Hi Tom,

I got it resolved by just moving the zone in the conntrack file above AUTOHELPER:

cat /etc/shorewall/conntrack
#
# Shorewall version 4 - conntrack File
#
# For information about entries in this file, type man shorewall-conntrack
#
##############################################################################################################
?FORMAT 3
#ACTION                 SOURCE          DESTINATION     PROTO   DEST            SOURCE          USER/   SWITCH
#                                                               PORT(S)         PORT(S)         GROUP
IPTABLES(CT --zone 2):O 0.0.0.0/0       eth3
IPTABLES(CT --zone 2)   veth-e3-p       -
?if $AUTOHELPERS && __CT_TARGET
?if __FTP_HELPER
CT:helper:ftp:PO        -               -               tcp     21
?endif
?endif

However, I was looking for DROP counters using "iptables -L -nv | grep DROP". What's the right way to display DROP flows in this scenario and check for the drop counters?

Thanks,
Naveen

On Fri, Dec 28, 2018 at 1:41 PM Tom Eastep <teas...@shorewall.net> wrote:
> On 12/28/18 10:48 AM, Naveen Neelakanta wrote:
> >
> > Hi All,
> >
> > I am facing issues with ftp traffic, when the client initiates the
> > ftp connection, I see it leave the internet interface after getting
> > NATed with internet interface IP, I see the return traffic on the
> > internet interface I don't see it getting forwarded, nor hitting the
> > conntrack entry.
> > I have enabled the FTP helper in /etc/shorewall/conntrack , I am using
> > shorewall version "5.2.0.4".
> >
> > Let me know if I am missing something.
> >
> > ?if $AUTOHELPERS && __CT_TARGET
> > ?if __FTP_HELPER
> > CT:helper:ftp:PO        -               -               tcp     21
> > ?endif
> > ?endif
> >
> > I have the AUTOHELPERS=yes in shorewall.conf
> >
> > #lsmod | grep nf_nat_ftp
> > nf_nat_ftp              2028  0
> > nf_conntrack_ftp        6942  3 nf_nat_ftp
> > nf_nat                 15273 12
> >   nf_nat_pptp,nf_nat_proto_gre,xt_nat,nf_nat_h323,nf_nat_sip,openvswitch,nf_nat_irc,nf_nat_ftp,nf_nat_amanda,nf_nat_masquerade_ipv4,nf_nat_ipv4,nf_nat_tftp
> > nf_conntrack           87157 28
> >   nf_nat_pptp,nf_conntrack_sip,nf_conntrack_irc,xt_nat,nf_nat_h323,nf_conntrack_ftp,nf_nat_sip,openvswitch,nf_conntrack_ipv4,nf_conntrack_tftp,ipt_MASQUERADE,nf_nat_irc,nf_conntrack_pptp,nf_conntrack_amanda,nf_conntrack_broadcast,nf_nat_ftp,nf_conntrack_sane,nf_nat_amanda,nf_conntrack_netlink,nf_conntrack_netbios_ns,nf_conntrack_proto_gre,xt_CT,nf_nat_masquerade_ipv4,nf_conntrack_h323,xt_conntrack,nf_nat_ipv4,nf_nat_tftp,nf_nat
> >
>
> The helper is not required in order to establish the initial control
> connection. So if you are having problems with that part, the issue
> doesn't involve the helper. The helper gets involved during establishment
> of the data connection created to handle get, put, ls, etc.
>
> It sounds like the 'client' in this case is in your local lan? If so,
> the CT rule would be hit in the nat table PREROUTING chain when the
> original SYN packet was received by the firewall from the client.
>
> I'll take a look if you:
>
> - shorewall reset
> - <try to establish the ftp connection>
> - shorewall dump > shorewall.dump
> - Send me the shorewall.dump file (as an attachment) along with the IP
>   addresses of the client and server
>
> Thanks,
> -Tom
> --
> Tom Eastep              \   Q: What do you get when you cross a mobster with
> Shoreline,               \     an international standard?
> Washington, USA           \ A: Someone who makes you an offer you can't
> http://shorewall.org       \    understand
>                             \_______________________________________________
>
> _______________________________________________
> Shorewall-users mailing list
> Shorewall-users@lists.sourceforge.net
> https://lists.sourceforge.net/lists/listinfo/shorewall-users
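On Naveen's question about reading DROP counters from "iptables -L -nv | grep DROP": the script below is an added example, not from the thread or from Shorewall. It parses that listing and reports each DROP hit together with the chain it belongs to, which a bare grep throws away; the interface names are borrowed from the thread, the counters and rules in the sample are constructed.

```shell
#!/bin/sh
# Summarise DROP hits from `iptables -L -nv` output while keeping the chain name.
# Two kinds of DROP counters appear in that listing:
#   1. the chain policy counter in a "Chain X (policy DROP n packets, m bytes)" header
#   2. per-rule counters on lines whose target column is DROP
# The function reads the listing on stdin, so on a live host you would run
#   iptables -L -nvx | drop_counters      (-x prints exact counters, no K/M suffixes)
# and repeat with -t raw / -t nat / -t mangle, since -L without -t lists the filter table only.
drop_counters() {
    awk '
        /^Chain / {                # chain header: "Chain NAME (policy DROP n packets, m bytes)"
            chain = $2
            if ($4 == "DROP") { printf "%s policy DROP pkts=%s bytes=%s\n", chain, $5, $7 }
            next
        }
        /^ *pkts/ || /^$/ { next } # column header line or blank separator between chains
        $3 == "DROP" {             # rule line: pkts bytes target prot opt in out source destination ...
            printf "%s rule DROP pkts=%s bytes=%s in=%s out=%s src=%s dst=%s\n",
                   chain, $1, $2, $6, $7, $8, $9
        }
    '
}

# Constructed sample listing (interface names from the thread; rules and counters invented).
SAMPLE_LISTING='Chain INPUT (policy DROP 5 packets, 300 bytes)
 pkts bytes target     prot opt in     out     source               destination
   10  1000 ACCEPT     all  --  lo     *       0.0.0.0/0            0.0.0.0/0
    3   180 DROP       all  --  eth3   *       10.0.0.0/8           0.0.0.0/0

Chain FORWARD (policy ACCEPT 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source               destination
    7   420 DROP       tcp  --  eth3   veth-e3-p 0.0.0.0/0          0.0.0.0/0            tcp dpt:21
   50 30000 ACCEPT     all  --  veth-e3-p eth3  0.0.0.0/0           0.0.0.0/0            ctstate RELATED,ESTABLISHED
'

# Runs the summary over the sample listing; the report goes to stdout.
demo_drop_counters() {
    printf '%s' "$SAMPLE_LISTING" | drop_counters
}

demo_drop_counters
```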