Mailing List Archive

ftp problem with iptables
Hi all,
I still have my ftp problem. I now have a very small number of rules for
the sake of testing. Here they are:
-------------------Begin of rules---------------------------
IPTABLES=/sbin/iptables

BastionExternalIp=192.168.1.2

InternalIf=eth0
ExternalIf=eth1
# Variable name must match the $LoopbackIf used in the rules below (was LoopBackIf)
LoopbackIf=lo

echo Configuring default policy
$IPTABLES -P INPUT DROP
$IPTABLES -P FORWARD DROP
$IPTABLES -P OUTPUT DROP
$IPTABLES -t nat -P OUTPUT ACCEPT
$IPTABLES -t nat -P POSTROUTING ACCEPT
$IPTABLES -t nat -P PREROUTING ACCEPT

#Permit anything related to, or part of, an existing connection
$IPTABLES -A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
$IPTABLES -A OUTPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
$IPTABLES -A FORWARD -m state --state RELATED,ESTABLISHED -j ACCEPT

#Accept all from loopback
$IPTABLES -A INPUT -i $LoopbackIf -j ACCEPT
$IPTABLES -A OUTPUT -o $LoopbackIf -j ACCEPT

#Accept all from internal interface Linux box
$IPTABLES -A INPUT -i $InternalIf -j ACCEPT

$IPTABLES -N to-ext
$IPTABLES -A FORWARD -o $ExternalIf -j to-ext
$IPTABLES -A OUTPUT -o $ExternalIf -j to-ext

$IPTABLES -A to-ext -m state --state NEW -j ACCEPT

$IPTABLES -t nat -A POSTROUTING -o $ExternalIf -j SNAT --to-source $BastionExternalIp
-------------------End of rules-----------------------------

I try an ftp on the Linux box itself and here is what tcpdump tells me:

-----------------Begin of tcpdump output-----------------------
09:22:41.967494 eth1 > externe.1029 > 64.102.255.95.ftp: S
953089502:953089502(0) win 5840 <mss 1460,eol> (DF)
09:22:44.967494 eth1 > externe.1029 > 64.102.255.95.ftp: S
953089502:953089502(0) win 5840 <mss 1460,eol> (DF)
09:22:45.097494 eth1 < 64.102.255.95.ftp > externe.1029: S
2386694080:2386694080(0) ack 953089503 win 8760 <mss 1460> (DF)
09:22:45.097494 eth1 > externe.1029 > 64.102.255.95.ftp: . 1:1(0) ack 1 win
5840 (DF)
09:22:48.597494 eth1 < 64.102.255.95.ftp > externe.1029: S
2386694080:2386694080(0) ack 953089503 win 8760 <mss 1460> (DF)
09:22:54.997494 eth1 < 64.102.255.95.ftp > externe.1029: S
2386694080:2386694080(0) ack 953089503 win 8760 <mss 1460> (DF)
09:23:07.797494 eth1 < 64.102.255.95.ftp > externe.1029: S
2386694080:2386694080(0) ack 953089503 win 8760 <mss 1460> (DF)
09:23:33.397494 eth1 < 64.102.255.95.ftp > externe.1029: S
2386694080:2386694080(0) ack 953089503 win 8760 <mss 1460> (DF)
09:24:24.597494 eth1 < 64.102.255.95.ftp > externe.1029: S
2386694080:2386694080(0) ack 953089503 win 8760 <mss 1460> (DF)
-----------------End of tcpdump output-----------------------

I tried several times and it always seems as if the ftp server never receives
the "ack" for its "syn,ack" packet! Here is the output of lsmod (relevant
modules only):
-----------------Begin of lsmod output-----------------------
Module Size Used by
ipt_state 1200 4 (autoclean)
iptable_mangle 2272 0 (autoclean) (unused)
ip_nat_ftp 3760 0 (unused)
ip_conntrack_ftp 2480 0 (unused)
iptable_nat 16160 1 (autoclean) [ip_nat_ftp]
ip_conntrack 15824 3 (autoclean) [ipt_state ip_nat_ftp ip_conntrack_ftp iptable_nat]
iptable_filter 2304 0 (autoclean) (unused)
ip_tables 11072 6 [ipt_state iptable_mangle iptable_nat iptable_filter]
-----------------End of lsmod output-----------------------

What is wrong?

--
Mohamad
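The handshake pattern in the tcpdump above (two client SYNs, then the server's SYN-ACK repeated five times even though the client's ACK went out on eth1) is the signature of an ACK being lost somewhere beyond the firewall. The following is an added example, not code from the original posts, that parses a constructed sample of those same tcpdump lines, counts SYN and SYN-ACK retransmissions per flow, and reports which side of the handshake is failing; it assumes the old tcpdump line format shown in the post, with relative sequence numbers after the handshake.

```python
import re
from collections import defaultdict

# Constructed sample: a subset of the tcpdump lines quoted in the post above.
SAMPLE = """\
09:22:41.967494 eth1 > externe.1029 > 64.102.255.95.ftp: S 953089502:953089502(0) win 5840 <mss 1460,eol> (DF)
09:22:44.967494 eth1 > externe.1029 > 64.102.255.95.ftp: S 953089502:953089502(0) win 5840 <mss 1460,eol> (DF)
09:22:45.097494 eth1 < 64.102.255.95.ftp > externe.1029: S 2386694080:2386694080(0) ack 953089503 win 8760 <mss 1460> (DF)
09:22:45.097494 eth1 > externe.1029 > 64.102.255.95.ftp: . 1:1(0) ack 1 win 5840 (DF)
09:22:48.597494 eth1 < 64.102.255.95.ftp > externe.1029: S 2386694080:2386694080(0) ack 953089503 win 8760 <mss 1460> (DF)
09:22:54.997494 eth1 < 64.102.255.95.ftp > externe.1029: S 2386694080:2386694080(0) ack 953089503 win 8760 <mss 1460> (DF)
"""

# time  iface  direction  src > dst:  flags  rest-of-line
LINE = re.compile(r"^(\S+) (\S+) ([<>]) (\S+) > (\S+): (\S+)(.*)$")

def parse(text):
    """Yield (time, iface, direction, src, dst, flags, rest) per tcpdump line."""
    for raw in text.splitlines():
        m = LINE.match(raw)
        if m:
            yield m.groups()

def diagnose(text):
    """Per flow, count client SYNs and server SYN-ACKs and locate the loss."""
    out_syn = defaultdict(int)    # SYNs sent by the local client
    in_synack = defaultdict(int)  # SYN-ACKs received from the server
    acked = set()                 # flows where the client sent its handshake ACK
    for _t, _iface, direction, src, dst, flags, rest in parse(text):
        # Normalise to (client, server) regardless of packet direction.
        flow = (src, dst) if direction == ">" else (dst, src)
        if direction == ">" and flags == "S":
            out_syn[flow] += 1
        elif direction == "<" and flags == "S" and " ack " in rest:
            in_synack[flow] += 1
        elif direction == ">" and flags == "." and " ack 1 " in rest:
            acked.add(flow)  # relative "ack 1" = third packet of the handshake
    findings = {}
    for flow in set(out_syn) | set(in_synack):
        if in_synack[flow] > 1 and flow in acked:
            findings[flow] = "ACK sent but server keeps resending SYN-ACK: ACK lost upstream"
        elif out_syn[flow] > 1 and in_synack[flow] == 0:
            findings[flow] = "SYN retransmitted, no SYN-ACK seen: SYN dropped or host unreachable"
        else:
            findings[flow] = "handshake looks complete"
    return findings
```

Run `diagnose()` over `tcpdump -i eth1 -n` output captured on the external interface; a flow reported as "ACK lost upstream" means the firewall let the ACK out and the problem lies on the path beyond it, which is exactly where this thread ends up.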
Re: ftp problem with iptables
Finding nothing special in my configuration, I ended up calling my ISP.
I was surprised to discover that they block all tcp connections to a port >
1023. So it is normal that my passive ftp doesn't work. This information was not
communicated to us in any document, and it seems that this is a
common attitude, so this is perhaps the first thing to check.

--
Mohamad
ftp problem with iptables
I have posted on this list concerning an ftp problem when in passive mode. I have
called the technical support of my ISP and someone said that they block tcp
connections to ports greater than 1023. I even wrote a message saying this to the
list. But finding it a little strange, I tried with a roaming access (using a modem
without a firewall) from the same provider and passive ftp worked fine.

So I tried the same thing at home.
Office configuration: ADSL --- filtering router --- firewall Linux --- internal
network
Home configuration: 56K modem --- firewall Linux --- internal network

Differences between the two configurations:
- I had to change only one thing, the name of the interface (ppp0 in place of
eth1).
- At home I have another ISP.
- At home, I installed the workstation configuration; at the office, it is a
personalised installation.

At home it works great without any latency problem. At the office, it always times out!
I even tried several browsers, with no difference at all.

This problem only occurs with passive ftp and, to remove any doubt, this morning I
succeeded (at the office) in reaching an ftp site with my browser. It was very slow
though, and it is the only connection I have ever been able to get. All other services
are fluid. What more can I do to fix this problem?

--
Mohamad
Re: ftp problem with iptables
Hi all,
As I mentioned before, I have the following configuration:
ADSL --- Filtering router --- Linux Firewall --- Internal network

I have a real problem with passive ftp although all other traffic functions correctly. I
have done a tcpdump to know what is happening and I attach the result to this mail.

My browser machine has IP 10.10.7.1 and runs NT; the external interface IP of the
Linux box is 192.168.1.2.

I have done a test with a linux machine as a client and the result was the same.
It must be said also that an active ftp doesn't cause particular troubles.

It appears that packets sent from client to server are lost regularly (where?)! The
client doesn't help matters because it waits a long time before resending its packet.

--
Mohamad
Re: ftp problem with iptables
Finally I can do passive ftp without any problem. My problem, as I noticed this morning,
was the ADSL router. It was changed and everything works very well now. Passive ftp
clients really are very "stupid", so any traffic problem can make the protocol UNUSABLE.

--
Mohamad