The box on which Shorewall is running is doing the SNAT. Maybe an
external-facing firewall is doing another NAT with the source IP
(96.64.220.253), hence I am not seeing any new connection back on my device.
Should I see a new connection request from the server to IP 96.64.220.253,
will there be an entry created by the FTP helper to accept the new connection
request coming from the server? (I don't see it in the conntrack entry.)

I believe I don't need to add a DNAT entry to accept the new connection,
because I only have the client initiating a request from lan to inet.

Thanks,
Naveen


On Mon, Dec 31, 2018 at 9:30 AM Tom Eastep <teas...@shorewall.net> wrote:

> On 12/30/18 5:33 PM, Naveen Neelakanta wrote:
> > Hi Tom,
> >
> > I see that only FTP passive mode works, but are there any other
> > settings that I need to enable for active mode to work? I believe
> > Linux nf_nat_ftp and nf_conntrack_ftp should take care of the mapping,
> > correct? I see they are getting loaded.
> >
> > ubuntu@BR2-UBUNTU1:~$ ftp 144.208.69.31
> > Connected to 144.208.69.31.
> > 220---------- Welcome to Pure-FTPd [privsep] [TLS] ----------
> > 220-You are user number 18 of 150 allowed.
> > 220-Local time is now 17:01. Server port: 21.
> > 220-This is a private system - No anonymous login
> > 220-IPv6 connections are also welcome on this server.
> > 220 You will be disconnected after 30 minutes of inactivity.
> > Name (144.208.69.31:ubuntu): dlpu...@dlptest.com
> > 331 User dlpu...@dlptest.com OK. Password required
> > Password:
> > 230 OK. Current restricted directory is /
> > Remote system type is UNIX.
> > Using binary mode to transfer files.
> > ftp> ls
> > 500 I won't open a connection to 10.24.8.11 (only to 96.64.220.253)
> > ftp: bind: Address already in use
>
> That is your FTP server refusing to create the active mode connection.
> Is there a router in front of the Shorewall box that is doing SNAT on
> incoming connections?
> >
> > conntrack  entry:
> > tcp      6 430709 ESTABLISHED src=10.24.8.11 dst=144.208.69.31
> > sport=53478 dport=21 src=144.208.69.31 dst=10.24.8.117 sport=21
> > dport=53478 [ASSURED] mark=0 zone=4 use=1
> >
> > 30-001011-4894:/log/home/test# shorewall show capabilities | grep FTP
> >    FTP Helper: Available
> >    FTP-0 Helper: Not available
> >    TFTP Helper: Available
> >    TFTP-0 Helper: Not available
> >
>
> The Shorewall box thinks that the client IP address is 10.24.8.11, while
> your FTP server thinks that it is 96.64.220.253.
>
> -Tom
> --
> Tom Eastep        \   Q: What do you get when you cross a mobster with
> Shoreline,         \     an international standard?
> Washington, USA     \ A: Someone who makes you an offer you can't
> http://shorewall.org \   understand
>                       \_______________________________________________
>
>
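Added example (editor's note, not code from the thread or from the Shorewall project): a small Python model of what the active-mode PORT command goes through between this client and the server, using the addresses that appear above (client 10.24.8.11; 10.24.8.117, the reply-tuple dst in the quoted conntrack entry, as the address the Shorewall box SNATs to; 96.64.220.253 as the address the server sees; 144.208.69.31 as the server). Two things in the thread are worth reading together: the quoted conntrack entry carries no "helper=ftp" field, and the server's 500 reply shows the PORT argument arriving with the private address 10.24.8.11, which means nf_nat_ftp rewrote nothing on that connection. The model below treats each NAT hop as either having the FTP helper attached to the control connection or not, and reproduces the server-side check that produces "500 I won't open a connection to X (only to Y)". The data port, the two-hop topology and the exact wording of the server check are assumptions for illustration; nothing here talks to a real network.

```python
import re

# Constructed from addresses quoted in the thread; no real traffic is sent.
CLIENT_IP = "10.24.8.11"        # LAN client behind the Shorewall box
INNER_NAT_IP = "10.24.8.117"    # what the Shorewall box SNATs to (reply-tuple dst)
OUTER_NAT_IP = "96.64.220.253"  # what the FTP server sees as the peer
SERVER_IP = "144.208.69.31"     # FTP server

PORT_RE = re.compile(
    r"^PORT (\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3})\r?\n?$"
)


def parse_port(cmd):
    """Decode an RFC 959 'PORT h1,h2,h3,h4,p1,p2' command into (ip, port)."""
    m = PORT_RE.match(cmd)
    if not m:
        raise ValueError("not a PORT command: %r" % cmd)
    fields = [int(x) for x in m.groups()]
    if max(fields) > 255:
        raise ValueError("PORT field out of range: %r" % cmd)
    h1, h2, h3, h4, p1, p2 = fields
    return "%d.%d.%d.%d" % (h1, h2, h3, h4), p1 * 256 + p2


def build_port(ip, port):
    """Encode (ip, port) as the client would send it."""
    return "PORT " + ",".join(ip.split(".") + [str(port >> 8), str(port & 0xFF)]) + "\r\n"


class NatHop:
    """One SNAT hop on the path to the server.

    ftp_helper=True models nf_conntrack_ftp + nf_nat_ftp being attached to the
    control connection on this hop: the PORT argument is rewritten to the
    post-NAT address and an expectation for the server's inbound data
    connection is recorded, so that connection is accepted and DNATed back
    without any explicit DNAT rule.  ftp_helper=False models the plain SNAT
    this thread appears to describe: the packet's source changes, the PORT
    text inside the payload does not.
    """

    def __init__(self, name, public_ip, ftp_helper):
        self.name = name
        self.public_ip = public_ip
        self.ftp_helper = ftp_helper
        self.expectations = []  # what the helper would register in conntrack

    def forward(self, src_ip, cmd):
        new_src = self.public_ip  # SNAT of the control connection
        if not self.ftp_helper:
            return new_src, cmd
        ip, port = parse_port(cmd)
        if ip != src_ip:
            # The helper only rewrites the address it knows it translated.
            return new_src, cmd
        self.expectations.append({
            "expect_from": SERVER_IP,
            "expect_to": (new_src, port),
            "dnat_to": (src_ip, port),
        })
        return new_src, build_port(new_src, port)


def server_check(peer_ip, cmd):
    """The check behind the reply quoted in the thread (assumed wording):
    the data-connection target must equal the control-connection peer."""
    ip, _port = parse_port(cmd)
    if ip != peer_ip:
        return "500 I won't open a connection to %s (only to %s)" % (ip, peer_ip)
    return "200 PORT command successful"


def simulate(hops, data_port=54321):
    """Send one PORT command from the client through the given hops and
    return the server's reply line."""
    src, cmd = CLIENT_IP, build_port(CLIENT_IP, data_port)
    for hop in hops:
        src, cmd = hop.forward(src, cmd)
    return server_check(src, cmd)


if __name__ == "__main__":
    for label, helpers in (("no helper anywhere", (False, False)),
                           ("helper on Shorewall box only", (True, False)),
                           ("helper on both NAT hops", (True, True))):
        hops = [NatHop("shorewall", INNER_NAT_IP, helpers[0]),
                NatHop("edge-firewall", OUTER_NAT_IP, helpers[1])]
        print("%-30s -> %s" % (label, simulate(hops)))
```

The first scenario reproduces the reply on the page word for word. The second shows why a working helper on the Shorewall box alone is not enough when a second NAT sits in front of it: the PORT argument would then carry 10.24.8.117 while the server's peer is still 96.64.220.253, so the same 500 comes back with a different address. Only when every NAT hop that rewrites the source also runs the FTP helper does the PORT address match the peer, and each hop's expectation is what lets the server's data connection in without a DNAT rule. On the real box, "conntrack -L -p tcp --dport 21" should show "helper=ftp" on the control connection; on kernels since 3.5 the helper is no longer attached automatically (net.netfilter.nf_conntrack_helper defaults to 0), so it has to be assigned explicitly, which Shorewall does through a CT:helper:ftp entry in /etc/shorewall/conntrack (see shorewall-conntrack(5) for the column layout of your version). Passive mode keeps working without any of this because the client opens both connections outbound.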
_______________________________________________
Shorewall-users mailing list
Shorewall-users@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/shorewall-users
