Greetings, all:
I have a dilemma with ftp connections being made through two
netfilter boxes to servers on my external network.
We have a Sun Ultra on the internal LAN that produces weather
graphics files. They must be ftp'd to a server on the outside of the
firewall. We have tried this with both firewall systems.
The kernel version on both is 2.4.18. One has iptables 1.2.5, the
other 1.2.6a.
We can manually ftp from the Sun through the firewall to
the destination servers (one a Linux system, one NT), login and transfer
files.
However, the Sun has an automated process that does all this as the
graphics are produced. It will log into the destination system, but it never
sends its user password...it just sits. Eventually, the server times the
connection out. This didn't happen on an NT-based Raptor system that was
replaced by the Linux boxes. This is what's making me think the iptables
configuration might be responsible in some fashion.
I have the proper modules loaded, so there shouldn't be any control
port issues:
Module                  Size  Used by
ipt_limit                944   6 (autoclean)
ipt_state                576  14 (autoclean)
iptable_filter          1696   1 (autoclean)
ip_nat_ftp              3424   0 (unused)
ip_conntrack_ftp        3408   0 [ip_nat_ftp]
ipt_MASQUERADE          1712   0 (unused)
iptable_nat            18160   2 [ip_nat_ftp ipt_MASQUERADE]
ip_conntrack           19040   3 [ipt_state ip_nat_ftp ip_conntrack_ftp ipt_MASQUERADE iptable_nat]
ipt_LOG                 3152   8
ip_tables              12736   8 [ipt_limit ipt_state iptable_filter ipt_MASQUERADE iptable_nat ipt_LOG]
We nat everything going out (EXTERNAL=eth0, EXTIP=the external
interface ip, obviously):
$IPTABLES -t nat -A POSTROUTING -o ${EXTERNAL} -j SNAT --to-source ${EXTIP}
We allow all outbound ftp from the inside (INTNET=192.168.1.0/24):
$IPTABLES -A FORWARD -p tcp -j allowed
then:
$IPTABLES -A allowed -p tcp -s ${INTNET} --dport 21 -j ACCEPT
$IPTABLES -A allowed -p tcp -m state --state ESTABLISHED,RELATED -j ACCEPT
We can manually ftp anywhere through the firewall from the Sun. I
can hit all other ftp sites outside from my Windows client using ws_ftp or a
browser, or the command line, or whatever.
The problem appears from this process on the Sun only.
When the same process tries to ftp to another system *behind* the
firewall, it works every time.
Am I missing something here? We're still examining the Sun's
processes as the culprit, but I want to be sure the firewall is eliminated.
Thanks in advance.
Joe Dougherty
Information Technology Systems Officer
NAVLANTMETOCFAC Jacksonville
(904) 542-2541 ext. 35 (comm)
942-2541 ext. 35 (DSN)
[EMAIL PROTECTED]
https://www.nlmof.navy.mil
"Indecision is the basis of flexibility."
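The ruleset quoted in the post, assembled into one self-contained script as an added example (this is not the poster's script, only the rules the post shows plus the pieces the excerpt does not: creating the "allowed" chain, a DROP policy on FORWARD, loading the 2.4-era ftp helper modules the post lists, and a rate-limited LOG before the final drop so a session that stalls in the firewall leaves a trace in the kernel log). The interface name and addresses are assumed example values; by default the script only prints the commands, so it can be inspected without root.

```shell
#!/bin/sh
# Added example, not taken from the post above: the poster's outbound-ftp
# rules assembled into one script, plus the pieces the excerpt does not show
# (creating the "allowed" chain, a DROP policy on FORWARD, and a rate-limited
# LOG before the final drop so a session that stalls in the firewall leaves a
# trace in the kernel log). Module names are the 2.4-era ones from the post;
# the interface and addresses are assumed example values.
EXTERNAL="${EXTERNAL:-eth0}"
EXTIP="${EXTIP:-203.0.113.10}"        # assumed; TEST-NET-3 documentation range
INTNET="${INTNET:-192.168.1.0/24}"
IPTABLES="${IPTABLES:-iptables}"
DRY_RUN="${DRY_RUN:-1}"               # 1 = print the commands, 0 = apply them (root)

# run: print an iptables command in dry-run mode, otherwise execute it.
run() {
    if [ "$DRY_RUN" = "1" ]; then
        echo "$IPTABLES $*"
    else
        "$IPTABLES" "$@"
    fi
}

# load_ftp_helpers: ip_conntrack_ftp watches PORT/PASV on the control channel
# so the data connection is classified RELATED; ip_nat_ftp rewrites the
# address inside PORT when the client sits behind SNAT.
load_ftp_helpers() {
    for m in ip_conntrack_ftp ip_nat_ftp; do
        if [ "$DRY_RUN" = "1" ]; then echo "modprobe $m"; else modprobe "$m"; fi
    done
}

# fw_rules: emit (or apply) the complete ruleset.
fw_rules() {
    load_ftp_helpers

    # Start from a clean slate and drop forwarded traffic by default.
    run -t nat -F
    run -F
    run -X
    run -P FORWARD DROP
    run -N allowed

    # Source-NAT everything leaving the external interface (as in the post).
    run -t nat -A POSTROUTING -o "$EXTERNAL" -j SNAT --to-source "$EXTIP"

    # Hand all forwarded TCP to the "allowed" chain.
    run -A FORWARD -p tcp -j allowed

    # New outbound ftp control connections from the LAN, then anything that is
    # part of, or RELATED to, an existing connection (the ftp data channel).
    run -A allowed -p tcp -s "$INTNET" --dport 21 -m state --state NEW -j ACCEPT
    run -A allowed -p tcp -m state --state ESTABLISHED,RELATED -j ACCEPT

    # Anything that falls through is logged (rate-limited) and dropped, so a
    # stalled transfer can be correlated with the kernel log.
    run -A FORWARD -m limit --limit 3/min -j LOG --log-prefix "FORWARD drop: "
    run -A FORWARD -j DROP
}

fw_rules
```

Run it as-is to review the generated commands; set DRY_RUN=0 (as root) to apply them. If the automated transfer stalls while the FORWARD log stays silent, the packets are not being dropped by these rules, which is the check the post is asking for.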