|
iptables / FTP masquerading: Port command illegal
Hi Everyone,
I finally got my FTP server working on my Red Hat 9 Linux firewall box. For some reason, I could only get it to work on a port other than 21. I elected for port 29 and changed /etc/services ftp entry and my firewally rules accordingly. For some reason, if I change back to 21, no response sent by ftp server to syn pkt from client ftp. If anyone has any ideas why it works on any other port than 21, please let me know.
Anyways, i got passive mode ftp to work on this box. However, active mode fails. and it complains:
ftp> dir
500 Illegal PORT command.
ftp: bind: Address already in use
When i look at the packets, I see the client sending a Port cmd using its non-routable IP. This then passes through a firewall, and the source IP gets translated to a public IP. Then hits my Linux firewall and I the vsftpd process it and sends back that Illegal port response.
My firewall is using DHCP over my DSL connection. Hence I am using MASQUERADING in iptables:
-A POSTROUTING -o eth1 -j MASQUERADE
modules in memory are:
ip_conntrack_ftp 5296 1 (autoclean)
ip_nat_ftp 4112 0 (unused)
iptable_mangle 2776 0 (autoclean) (unused)
tulip 43840 1
ipt_MASQUERADE 2200 1 (autoclean)
iptable_nat 21720 2 (autoclean) [ip_nat_ftp ipt_MASQUERADE]
ipt_state 1048 10 (autoclean)
ip_conntrack 26976 3 (autoclean) [ip_conntrack_ftp ip_nat_ftp ipt_M
ASQUERADE iptable_nat ipt_state]
iptable_filter 2412 1 (autoclean)
ip_tables 15096 7 [iptable_mangle ipt_MASQUERADE iptable_nat ipt
_state iptable_filter]
Anybody know whats going on?
Thanks Gurus!
|
