The box on which the Shorewall is running is doing the SNAT. Maybe an external-facing firewall is doing another NAT with the source IP (96.64.220.253), hence I am not seeing any new connection back on my device. Should I see a new connection request from the server to IP 96.64.220.253, will there be an entry created by the FTP helper to accept the new connection request coming from the server (I don't see it in the conntrack entry)?

I believe I don't need to add a DNAT entry to accept the new connection, because I only have the client initiating a request from lan to inet.

Thanks,
Naveen

On Mon, Dec 31, 2018 at 9:30 AM Tom Eastep <teas...@shorewall.net> wrote:
> On 12/30/18 5:33 PM, Naveen Neelakanta wrote:
> > Hi Tom,
> >
> > I see that only the FTP Passive Mode works, but are there any other
> > settings that I need to enable for the active mode to work? I believe
> > Linux nf_nat_ftp and nf_conntrack_ftp should take care of the mapping
> > correctly, and I see they are getting loaded.
> >
> > ubuntu@BR2-UBUNTU1:~$ ftp 144.208.69.31
> > Connected to 144.208.69.31.
> > 220---------- Welcome to Pure-FTPd [privsep] [TLS] ----------
> > 220-You are user number 18 of 150 allowed.
> > 220-Local time is now 17:01. Server port: 21.
> > 220-This is a private system - No anonymous login
> > 220-IPv6 connections are also welcome on this server.
> > 220 You will be disconnected after 30 minutes of inactivity.
> > Name (144.208.69.31:ubuntu): dlpu...@dlptest.com
> > 331 User dlpu...@dlptest.com OK. Password required
> > Password:
> > 230 OK. Current restricted directory is /
> > Remote system type is UNIX.
> > Using binary mode to transfer files.
> > ftp> ls
> > 500 I won't open a connection to 10.24.8.11 (only to 96.64.220.253)
> > ftp: bind: Address already in use
>
> That is your FTP server refusing to create the active mode connection.
> Is there a router in front of the Shorewall box that is doing SNAT on
> incoming connections?
>
> > conntrack entry:
> > tcp 6 430709 ESTABLISHED src=10.24.8.11 dst=144.208.69.31
> > sport=53478 dport=21 src=144.208.69.31 dst=10.24.8.117 sport=21
> > dport=53478 [ASSURED] mark=0 zone=4 use=1
> >
> > 30-001011-4894:/log/home/test# shorewall show capabilities | grep FTP
> > FTP Helper: Available
> > FTP-0 Helper: Not available
> > TFTP Helper: Available
> > TFTP-0 Helper: Not available
> >
>
> The Shorewall box thinks that the client IP address is 10.24.8.11, while
> your FTP server thinks that it is 96.64.220.253.
>
> -Tom
> --
> Tom Eastep           \   Q: What do you get when you cross a mobster with
> Shoreline,            \     an international standard?
> Washington, USA        \ A: Someone who makes you an offer you can't
> http://shorewall.org    \   understand
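The mismatch Tom points out (the Shorewall box translating to one address, the FTP server seeing another) can be read straight off the conntrack entry, as can whether the FTP helper is attached to the control connection at all. The following is an added example, not code from this thread or from Shorewall; it assumes the `conntrack -L` line layout quoted above and that an attached helper is printed as `helper=ftp`, and it takes the public address the server reports (96.64.220.253 here) as an argument.

```python
import re

# Constructed samples. THREAD_ENTRY is the conntrack line quoted in the thread;
# HEALTHY_ENTRY is a hypothetical flow where the FTP helper is attached and the
# translated address equals the public address the server sees.
THREAD_ENTRY = ("tcp 6 430709 ESTABLISHED src=10.24.8.11 dst=144.208.69.31 "
                "sport=53478 dport=21 src=144.208.69.31 dst=10.24.8.117 "
                "sport=21 dport=53478 [ASSURED] mark=0 zone=4 use=1")
HEALTHY_ENTRY = ("tcp 6 431999 ESTABLISHED src=10.24.8.11 dst=144.208.69.31 "
                 "sport=53478 dport=21 src=144.208.69.31 dst=96.64.220.253 "
                 "sport=21 dport=53478 [ASSURED] mark=0 helper=ftp use=1")

KV = re.compile(r"(\w+)=(\S+)")


def parse_conntrack(line):
    """Split a tcp/udp `conntrack -L` line into the original tuple, the reply
    tuple and the trailing attributes (mark, zone, helper, use ...).
    Bracketed flags such as [ASSURED] are not key=value and are skipped."""
    pairs = KV.findall(line)
    starts = [i for i, (k, _) in enumerate(pairs) if k == "src"]
    if len(starts) != 2:
        raise ValueError("expected an original and a reply tuple")
    orig = dict(pairs[starts[0]:starts[1]])       # src dst sport dport
    reply = dict(pairs[starts[1]:starts[1] + 4])  # src dst sport dport
    extra = dict(pairs[starts[1] + 4:])
    return {"orig": orig, "reply": reply, "extra": extra}


def diagnose(entry, public_ip):
    """Findings for an FTP control connection from a client behind NAT.
    public_ip is the address the FTP server reports seeing."""
    o, r, x = entry["orig"], entry["reply"], entry["extra"]
    findings = []
    # Reply dst differs from the original src: this box applied SNAT.
    if o["src"] != r["dst"]:
        findings.append(f"snat: {o['src']} is translated to {r['dst']} on this box")
    # The address we translate to is not what the server sees: another NAT upstream.
    if r["dst"] != public_ip:
        findings.append(f"double-nat: {r['dst']} != {public_ip}, another NAT sits upstream")
    # Without nf_conntrack_ftp attached, nf_nat_ftp never rewrites the PORT payload.
    if x.get("helper") != "ftp":
        findings.append("no-helper: ftp helper not attached, PORT payload is not rewritten")
    return findings


if __name__ == "__main__":
    for name, line in (("thread", THREAD_ENTRY), ("healthy", HEALTHY_ENTRY)):
        print(name, diagnose(parse_conntrack(line), "96.64.220.253"))
```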
_______________________________________________ Shorewall-users mailing list Shorewall-users@lists.sourceforge.net https://lists.sourceforge.net/lists/listinfo/shorewall-users