Hi, I have the following configuration.

2000 (172.17.1.5) <----> (172.17.1.1) FW [Fedora Core 1] (192.168.1.102) <--> router

No comment about the router. The router is set to one-to-one NAT =/.

Well.

When I set DNAT for FTP to 2000, FTP to 2000 works well. When I set another port for FTP, like 2121, to FW, it connects but says:

Remote system type is UNIX.
Using binary mode to transfer files.
ftp> dir
500 EPSV not understood
227 Entering Passive Mode (192,168,1,102,246,79).

and times out.

For port 2121 the rule is ACCEPT or maybe REDIRECT, I think.

aps.. I modified the modules for ip_nat_ftp=21,2121 and ip_conntrack_ftp=21,2121, but nothing.

Any idea?

On Tuesday 06 January 2004 04:42 am, Rodrigo Cortes Cano wrote:
> Hi, I have the following configuration.
>
> 2000 (172.17.1.5) <----> (172.17.1.1) FW [Fedora Core 1] (192.168.1.102) <--> router
>
> No comment about the router. The router is set to one-to-one NAT =/.
>
> Well.
>
> When I set DNAT for FTP to 2000, FTP to 2000 works well. When I set another
> port for FTP, like 2121, to FW, it connects but says:
>
> Remote system type is UNIX.
> Using binary mode to transfer files.
> ftp> dir
> 500 EPSV not understood
> 227 Entering Passive Mode (192,168,1,102,246,79).

Clearly your internet client can't connect directly with a server at IP address 192.168.1.102, so the PASV response isn't being altered by one of the server-side routers.

> and times out.
>
> For port 2121 the rule is ACCEPT or maybe REDIRECT, I think.
>
> aps.. I modified the modules for ip_nat_ftp=21,2121 and ip_conntrack_ftp=21,2121,
> but nothing.
>
> Any idea?

ALL routers doing NAT on the client side must alter the FTP command stream when doing ACTIVE mode FTP, and ALL routers doing NAT on the server side must alter the FTP command stream when doing PASSIVE mode FTP. So the router that you don't comment about needs to understand that 2121 is an FTP port also...

-Tom
--
Tom Eastep     \ Nothing is foolproof to a sufficiently talented fool
Shoreline,     \ http://shorewall.net
Washington USA \ teastep@shorewall.net

If the FTP port for 2000 is another port like 2121 and the FTP port is standard for Linux, Linux (FW) works fine, but not FTP on 2000.
Is any solution possible for this case?

I don't have access to the router.

RCC

Quoting Tom Eastep <teastep@shorewall.net>:

> On Tuesday 06 January 2004 04:42 am, Rodrigo Cortes Cano wrote:
> > Hi, I have the following configuration.
> >
> > 2000 (172.17.1.5) <----> (172.17.1.1) FW [Fedora Core 1] (192.168.1.102) <--> router
> >
> > No comment about the router. The router is set to one-to-one NAT =/.
> >
> > Well.
> >
> > When I set DNAT for FTP to 2000, FTP to 2000 works well. When I set another
> > port for FTP, like 2121, to FW, it connects but says:
> >
> > Remote system type is UNIX.
> > Using binary mode to transfer files.
> > ftp> dir
> > 500 EPSV not understood
> > 227 Entering Passive Mode (192,168,1,102,246,79).
>
> Clearly your internet client can't connect directly with a server at IP
> address 192.168.1.102, so the PASV response isn't being altered by one of the
> server-side routers.
>
> > and times out.
> >
> > For port 2121 the rule is ACCEPT or maybe REDIRECT, I think.
> >
> > aps.. I modified the modules for ip_nat_ftp=21,2121 and ip_conntrack_ftp=21,2121,
> > but nothing.
> >
> > Any idea?
>
> ALL routers doing NAT on the client side must alter the FTP command stream
> when doing ACTIVE mode FTP, and ALL routers doing NAT on the server side must
> alter the FTP command stream when doing PASSIVE mode FTP. So the router that
> you don't comment about needs to understand that 2121 is an FTP port
> also...
>
> -Tom
> --
> Tom Eastep     \ Nothing is foolproof to a sufficiently talented fool
> Shoreline,     \ http://shorewall.net
> Washington USA \ teastep@shorewall.net

On Tuesday 06 January 2004 10:50 am, Rodrigo Cortes Cano wrote:
> If the FTP port for 2000 is another port like 2121 and the FTP port is standard for
> Linux, Linux (FW) works fine, but not FTP on 2000.
> Is any solution possible for this case?
>
> I don't have access to the router.

Then there is no solution.

-Tom
--
Tom Eastep     \ Nothing is foolproof to a sufficiently talented fool
Shoreline,     \ http://shorewall.net
Washington USA \ teastep@shorewall.net