bugzilla-daemon@netfilter.org
2003-Jul-18 04:55 UTC
[Bug 114] New: NAT on ftp with 2.4.21 does not forward FXP connections
https://bugzilla.netfilter.org/cgi-bin/bugzilla/show_bug.cgi?id=114

           Summary: NAT on ftp with 2.4.21 does not forward FXP connections
           Product: netfilter/iptables
           Version: linux-2.4.x
          Platform: i386
        OS/Version: Debian GNU/Linux
            Status: NEW
          Severity: normal
          Priority: P2
         Component: netfilter hooks
        AssignedTo: laforge@netfilter.org
        ReportedBy: sbdep@woot.net
                CC: netfilter-buglog@lists.netfilter.org

I recently upgraded the hardware on my gateway and when I did this, I upgraded the kernel I was using for the gateway to 2.4.21 from 2.4.20 on the old machine. One of the things I was doing was forwarding an ftp server to another system in my house. For some reason, I could access the server in both active and passive mode; however, his friend, who uses the ugly FXP hack, could not get uploads to work to the server being NATed. Downgrading the gateway to 2.4.20 caused the problem to go away and FXP transfers could occur again.

The following is the active modules list with 2.4.20 and the script I use to set up iptables.

root@scabies:/# lsmod
Module                  Size  Used by    Not tainted
ip_nat_ftp              2928   0  (unused)
ipt_MASQUERADE          1208   1  (autoclean)
ipt_state                536   1  (autoclean)
iptable_nat            14798   2  (autoclean) [ip_nat_ftp ipt_MASQUERADE]
ip_conntrack_irc        2960   0  (unused)
ip_conntrack_ftp        3888   1
ppp_deflate             3256   0  (autoclean)
zlib_deflate           18136   0  (autoclean) [ppp_deflate]
bsd_comp                4376   0  (autoclean)
ppp_async               7264   1  (autoclean)
serial                 26176   0  (autoclean)

root@scabies:/etc/ppp/ip-up.d# cat firewall-start
#!/bin/sh

firewall=ppp0

if [ "x$PPP_IFACE" = "x$firewall" ]; then
    ##Modules needed
    modprobe ip_conntrack_ftp;
    modprobe ip_conntrack_irc;
    modprobe ip_nat_ftp;
    modprobe ip_nat_irc;

    iptables -t nat -F;

    #iptables -t nat -A PREROUTING -d $PPP_LOCAL -p tcp --dport 80 -j DNAT --to 192.168.1.3:80;
    #iptables -t nat -A POSTROUTING -d 192.168.1.3 -s 192.168.1.0/24 -p tcp --dport 80 -j SNAT --to 192.168.1.1;

    ##Dennis 8074 -> 8074
    iptables -t nat -A PREROUTING -d $PPP_LOCAL -p tcp --dport 8074 -j DNAT --to 192.168.1.23:8074;
    iptables -t nat -A POSTROUTING -d 192.168.1.23 -s 192.168.1.0/24 -p tcp --dport 8074 -j SNAT --to 192.168.1.1;

    ##Jerome ftp
    iptables -t nat -A PREROUTING -d $PPP_LOCAL -p tcp --dport 21 -m state --state NEW,ESTABLISHED,RELATED -j DNAT --to 192.168.1.42:21;

    ## Internet Sharing
    iptables -t nat -A POSTROUTING -o $firewall -j MASQUERADE;
fi

This is the exact same script as I used with 2.4.21.

------- You are receiving this mail because: -------
You are on the CC list for the bug, or are watching someone who is.
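
Added example, not part of the bug report or of netfilter's code: a small Python check for triaging a report like this one, which separates an FXP-style PORT command (the advertised address is a third host) from an ordinary active-mode PORT in a captured FTP control channel. The sample lines and addresses are constructed and the function names are hypothetical; the report does not say what changed between 2.4.20 and 2.4.21.

```python
import re

# RFC 959 host-port argument: "h1,h2,h3,h4,p1,p2" (four address bytes, two port bytes).
HOSTPORT = re.compile(r"(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3})")


def parse_hostport(text):
    """Return (ip, port) from a PORT argument, or None if it is malformed."""
    m = HOSTPORT.search(text)
    if not m:
        return None
    n = [int(x) for x in m.groups()]
    if max(n) > 255:
        return None
    return ".".join(str(x) for x in n[:4]), n[4] * 256 + n[5]


def classify_ports(client_ip, control_lines):
    """List (ip, port, third_party) for every PORT command the client sent.

    third_party is True when the data address is not the client's own, which
    is how a server-to-server (FXP) transfer appears on the control channel.
    """
    found = []
    for line in control_lines:
        parts = line.strip().split(None, 1)
        if len(parts) != 2 or parts[0].upper() != "PORT":
            continue
        endpoint = parse_hostport(parts[1])
        if endpoint is None:
            continue
        found.append((endpoint[0], endpoint[1], endpoint[0] != client_ip))
    return found


# Constructed control-channel lines from a client at 198.51.100.7.
SAMPLE = [
    "USER demo",
    "PORT 198,51,100,7,4,1",    # ordinary active mode: client's own address
    "STOR a.bin",
    "PORT 203,0,113,9,7,208",   # FXP style: address of a different host
    "STOR b.bin",
]

if __name__ == "__main__":
    for ip, port, third in classify_ports("198.51.100.7", SAMPLE):
        print(ip, port, "third-party (FXP-style)" if third else "client itself")
```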