I have a PC router that runs Ubuntu Server 7.04 (kernel version
2.6.20-15-server) and Shorewall (latest version) as a firewall. On one of
the computers connected to it I run an FTP server. The problem is I cannot
connect to it from outside. The FTP server is set up using Serv-U. The port
used for FTP is 50005 and the IP of that computer is 192.168.0.3. I can,
however, connect to it from another computer on the LAN. Here are my rules:

#ACTION          SOURCE  DEST             PROTO   DEST       SOURCE   ORIGINAL  RATE   USER/
#                                                 PORT(S)    PORT(S)  DEST      LIMIT  GROUP
#SECTION ESTABLISHED
#SECTION RELATED
SECTION NEW
SSH/ACCEPT       all     $FW
Webmin/ACCEPT    all     $FW
DNS/ACCEPT       loc     fw
Ping/ACCEPT      loc     all
Ping/REJECT:info all     $FW
Ping/ACCEPT      $FW     all
DNAT             net     loc:192.168.0.3  tcp     50000:50005
DNAT             net     loc:192.168.0.3  udp     50000:50005
NTP/ACCEPT       all     all

Ports 50000-50004 are used for torrents, ed2k and a couple of other things,
which work fine. What am I missing here? Modules nf_nat_ftp and
nf_conntrack_ftp are loaded. I've been dealing with this for a couple of
months now and I don't know what else to try. Please help me!

Ziga

-------------------------------------------------------------------------
This SF.net email is sponsored by: Splunk Inc.
Still grepping through log files to find problems?  Stop.
Now Search log events and configuration files using AJAX and a browser.
Download your FREE copy of Splunk now >>  http://get.splunk.com/
Ziga Milek wrote:
> I have a PC router that runs Ubuntu Server 7.04 (kernel version
> 2.6.20-15-server) and Shorewall (latest version) as a firewall. On one of
> computers connected to it I run a FTP server. the problem is i cannot
> connect to it from outside. The ftp server is set up using serv-u. the port
> used for ftp is 50005 and the ip of that computer is 192.168.0.3. i can
> however connect to it from another computer on LAN. here are my rules:
>
> #ACTION          SOURCE  DEST             PROTO   DEST       SOURCE   ORIGINAL  RATE   USER/
> #                                                 PORT(S)    PORT(S)  DEST      LIMIT  GROUP
> #SECTION ESTABLISHED
> #SECTION RELATED
> SECTION NEW
> SSH/ACCEPT       all     $FW
> Webmin/ACCEPT    all     $FW
> DNS/ACCEPT       loc     fw
> Ping/ACCEPT      loc     all
> Ping/REJECT:info all     $FW
> Ping/ACCEPT      $FW     all
> DNAT             net     loc:192.168.0.3  tcp     50000:50005
> DNAT             net     loc:192.168.0.3  udp     50000:50005
> NTP/ACCEPT       all     all
>
> ports 50000-50004 are used for torrents, ed2k and a couple of other things,
> which work fine. what am i missing here? modules nf_nat_ftp and
> nf_conntrack_ftp are loaded. I've been dealing with this for a couple of
> months now and i don't know what else to try. Please help me!
>
> Ziga
>

Have a look at the non-standard ports section of
http://www.shorewall.net/FTP.html

Jerry
As a matter of fact I thought of the unusual port choice causing the problem
and switched the FTP port back to 21 and added 'FTP/DNAT all loc:192.168.0.3'
rule and the problem persists. Any other idea?

-----Original Message-----
From: shorewall-users-bounces@lists.sourceforge.net
[mailto:shorewall-users-bounces@lists.sourceforge.net] On Behalf Of Jerry Vonau
Sent: Thursday, September 06, 2007 12:31 PM
To: Shorewall Users
Subject: Re: [Shorewall-users] FTP not working behind Ubuntu+Shorewall

Have a look at the non-standard ports section of
http://www.shorewall.net/FTP.html

Jerry
Ziga Milek wrote:
> As a matter of fact i thought of the unusual port choice causing the problem
> and switched the ftp port back to 21 and added 'FTP/DNAT all
> loc:192.168.0.3' rule and the problem persists. Any other idea?
>

After shorewall start do an iptables-save > file and look if rules are
correct (text search for DNAT). Also ACCEPT rule has to be in file for
the ports 50000-

Perhaps add your external IP to the source field in the DNAT entry

DNAT net loc:192.168.0.3 tcp 50000:50005 [your net ip]

> -----Original Message-----
> From: shorewall-users-bounces@lists.sourceforge.net
> [mailto:shorewall-users-bounces@lists.sourceforge.net] On Behalf Of Jerry
> Vonau
> Sent: Thursday, September 06, 2007 12:31 PM
> To: Shorewall Users
> Subject: Re: [Shorewall-users] FTP not working behind Ubuntu+Shorewall
>
> Have a look the non-standard ports section of
> http://www.shorewall.net/FTP.html
>
> Jerry
>
Ziga Milek wrote:
> As a matter of fact i thought of the unusual port choice causing the problem
> and switched the ftp port back to 21 and added 'FTP/DNAT all
> loc:192.168.0.3' rule and the problem persists. Any other idea?

Have you consulted http://www.shorewall.net/FTP.html ?

-Tom
--
Tom Eastep        \ Nothing is foolproof to a sufficiently talented fool
Shoreline,         \ http://shorewall.net
Washington USA      \ teastep@shorewall.net
PGP Public Key       \ https://lists.shorewall.net/teastep.pgp.key
Tom Eastep wrote:
> Ziga Milek wrote:
>> As a matter of fact i thought of the unusual port choice causing the problem
>> and switched the ftp port back to 21 and added 'FTP/DNAT all
>> loc:192.168.0.3' rule and the problem persists. Any other idea?
>
> Have you consulted http://www.shorewall.net/FTP.html ?
>

Oops -- I see that you mentioned that article in an earlier post.

What is failing? The initial control connections or operations like 'ls'
that require a data connection? Your post sounds like it is the initial
control connection in which case you need to follow the DNAT
troubleshooting tips in Shorewall FAQs 1a and 1b.

-Tom
--
Tom Eastep        \ Nothing is foolproof to a sufficiently talented fool
Shoreline,         \ http://shorewall.net
Washington USA      \ teastep@shorewall.net
PGP Public Key       \ https://lists.shorewall.net/teastep.pgp.key
When I try to connect to it using FlashFXP it says:

[22:16:11] WinSock 2.0 -- OpenSSL 0.9.7g 11 Apr 2005
[22:16:17] [R] Connecting to cauchy.homeip.net -> DNS=cauchy.homeip.net IP=89.212.9.43 PORT=21
[22:16:18] [R] Connection failed (Connection refused)
[22:16:18] [R] Delaying for 120 seconds before reconnect attempt #1

I don't think it's the DNAT causing the problem because torrents and ed2k
and some other things work fine (on ports 50000-50004). And also if I use
the uTorrent port checker on port 21
(http://www.utorrent.com/testport.php?port=21) it says that it's open and
accepting connections. It has to be something specific to FTP.

Here is the complete output of iptables-save if it helps:

# Generated by iptables-save v1.3.6 on Thu Sep  6 22:05:23 2007
*raw
:PREROUTING ACCEPT [10299443:6842649469]
:OUTPUT ACCEPT [6300:1508171]
COMMIT
# Completed on Thu Sep  6 22:05:23 2007
# Generated by iptables-save v1.3.6 on Thu Sep  6 22:05:23 2007
*nat
:PREROUTING ACCEPT [73077:4323725]
:POSTROUTING ACCEPT [474484:30117358]
:OUTPUT ACCEPT [350:28305]
:eth1_masq - [0:0]
:net_dnat - [0:0]
-A PREROUTING -i eth1 -j net_dnat
-A POSTROUTING -o eth1 -j eth1_masq
-A OUTPUT -p tcp -m tcp --dport 50000:50010 -j DNAT --to-destination 192.168.0.3
-A OUTPUT -p udp -m udp --dport 50000:50010 -j DNAT --to-destination 192.168.0.3
-A OUTPUT -p tcp -m tcp --dport 21 -j DNAT --to-destination 192.168.0.3
-A eth1_masq -s 192.168.0.0/255.255.255.0 -j MASQUERADE
-A net_dnat -p tcp -m tcp --dport 50000:50010 -j DNAT --to-destination 192.168.0.3
-A net_dnat -p udp -m udp --dport 50000:50010 -j DNAT --to-destination 192.168.0.3
-A net_dnat -p tcp -m tcp --dport 21 -j DNAT --to-destination 192.168.0.3
COMMIT
# Completed on Thu Sep  6 22:05:23 2007
# Generated by iptables-save v1.3.6 on Thu Sep  6 22:05:23 2007
*mangle
:PREROUTING ACCEPT [10299485:6842699601]
:INPUT ACCEPT [10793:1610545]
:FORWARD ACCEPT [10288660:6841074263]
:OUTPUT ACCEPT [42345:8301662]
:POSTROUTING ACCEPT [10294924:6842547103]
:tcfor - [0:0]
:tcout - [0:0]
:tcpost - [0:0]
:tcpre - [0:0]
-A PREROUTING -j tcpre
-A FORWARD -j tcfor
-A OUTPUT -j tcout
-A POSTROUTING -j tcpost
COMMIT
# Completed on Thu Sep  6 22:05:23 2007
# Generated by iptables-save v1.3.6 on Thu Sep  6 22:05:23 2007
*filter
:INPUT DROP [8:460]
:FORWARD DROP [22:22814]
:OUTPUT DROP [0:0]
:Drop - [0:0]
:Reject - [0:0]
:all2all - [0:0]
:blacklst - [0:0]
:dropBcast - [0:0]
:dropInvalid - [0:0]
:dropNotSyn - [0:0]
:dynamic - [0:0]
:eth0_fwd - [0:0]
:eth0_in - [0:0]
:eth0_out - [0:0]
:eth1_fwd - [0:0]
:eth1_in - [0:0]
:eth1_out - [0:0]
:fw2all - [0:0]
:fw2loc - [0:0]
:fw2net - [0:0]
:loc2all - [0:0]
:loc2fw - [0:0]
:loc2net - [0:0]
:logdrop - [0:0]
:logflags - [0:0]
:logreject - [0:0]
:net2all - [0:0]
:net2fw - [0:0]
:net2loc - [0:0]
:norfc1918 - [0:0]
:reject - [0:0]
:rfc1918 - [0:0]
:shorewall - [0:0]
:smurfs - [0:0]
:tcpflags - [0:0]
-A INPUT -i lo -j ACCEPT
-A INPUT -i eth0 -j eth0_in
-A INPUT -i eth1 -j eth1_in
-A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
-A INPUT -j Reject
-A INPUT -j LOG --log-prefix "Shorewall:INPUT:REJECT:" --log-level 6
-A INPUT -j reject
-A FORWARD -p tcp -m tcp --tcp-flags SYN,RST SYN -j TCPMSS --clamp-mss-to-pmtu
-A FORWARD -i eth0 -j eth0_fwd
-A FORWARD -i eth1 -j eth1_fwd
-A FORWARD -m state --state RELATED,ESTABLISHED -j ACCEPT
-A FORWARD -j Reject
-A FORWARD -j LOG --log-prefix "Shorewall:FORWARD:REJECT:" --log-level 6
-A FORWARD -j reject
-A OUTPUT -o lo -j ACCEPT
-A OUTPUT -o eth0 -j eth0_out
-A OUTPUT -o eth1 -j eth1_out
-A OUTPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
-A OUTPUT -j ACCEPT
-A Drop -p tcp -m tcp --dport 113 -j reject
-A Drop -j dropBcast
-A Drop -p icmp -m icmp --icmp-type 3/4 -j ACCEPT
-A Drop -p icmp -m icmp --icmp-type 11 -j ACCEPT
-A Drop -j dropInvalid
-A Drop -p udp -m multiport --dports 135,445 -j DROP
-A Drop -p udp -m udp --dport 137:139 -j DROP
-A Drop -p udp -m udp --sport 137 --dport 1024:65535 -j DROP
-A Drop -p tcp -m multiport --dports 135,139,445 -j DROP
-A Drop -p udp -m udp --dport 1900 -j DROP
-A Drop -p tcp -j dropNotSyn
-A Drop -p udp -m udp --sport 53 -j DROP
-A Reject -p tcp -m tcp --dport 113 -j reject
-A Reject -j dropBcast
-A Reject -p icmp -m icmp --icmp-type 3/4 -j ACCEPT
-A Reject -p icmp -m icmp --icmp-type 11 -j ACCEPT
-A Reject -j dropInvalid
-A Reject -p udp -m multiport --dports 135,445 -j reject
-A Reject -p udp -m udp --dport 137:139 -j reject
-A Reject -p udp -m udp --sport 137 --dport 1024:65535 -j reject
-A Reject -p tcp -m multiport --dports 135,139,445 -j reject
-A Reject -p udp -m udp --dport 1900 -j DROP
-A Reject -p tcp -j dropNotSyn
-A Reject -p udp -m udp --sport 53 -j DROP
-A all2all -m state --state RELATED,ESTABLISHED -j ACCEPT
-A all2all -j Reject
-A all2all -j LOG --log-prefix "Shorewall:all2all:REJECT:" --log-level 6
-A all2all -j reject
-A blacklst -s 65.204.61.101 -j DROP
-A blacklst -s 221.122.51.250 -j DROP
-A blacklst -s 130.94.69.122 -j DROP
-A dropBcast -m pkttype --pkt-type broadcast -j DROP
-A dropBcast -m pkttype --pkt-type multicast -j DROP
-A dropInvalid -m state --state INVALID -j DROP
-A dropNotSyn -p tcp -m tcp ! --tcp-flags FIN,SYN,RST,ACK SYN -j DROP
-A eth0_fwd -m state --state INVALID,NEW -j dynamic
-A eth0_fwd -m state --state INVALID,NEW -j smurfs
-A eth0_fwd -p tcp -j tcpflags
-A eth0_fwd -s 192.168.0.0/255.255.255.0 -o eth1 -j loc2net
-A eth0_in -m state --state INVALID,NEW -j dynamic
-A eth0_in -m state --state INVALID,NEW -j smurfs
-A eth0_in -p udp -m udp --dport 67:68 -j ACCEPT
-A eth0_in -p tcp -j tcpflags
-A eth0_in -s 192.168.0.0/255.255.255.0 -j loc2fw
-A eth0_out -p udp -m udp --dport 67:68 -j ACCEPT
-A eth0_out -d 192.168.0.0/255.255.255.0 -j fw2loc
-A eth0_out -d 255.255.255.255 -j fw2loc
-A eth0_out -d 224.0.0.0/240.0.0.0 -j fw2loc
-A eth1_fwd -m state --state INVALID,NEW -j dynamic
-A eth1_fwd -m state --state INVALID,NEW -j blacklst
-A eth1_fwd -m state --state INVALID,NEW -j smurfs
-A eth1_fwd -m state --state NEW -j norfc1918
-A eth1_fwd -p tcp -j tcpflags
-A eth1_fwd -d 192.168.0.0/255.255.255.0 -o eth0 -j net2loc
-A eth1_in -m state --state INVALID,NEW -j dynamic
-A eth1_in -m state --state INVALID,NEW -j blacklst
-A eth1_in -m state --state INVALID,NEW -j smurfs
-A eth1_in -p udp -m udp --dport 67:68 -j ACCEPT
-A eth1_in -m state --state NEW -j norfc1918
-A eth1_in -p tcp -j tcpflags
-A eth1_in -j net2fw
-A eth1_out -p udp -m udp --dport 67:68 -j ACCEPT
-A eth1_out -j fw2net
-A fw2all -m state --state RELATED,ESTABLISHED -j ACCEPT
-A fw2all -j ACCEPT
-A fw2loc -m state --state RELATED,ESTABLISHED -j ACCEPT
-A fw2loc -p icmp -m icmp --icmp-type 8 -j ACCEPT
-A fw2loc -d 192.168.0.3 -p tcp -m tcp --dport 50000:50010 -j ACCEPT
-A fw2loc -d 192.168.0.3 -p udp -m udp --dport 50000:50010 -j ACCEPT
-A fw2loc -d 192.168.0.3 -p tcp -m tcp --dport 21 -j ACCEPT
-A fw2loc -p udp -m udp --dport 123 -j ACCEPT
-A fw2loc -j fw2all
-A fw2net -m state --state RELATED,ESTABLISHED -j ACCEPT
-A fw2net -p icmp -m icmp --icmp-type 8 -j ACCEPT
-A fw2net -p udp -m udp --dport 123 -j ACCEPT
-A fw2net -j fw2all
-A loc2all -m state --state RELATED,ESTABLISHED -j ACCEPT
-A loc2all -j ACCEPT
-A loc2fw -m state --state RELATED,ESTABLISHED -j ACCEPT
-A loc2fw -p tcp -m tcp --dport 22 -j ACCEPT
-A loc2fw -p tcp -m tcp --dport 10000 -j ACCEPT
-A loc2fw -p udp -m udp --dport 53 -j ACCEPT
-A loc2fw -p tcp -m tcp --dport 53 -j ACCEPT
-A loc2fw -p icmp -m icmp --icmp-type 8 -j ACCEPT
-A loc2fw -p icmp -m icmp --icmp-type 8 -j LOG --log-prefix "Shorewall:loc2fw:REJECT:" --log-level 6
-A loc2fw -p icmp -m icmp --icmp-type 8 -j reject
-A loc2fw -p udp -m udp --dport 123 -j ACCEPT
-A loc2fw -j loc2all
-A loc2net -m state --state RELATED,ESTABLISHED -j ACCEPT
-A loc2net -p icmp -m icmp --icmp-type 8 -j ACCEPT
-A loc2net -p udp -m udp --dport 123 -j ACCEPT
-A loc2net -j loc2all
-A logdrop -j LOG --log-prefix "Shorewall:logdrop:DROP:" --log-level 6
-A logdrop -j DROP
-A logflags -j LOG --log-prefix "Shorewall:logflags:DROP:" --log-level 6
-A logflags -j DROP
-A logreject -j LOG --log-prefix "Shorewall:logreject:REJECT:" --log-level 6
-A logreject -j reject
-A net2all -m state --state RELATED,ESTABLISHED -j ACCEPT
-A net2all -j Reject
-A net2all -j LOG --log-prefix "Shorewall:net2all:REJECT:" --log-level 6
-A net2all -j reject
-A net2fw -m state --state RELATED,ESTABLISHED -j ACCEPT
-A net2fw -p tcp -m tcp --dport 22 -j ACCEPT
-A net2fw -p tcp -m tcp --dport 10000 -j ACCEPT
-A net2fw -p icmp -m icmp --icmp-type 8 -j LOG --log-prefix "Shorewall:net2fw:REJECT:" --log-level 6
-A net2fw -p icmp -m icmp --icmp-type 8 -j reject
-A net2fw -p udp -m udp --dport 123 -j ACCEPT
-A net2fw -j net2all
-A net2loc -m state --state RELATED,ESTABLISHED -j ACCEPT
-A net2loc -d 192.168.0.3 -p tcp -m tcp --dport 50000:50010 -j ACCEPT
-A net2loc -d 192.168.0.3 -p udp -m udp --dport 50000:50010 -j ACCEPT
-A net2loc -d 192.168.0.3 -p tcp -m tcp --dport 21 -j ACCEPT
-A net2loc -p udp -m udp --dport 123 -j ACCEPT
-A net2loc -j net2all
-A norfc1918 -s 172.16.0.0/255.240.0.0 -j rfc1918
-A norfc1918 -m conntrack --ctorigdst 172.16.0.0/12 -j rfc1918
-A norfc1918 -s 192.168.0.0/255.255.0.0 -j rfc1918
-A norfc1918 -m conntrack --ctorigdst 192.168.0.0/16 -j rfc1918
-A norfc1918 -s 10.0.0.0/255.0.0.0 -j rfc1918
-A norfc1918 -m conntrack --ctorigdst 10.0.0.0/8 -j rfc1918
-A reject -m pkttype --pkt-type broadcast -j DROP
-A reject -m pkttype --pkt-type multicast -j DROP
-A reject -s 255.255.255.255 -j DROP
-A reject -s 224.0.0.0/240.0.0.0 -j DROP
-A reject -p tcp -j REJECT --reject-with tcp-reset
-A reject -p udp -j REJECT --reject-with icmp-port-unreachable
-A reject -p icmp -j REJECT --reject-with icmp-host-unreachable
-A reject -j REJECT --reject-with icmp-host-prohibited
-A rfc1918 -j LOG --log-prefix "Shorewall:rfc1918:DROP:" --log-level 6
-A rfc1918 -j DROP
-A smurfs -s 192.168.0.255 -j LOG --log-prefix "Shorewall:smurfs:DROP:" --log-level 6
-A smurfs -s 192.168.0.255 -j DROP
-A smurfs -s 89.212.255.255 -j LOG --log-prefix "Shorewall:smurfs:DROP:" --log-level 6
-A smurfs -s 89.212.255.255 -j DROP
-A smurfs -s 255.255.255.255 -j LOG --log-prefix "Shorewall:smurfs:DROP:" --log-level 6
-A smurfs -s 255.255.255.255 -j DROP
-A smurfs -s 224.0.0.0/240.0.0.0 -j LOG --log-prefix "Shorewall:smurfs:DROP:" --log-level 6
-A smurfs -s 224.0.0.0/240.0.0.0 -j DROP
-A tcpflags -p tcp -m tcp --tcp-flags FIN,SYN,RST,PSH,ACK,URG FIN,PSH,URG -j logflags
-A tcpflags -p tcp -m tcp --tcp-flags FIN,SYN,RST,PSH,ACK,URG NONE -j logflags
-A tcpflags -p tcp -m tcp --tcp-flags SYN,RST SYN,RST -j logflags
-A tcpflags -p tcp -m tcp --tcp-flags FIN,SYN FIN,SYN -j logflags
-A tcpflags -p tcp -m tcp --sport 0 --tcp-flags FIN,SYN,RST,ACK SYN -j logflags
COMMIT
# Completed on Thu Sep  6 22:05:23 2007

I can't figure anything out of this output. Anyone can? Is it possible to
see what's causing the problem?
-----Original Message-----
From: shorewall-users-bounces@lists.sourceforge.net
[mailto:shorewall-users-bounces@lists.sourceforge.net] On Behalf Of Tom Eastep
Sent: Thursday, September 06, 2007 3:53 PM
To: Shorewall Users
Subject: Re: [Shorewall-users] FTP not working behind Ubuntu+Shorewall

Oops -- I see that you mentioned that article in an earlier post.

What is failing? The initial control connections or operations like 'ls'
that require a data connection? Your post sounds like it is the initial
control connection in which case you need to follow the DNAT
troubleshooting tips in Shorewall FAQs 1a and 1b.

-Tom
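The check Jerry suggested earlier in the thread (search the iptables-save output for DNAT and confirm that the matching ACCEPT rules exist in the filter table) can be done mechanically. The script below is an added example, not code from the thread or from Shorewall: it parses iptables-save text, works out the destination each DNAT rule produces after translation, and reports any target that no ACCEPT rule would admit as a NEW connection. The sample input is a constructed excerpt modelled on the output posted above, with one extra DNAT rule (port 8080 to 192.168.0.5:80) that has no ACCEPT, so the report is non-empty; the names `parse_save`, `dnat_targets`, `accept_covers` and `missing_accepts` are this example's own.

```python
"""Check that every DNAT rule in iptables-save output has a filter-table ACCEPT
that admits the post-NAT connection. Example code, not from the thread or Shorewall."""
import ipaddress
from typing import Dict, List, Optional, Set, Tuple

Rule = Dict[str, str]

# Constructed excerpt in iptables-save format, modelled on the output posted above.
# The 8080 -> 192.168.0.5:80 DNAT is an added rule that deliberately lacks an ACCEPT.
SAMPLE_SAVE = """\
*nat
:PREROUTING ACCEPT [0:0]
:net_dnat - [0:0]
-A PREROUTING -i eth1 -j net_dnat
-A net_dnat -p tcp -m tcp --dport 50000:50010 -j DNAT --to-destination 192.168.0.3
-A net_dnat -p udp -m udp --dport 50000:50010 -j DNAT --to-destination 192.168.0.3
-A net_dnat -p tcp -m tcp --dport 21 -j DNAT --to-destination 192.168.0.3
-A net_dnat -p tcp -m tcp --dport 8080 -j DNAT --to-destination 192.168.0.5:80
COMMIT
*filter
:FORWARD DROP [0:0]
:net2loc - [0:0]
-A FORWARD -m state --state RELATED,ESTABLISHED -j ACCEPT
-A net2loc -d 192.168.0.3 -p tcp -m tcp --dport 50000:50010 -j ACCEPT
-A net2loc -d 192.168.0.3 -p udp -m udp --dport 50000:50010 -j ACCEPT
-A net2loc -d 192.168.0.3 -p tcp -m tcp --dport 21 -j ACCEPT
COMMIT
"""


def parse_save(text: str) -> Dict[str, List[Rule]]:
    """Group '-A' lines by table. Each rule becomes {option: value}; the chain name
    is stored under 'chain'. Bare tokens such as '!' are kept with an empty value."""
    tables: Dict[str, List[Rule]] = {}
    table: Optional[str] = None
    for raw in text.splitlines():
        line = raw.strip()
        if line.startswith("*"):
            table = line[1:]
            tables.setdefault(table, [])
        elif line.startswith("-A ") and table is not None:
            tokens = line.split()
            rule: Rule = {"chain": tokens[1]}
            i = 2
            while i < len(tokens):
                has_value = i + 1 < len(tokens) and not tokens[i + 1].startswith("-")
                rule[tokens[i]] = tokens[i + 1] if has_value else ""
                i += 2 if has_value else 1
            tables[table].append(rule)
    return tables


def port_range(spec: str) -> Tuple[int, int]:
    """'21' -> (21, 21); '50000:50010' -> (50000, 50010); '80-90' -> (80, 90)."""
    lo, _, hi = spec.replace("-", ":").partition(":")
    return int(lo), int(hi or lo)


def dnat_targets(tables: Dict[str, List[Rule]]) -> List[Tuple[str, str, int, int]]:
    """(proto, ip, lo, hi) for each DNAT rule: the destination a forwarded packet
    has after NAT. A port in --to-destination replaces the original port(s)."""
    out = []
    for rule in tables.get("nat", []):
        if rule.get("-j") != "DNAT" or "--dport" not in rule:
            continue
        ip, _, port = rule["--to-destination"].partition(":")
        lo, hi = port_range(port) if port else port_range(rule["--dport"])
        out.append((rule.get("-p", "all"), ip, lo, hi))
    return out


def accept_covers(rule: Rule, proto: str, ip: str, lo: int, hi: int) -> bool:
    """True if this filter rule would ACCEPT a NEW connection to ip:lo-hi over proto.
    Only -p, -d and --dport are interpreted; multiport --dports is not handled."""
    if rule.get("-j") != "ACCEPT":
        return False
    if "--state" in rule or "--ctstate" in rule:
        return False  # RELATED,ESTABLISHED rules never admit a connection's first packet
    if "-p" in rule and rule["-p"] != proto:
        return False
    if "-d" in rule:
        net = ipaddress.ip_network(rule["-d"], strict=False)  # dotted masks accepted
        if ipaddress.ip_address(ip) not in net:
            return False
    if "--dport" in rule:
        alo, ahi = port_range(rule["--dport"])
        if lo < alo or hi > ahi:
            return False
    return True


def missing_accepts(text: str, chains: Optional[Set[str]] = None) -> List[Tuple[str, str, int, int]]:
    """DNAT targets that no ACCEPT rule covers. 'chains' restricts the search to the
    filter chains that actually see the traffic (reachability is not analysed)."""
    tables = parse_save(text)
    candidates = [r for r in tables.get("filter", []) if chains is None or r["chain"] in chains]
    return [t for t in dnat_targets(tables) if not any(accept_covers(r, *t) for r in candidates)]


if __name__ == "__main__":
    for proto, ip, lo, hi in missing_accepts(SAMPLE_SAVE, chains={"net2loc"}):
        print(f"no ACCEPT for DNAT target {proto} {ip} ports {lo}-{hi}")
```

Run against the full output posted above with `chains={"net2loc"}`, all three DNAT targets (tcp and udp 50000-50010, tcp 21, all to 192.168.0.3) are matched by the net2loc ACCEPT rules, which agrees with Tom's view that the failure is not in netfilter. The check does not follow jumps between chains, so a catch-all `-j ACCEPT` in an unrelated chain (loc2all, fw2all) would satisfy it unless the search is narrowed to the zone chain that handles the traffic.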
Ziga Milek wrote:
> When i try to connect to it using flashfxp it says:
>
> [22:16:11] WinSock 2.0 -- OpenSSL 0.9.7g 11 Apr 2005
> [22:16:17] [R] Connecting to cauchy.homeip.net -> DNS=cauchy.homeip.net
> IP=89.212.9.43 PORT=21
> [22:16:18] [R] Connection failed (Connection refused)
> [22:16:18] [R] Delaying for 120 seconds before reconnect attempt #1
>
> I don't think it's the dnat causing the problem because torrents and ed2k
> and some other things work fine (on ports 50000-50004). And also if i use
> utorrent port checker on port 21
> (http://www.utorrent.com/testport.php?port=21) it says that it's open and
> accepting connections. It has to be something specific to ftp.

At the risk of repeating myself, you need to follow the DNAT
troubleshooting tips in Shorewall FAQs 1a and 1b.

> Here is the complete output of iptables-save if it helps:

I don't think this has anything to do with iptables/netfilter/Shorewall.

-Tom
--
Tom Eastep        \ Nothing is foolproof to a sufficiently talented fool
Shoreline,         \ http://shorewall.net
Washington USA      \ teastep@shorewall.net
PGP Public Key       \ https://lists.shorewall.net/teastep.pgp.key
Tom Eastep wrote:
> Ziga Milek wrote:
>> When i try to connect to it using flashfxp it says:
>>
>> [22:16:11] WinSock 2.0 -- OpenSSL 0.9.7g 11 Apr 2005
>> [22:16:17] [R] Connecting to cauchy.homeip.net -> DNS=cauchy.homeip.net
>> IP=89.212.9.43 PORT=21
>> [22:16:18] [R] Connection failed (Connection refused)
>> [22:16:18] [R] Delaying for 120 seconds before reconnect attempt #1
>>
>> I don't think it's the dnat causing the problem because torrents and ed2k
>> and some other things work fine (on ports 50000-50004). And also if i use
>> utorrent port checker on port 21
>> (http://www.utorrent.com/testport.php?port=21) it says that it's open and
>> accepting connections. It has to be something specific to ftp.
>
> At the risk of repeating myself, you need to follow the DNAT
> troubleshooting tips in Shorewall FAQs 1a and 1b.

And please use a simple line mode FTP client so you know which connection
is failing.

-Tom
--
Tom Eastep        \ Nothing is foolproof to a sufficiently talented fool
Shoreline,         \ http://shorewall.net
Washington USA      \ teastep@shorewall.net
PGP Public Key       \ https://lists.shorewall.net/teastep.pgp.key
Ziga Milek wrote:
> When i try to connect to it using flashfxp it says:
>
> [22:16:11] WinSock 2.0 -- OpenSSL 0.9.7g 11 Apr 2005
> [22:16:17] [R] Connecting to cauchy.homeip.net -> DNS=cauchy.homeip.net
> IP=89.212.9.43 PORT=21
> [22:16:18] [R] Connection failed (Connection refused)
> [22:16:18] [R] Delaying for 120 seconds before reconnect attempt #1
>
> I don't think it's the dnat causing the problem because torrents and ed2k
> and some other things work fine (on ports 50000-50004). And also if i use
> utorrent port checker on port 21
> (http://www.utorrent.com/testport.php?port=21) it says that it's open and
> accepting connections. It has to be something specific to ftp. Here is the
> complete output of iptables-save if it helps:
>
<snip>
> -A net_dnat -p tcp -m tcp --dport 50000:50010 -j DNAT --to-destination
> 192.168.0.3
> -A net_dnat -p udp -m udp --dport 50000:50010 -j DNAT --to-destination
> 192.168.0.3
> -A net_dnat -p tcp -m tcp --dport 21 -j DNAT --to-destination 192.168.0.3

Where are you testing from? If you're using a machine that is on your local
LAN, that will never work unless you state the "original destination" in
your DNAT rule, like what was posted earlier for you, and follow the rest of
FAQ 2.

From here I get a connection:

[jerry@squid jerry]# ftp cauchy.homeip.net
Connected to cauchy.homeip.net (89.212.9.43).
220 Serv-U FTP Server v6.3 for WinSock ready...
Name (cauchy.homeip.net:jerry):

The other problem is that the FTP server is bannering the wrong IP
address/name; that will break the netfilter helper modules if you do that.
You should not set that to what your public IP address/DNS name is. This
issue is mentioned in the FTP page.

Jerry
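Jerry's second point, that a server behind DNAT must not put the public address into its own passive-mode replies, is what the FTP connection-tracking helper enforces. The following is an added example and not code from the thread, from Shorewall or from the kernel; it is a simplified model of how nf_conntrack_ftp and nf_nat_ftp handle a `227` reply in their default configuration. It parses the reply and applies the same decision: when the advertised address equals the server's own address on the control connection, the data connection is expected (so it arrives as RELATED) and the NAT helper rewrites the address to the public one; when the server has already inserted the public address, no expectation is created and the client's data connection arrives as NEW, which the FORWARD policy above then rejects. The private and public addresses are the thread's (192.168.0.3 behind 89.212.9.43); the data port in the two sample replies is constructed, and `parse_pasv` and `process_pasv` are this example's own names.

```python
"""Model of how the netfilter FTP helper treats a PASV (227) reply from a server
behind DNAT. Added example: a simplification of nf_conntrack_ftp/nf_nat_ftp."""
import re
from typing import Dict, Optional, Tuple

# 227 Entering Passive Mode (h1,h2,h3,h4,p1,p2)
PASV_RE = re.compile(
    r"^227 .*?\((\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3})\)")


def parse_pasv(reply: str) -> Optional[Tuple[str, int]]:
    """Return (ip, port) advertised by a 227 reply, or None if it does not parse."""
    m = PASV_RE.search(reply)
    if not m:
        return None
    fields = [int(x) for x in m.groups()]
    if any(f > 255 for f in fields):
        return None
    h1, h2, h3, h4, p1, p2 = fields
    return f"{h1}.{h2}.{h3}.{h4}", p1 * 256 + p2


def process_pasv(reply: str, server_addr: str, public_addr: str) -> Dict[str, object]:
    """Decide what the helper does with a 227 reply leaving a server behind DNAT.

    server_addr: the server's address on the control connection as the firewall
                 sees it (192.168.0.3 in the thread).
    public_addr: the address the DNAT rule maps onto it (89.212.9.43 in the thread).
    Returns the reply as it will reach the client, the expected data connection
    (None when no expectation is created) and a short reason."""
    parsed = parse_pasv(reply)
    if parsed is None:
        return {"reply": reply, "expected": None, "reason": "not a PASV reply"}
    ip, port = parsed
    if ip != server_addr:
        # The server announced an address that is not its own (e.g. Serv-U configured
        # to insert the public IP). In its default mode the conntrack helper requires
        # the announced address to be the server's, so it sets up no expectation; the
        # client's data connection then arrives as NEW rather than RELATED.
        return {"reply": reply, "expected": None,
                "reason": f"announced {ip} but server is {server_addr}"}
    # Address matches: an expectation is created for the data connection, and the NAT
    # helper rewrites the address in the reply to the public side of the DNAT.
    rewritten = reply.replace("(" + ip.replace(".", ",") + ",",
                              "(" + public_addr.replace(".", ",") + ",", 1)
    return {"reply": rewritten, "expected": (public_addr, port), "reason": "ok"}


# Constructed sample replies; data port 195*256+89 = 50009 lies inside the
# 50000:50010 range that the thread's DNAT rules forward to 192.168.0.3.
GOOD_REPLY = "227 Entering Passive Mode (192,168,0,3,195,89)"
BAD_REPLY = "227 Entering Passive Mode (89,212,9,43,195,89)"

if __name__ == "__main__":
    for r in (GOOD_REPLY, BAD_REPLY):
        print(process_pasv(r, "192.168.0.3", "89.212.9.43"))
```

The useful observation for troubleshooting is that the two failure modes look different on the firewall: a refused control connection (the symptom in the thread) never involves the helper at all, while a helper mismatch shows up only after login, as a stalled `ls` or transfer, with the client's data connection logged by the FORWARD chain as NEW.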