On 12/28/18 10:48 AM, Naveen Neelakanta wrote:
> 
> Hi All, 
> 
> I am facing issues with FTP traffic. When the client initiates the
> FTP connection, I see it leave the internet interface after getting
> NATed with the internet interface IP. I see the return traffic on the
> internet interface, but I don't see it getting forwarded, nor hitting
> the conntrack entry.
> I have enabled the FTP helper in /etc/shorewall/conntrack; I am using
> shorewall version "5.2.0.4".
> 
> Let me know if I am missing something. 
> 
> ?if $AUTOHELPERS && __CT_TARGET
> ?if __FTP_HELPER
> CT:helper:ftp:PO        -               -               tcp     21
> ?endif
> ?endif
> 
> I have the AUTOHELPERS= yes in shorewall.conf
> 
> #lsmod | grep nf_nat_ftp
> nf_nat_ftp              2028  0
> nf_conntrack_ftp        6942  3 nf_nat_ftp
> nf_nat                 15273  12 nf_nat_pptp,nf_nat_proto_gre,xt_nat,nf_nat_h323,nf_nat_sip,openvswitch,nf_nat_irc,nf_nat_ftp,nf_nat_amanda,nf_nat_masquerade_ipv4,nf_nat_ipv4,nf_nat_tftp
> nf_conntrack           87157  28 nf_nat_pptp,nf_conntrack_sip,nf_conntrack_irc,xt_nat,nf_nat_h323,nf_conntrack_ftp,nf_nat_sip,openvswitch,nf_conntrack_ipv4,nf_conntrack_tftp,ipt_MASQUERADE,nf_nat_irc,nf_conntrack_pptp,nf_conntrack_amanda,nf_conntrack_broadcast,nf_nat_ftp,nf_conntrack_sane,nf_nat_amanda,nf_conntrack_netlink,nf_conntrack_netbios_ns,nf_conntrack_proto_gre,xt_CT,nf_nat_masquerade_ipv4,nf_conntrack_h323,xt_conntrack,nf_nat_ipv4,nf_nat_tftp,nf_nat
> 
> 

The helper is not required in order to establish the initial control
connection. So if you are having problems with that part, the issue
doesn't involve the helper. The helper gets involved during establishment
of the data connection created to handle get, put, ls, etc.

It sounds like the 'client' in this case is in your local LAN? If so,
the CT rule would be hit in the nat table PREROUTING chain when the
original SYN packet was received by the firewall from the client.

I'll take a look if you:

- shorewall reset
- <try to establish the ftp connection>
- shorewall dump > shorewall.dump
- Send me the shorewall.dump file (as an attachment) along with the IP
  addresses of the client and server

Thanks,
-Tom
-- 
Tom Eastep        \   Q: What do you get when you cross a mobster with
Shoreline,         \     an international standard?
Washington, USA     \ A: Someone who makes you an offer you can't
http://shorewall.org \   understand
                      \_______________________________________________
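
An added illustration of the point made in the reply above (not part of the original thread, and not Shorewall or kernel code): a simplified Python model of what an FTP helper reads on the control channel to anticipate the data connection, and of the rewrite a NAT in the path has to apply to a `PORT` command. The function names are hypothetical and all addresses are constructed sample values.

```python
import re

# h1,h2,h3,h4,p1,p2 as carried by PORT and by the 227 (PASV) reply, RFC 959
_HOSTPORT = re.compile(r"(?<!\d)" + ",".join([r"(\d{1,3})"] * 6) + r"(?!\d)")

def parse_endpoint(line):
    """Return (ip, port) announced in a PORT command or 227 reply, else None.

    Any other control-channel line (USER, PASS, the initial banner, ...)
    carries nothing a helper needs, which is why the control connection
    itself works without one.
    """
    text = line.strip()
    if not (text.upper().startswith("PORT ") or text.startswith("227 ")):
        return None
    m = _HOSTPORT.search(text)
    if m is None:
        return None
    nums = [int(g) for g in m.groups()]
    if any(n > 255 for n in nums):
        return None
    return ".".join(str(n) for n in nums[:4]), nums[4] * 256 + nums[5]

def rewrite_for_nat(line, nat_ip, nat_port):
    """Replace the announced endpoint with the firewall's own address/port,
    so the peer does not try to reach a private address behind the NAT."""
    if parse_endpoint(line) is None:
        return line
    fields = nat_ip.split(".") + [str(nat_port >> 8), str(nat_port & 0xFF)]
    return _HOSTPORT.sub(",".join(fields), line, count=1)

# Constructed control-channel lines: LAN client 192.168.1.20 behind a
# firewall whose internet address is 203.0.113.5.
SAMPLE = [
    "USER anonymous",
    "PORT 192,168,1,20,195,80",
    "227 Entering Passive Mode (198,51,100,7,78,52)",
]

if __name__ == "__main__":
    for line in SAMPLE:
        print(f"{line!r:55} -> {parse_endpoint(line)}")
    print(rewrite_for_nat(SAMPLE[1], "203.0.113.5", 50000))
```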


_______________________________________________
Shorewall-users mailing list
Shorewall-users@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/shorewall-users
