* ftp and nat
@ 2009-05-27 11:48 matthias
  2009-05-27 12:13 ` Thomas Jacob
  0 siblings, 1 reply; 3+ messages in thread
From: matthias @ 2009-05-27 11:48 UTC (permalink / raw)
  To: netfilter

Hi all,

I have a network like this:
client <-> router <-> server

The router is linked via eth0 to the client network and via tun0 to the server.
When I try to log in from the client to the server via FTP I get a
delay of about 30 seconds.
Can anyone tell me why? Is it that iptables doesn't support active FTP?

here are tcpdump extracts taken by the router:

root@router# tcpdump -i eth0
listening on eth0, link-type EN10MB (Ethernet), capture size 96 bytes
15:57:01.949614 IP client.43278 > router.ftp: S
2612647763:2612647763(0) win 5840 <mss 1460,sackOK,timestamp 538163918
0,nop,wscale 2>
15:57:01.951314 IP router.ftp > client.43278: S
3833629446:3833629446(0) ack 2612647764 win 5792 <sackOK,timestamp
109271440 538163918,mss 1460,nop,wscale 2>
15:57:01.951615 IP client.43278 > router.ftp: . ack 1 win 1460
<nop,nop,timestamp 538163921 109271440>
15:57:32.417873 IP router.ftp > client.43278: P 1:99(98) ack 1 win
1448 <nop,nop,timestamp 109279056 538163921>
15:57:32.418179 IP client.43278 > router.ftp: . ack 99 win 1460
<nop,nop,timestamp 538194387 109279056>
15:57:32.418181 IP client.43278 > router.ftp: P 1:14(13) ack 99 win
1460 <nop,nop,timestamp 538194387 109279056>
15:57:32.421947 IP router.ftp > client.43278: . ack 14 win 1448
<nop,nop,timestamp 109279057 538194387>
15:57:32.445852 IP router.ftp > client.43278: P 99:127(28) ack 14 win
1448 <nop,nop,timestamp 109279063 538194387>
15:57:32.446238 IP client.43278 > router.ftp: P 14:32(18) ack 127 win
1460 <nop,nop,timestamp 538194415 109279063>
15:57:32.461960 IP router.ftp > client.43278: P 127:155(28) ack 32 win
1448 <nop,nop,timestamp 109279068 538194415>
15:57:32.502703 IP client.43278 > router.ftp: . ack 155 win 1460
<nop,nop,timestamp 538194471 109279068>

root@router:~# tcpdump -i tun0
listening on tun0, link-type LINUX_SLL (Linux cooked), capture size 96 bytes
15:57:01.948253 IP client.43278 > server.ftp: S
2612647763:2612647763(0) win 5840 <mss 1460,sackOK,timestamp 538163918
0,nop,wscale 2>
15:57:01.951289 IP server.ftp > client.43278: S
3833629446:3833629446(0) ack 2612647764 win 5792 <sackOK,timestamp
109271440 538163918,mss 1460,nop,wscale 2>
15:57:01.951626 IP client.43278 > server.ftp: . ack 1 win 1460
<nop,nop,timestamp 538163921 109271440>
15:57:01.963271 IP server.36897 > client.auth: S
3840123331:3840123331(0) win 5840 <sackOK,timestamp 109271443 0,mss
1460,nop,wscale 2>
15:57:04.959422 IP server.36897 > client.auth: S
3840123331:3840123331(0) win 5840 <sackOK,timestamp 109272193 0,mss
1460,nop,wscale 2>
15:57:10.959785 IP server.36897 > client.auth: S
3840123331:3840123331(0) win 5840 <sackOK,timestamp 109273693 0,mss
1460,nop,wscale 2>
15:57:22.964568 IP server.36897 > client.auth: S
3840123331:3840123331(0) win 5840 <sackOK,timestamp 109276693 0,mss
1460,nop,wscale 2>
15:57:32.417840 IP server.ftp > client.43278: P 1:99(98) ack 1 win
1448 <nop,nop,timestamp 109279056 538163921>
15:57:32.418195 IP client.43278 > server.ftp: . ack 99 win 1460
<nop,nop,timestamp 538194387 109279056>
15:57:32.418213 IP client.43278 > server.ftp: P 1:14(13) ack 99 win
1460 <nop,nop,timestamp 538194387 109279056>
15:57:32.421924 IP server.ftp > client.43278: . ack 14 win 1448
<nop,nop,timestamp 109279057 538194387>
15:57:32.445824 IP server.ftp > client.43278: P 99:127(28) ack 14 win
1448 <nop,nop,timestamp 109279063 538194387>
15:57:32.446250 IP client.43278 > server.ftp: P 14:32(18) ack 127 win
1460 <nop,nop,timestamp 538194415 109279063>
15:57:32.461933 IP server.ftp > client.43278: P 127:155(28) ack 32 win
1448 <nop,nop,timestamp 109279068 538194415>
15:57:32.502736 IP client.43278 > server.ftp: . ack 155 win 1460
<nop,nop,timestamp 538194471 109279068>


my iptable rules are:

iptables -F
iptables -t nat -F
#FTP
iptables -t nat -A PREROUTING -i eth0 -p tcp --dport 21 -j DNAT
--to-destination server:21 -v
iptables -t nat -A PREROUTING -i eth0 -p tcp --dport 20 -j DNAT
--to-destination server:20 -v
#Telnet
iptables -t nat -A PREROUTING -i $ext_dev -p tcp --dport 23 -j DNAT
--to-destination server:23 -v
#ip forward
echo "1" > /proc/sys/net/ipv4/ip_forward


root@router:~# iptables -V
iptables v1.3.6

root@router:~# uname -a
Linux dt4k042 2.6.24.7-DTSG-0.0.15 #2 SMP Thu Oct 30 12:20:46 CET 2008
i686 GNU/Linux

Telnet is working fine, while I got these unforwarded messages from the
server (server.36897 > client.auth).

any idea?


* Re: ftp and nat
  2009-05-27 11:48 ftp and nat matthias
@ 2009-05-27 12:13 ` Thomas Jacob
  2009-06-03 11:17   ` matthias
  0 siblings, 1 reply; 3+ messages in thread
From: Thomas Jacob @ 2009-05-27 12:13 UTC (permalink / raw)
  To: matthias; +Cc: netfilter

On Wed, 2009-05-27 at 13:48 +0200, matthias wrote:
> Hi all,
> 
> I have a network like this:
> client <-> router <-> server
> 
> The router is linked via eth0 to the client network and via tun0 to the server.
> When I try to log in from the client to the server via FTP I get a
> delay of about 30 seconds.
> Can anyone tell me why? Is it that iptables doesn't support active FTP?
> 
> here are tcpdump extracts taken by the router:
> 
> root@router# tcpdump -i eth0
> listening on eth0, link-type EN10MB (Ethernet), capture size 96 bytes
> 15:57:01.949614 IP client.43278 > router.ftp: S
> 2612647763:2612647763(0) win 5840 <mss 1460,sackOK,timestamp 538163918
> 0,nop,wscale 2>
> 15:57:01.951314 IP router.ftp > client.43278: S
> 3833629446:3833629446(0) ack 2612647764 win 5792 <sackOK,timestamp
> 109271440 538163918,mss 1460,nop,wscale 2>
> 15:57:01.951615 IP client.43278 > router.ftp: . ack 1 win 1460
> <nop,nop,timestamp 538163921 109271440>

3-way handshake is complete here

> 15:57:32.417873 IP router.ftp > client.43278: P 1:99(98) ack 1 win
> 1448 <nop,nop,timestamp 109279056 538163921>

And then your router does not send the FTP ready message for about
30s, at this point nothing FTP specific has yet taken place.

Suggest you look into your "ident"-checks in the FTP server config
and disable them.

Once you get the FTP prompt right away, don't forget to load the FTP
support modules for iptables/NAT:
 
  modprobe nf_conntrack_ftp
  modprobe nf_nat_ftp
 



* Re: ftp and nat
  2009-05-27 12:13 ` Thomas Jacob
@ 2009-06-03 11:17   ` matthias
  0 siblings, 0 replies; 3+ messages in thread
From: matthias @ 2009-06-03 11:17 UTC (permalink / raw)
  To: Thomas Jacob; +Cc: netfilter

Hi all,

2009/5/27 Thomas Jacob <jacob@internet24.de>:
> On Wed, 2009-05-27 at 13:48 +0200, matthias wrote:
>> Hi all,
>>
>> I have a network like this:
>> client <-> router <-> server
>>
>> The router is linked via eth0 to the client network and via tun0 to the server.
>> When I try to log in from the client to the server via FTP I get a
>> delay of about 30 seconds.
>> Can anyone tell me why? Is it that iptables doesn't support active FTP?
>>
>> here are tcpdump extracts taken by the router:
>>
>> root@router# tcpdump -i eth0
>> listening on eth0, link-type EN10MB (Ethernet), capture size 96 bytes
>> 15:57:01.949614 IP client.43278 > router.ftp: S
>> 2612647763:2612647763(0) win 5840 <mss 1460,sackOK,timestamp 538163918
>> 0,nop,wscale 2>
>> 15:57:01.951314 IP router.ftp > client.43278: S
>> 3833629446:3833629446(0) ack 2612647764 win 5792 <sackOK,timestamp
>> 109271440 538163918,mss 1460,nop,wscale 2>
>> 15:57:01.951615 IP client.43278 > router.ftp: . ack 1 win 1460
>> <nop,nop,timestamp 538163921 109271440>
>
> 3-way handshake is complete here
>
>> 15:57:32.417873 IP router.ftp > client.43278: P 1:99(98) ack 1 win
>> 1448 <nop,nop,timestamp 109279056 538163921>
>
> And then your router does not send the FTP ready message for about
> 30s, at this point nothing FTP specific has yet taken place.
>
> Suggest you look into your "ident"-checks in the FTP server config
> and disable them.
>
> Once you get the FTP prompt right away, don't forget to load the FTP
> support modules for iptables/NAT:
>
>  modprobe nf_conntrack_ftp
>  modprobe nf_nat_ftp

Firstly, I missed capturing the auth communication on eth0. After changing
the tcpdump call (tcpdump -i eth0 port ftp or port ftp-data or port
auth) I recognized that the auth messages from the server are
delivered to the client without changing the corresponding IP address,
so that the client received an auth request with source-ip=server.
I think this happens due to the fact that iptables couldn't recognize
the answer of the server, because it uses a different port.

As a workaround I added the following rule to my iptables initialization script:
iptables -A FORWARD -i tun0 -o eth0 -p tcp --dport 113 -j REJECT -v

So that I get an FTP prompt right away. Seems as if the FTP server
doesn't have any config flag to disable ident-checks.

Thanks,
Matthias

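The diagnosis in this thread can be turned into a check you run over a capture rather than read off by eye. The following is an added example (not code from either poster): it parses tcpdump's classic one-line TCP summary format, measures the gap between the client's handshake-completing ACK on port 21 and the server's first payload segment (the 220 banner), and reports any SYNs the server sends toward the client that never receive a SYN-ACK. The embedded capture is the thread's tun0 dump with tcpdump's wrapped lines re-joined; the service names "ftp" and "auth" are the ones tcpdump printed, and the 5-second threshold for flagging a slow banner is an assumption of this example.

```python
"""Spot a delayed FTP banner and the unanswered ident SYNs behind it.

Added example for this thread, not the posters' code. Works on tcpdump's
classic one-packet-per-line TCP output (flags token 'S', '.', 'P', ...).
"""
import re
from collections import defaultdict

# Constructed sample: the thread's tun0 capture, one packet per line.
TUN0_CAPTURE = """\
15:57:01.948253 IP client.43278 > server.ftp: S 2612647763:2612647763(0) win 5840 <mss 1460,sackOK,timestamp 538163918 0,nop,wscale 2>
15:57:01.951289 IP server.ftp > client.43278: S 3833629446:3833629446(0) ack 2612647764 win 5792 <sackOK,timestamp 109271440 538163918,mss 1460,nop,wscale 2>
15:57:01.951626 IP client.43278 > server.ftp: . ack 1 win 1460 <nop,nop,timestamp 538163921 109271440>
15:57:01.963271 IP server.36897 > client.auth: S 3840123331:3840123331(0) win 5840 <sackOK,timestamp 109271443 0,mss 1460,nop,wscale 2>
15:57:04.959422 IP server.36897 > client.auth: S 3840123331:3840123331(0) win 5840 <sackOK,timestamp 109272193 0,mss 1460,nop,wscale 2>
15:57:10.959785 IP server.36897 > client.auth: S 3840123331:3840123331(0) win 5840 <sackOK,timestamp 109273693 0,mss 1460,nop,wscale 2>
15:57:22.964568 IP server.36897 > client.auth: S 3840123331:3840123331(0) win 5840 <sackOK,timestamp 109276693 0,mss 1460,nop,wscale 2>
15:57:32.417840 IP server.ftp > client.43278: P 1:99(98) ack 1 win 1448 <nop,nop,timestamp 109279056 538163921>
15:57:32.418195 IP client.43278 > server.ftp: . ack 99 win 1460 <nop,nop,timestamp 538194387 109279056>
"""

# timestamp, "IP", src.port > dst.port:, flags token, then the rest of the line
_LINE = re.compile(
    r"^(?P<ts>\d\d:\d\d:\d\d\.\d+) IP "
    r"(?P<src>[\w.-]+)\.(?P<sport>\w+) > (?P<dst>[\w.-]+)\.(?P<dport>\w+): "
    r"(?P<flags>\S+)(?P<rest>.*)$"
)


def _seconds(ts):
    """'HH:MM:SS.ffffff' -> seconds since midnight as a float."""
    h, m, s = ts.split(":")
    return int(h) * 3600 + int(m) * 60 + float(s)


def parse_capture(text):
    """Parse each packet line into a dict; header and unparsable lines are skipped."""
    pkts = []
    for line in text.splitlines():
        m = _LINE.match(line)
        if not m:
            continue
        d = m.groupdict()
        d["t"] = _seconds(d.pop("ts"))
        d["is_syn"] = d["flags"] == "S"          # SYN or SYN-ACK
        d["has_ack"] = " ack " in d["rest"]       # distinguishes SYN-ACK from SYN
        d["has_payload"] = d["flags"] == "P"      # PSH segment carrying data
        pkts.append(d)
    return pkts


def banner_delay(pkts, server_port="ftp"):
    """Seconds from the client's handshake-completing ACK to the server's first
    payload on the control channel; None if either event is absent."""
    handshake_done = None
    for p in pkts:
        if handshake_done is None:
            if p["dport"] == server_port and not p["is_syn"] and p["has_ack"]:
                handshake_done = p["t"]
        elif p["sport"] == server_port and p["has_payload"]:
            return p["t"] - handshake_done
    return None


def unanswered_syns(pkts):
    """Group plain SYNs by 4-tuple and return those that never saw a SYN-ACK,
    with the retransmission count and the time span they cover."""
    syns = defaultdict(list)
    replied = set()
    for p in pkts:
        key = (p["src"], p["sport"], p["dst"], p["dport"])
        if p["is_syn"] and not p["has_ack"]:
            syns[key].append(p["t"])
        elif p["is_syn"] and p["has_ack"]:
            # a SYN-ACK answers the reverse 4-tuple
            replied.add((p["dst"], p["dport"], p["src"], p["sport"]))
    return {
        key: {"syns": len(times), "span": times[-1] - times[0]}
        for key, times in syns.items()
        if key not in replied
    }


def diagnose(text, slow_after=5.0):
    """Human-readable findings for a capture; slow_after is an assumed threshold."""
    pkts = parse_capture(text)
    findings = []
    delay = banner_delay(pkts)
    if delay is not None and delay > slow_after:
        findings.append(f"FTP banner arrived {delay:.1f}s after the handshake")
    for (src, sport, dst, dport), info in unanswered_syns(pkts).items():
        note = " (ident lookup by the server)" if dport in ("auth", "113") else ""
        findings.append(
            f"{info['syns']} unanswered SYNs {src}:{sport} -> {dst}:{dport} "
            f"over {info['span']:.1f}s{note}"
        )
    return findings


if __name__ == "__main__":
    for finding in diagnose(TUN0_CAPTURE):
        print(finding)
```

On the thread's capture this reports a banner delayed by about 30.5 s and four unanswered SYNs from server:36897 to client:auth spread over about 21 s, which is exactly the pattern the replies identified: the server's reverse ident connection to the client backs off and times out before the 220 greeting is sent. The same check applied to the eth0 side would show whether those SYNs are being forwarded to the client with the server's address unchanged, as the final reply describes.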
