Bug 66342

Summary: iptables nat rh 7.2 and 7.3
Product: [Retired] Red Hat Linux
Reporter: flavio <hostmaster>
Component: kernel
Assignee: Arjan van de Ven <arjanv>
Status: CLOSED CURRENTRELEASE
QA Contact: Brian Brock <bbrock>
Severity: medium
Priority: medium
Version: 7.3
CC: l_magnus_j, wtogami
Hardware: i686
OS: Linux
Doc Type: Bug Fix
Last Closed: 2004-09-30 15:39:39 UTC

Description flavio 2002-06-08 07:39:57 UTC
From Bugzilla Helper:
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1)

Description of problem:
With kernels 2.4.18-3 and 2.4.18-4 on RH 7.3, and 2.4.9-31 and 2.4.9-34 on RH 7.2,
iptables NAT breaks FTP communication.



Version-Release number of selected component (if applicable):


How reproducible:
Always

Steps to Reproduce:
1. Install the kernel 2.4.18-4 rpm on a Red Hat 7.3 server with two network cards.
Then load the following iptables rule:
IPTABLES -t nat -A POSTROUTING -o X.X.X.X -s 10.0.0.1/24 -j SNAT --to-source X.X.X.X
Then connect to any FTP server (for example ftp.redhat.com) from a PC on the
private network (for example 10.0.0.2):

ftp://ftp.XXXXXX.com
We enter our username and password:
230 User XXXXX logged in.
ftp> ls
or any other command,
in either passive or active mode.

Actual Results:  An error of this kind is always generated:

500 invalid port command
150 Opening ASCII mode data connection for file list.

while with other graphical clients:
200 Type set A
500 Invalid PORT command.
500 LPRT 6,16,0,0,0,0,0,0,0,0,67,0,0,0,0,0,0,0,0,202,96,2,6,89: command not
understood.








Expected Results:  It should connect to the FTP server normally.

Additional info:

We downloaded kernel 2.4.18 from kernel.org, configured and compiled it, selected
this kernel at reboot, and everything worked normally.

Comment 1 Warren Togami 2002-06-08 10:23:05 UTC
Does it work in the Red Hat kernel if you manually insert one of the following
kernel modules?

ip_conntrack_ftp.o
ip_nat_ftp.o

I can't remember which exactly, but it works for my Win2000 clients on my
network.  I think it is required for active FTP, especially really picky FTP
clients like Internet Explorer.



Comment 2 flavio 2002-06-08 12:36:03 UTC
All the modules needed to make FTP work are there!!
But it does not work!!!!!!
lsmod
Module                  Size  Used by    Not tainted
ip_conntrack_irc        3648   0  (unused)
ip_conntrack_ftp        4768   0  (unused)
ipt_unclean             7744   0  (unused)
maestro3               28072   0  (autoclean)
ac97_codec             11872   0  (autoclean) [maestro3]
soundcore               6436   2  (autoclean) [maestro3]
3c59x                  27432   1
ipt_REJECT              3968   1  (autoclean)
ipt_state               1408  21  (autoclean)
ip_conntrack           20044   3  (autoclean) [ip_conntrack_irc ip_conntrack_ftp
 ipt_state]
ipt_TOS                 1856  16  (autoclean)
ipt_LOG                 4576  36  (autoclean)
ipt_limit               1824  36  (autoclean)
iptable_mangle          3008   1  (autoclean)
iptable_filter          2624   1  (autoclean)
ip_tables              13536   8  [ipt_unclean ipt_REJECT ipt_state ipt_TOS ipt_
LOG ipt_limit iptable_mangle iptable_filter]
ide-cd                 29856   0  (autoclean)
cdrom                  33184   0  (autoclean) [ide-cd]
usb-uhci               23492   0  (unused)
usbcore                71168   1  [usb-uhci]


The recompiled kernel is the same as the Red Hat one, with the modules loaded
manually, and it works

lsmod
Module                  Size  Used by    Not tainted
ip_conntrack_irc        3648   0  (unused)
ip_conntrack_ftp        4768   0  (unused)
ipt_unclean             7744   0  (unused)
maestro3               28072   0  (autoclean)
ac97_codec             11872   0  (autoclean) [maestro3]
soundcore               6436   2  (autoclean) [maestro3]
3c59x                  27432   1
ipt_REJECT              3968   1  (autoclean)
ipt_state               1408  21  (autoclean)
ip_conntrack           20044   3  (autoclean) [ip_conntrack_irc ip_conntrack_ftp
 ipt_state]
ipt_TOS                 1856  16  (autoclean)
ipt_LOG                 4576  36  (autoclean)
ipt_limit               1824  36  (autoclean)
iptable_mangle          3008   1  (autoclean)
iptable_filter          2624   1  (autoclean)
ip_tables              13536   8  [ipt_unclean ipt_REJECT ipt_state ipt_TOS ipt_
LOG ipt_limit iptable_mangle iptable_filter]
ide-cd                 29856   0  (autoclean)
cdrom                  33184   0  (autoclean) [ide-cd]
usb-uhci               23492   0  (unused)
usbcore                71168   1  [usb-uhci]



Comment 3 Warren Togami 2002-06-09 02:29:03 UTC
I asked MonMotha monmotha.com about this, and he agrees that it may be a
Red Hat kernel bug.  MonMotha is the author of MonMotha's Iptables Firewall
script, a widely used iptables script on Freshmeat.  Here are his messages below:

****
Make sure the FTP server is on port 21 as that is all the conntracker tracks by
default.

Also, the FTP helper seems to be a bit flaky.  If the server is at all picky
about PORT commands (some are to prevent bounce attacks), it often errors back
with an invalid message. Using PASV mode is an easy way to get around this.
****
Sorry for the double reply, but unless they have changed iptables since the man
page I have, -o doesn't take an IP; It takes an interface, but it would error
back without even inserting the rule and therefore none of the NAT would work,
so that doesn't seem to be the problem.
****
Ack, triple reply (having trouble reading the english translation and I'm
missing stuff :)

Actually, it looks like it could be a RH kernel bug.  He says he downloaded the
kernel from kernel.org and compiled it himself and then it works, but not under
the (same kernel version, save for RedHat's patches) RH kernel.

Comment 4 Warren Togami 2002-06-09 02:34:57 UTC
One more thing to test regarding what MonMotha mentioned about PASV mode.  Does
ncftp on client machines behind your NAT machine work to download files from FTP
servers outside your local network?


Comment 5 flavio 2002-06-10 06:45:19 UTC
I have tried several FTP clients but the result is the same in both passive and
active mode.
The firewall chains are all open; the only rules inserted are:


Comment 6 Zoltan Arpadffy 2002-09-18 11:53:20 UTC
Seems you do not have a masquerade set up.
It works perfectly for me, here is my config:
modprobe ip_conntrack
modprobe ip_conntrack_ftp
modprobe ip_conntrack_irc
modprobe ip_nat_ftp
modprobe ipt_LOG
modprobe iptable_filter
modprobe iptable_nat
modprobe ip_tables

iptables -F
# here comes the important part for YOU
iptables -t nat -A POSTROUTING -o eth1 -j MASQUERADE
iptables -I FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT


Comment 7 Bugzilla owner 2004-09-30 15:39:39 UTC
Thanks for the bug report. However, Red Hat no longer maintains this version of
the product. Please upgrade to the latest version and open a new bug if the problem
persists.

The Fedora Legacy project (http://fedoralegacy.org/) maintains some older releases, 
and if you believe this bug is interesting to them, please report the problem in
the bug tracker at: http://bugzilla.fedora.us/