Hi all,
I always have my ftp problem. I have now a very small number of rules for
the sake of test. Here they are:
-------------------Begin of rules---------------------------
#!/bin/sh
IPTABLES=/sbin/iptables
BastionExternalIp=192.168.1.2
InternalIf=eth0
ExternalIf=eth1
LoopbackIf=lo   # name must match the $LoopbackIf references below
echo Configuring default policy
$IPTABLES -P INPUT DROP
$IPTABLES -P FORWARD DROP
$IPTABLES -P OUTPUT DROP
$IPTABLES -t nat -P OUTPUT ACCEPT
$IPTABLES -t nat -P POSTROUTING ACCEPT
$IPTABLES -t nat -P PREROUTING ACCEPT
# Permit anything related to, or part of, an existing connection
$IPTABLES -A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
$IPTABLES -A OUTPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
$IPTABLES -A FORWARD -m state --state RELATED,ESTABLISHED -j ACCEPT
# Accept everything from loopback
$IPTABLES -A INPUT -i $LoopbackIf -j ACCEPT
$IPTABLES -A OUTPUT -o $LoopbackIf -j ACCEPT
# Accept everything arriving on the internal interface of the Linux box
$IPTABLES -A INPUT -i $InternalIf -j ACCEPT
# New outbound connections, from the box itself or forwarded, go through to-ext
$IPTABLES -N to-ext
$IPTABLES -A FORWARD -o $ExternalIf -j to-ext
$IPTABLES -A OUTPUT -o $ExternalIf -j to-ext
$IPTABLES -A to-ext -m state --state NEW -j ACCEPT
# Source-NAT traffic leaving the external interface to the bastion's address
$IPTABLES -t nat -A POSTROUTING -o $ExternalIf -j SNAT --to $BastionExternalIp
-------------------End of rules-----------------------------
I try an ftp on the Linux box itself and here is what tcpdump tells me:
-----------------Begin of tcpdump output-----------------------
09:22:41.967494 eth1 > externe.1029 > 64.102.255.95.ftp: S 953089502:953089502(0) win 5840 <mss 1460,eol> (DF)
09:22:44.967494 eth1 > externe.1029 > 64.102.255.95.ftp: S 953089502:953089502(0) win 5840 <mss 1460,eol> (DF)
09:22:45.097494 eth1 < 64.102.255.95.ftp > externe.1029: S 2386694080:2386694080(0) ack 953089503 win 8760 <mss 1460> (DF)
09:22:45.097494 eth1 > externe.1029 > 64.102.255.95.ftp: . 1:1(0) ack 1 win 5840 (DF)
09:22:48.597494 eth1 < 64.102.255.95.ftp > externe.1029: S 2386694080:2386694080(0) ack 953089503 win 8760 <mss 1460> (DF)
09:22:54.997494 eth1 < 64.102.255.95.ftp > externe.1029: S 2386694080:2386694080(0) ack 953089503 win 8760 <mss 1460> (DF)
09:23:07.797494 eth1 < 64.102.255.95.ftp > externe.1029: S 2386694080:2386694080(0) ack 953089503 win 8760 <mss 1460> (DF)
09:23:33.397494 eth1 < 64.102.255.95.ftp > externe.1029: S 2386694080:2386694080(0) ack 953089503 win 8760 <mss 1460> (DF)
09:24:24.597494 eth1 < 64.102.255.95.ftp > externe.1029: S 2386694080:2386694080(0) ack 953089503 win 8760 <mss 1460> (DF)
-----------------End of tcpdump output-----------------------
I tried several times and it always seems as if the ftp server never receives
the "ack" for its "syn,ack" packet! Here is the output of lsmod (relevant
modules only):
-----------------Begin of lsmod output-----------------------
Module          Size  Used by
ipt_state       1200   4 (autoclean)
iptable_mangle  2272   0 (autoclean) (unused)
ip_nat_ftp      3760   0 (unused)
ip_conntrack_ftp 2480  0 (unused)
iptable_nat    16160   1 (autoclean) [ip_nat_ftp]
ip_conntrack   15824   3 (autoclean) [ipt_state ip_nat_ftp ip_conntrack_ftp iptable_nat]
iptable_filter  2304   0 (autoclean) (unused)
ip_tables      11072   6 [ipt_state iptable_mangle iptable_nat iptable_filter]
-----------------End of lsmod output-----------------------
What is wrong?
--
Mohamad
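The symptom Mohamad reads off the trace by eye (the peer keeps retransmitting SYN/ACK after the host has already emitted its handshake ACK) can be checked mechanically. This is an added example, not code from the post: a small Python parser for this old-style tcpdump line format, run over a constructed sample rebuilt from the post's own packets with the wrapped lines rejoined.

```python
import re
from collections import defaultdict

# Constructed sample: packets from the post, one per line (old tcpdump style:
# time iface dir src > dst: flags seq:seq(len) [ack N] ...).
SAMPLE = """\
09:22:41.967494 eth1 > externe.1029 > 64.102.255.95.ftp: S 953089502:953089502(0) win 5840 <mss 1460,eol> (DF)
09:22:44.967494 eth1 > externe.1029 > 64.102.255.95.ftp: S 953089502:953089502(0) win 5840 <mss 1460,eol> (DF)
09:22:45.097494 eth1 < 64.102.255.95.ftp > externe.1029: S 2386694080:2386694080(0) ack 953089503 win 8760 <mss 1460> (DF)
09:22:45.097494 eth1 > externe.1029 > 64.102.255.95.ftp: . 1:1(0) ack 1 win 5840 (DF)
09:22:48.597494 eth1 < 64.102.255.95.ftp > externe.1029: S 2386694080:2386694080(0) ack 953089503 win 8760 <mss 1460> (DF)
09:22:54.997494 eth1 < 64.102.255.95.ftp > externe.1029: S 2386694080:2386694080(0) ack 953089503 win 8760 <mss 1460> (DF)
"""

# '>' after the interface means the packet left the host, '<' means it arrived.
LINE = re.compile(
    r"^(?P<ts>\S+) (?P<iface>\S+) (?P<dir>[<>]) (?P<src>\S+) > (?P<dst>\S+): "
    r"(?P<flags>[SFRP.]+) \d+:\d+\(\d+\)(?P<ack> ack \d+)?"
)

def handshake_report(text):
    """Per (client, server) flow: SYNs sent, SYN/ACKs received, whether the
    client's handshake ACK was emitted, and SYN/ACKs seen after that ACK."""
    flows = defaultdict(lambda: {"syn": 0, "synack": 0,
                                 "ack_sent": False, "synack_after_ack": 0})
    for line in text.splitlines():
        m = LINE.match(line)
        if not m:
            continue
        outbound = m["dir"] == ">"
        client, server = (m["src"], m["dst"]) if outbound else (m["dst"], m["src"])
        f = flows[(client, server)]
        is_syn = "S" in m["flags"]
        if is_syn and outbound and not m["ack"]:
            f["syn"] += 1                     # our SYN (or a retransmit of it)
        elif is_syn and not outbound and m["ack"]:
            f["synack"] += 1                  # peer's SYN/ACK
            if f["ack_sent"]:
                f["synack_after_ack"] += 1    # peer did not get our ACK
        elif outbound and m["ack"] and f["synack"] and not f["ack_sent"]:
            f["ack_sent"] = True              # third step of the handshake left eth1
    return dict(flows)

def stuck_handshakes(text):
    """Flows whose ACK left the interface yet the peer kept resending SYN/ACK:
    the ACK is being lost somewhere between this host and the server."""
    return [k for k, f in handshake_report(text).items()
            if f["ack_sent"] and f["synack_after_ack"] > 0]
```

Run it over a full `tcpdump -i eth1 port ftp` capture to separate "the ACK never left the box" (a local filter problem) from "the ACK left but never arrived" (a problem upstream of the box).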