Raimonds Cicans
2014-Jul-24 23:18 UTC
DNAT FTP from non standard port to standard port & passive FTP connections
Hello.

Short version: should a rule like the one below work with passive FTP connections (from the Shorewall / nf_conntrack_ftp point of view)?

DNAT inet dmz:somehost:21 tcp someport

Long version:

First I want to apologize for not posting all required data. This data contains sensitive information. So I will try to describe the situation as much as possible.

shorewall version: 4.5.18
kernel version: 3.12.21

/etc/modprobe.d/ftp.conf:
options nf_conntrack_ftp ports=21,24354

/sys/module/nf_conntrack_ftp/parameters/ports:
21,24354

/etc/shorewall/policy:
inet all DROP info

/etc/shorewall/rules:
DNAT inet dmz:somehost:21 tcp 24354

Problem: command connections go to the FTP server flawlessly, but data connections get dropped by Shorewall.

The previous administrator said it worked some time ago.

I tried to set the nf_conntrack_ftp parameter "loose" to 1, but this did not help.

When I get access to the FTP server I will try to set its port to 24354.

FTP client logs show that the server sends its internal address as the address for data connections. It looks like a problem with the nf_conntrack_ftp module...

Raimonds Cicans