Christophe Zwecker
2002-Nov-06 16:14 UTC
[Shorewall-users] ftp port 24562 pasv doesn't work, no logging
Hi,

I have a cisco sdsl modem to connect to internet via eth1 (192.168.1.2)
local is eth0 (192.168.2.254)

default gw is 192.168.1.1

the cisco forwards all incoming ports to 192.168.1.2.

I connect from outside on port 24562, login is successful, the ftpserver gives back the external IP of the cisco as pasv IP to the client (it's a setting in the ftpserver). It gives an IP from the pasv range I defined in the ftpserver out of the pool 3000:4000

However the client gets a socket error when trying to connect to one of the pasv ports.

I configured the ftp nat and connection tracking modules with 21,24562 as options.

I have this rule as well:

ACCEPT net fw:192.168.1.2 tcp 3000:4000

any idea what could cause this error ?

a pasv ftp connection to port 21 works btw.
I don't see anything logged in the syslog

thx a lot

Chris
--
Christophe Zwecker
:Sysctl
Susannenstr. 26-28
20357 Hamburg
phon/fax: +49 40 43099296/7
mail: czwecker@sysctl.de
Christophe Zwecker
2002-Nov-06 17:04 UTC
[Shorewall-users] ftp port 24562 pasv doesn't work, no logging
Hmm it seems that the module doesn't work right:

modprobe ip_nat_ftp ports=24562
/lib/modules/2.4.19-xfs-r2/kernel/net/ipv4/netfilter/ip_nat_ftp.o: init_module: Device or resource busy
Hint: insmod errors can be caused by incorrect module parameters, including invalid IO or IRQ parameters.
You may find more information in syslog or the output from dmesg
/lib/modules/2.4.19-xfs-r2/kernel/net/ipv4/netfilter/ip_nat_ftp.o: insmod /lib/modules/2.4.19-xfs-r2/kernel/net/ipv4/netfilter/ip_nat_ftp.o failed

anyone knows a problem with this ?

On Wed, 2002-11-06 at 17:14, Christophe Zwecker wrote:
> Hi,
>
> I have a cisco sdsl modem to connect to internet via eth1 (192.168.1.2)
> local is eth0 (192.168.2.254)
>
> default gw is 192.168.1.1
>
> the cisco forwards all incoming ports to 192.168.1.2.
>
> I connect from outside on port 24562, login is successful, the
> ftpserver gives back the external IP of the cisco as pasv IP to the
> client (it's a setting in the ftpserver). It gives an IP from the pasv
> range I defined in the ftpserver out of the pool 3000:4000
>
> However the client gets a socket error when trying to connect to one of
> the pasv ports.
>
> I configured the ftp nat and connection tracking modules with 21,24562
> as options.
>
> I have this rule as well:
>
> ACCEPT net fw:192.168.1.2 tcp 3000:4000
>
> any idea what could cause this error ?
>
> a pasv ftp connection to port 21 works btw.
> I don't see anything logged in the syslog
>
> thx a lot
>
> Chris
>
> _______________________________________________
> Shorewall-users mailing list
> Shorewall-users@shorewall.net
> http://www.shorewall.net/mailman/listinfo/shorewall-users
Christophe Zwecker
2002-Nov-06 17:04 UTC
[Shorewall-users] ftp port 24562 pasv doesn't work, no logging
sorry to reply to myself again, well modprobe ip_nat_ftp ports=21 works no problem. is there an issue with 2.4.19 and that ?

On Wed, 2002-11-06 at 18:04, Christophe Zwecker wrote:
> Hmm it seems that the module doesn't work right:
> modprobe ip_nat_ftp ports=24562
> /lib/modules/2.4.19-xfs-r2/kernel/net/ipv4/netfilter/ip_nat_ftp.o:
> init_module: Device or resource busy
> Hint: insmod errors can be caused by incorrect module parameters,
> including invalid IO or IRQ parameters.
> You may find more information in syslog or the output from dmesg
> /lib/modules/2.4.19-xfs-r2/kernel/net/ipv4/netfilter/ip_nat_ftp.o:
> insmod /lib/modules/2.4.19-xfs-r2/kernel/net/ipv4/netfilter/ip_nat_ftp.o
> failed
>
> anyone knows a problem with this ?
>
>
> On Wed, 2002-11-06 at 17:14, Christophe Zwecker wrote:
> > Hi,
> >
> > I have a cisco sdsl modem to connect to internet via eth1 (192.168.1.2)
> > local is eth0 (192.168.2.254)
> >
> > default gw is 192.168.1.1
> >
> > the cisco forwards all incoming ports to 192.168.1.2.
> >
> > I connect from outside on port 24562, login is successful, the
> > ftpserver gives back the external IP of the cisco as pasv IP to the
> > client (it's a setting in the ftpserver). It gives an IP from the pasv
> > range I defined in the ftpserver out of the pool 3000:4000
> >
> > However the client gets a socket error when trying to connect to one of
> > the pasv ports.
> >
> > I configured the ftp nat and connection tracking modules with 21,24562
> > as options.
> >
> > I have this rule as well:
> >
> > ACCEPT net fw:192.168.1.2 tcp 3000:4000
> >
> > any idea what could cause this error ?
> >
> > a pasv ftp connection to port 21 works btw.
> > I don't see anything logged in the syslog
> >
> > thx a lot
> >
> > Chris
Tom Eastep
2002-Nov-07 03:31 UTC
[Shorewall-users] ftp port 24562 pasv doesn't work, no logging
--On Wednesday, November 06, 2002 6:04 PM +0100 Christophe Zwecker <czwecker@sysctl.de> wrote:

> sorry to reply to myself again, well modprobe ip_nat_ftp ports=21 works
> no problem. is there an issue with 2.4.19 and that ?

I suggest that you post on the NetFilter list: netfilter@lists.netfilter.org

-Tom
--
Tom Eastep \ Shorewall - iptables made easy
AIM: tmeastep \ http://www.shorewall.net
ICQ: #60745924 \ teastep@shorewall.net
Christophe Zwecker
2002-Nov-07 09:26 UTC
[Shorewall-users] ftp port 24562 pasv doesn't work, no logging
very strange, in the end the ftp server config was missing a "1" after the forced pasv IP, which means only to give out that IP imho.

thx for listening :-)

On Thu, 2002-11-07 at 04:31, Tom Eastep wrote:
>
> --On Wednesday, November 06, 2002 6:04 PM +0100 Christophe Zwecker
> <czwecker@sysctl.de> wrote:
>
> > sorry to reply to myself again, well modprobe ip_nat_ftp ports=21 works
> > no problem. is there an issue with 2.4.19 and that ?
>
> I suggest that you post on the NetFilter list: netfilter@lists.netfilter.org
>
> -Tom
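The root cause above was the FTP server advertising the wrong address in its PASV reply, which the firewall never logs because the data connection is never attempted against it. A small checker for that failure mode, added here as an example (not code from the thread or from Shorewall): it parses a 227 reply, verifies the advertised address is the expected external one rather than an RFC 1918 address, and verifies the port falls inside the 3000:4000 pool the firewall rule permits. The external address 198.51.100.7 and the sample replies are constructed.

```python
import ipaddress
import re

# Constructed values modelled on the thread: the server is expected to
# advertise the modem's external address (placeholder 198.51.100.7) and a
# data port from the pool the ACCEPT rule opens (tcp 3000:4000).
EXTERNAL_IP = "198.51.100.7"
PASV_RANGE = (3000, 4000)

# RFC 1918 ranges: a client on the Internet can never reach these.
RFC1918 = [ipaddress.ip_network(n) for n in
           ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

# "227 Entering Passive Mode (h1,h2,h3,h4,p1,p2)" -- port is p1*256 + p2.
PASV_RE = re.compile(r"^227 .*?\((\d+),(\d+),(\d+),(\d+),(\d+),(\d+)\)")


def parse_pasv(reply):
    """Return (ip, port) advertised in an FTP 227 reply, or None if malformed."""
    m = PASV_RE.search(reply)
    if not m:
        return None
    h1, h2, h3, h4, p1, p2 = (int(x) for x in m.groups())
    if any(octet > 255 for octet in (h1, h2, h3, h4, p1, p2)):
        return None
    return f"{h1}.{h2}.{h3}.{h4}", p1 * 256 + p2


def check_pasv(reply, external_ip=EXTERNAL_IP, port_range=PASV_RANGE):
    """Return 'ok' or a description of why the data connection would fail."""
    parsed = parse_pasv(reply)
    if parsed is None:
        return "unparseable 227 reply"
    ip, port = parsed
    addr = ipaddress.ip_address(ip)
    problems = []
    if any(addr in net for net in RFC1918):
        problems.append(f"advertised private address {ip}: unreachable from the net")
    elif ip != external_ip:
        problems.append(f"advertised {ip}, expected external address {external_ip}")
    lo, hi = port_range
    if not lo <= port <= hi:
        problems.append(f"port {port} outside firewall-permitted range {lo}:{hi}")
    return "ok" if not problems else "; ".join(problems)
```

Run it against the 227 line captured from a client session; a non-"ok" result points at the server's PASV configuration rather than at the firewall.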
I have a port forwarding that works fine:

DNAT:info net:$TRUSTED loc:10.0.0.2 tcp 5800,5900

Log:

Shorewall:net2loc:DNAT:IN=eth1 OUT=eth0 SRC=200.162.4.16 DST=10.0.0.2 ...

as long as 10.0.0.2 has the default gateway to fw (10.0.0.1).

I need to do the same with another internal host, but it has another GW, that I cannot change. Is there a way to do this, but having the fw be the SRC for that packet; i.e., the reply will go to fw and then to destination ?

Thanks
-Gilson