Old 08-12-2005, 11:54 AM   #1
varun_saa
Member
 
Registered: Dec 2004
Posts: 188

Rep: Reputation: 30
ftp problem


Hello,
My server FC4
eth0 is wan with static IP.
eth1 lan

My iptables rules are as follows :

# Generated by iptables-save v1.2.11 on Wed May 11 11:06:56 2005 *nat
:OUTPUT ACCEPT [0:0] :PREROUTING ACCEPT [0:0] :POSTROUTING ACCEPT [0:0]
-A POSTROUTING -s 192.168.0.0/24 -o eth0 -j SNAT --to 6x.xxx.xxx.xx
COMMIT # Completed on Wed May 11 11:06:56 2005 # Generated by
iptables-save v1.2.11 on Wed May 11 11:06:56 2005 *mangle :PREROUTING
ACCEPT [93:9058] :INPUT ACCEPT [85:8650] :FORWARD ACCEPT [8:408] :OUTPUT
ACCEPT [88:8886] :POSTROUTING ACCEPT [95:9218] COMMIT # Completed on Wed
May 11 11:06:56 2005 # Generated by iptables-save v1.2.11 on Wed May 11
11:06:56 2005 *filter :INPUT ACCEPT [85:8650] :FORWARD ACCEPT [8:408]
:OUTPUT ACCEPT [87:8810] -P FORWARD DROP -A FORWARD -m state --state
RELATED,ESTABLISHED -j ACCEPT -A FORWARD -i eth1 -o eth0 -p tcp --dport
25 -j ACCEPT -A FORWARD -i eth1 -o eth0 -p tcp --dport 110 -j ACCEPT -A
FORWARD -p udp --dport 53 -j ACCEPT -A OUTPUT -p udp --dport 53 --sport
1024: -j ACCEPT COMMIT # Completed on Wed May 11 11:06:56 2005

-------------------------- end rules-----------------------------


I am having problems with ftp uploads/downloads for :

ftp.sriaurobindoashram.com

Using gftp from the server :

1. gftp -> ftp->options->ftp->passive all transfer - checked

Gets connected but gets stuck at receiving file names

What could the problem be ?
Any rules that I need to add ?

Thanks

Varun
 
Old 08-13-2005, 07:12 AM   #2
misc
Senior Member
 
Registered: Apr 2003
Distribution: Red Hat + Fedora
Posts: 1,084

Rep: Reputation: 54
Your output of iptables-save is awfully difficult to read. Why did you drop all those useful linebreaks?

Do you have the netfilter NAT FTP and FTP Connection Tracking kernel modules loaded?
Do you have IP forwarding activated via sysctl?
What do your network configuration details look like on client and server?
 
Old 08-13-2005, 10:08 PM   #3
varun_saa
Member
 
Registered: Dec 2004
Posts: 188

Original Poster
Rep: Reputation: 30
Yes, /etc/sysctrl.conf is fine.

I am not very sure and clear about your first point.

The FC4 server is used by clients to send/receive mails.

" ftp.sriaurobindoashram.com " is on windows 2000 advanced server
managed by our friend in US.

Actually I am able to connect to other ftp sites and so are the
clients.

Why does this site give a problem ?

Thanks for your time

Varun
 
Old 08-14-2005, 08:12 AM   #4
misc
Senior Member
 
Registered: Apr 2003
Distribution: Red Hat + Fedora
Posts: 1,084

Rep: Reputation: 54
Your network topology is not clear to me at all due to lack of details. Sorry. And since you didn't answer the other questions, I can't even try to help. SNAT and FTP are involved, so much more details about your networking scenario and configuration are needed.
 
Old 08-14-2005, 12:13 PM   #5
varun_saa
Member
 
Registered: Dec 2004
Posts: 188

Original Poster
Rep: Reputation: 30
I am not sure about network topography question.

FC4 is server .
eth0 is wan with static IP connected to 514K DSL.
eth1 is lan - 192.168.0.0/24

Clients connect to eth1 of FC4 server for mail, browsing, etc.

" Do you have the netfilter NAT FTP and FTP Connection Tracking kernel modules loaded? "
I don't think so ? Can you explain ?

What I don't understand is why a particular ftp site does
not connect, while others connect ?

Thanks in advance

Varun
 
Old 08-14-2005, 12:54 PM   #6
misc
Senior Member
 
Registered: Apr 2003
Distribution: Red Hat + Fedora
Posts: 1,084

Rep: Reputation: 54
Well, I cannot verify whether the ftp server supports passive mode or whether it enforces active mode. In case of the latter, the ftp server would open a connection to your host provided that your ftp client sent him the correct NAT'ed IP address. It doesn't do that if FTP NAT is not enabled. For passive mode, you don't need it.

What output do you get when running "lsmod"? What output do you get when running "cat /etc/sysconfig/iptables-config"?

[With "network topology" I mean the structure of your network. You use the terms "server" and "client" and refer to an ftp server by name, but it seems there is only one relevant Linux host involved in your networking scenario. And that is your FC4 host trying to connect to an ftp server on the Internet.]
 
Old 08-14-2005, 10:55 PM   #7
varun_saa
Member
 
Registered: Dec 2004
Posts: 188

Original Poster
Rep: Reputation: 30
FC4 is server .
eth0 is wan with static IP connected to 514K DSL.
eth1 is lan - 192.168.0.0/24

Clients connect to eth1 of FC4 server for mail, browsing, etc.

WAN -----> eth0 - FC4 server - eth1 -----------> clients ( 192.168.0.0/ 24 )
FC4 server is only for sharing internet , mails, etc for clients system.
I do not run any ftp server on my FC4 server.

My ftp server is on windows 2000 advanced server run by our
friend in US.

From my FC4 server I am able to connect to " ftp.sriaurobindoashram.com "
with " passive files transfer " - unchecked in gftp.
Using " passive files transfer " - checked in gftp it connects and stops at
receiving files names.

So I guess Win2k server does not support passive mode. And we
need to concentrate on non-passive mode.

Now on the client systems with " passive files transfer " - unchecked in gftp.
I get the following error :

Looking up ftp.sriaurobindoashram.com
Trying www.sriaurobindoashram.com:21
Connected to ftp.sriaurobindoashram.com:21
220 ns1 Microsoft FTP Service (Version 5.0).
USER xxxxxxxx

331 Password required for xxxxxxxx.
PASS xxxx
230 User xxxxxxxx logged in.
SYST

215 Windows_NT version 5.0
TYPE I

200 Type set to I.
PWD

257 "/xxxxxxxxx" is current directory.
Loading directory listing /xxxxxxxx from server (LC_TIME=en_US)
PORT 192,168,0,253,4,3

500 Invalid PORT Command.
Invalid response '5' received from server.
Disconnecting from site ftp.sriaurobindoashram.com

Results from lsmod :

[root@saaserver ~]# lsmod
Module Size Used by
i915 19009 1
drm 70101 2 i915
ipt_mac 1857 90
sch_sfq 5825 144
cls_u32 8261 3
sch_htb 18497 3
ipt_MASQUERADE 3265 1
iptable_nat 21917 2 ipt_MASQUERADE
autofs4 29253 2
sunrpc 167813 1
ipt_REJECT 5569 0
ipt_state 1857 0
ip_conntrack 41497 3 ipt_MASQUERADE,iptable_nat,ipt_state
iptable_filter 2881 1
ip_tables 19393 6 ipt_mac,ipt_MASQUERADE,iptable_nat,ipt_REJECT,ipt_state,iptable_filter
md5 4033 1
ipv6 267841 16
dm_mod 58101 0
video 15941 0
button 6609 0
battery 9413 0
ac 4805 0
uhci_hcd 35153 0
ehci_hcd 41037 0
i2c_i801 8781 0
i2c_core 21569 1 i2c_i801
snd_intel8x0 34689 1
snd_ac97_codec 75961 1 snd_intel8x0
snd_seq_dummy 3653 0
snd_seq_oss 37057 0
snd_seq_midi_event 9153 1 snd_seq_oss
snd_seq 62289 5 snd_seq_dummy,snd_seq_oss,snd_seq_midi_event
snd_seq_device 8781 3 snd_seq_dummy,snd_seq_oss,snd_seq
snd_pcm_oss 51185 0
snd_mixer_oss 17857 1 snd_pcm_oss
snd_pcm 100169 3 snd_intel8x0,snd_ac97_codec,snd_pcm_oss
snd_timer 33605 2 snd_seq,snd_pcm
snd 57157 11 snd_intel8x0,snd_ac97_codec,snd_seq_oss,snd_seq,snd_seq_device,snd_pcm_oss,snd_mixer_oss,snd_pcm,snd_timer
soundcore 10913 1 snd
snd_page_alloc 9669 2 snd_intel8x0,snd_pcm
8139too 30017 0
mii 5441 1 8139too
floppy 65141 0
ext3 132681 5
jbd 86233 1 ext3
--------------------------------------------------------------------------------------------------------------
Results from cat /etc/sysconfig/iptables-config :

[root@saaserver ~]# cat /etc/sysconfig/iptables-config
# Load additional iptables modules (nat helpers)
# Default: -none-
# Space separated list of nat helpers (e.g. 'ip_nat_ftp ip_nat_irc'), which
# are loaded after the firewall rules are applied. Options for the helpers are
# stored in /etc/modprobe.conf.
IPTABLES_MODULES=""

# Unload modules on restart and stop
# Value: yes|no, default: yes
# This option has to be 'yes' to get to a sane state for a firewall
# restart or stop. Only set to 'no' if there are problems unloading netfilter
# modules.
IPTABLES_MODULES_UNLOAD="yes"

# Save current firewall rules on stop.
# Value: yes|no, default: no
# Saves all firewall rules to /etc/sysconfig/iptables if firewall gets stopped
# (e.g. on system shutdown).
IPTABLES_SAVE_ON_STOP="no"

# Save current firewall rules on restart.
# Value: yes|no, default: no
# Saves all firewall rules to /etc/sysconfig/iptables if firewall gets
# restarted.
IPTABLES_SAVE_ON_RESTART="no"

# Save (and restore) rule and chain counter.
# Value: yes|no, default: no
# Save counters for rules and chains to /etc/sysconfig/iptables if
# 'service iptables save' is called or on stop or restart if SAVE_ON_STOP or
# SAVE_ON_RESTART is enabled.
IPTABLES_SAVE_COUNTER="no"

# Numeric status output
# Value: yes|no, default: yes
# Print IP addresses and port numbers in numeric format in the status output.
IPTABLES_STATUS_NUMERIC="yes"
---------------------------------------------------------------------------------------------------------------------------------------

I hope that is a lot of details

Thanks for time

Varun
 
Old 08-15-2005, 05:47 AM   #8
misc
Senior Member
 
Registered: Apr 2003
Distribution: Red Hat + Fedora
Posts: 1,084

Rep: Reputation: 54
Quote:
From my FC4 server I am able to connect to " ftp.sriaurobindoashram.com "
with " passive files transfer " - unchecked in gftp.
That's because your FC4 server has a static IP and can be reached from the Internet for an Active FTP transfer.
Quote:
Now on the client systems with " passive files transfer " - unchecked in gftp.
I get the following error :
From the clients in your private LAN, you cannot do Active FTP, since the FTP server could not open a new data connection into your LAN. It would only reach your FC4 server.
Quote:
Loading directory listing /xxxxxxxx from server (LC_TIME=en_US)
PORT 192,168,0,253,4,3
Here you see a private IP from your LAN, which should never appear in the FTP protocol for connections into the Internet.

Quote:
Results from lsmod :
You need to "modprobe ip_nat_ftp" and "modprobe ip_conntrack_ftp" for full NAT support on your FC4 host.

Quote:
Results from cat /etc/sysconfig/iptables-config :
You can load the kernel modules through the help of this file, provided that you really use FC4's "iptables" service, have it turned on with "chkconfig" and don't run your own firewall script somewhere.

See here:
Quote:
[root@saaserver ~]# cat /etc/sysconfig/iptables-config
# Load additional iptables modules (nat helpers)
# Default: -none-
# Space separated list of nat helpers (e.g. 'ip_nat_ftp ip_nat_irc'), which
# are loaded after the firewall rules are applied. Options for the helpers are
# stored in /etc/modprobe.conf.
IPTABLES_MODULES=""
 
Old 08-17-2005, 05:16 AM   #9
varun_saa
Member
 
Registered: Dec 2004
Posts: 188

Original Poster
Rep: Reputation: 30
Ok, I got it working.
I loaded :
ip_conntrack_ftp
ip_nat_ftp

Now I am able to connect to " ftp.sriaurobindoashram.com "
but with " passive files transfer " - unchecked in gftp from client
system.

Though I can see my private IP.

I am not sure whether I got it working the correct way.
So do tell me your views.

Thanks again

Varun
 
Old 08-17-2005, 05:44 AM   #10
misc
Senior Member
 
Registered: Apr 2003
Distribution: Red Hat + Fedora
Posts: 1,084

Rep: Reputation: 54
Where do you see your private IP? At the client side in the ftp client? If so, that's normal, as that is what your ftp client submits. FTP NAT kicks in on a lower level.
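
The PORT argument discussed in posts #8 and #10, decoded, as an added example that is not part of the original thread: it parses the `PORT h1,h2,h3,h4,p1,p2` command, flags RFC 1918 addresses advertised on the control channel, and shows the rewritten command that reaches the server once a NAT FTP helper is active. The function names are hypothetical, `203.0.113.10` is a constructed placeholder for the masked static IP, and `nat_rewrite` only simulates the effect of `ip_nat_ftp`, not its kernel code.

```python
import ipaddress
import re

# RFC 1918 ranges, checked explicitly (ipaddress.is_private covers more than these).
RFC1918 = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]
PORT_RE = re.compile(r"^PORT (\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3})\s*$")

# Control-channel lines taken from the gftp log in post #7.
SAMPLE = 'PWD\n257 "/xxxxxxxxx" is current directory.\nPORT 192,168,0,253,4,3\n500 Invalid PORT Command.\n'


def decode_port(line):
    """Return (IPv4Address, port) for an FTP PORT command, or None if malformed."""
    m = PORT_RE.match(line)
    if not m:
        return None
    nums = [int(g) for g in m.groups()]
    if any(n > 255 for n in nums):
        return None
    addr = ipaddress.IPv4Address(".".join(str(n) for n in nums[:4]))
    return addr, nums[4] * 256 + nums[5]  # port = p1 * 256 + p2


def is_rfc1918(addr):
    return any(addr in net for net in RFC1918)


def leaked_private(transcript):
    """List (line_no, address, port) for PORT commands that advertise a private address."""
    hits = []
    for no, line in enumerate(transcript.splitlines(), 1):
        decoded = decode_port(line.strip())
        if decoded and is_rfc1918(decoded[0]):
            hits.append((no, str(decoded[0]), decoded[1]))
    return hits


def nat_rewrite(line, public_ip, mapped_port):
    """Simulated helper rewrite: replace a private PORT with the NAT'ed address and port."""
    decoded = decode_port(line)
    if decoded is None or not is_rfc1918(decoded[0]):
        return line  # nothing to translate
    octets = str(ipaddress.IPv4Address(public_ip)).split(".")
    return "PORT " + ",".join(octets + [str(mapped_port >> 8), str(mapped_port & 0xFF)])


if __name__ == "__main__":
    print(leaked_private(SAMPLE))
    print(nat_rewrite("PORT 192,168,0,253,4,3", "203.0.113.10", 1027))
```

The FTP client still displays the private address it sent; the translated command exists only on the WAN side of the gateway.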
 
Old 08-17-2005, 08:56 AM   #11
varun_saa
Member
 
Registered: Dec 2004
Posts: 188

Original Poster
Rep: Reputation: 30
In the bottom most window in gftp.

So basically the server on which our site is is not
configured to support passive mode.

Is that correct conclusion ?

If so I don't think that is a good setting on the server ?

What do you think ?

Thanks for time. I did learn a few things.

Varun
 
Old 08-17-2005, 11:27 AM   #12
misc
Senior Member
 
Registered: Apr 2003
Distribution: Red Hat + Fedora
Posts: 1,084

Rep: Reputation: 54
Among the things to consider with Active FTP, you have the server initiate data connections back to the client, and hence FTP clients behind a Firewall/NAT may not be able to transfer to/from that server.
 