrents and ed2k and some other things work fine (on ports 50000-50004). Also, if I use the uTorrent port checker on port 21 (http://www.utorrent.com/testport.php?port=21) it says that it's open and accepting connections. It has to be something specific to FTP. Here is the complete output of iptables-save if it helps:

# Generated by iptables-save v1.3.6 on Thu Sep 6 22:05:23 2007
*raw
:PREROUTING ACCEPT [10299443:6842649469]
:OUTPUT ACCEPT [6300:1508171]
COMMIT
# Completed on Thu Sep 6 22:05:23 2007
# Generated by iptables-save v1.3.6 on Thu Sep 6 22:05:23 2007
*nat
:PREROUTING ACCEPT [73077:4323725]
:POSTROUTING ACCEPT [474484:30117358]
:OUTPUT ACCEPT [350:28305]
:eth1_masq - [0:0]
:net_dnat - [0:0]
-A PREROUTING -i eth1 -j net_dnat
-A POSTROUTING -o eth1 -j eth1_masq
-A OUTPUT -p tcp -m tcp --dport 50000:50010 -j DNAT --to-destination 192.168.0.3
-A OUTPUT -p udp -m udp --dport 50000:50010 -j DNAT --to-destination 192.168.0.3
-A OUTPUT -p tcp -m tcp --dport 21 -j DNAT --to-destination 192.168.0.3
-A eth1_masq -s 192.168.0.0/255.255.255.0 -j MASQUERADE
-A net_dnat -p tcp -m tcp --dport 50000:50010 -j DNAT --to-destination 192.168.0.3
-A net_dnat -p udp -m udp --dport 50000:50010 -j DNAT --to-destination 192.168.0.3
-A net_dnat -p tcp -m tcp --dport 21 -j DNAT --to-destination 192.168.0.3
COMMIT
# Completed on Thu Sep 6 22:05:23 2007
# Generated by iptables-save v1.3.6 on Thu Sep 6 22:05:23 2007
*mangle
:PREROUTING ACCEPT [10299485:6842699601]
:INPUT ACCEPT [10793:1610545]
:FORWARD ACCEPT [10288660:6841074263]
:OUTPUT ACCEPT [42345:8301662]
:POSTROUTING ACCEPT [10294924:6842547103]
:tcfor - [0:0]
:tcout - [0:0]
:tcpost - [0:0]
:tcpre - [0:0]
-A PREROUTING -j tcpre
-A FORWARD -j tcfor
-A OUTPUT -j tcout
-A POSTROUTING -j tcpost
COMMIT
# Completed on Thu Sep 6 22:05:23 2007
# Generated by iptables-save v1.3.6 on Thu Sep 6 22:05:23 2007
*filter
:INPUT DROP [8:460]
:FORWARD DROP [22:22814]
:OUTPUT DROP [0:0]
:Drop - [0:0]
:Reject - [0:0]
:all2all - [0:0]
:blacklst - [0:0]
:dropBcast - [0:0]
:dropInvalid - [0:0]
:dropNotSyn - [0:0]
:dynamic - [0:0]
:eth0_fwd - [0:0]
:eth0_in - [0:0]
:eth0_out - [0:0]
:eth1_fwd - [0:0]
:eth1_in - [0:0]
:eth1_out - [0:0]
:fw2all - [0:0]
:fw2loc - [0:0]
:fw2net - [0:0]
:loc2all - [0:0]
:loc2fw - [0:0]
:loc2net - [0:0]
:logdrop - [0:0]
:logflags - [0:0]
:logreject - [0:0]
:net2all - [0:0]
:net2fw - [0:0]
:net2loc - [0:0]
:norfc1918 - [0:0]
:reject - [0:0]
:rfc1918 - [0:0]
:shorewall - [0:0]
:smurfs - [0:0]
:tcpflags - [0:0]
-A INPUT -i lo -j ACCEPT
-A INPUT -i eth0 -j eth0_in
-A INPUT -i eth1 -j eth1_in
-A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
-A INPUT -j Reject
-A INPUT -j LOG --log-prefix "Shorewall:INPUT:REJECT:" --log-level 6
-A INPUT -j reject
-A FORWARD -p tcp -m tcp --tcp-flags SYN,RST SYN -j TCPMSS --clamp-mss-to-pmtu
-A FORWARD -i eth0 -j eth0_fwd
-A FORWARD -i eth1 -j eth1_fwd
-A FORWARD -m state --state RELATED,ESTABLISHED -j ACCEPT
-A FORWARD -j Reject
-A FORWARD -j LOG --log-prefix "Shorewall:FORWARD:REJECT:" --log-level 6
-A FORWARD -j reject
-A OUTPUT -o lo -j ACCEPT
-A OUTPUT -o eth0 -j eth0_out
-A OUTPUT -o eth1 -j eth1_out
-A OUTPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
-A OUTPUT -j ACCEPT
-A Drop -p tcp -m tcp --dport 113 -j reject
-A Drop -j dropBcast
-A Drop -p icmp -m icmp --icmp-type 3/4 -j ACCEPT
-A Drop -p icmp -m icmp --icmp-type 11 -j ACCEPT
-A Drop -j dropInvalid
-A Drop -p udp -m multiport --dports 135,445 -j DROP
-A Drop -p udp -m udp --dport 137:139 -j DROP
-A Drop -p udp -m udp --sport 137 --dport 1024:65535 -j DROP
-A Drop -p tcp -m multiport --dports 135,139,445 -j DROP
-A Drop -p udp -m udp --dport 1900 -j DROP
-A Drop -p tcp -j dropNotSyn
-A Drop -p udp -m udp --sport 53 -j DROP
-A Reject -p tcp -m tcp --dport 113 -j reject
-A Reject -j dropBcast
-A Reject -p icmp -m icmp --icmp-type 3/4 -j ACCEPT
-A Reject -p icmp -m icmp --icmp-type 11 -j ACCEPT
-A Reject -j dropInvalid
-A Reject -p udp -m multiport --dports 135,445 -j reject
-A Reject -p udp -m udp --dport 137:139 -j reject
-A Reject -p udp -m udp --sport 137 --dport 1024:65535 -j reject
-A Reject -p tcp -m multiport --dports 135,139,445 -j reject
-A Reject -p udp -m udp --dport 1900 -j DROP
-A Reject -p tcp -j dropNotSyn
-A Reject -p udp -m udp --sport 53 -j DROP
-A all2all -m state --state RELATED,ESTABLISHED -j ACCEPT
-A all2all -j Reject
-A all2all -j LOG --log-prefix "Shorewall:all2all:REJECT:" --log-level 6
-A all2all -j reject
-A blacklst -s 65.204.61.101 -j DROP
-A blacklst -s 221.122.51.250 -j DROP
-A blacklst -s 130.94.69.122 -j DROP
-A dropBcast -m pkttype --pkt-type broadcast -j DROP
-A dropBcast -m pkttype --pkt-type multicast -j DROP
-A dropInvalid -m state --state INVALID -j DROP
-A dropNotSyn -p tcp -m tcp ! --tcp-flags FIN,SYN,RST,ACK SYN -j DROP
-A eth0_fwd -m state --state INVALID,NEW -j dynamic
-A eth0_fwd -m state --state INVALID,NEW -j smurfs
-A eth0_fwd -p tcp -j tcpflags
-A eth0_fwd -s 192.168.0.0/255.255.255.0 -o eth1 -j loc2net
-A eth0_in -m state --state INVALID,NEW -j dynamic
-A eth0_in -m state --state INVALID,NEW -j smurfs
-A eth0_in -p udp -m udp --dport 67:68 -j ACCEPT
-A eth0_in -p tcp -j tcpflags
-A eth0_in -s 192.168.0.0/255.255.255.0 -j loc2fw
-A eth0_out -p udp -m udp --dport 67:68 -j ACCEPT
-A eth0_out -d 192.168.0.0/255.255.255.0 -j fw2loc
-A eth0_out -d 255.255.255.255 -j fw2loc
-A eth0_out -d 224.0.0.0/240.0.0.0 -j fw2loc
-A eth1_fwd -m state --state INVALID,NEW -j dynamic
-A eth1_fwd -m state --state INVALID,NEW -j blacklst
-A eth1_fwd -m state --state INVALID,NEW -j smurfs
-A eth1_fwd -m state --state NEW -j norfc1918
-A eth1_fwd -p tcp -j tcpflags
-A eth1_fwd -d 192.168.0.0/255.255.255.0 -o eth0 -j net2loc
-A eth1_in -m state --state INVALID,NEW -j dynamic
-A eth1_in -m state --state INVALID,NEW -j blacklst
-A eth1_in -m state --state INVALID,NEW -j smurfs
-A eth1_in -p udp -m udp --dport 67:68 -j ACCEPT
-A eth1_in -m state --state NEW -j norfc1918
-A eth1_in -p tcp -j tcpflags
-A eth1_in -j net2fw
-A eth1_out -p udp -m udp --dport 67:68 -j ACCEPT
-A eth1_out -j fw2net
-A fw2all -m state --state RELATED,ESTABLISHED -j ACCEPT
-A fw2all -j ACCEPT
-A fw2loc -m state --state RELATED,ESTABLISHED -j ACCEPT
-A fw2loc -p icmp -m icmp --icmp-type 8 -j ACCEPT
-A fw2loc -d 192.168.0.3 -p tcp -m tcp --dport 50000:50010 -j ACCEPT
-A fw2loc -d 192.168.0.3 -p udp -m udp --dport 50000:50010 -j ACCEPT
-A fw2loc -d 192.168.0.3 -p tcp -m tcp --dport 21 -j ACCEPT
-A fw2loc -p udp -m udp --dport 123 -j ACCEPT
-A fw2loc -j fw2all
-A fw2net -m state --state RELATED,ESTABLISHED -j ACCEPT
-A fw2net -p icmp -m icmp --icmp-type 8 -j ACCEPT
-A fw2net -p udp -m udp --dport 123 -j ACCEPT
-A fw2net -j fw2all
-A loc2all -m state --state RELATED,ESTABLISHED -j ACCEPT
-A loc2all -j ACCEPT
-A loc2fw -m state --state RELATED,ESTABLISHED -j ACCEPT
-A loc2fw -p tcp -m tcp --dport 22 -j ACCEPT
-A loc2fw -p tcp -m tcp --dport 10000 -j ACCEPT
-A loc2fw -p udp -m udp --dport 53 -j ACCEPT
-A loc2fw -p tcp -m tcp --dport 53 -j ACCEPT
-A loc2fw -p icmp -m icmp --icmp-type 8 -j ACCEPT
-A loc2fw -p icmp -m icmp --icmp-type 8 -j LOG --log-prefix "Shorewall:loc2fw:REJECT:" --log-level 6
-A loc2fw -p icmp -m icmp --icmp-type 8 -j reject
-A loc2fw -p udp -m udp --dport 123 -j ACCEPT
-A loc2fw -j loc2all
-A loc2net -m state --state RELATED,ESTABLISHED -j ACCEPT
-A loc2net -p icmp -m icmp --icmp-type 8 -j ACCEPT
-A loc2net -p udp -m udp --dport 123 -j ACCEPT
-A loc2net -j loc2all
-A logdrop -j LOG --log-prefix "Shorewall:logdrop:DROP:" --log-level 6
-A logdrop -j DROP
-A logflags -j LOG --log-prefix "Shorewall:logflags:DROP:" --log-level 6
-A logflags -j DROP
-A logreject -j LOG --log-prefix "Shorewall:logreject:REJECT:" --log-level 6
-A logreject -j reject
-A net2all -m state --state RELATED,ESTABLISHED -j ACCEPT
-A net2all -j Reject
-A net2all -j LOG --log-prefix "Shorewall:net2all:REJECT:" --log-level 6
-A net2all -j reject
-A net2fw -m state --state RELATED,ESTABLISHED -j ACCEPT
-A net2fw -p tcp -m tcp --dport 22 -j ACCEPT
-A net2fw -p tcp -m tcp --dport 10000 -j ACCEPT
-A net2fw -p icmp -m icmp --icmp-type 8 -j LOG --log-prefix "Shorewall:net2fw:REJECT:" --log-level 6
-A net2fw -p icmp -m icmp --icmp-type 8 -j reject
-A net2fw -p udp -m udp --dport 123 -j ACCEPT
-A net2fw -j net2all
-A net2loc -m state --state RELATED,ESTABLISHED -j ACCEPT
-A net2loc -d 192.168.0.3 -p tcp -m tcp --dport 50000:50010 -j ACCEPT
-A net2loc -d 192.168.0.3 -p udp -m udp --dport 50000:50010 -j ACCEPT
-A net2loc -d 192.168.0.3 -p tcp -m tcp --dport 21 -j ACCEPT
-A net2loc -p udp -m udp --dport 123 -j ACCEPT
-A net2loc -j net2all
-A norfc1918 -s 172.16.0.0/255.240.0.0 -j rfc1918
-A norfc1918 -m conntrack --ctorigdst 172.16.0.0/12 -j rfc1918
-A norfc1918 -s 192.168.0.0/255.255.0.0 -j rfc1918
-A norfc1918 -m conntrack --ctorigdst 192.168.0.0/16 -j rfc1918
-A norfc1918 -s 10.0.0.0/255.0.0.0 -j rfc1918
-A norfc1918 -m conntrack --ctorigdst 10.0.0.0/8 -j rfc1918
-A reject -m pkttype --pkt-type broadcast -j DROP
-A reject -m pkttype --pkt-type multicast -j DROP
-A reject -s 255.255.255.255 -j DROP
-A reject -s 224.0.0.0/240.0.0.0 -j DROP
-A reject -p tcp -j REJECT --reject-with tcp-reset
-A reject -p udp -j REJECT --reject-with icmp-port-unreachable
-A reject -p icmp -j REJECT --reject-with icmp-host-unreachable
-A reject -j REJECT --reject-with icmp-host-prohibited
-A rfc1918 -j LOG --log-prefix "Shorewall:rfc1918:DROP:" --log-level 6
-A rfc1918 -j DROP
-A smurfs -s 192.168.0.255 -j LOG --log-prefix "Shorewall:smurfs:DROP:" --log-level 6
-A smurfs -s 192.168.0.255 -j DROP
-A smurfs -s 89.212.255.255 -j LOG --log-prefix "Shorewall:smurfs:DROP:" --log-level 6
-A smurfs -s 89.212.255.255 -j DROP
-A smurfs -s 255.255.255.255 -j LOG --log-prefix "Shorewall:smurfs:DROP:" --log-level 6
-A smurfs -s 255.255.255.255 -j DROP
-A smurfs -s 224.0.0.0/240.0.0.0 -j LOG --log-prefix "Shorewall:smurfs:DROP:" --log-level 6
-A smurfs -s 224.0.0.0/240.0.0.0 -j DROP
-A tcpflags -p tcp -m tcp --tcp-flags FIN,SYN,RST,PSH,ACK,URG FIN,PSH,URG -j logflags
-A tcpflags -p tcp -m tcp --tcp-flags FIN,SYN,RST,PSH,ACK,URG NONE -j logflags
-A tcpflags -p tcp -m tcp --tcp-flags SYN,RST SYN,RST -j logflags
-A tcpflags -p tcp -m tcp --tcp-flags FIN,SYN FIN,SYN -j logflags
-A tcpflags -p tcp -m tcp --sport 0 --tcp-flags FIN,SYN,RST,ACK SYN -j logflags
COMMIT
# Completed on Thu Sep 6 22:05:23 2007

I can't figure anything out of this output. Can anyone? Is it possible to see what's causing the problem?

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Tom Eastep
Sent: Thursday, September 06, 2007 3:53 PM
To: Shorewall Users
Subject: Re: [Shorewall-users] FTP not working behind Ubuntu+Shorewall

Tom Eastep wrote:
> Ziga Milek wrote:
>> As a matter of fact I thought of the unusual port choice causing the
>> problem and switched the FTP port back to 21 and added an 'FTP/DNAT all
>> loc:192.168.0.3' rule, and the problem persists. Any other idea?
>
> Have you consulted http://www.shorewall.net/FTP.html ?
>

Oops -- I see that you mentioned that article in an earlier post.

What is failing? The initial control connection, or operations like 'ls' that require a data connection?

Your post sounds like it is the initial control connection, in which case you need to follow the DNAT troubleshooting tips in Shorewall FAQs 1a and 1b.

-Tom
--
Tom Eastep        \ Nothing is foolproof to a sufficiently talented fool
Shoreline,         \ http://shorewall.net
Washington USA      \ [EMAIL PROTECTED]
PGP Public Key       \ https://lists.shorewall.net/teastep.pgp.key
_______________________________________________
Shorewall-users mailing list
[email protected]
https://lists.sourceforge.net/lists/listinfo/shorewall-users
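A static trace of the posted ruleset, added here as an example; it is not code from this thread or from Shorewall. It parses iptables-save output and walks one new inbound TCP SYN through the nat PREROUTING and filter FORWARD chains, following the user-chain jumps the way the kernel would, so you can see which rule rewrites the destination and which rule finally accepts or rejects the packet. The ruleset in the block is a constructed excerpt of the dump above (only the chains such a packet crosses), and the packet is constructed too: it arrives on eth1 for 89.212.9.43 from an arbitrary Internet address and is assumed to route out eth0 after DNAT. Only the match options it needs (-i, -o, -p, -s, -d, --dport, --state) are implemented; any other option, including "!" negation, is assumed not to match, so the Drop, Reject and tcpflags chains of the full dump are outside what it models.

```python
import ipaddress
import shlex

BUILTIN = {"ACCEPT", "DROP", "REJECT", "DNAT", "SNAT", "MASQUERADE", "REDIRECT"}
NONTERMINAL = {"LOG", "ULOG", "TCPMSS", "MARK"}  # the packet keeps traversing after these

# Constructed excerpt of the iptables-save dump posted above, cut to the chains a new inbound SYN on eth1 crosses.
SAMPLE = """\
*nat
:PREROUTING ACCEPT [0:0]
-A PREROUTING -i eth1 -j net_dnat
-A net_dnat -p tcp -m tcp --dport 21 -j DNAT --to-destination 192.168.0.3
COMMIT
*filter
:FORWARD DROP [0:0]
-A FORWARD -i eth1 -j eth1_fwd
-A FORWARD -m state --state RELATED,ESTABLISHED -j ACCEPT
-A FORWARD -j LOG --log-prefix "Shorewall:FORWARD:REJECT:" --log-level 6
-A FORWARD -j reject
-A eth1_fwd -d 192.168.0.0/255.255.255.0 -o eth0 -j net2loc
-A net2loc -d 192.168.0.3 -p tcp -m tcp --dport 21 -j ACCEPT
-A net2loc -j net2all
-A net2all -j reject
-A reject -p tcp -j REJECT --reject-with tcp-reset
COMMIT
"""

def parse_save(text):  # -> rules[table][chain] = [argv, ...], policy[table][chain]
    rules, policy, table = {}, {}, None
    for line in text.splitlines():
        if line.startswith("*"):
            table = line[1:].strip()
            rules[table], policy[table] = {}, {}
        elif line.startswith(":"):
            name, pol = line[1:].split()[:2]
            if pol != "-":  # "-" marks a user-defined chain, which has no policy
                policy[table][name] = pol
        elif line.startswith("-A "):
            argv = shlex.split(line)
            rules[table].setdefault(argv[1], []).append(argv[2:])
    return rules, policy

def _cidr_hit(net, ip):  # accepts both 10.0.0.0/8 and 192.168.0.0/255.255.255.0
    return ipaddress.ip_address(ip) in ipaddress.ip_network(net, strict=False)

def _port_hit(spec, port):  # "21" or a range such as "50000:50010"
    lo, _, hi = spec.partition(":")
    return int(lo) <= port <= int(hi or lo)

MATCH = {  # option -> predicate(value, pkt). Options not listed here (and "!"
    "-i": lambda v, p: p["in_if"] == v,    # negation) are assumed NOT to match.
    "-o": lambda v, p: p["out_if"] == v,
    "-p": lambda v, p: p["proto"] == v,
    "-s": lambda v, p: _cidr_hit(v, p["src"]),
    "-d": lambda v, p: _cidr_hit(v, p["dst"]),
    "--dport": lambda v, p: _port_hit(v, p["dport"]),
    "--state": lambda v, p: p["state"] in v.split(","),
}

def rule_matches(argv, pkt):  # -> (hit, target, target_args)
    i = 0
    while i < len(argv):
        tok = argv[i]
        if tok == "-j":
            return True, argv[i + 1], argv[i + 2:]
        if tok != "-m" and not (tok in MATCH and MATCH[tok](argv[i + 1], pkt)):
            return False, None, []  # ("-m module" by itself constrains nothing)
        i += 2
    return True, None, []

def walk(rules, chain, pkt, trace):  # -> verdict, or None when the chain falls through
    for argv in rules.get(chain, []):
        hit, target, extra = rule_matches(argv, pkt)
        if not hit or target is None:
            continue
        trace.append(f"{chain}: {' '.join(argv)}")
        if target in NONTERMINAL:
            continue
        if target not in BUILTIN:  # jump into a user-defined chain
            verdict = walk(rules, target, pkt, trace)
            if verdict is not None:
                return verdict
            continue
        if target == "DNAT":  # the filter table then sees the rewritten destination
            pkt["dst"] = extra[extra.index("--to-destination") + 1].split(":")[0]
        return target
    return None

def trace_inbound(save_text, dport):
    # Constructed packet: a new SYN from an Internet host to the public address in the post.
    pkt = {"in_if": "eth1", "out_if": "eth0", "proto": "tcp", "src": "203.0.113.5",
           "dst": "89.212.9.43", "dport": dport, "state": "NEW"}
    rules, policy = parse_save(save_text)
    trace = []
    nat = walk(rules["nat"], "PREROUTING", pkt, trace) or policy["nat"]["PREROUTING"]
    fwd = walk(rules["filter"], "FORWARD", pkt, trace) or policy["filter"]["FORWARD"]
    return nat, fwd, trace

if __name__ == "__main__":
    for port in (21, 80):
        nat, fwd, trace = trace_inbound(SAMPLE, port)
        print(f"tcp/{port}: nat={nat} filter={fwd}\n   " + "\n   ".join(trace))
```

Against this excerpt, tcp/21 traces PREROUTING -> net_dnat (DNAT to 192.168.0.3) and then FORWARD -> eth1_fwd -> net2loc -> ACCEPT, so the ruleset as posted does forward the control connection to the FTP host. tcp/80, which has no DNAT rule, ends in the firewall's own reject chain, whose REJECT --reject-with tcp-reset looks to a client exactly like the "Connection refused" in the FlashFXP log. A RST can therefore come from either the firewall or from 192.168.0.3 itself, and the two cases are only told apart by watching the traffic, e.g. a capture on eth0 for port 21 while FlashFXP connects: if the SYN appears there and the RST comes back from 192.168.0.3, the ruleset is not the problem.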
