From Bugzilla Helper:
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1)

Description of problem:
Kernel 2.4.18-3 and 2.4.18-4 for 7.3, and 2.4.9-31 and 2.4.9.34 for RH 7.2: iptables NAT FTP communication error.

Version-Release number of selected component (if applicable):

How reproducible:
Always

Steps to Reproduce:
1. Install kernel 2.4.18-4.rpm on a Red Hat 7.3 server with two network cards. Then launch the following iptables chain:
IPTABLES -t nat -A POSTROUTING -o X.X.X.X -s 10.0.0.1/24 -j SNAT --to-source X.X.X.X
Then connect to any FTP server (example: ftp.redhat.com) from a PC on the private net (example: 10.0.0.2):
ftp://ftp.XXXXXX.com
We insert our username and password:
230 User XXXXX logged in.
ftp> ls, or any other command, in passive mode as well as active.

Actual Results:
An error of this type is always generated:
500 invalid port command
150 Opening ASCII mode data connection for file list.
while with other graphical systems:
200 Type set A
500 Invalid PORT command.
500 LPRT 6,16,0,0,0,0,0,0,0,0,67,0,0,0,0,0,0,0,0,202,96,2,6,89: commad not understood.

Expected Results:
It should connect normally to the FTP server.

Additional info:
We downloaded kernel 2.4.18 from kernel.org, configured and compiled it; on reboot we chose this kernel and everything worked normally.
Does it work in the Red Hat kernel if you manually insert one of the following kernel modules? ip_conntrack_ftp.o ip_nat_ftp.o I can't remember which exactly, but it works for my Win2000 clients on my network. I think it is required for active FTP, especially for really picky FTP clients like Internet Explorer.
All the modules needed to make FTP work are there!! But it does not work!!!!!!

lsmod
Module                  Size  Used by    Not tainted
ip_conntrack_irc        3648   0  (unused)
ip_conntrack_ftp        4768   0  (unused)
ipt_unclean             7744   0  (unused)
maestro3               28072   0  (autoclean)
ac97_codec             11872   0  (autoclean) [maestro3]
soundcore               6436   2  (autoclean) [maestro3]
3c59x                  27432   1
ipt_REJECT              3968   1  (autoclean)
ipt_state               1408  21  (autoclean)
ip_conntrack           20044   3  (autoclean) [ip_conntrack_irc ip_conntrack_ftp ipt_state]
ipt_TOS                 1856  16  (autoclean)
ipt_LOG                 4576  36  (autoclean)
ipt_limit               1824  36  (autoclean)
iptable_mangle          3008   1  (autoclean)
iptable_filter          2624   1  (autoclean)
ip_tables              13536   8  [ipt_unclean ipt_REJECT ipt_state ipt_TOS ipt_LOG ipt_limit iptable_mangle iptable_filter]
ide-cd                 29856   0  (autoclean)
cdrom                  33184   0  (autoclean) [ide-cd]
usb-uhci               23492   0  (unused)
usbcore                71168   1  [usb-uhci]

The recompiled kernel is the same as the Red Hat one, with the modules loaded by hand, and it works:

lsmod
Module                  Size  Used by    Not tainted
ip_conntrack_irc        3648   0  (unused)
ip_conntrack_ftp        4768   0  (unused)
ipt_unclean             7744   0  (unused)
maestro3               28072   0  (autoclean)
ac97_codec             11872   0  (autoclean) [maestro3]
soundcore               6436   2  (autoclean) [maestro3]
3c59x                  27432   1
ipt_REJECT              3968   1  (autoclean)
ipt_state               1408  21  (autoclean)
ip_conntrack           20044   3  (autoclean) [ip_conntrack_irc ip_conntrack_ftp ipt_state]
ipt_TOS                 1856  16  (autoclean)
ipt_LOG                 4576  36  (autoclean)
ipt_limit               1824  36  (autoclean)
iptable_mangle          3008   1  (autoclean)
iptable_filter          2624   1  (autoclean)
ip_tables              13536   8  [ipt_unclean ipt_REJECT ipt_state ipt_TOS ipt_LOG ipt_limit iptable_mangle iptable_filter]
ide-cd                 29856   0  (autoclean)
cdrom                  33184   0  (autoclean) [ide-cd]
usb-uhci               23492   0  (unused)
usbcore                71168   1  [usb-uhci]
I asked MonMotha (monmotha.com) about this, and he agrees that it may be a Red Hat kernel bug. MonMotha is the author of MonMotha's Iptables Firewall script, a widely used iptables script on Freshmeat. Here are his messages below:

****
Make sure the FTP server is on port 21 as that is all the conntracker tracks by default. Also, the FTP helper seems to be a bit flaky. If the server is at all picky about PORT commands (some are to prevent bounce attacks), it often errors back with an invalid message. Using PASV mode is an easy way to get around this.

****
Sorry for the double reply, but unless they have changed iptables since the man page I have, -o doesn't take an IP; it takes an interface, but it would error back without even inserting the rule and therefore none of the NAT would work, so that doesn't seem to be the problem.

****
Ack, triple reply (having trouble reading the English translation and I'm missing stuff :) Actually, it looks like it could be a RH kernel bug. He says he downloaded the kernel from kernel.org and compiled it himself and then it works, but not under the (same kernel version, save for Red Hat's patches) RH kernel.
One more thing to test regarding what MonMotha mentioned about PASV mode. Does ncftp on client machines behind your NAT machine work to download files from FTP servers outside your local network?
I have tried with more FTP clients, but the result is the same in passive and active mode. The firewall chains are all open; the only inserted rule is: I have tried with more FTP clients, but the result is the same in passive and active mode.
Seems you do not have a masquerade set up. It works perfectly for me; here is my config:

modprobe ip_conntrack
modprobe ip_conntrack_ftp
modprobe ip_conntrack_irc
modprobe ip_nat_ftp
modprobe ipt_LOG
modprobe iptable_filter
modprobe iptable_nat
modprobe ip_tables
iptables -F
# here comes the important part for YOU
iptables -t nat -A POSTROUTING -o eth1 -j MASQUERADE
iptables -I FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT
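The two points made in this thread, that servers which guard against FTP bounce reject a PORT command whose address does not match the control connection, and that the NAT box needs ip_nat_ftp (listed in the config above but absent from the reporter's lsmod output) to rewrite that address, can be shown together in a small model. The following is an added example written for this page, not code from the bug report, from MonMotha's script or from the kernel: it models what ip_nat_ftp does to the PORT payload and what a bounce-checking server replies, for a client at 10.0.0.2 behind a NAT box whose public address, data port and server policy (address must match the peer, port must be unprivileged) are all constructed for the demonstration. The real helper additionally sets up the expected data connection in conntrack; that part is left out.

```python
import re

# Constructed scenario values (not from the bug report): the client's private
# address, the public address the NAT box SNATs it to, and the data port the
# client chooses for an active-mode transfer.
PRIVATE_CLIENT = "10.0.0.2"
PUBLIC_NAT = "203.0.113.10"
DATA_PORT = 50123

PORT_RE = re.compile(r"^PORT\s+(\d{1,3}(?:,\d{1,3}){5})\s*$", re.IGNORECASE)


def parse_port(line):
    """Parse 'PORT h1,h2,h3,h4,p1,p2' into (ip, port); raise ValueError if malformed."""
    m = PORT_RE.match(line.strip())
    if not m:
        raise ValueError("not a PORT command: %r" % line)
    nums = [int(n) for n in m.group(1).split(",")]
    if any(n > 255 for n in nums):
        raise ValueError("octet out of range in %r" % line)
    return ".".join(str(n) for n in nums[:4]), nums[4] * 256 + nums[5]


def build_port(ip, port):
    """Encode an address and port the way a client sends them in PORT."""
    return "PORT " + ",".join(ip.split(".") + [str(port >> 8), str(port & 0xFF)])


def nat_helper_rewrite(line, private_ip, public_ip):
    """Model of ip_nat_ftp on the control channel (simplified): when the PORT
    payload carries the SNATed client's private address, substitute the public
    one so the server can reach the data port."""
    ip, port = parse_port(line)
    return build_port(public_ip, port) if ip == private_ip else line


def server_reply(line, control_peer_ip):
    """Model of a server that validates PORT to prevent FTP bounce attacks
    (assumed policy): the advertised address must equal the control
    connection's peer and the port must not be privileged."""
    try:
        ip, port = parse_port(line)
    except ValueError:
        return "500 Invalid PORT command."
    if ip != control_peer_ip or port < 1024:
        return "500 Invalid PORT command."
    return "200 PORT command successful."


def simulate(helper_loaded):
    """Send the client's PORT through the NAT box and return the server's reply.
    With SNAT in place the server sees the control connection from PUBLIC_NAT,
    so only a rewritten PORT passes the bounce check."""
    sent = build_port(PRIVATE_CLIENT, DATA_PORT)
    on_wire = nat_helper_rewrite(sent, PRIVATE_CLIENT, PUBLIC_NAT) if helper_loaded else sent
    return server_reply(on_wire, PUBLIC_NAT)


if __name__ == "__main__":
    print("without ip_nat_ftp:", simulate(False))
    print("with    ip_nat_ftp:", simulate(True))
```

Run stand-alone, the script shows the "500 Invalid PORT command." the reporter sees when the private address leaks through unrewritten, and the "200" reply once the helper substitutes the public address. PASV mode, as MonMotha notes, avoids the problem because the client never advertises an address at all; the server does.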
Thanks for the bug report. However, Red Hat no longer maintains this version of the product. Please upgrade to the latest version and open a new bug if the problem persists. The Fedora Legacy project (http://fedoralegacy.org/) maintains some older releases, and if you believe this bug is interesting to them, please report the problem in the bug tracker at: http://bugzilla.fedora.us/