Cant get DNAT working on 2.6.7

This firewall script works fine in 2.4.26, it also works
on 2.6.7, except for DNAT redirection of ftp port 21 to another
host:

Is something else needed in 2.6, than 2.4 (nor using IPsec)

Thanks, Tonyb

Snipets of the script code:

These modules loaded at begining of script:
/sbin/insmod ip_tables.ko > /dev/null 2>&1
/sbin/insmod ip_conntrack.ko > /dev/null 2>&1
/sbin/insmod iptable_nat.ko > /dev/null 2>&1
/sbin/insmod iptable_filter.ko > /dev/null 2>&1
/sbin/insmod ipt_MASQUERADE.ko > /dev/null 2>&1


If DNAT enabled these are loaded:
# FTP
# Load a couple of modules only needed for ftp DNAT and
# Route incoming $EXTIF for ftp port 21, to $FTPHOST:21
#
if [ $KERNEL -lt 5 ]; then
/sbin/insmod ip_conntrack_ftp > /dev/null 2>&1
/sbin/insmod ip_nat_ftp > /dev/null 2>&1
else
/sbin/insmod ip_conntrack_ftp.ko > /dev/null 2>&1
/sbin/insmod ip_nat_ftp.ko > /dev/null 2>&1
fi

/bin/ping -c1 -w1 $FTPHOST > /dev/null 2>&1

if [ $? -eq 0 ]; then
$IPC -A PREROUTING -t nat -p tcp -i $EXTIF -d $EXTIP --dport
21 \ -j DNAT --to-destination $FTPHOST:21
fi

--
__ __ _ I N C. http://www.sysdev.org
/ __|\\// __|| \ __ __ / (E-Mail Removed)
\__ \ \/\__ \||)|/ O_)\/ / \/ System Tools / Utilities
|___/ || ___/|_ /\___|\_/ WIntel / Linux Device Drivers

Joaco <(E-Mail Removed)> wrote:
> This firewall script works fine in 2.4.26, it also works
> on 2.6.7, except for DNAT redirection of ftp port 21 to another
> host:

> Is something else needed in 2.6, than 2.4 (nor using IPsec)

Maybe. I don't do DNAT but have done SNAT without port redirection and
this module is one that didn't exist for the 2.4.24 kernel:

/lib/modules/2.6.7/kernel/net/ipv4/netfilter/ipt_iprange.ko

It was a surprise to me to find it when I compared the netfilter
modules for the two kernels. I'm pretty sure I didn't explicitly
configure the kernel for such a module.

As always when blindly stabbing in the dark, HTH.

--
Clifford Kite Email: "echo xvgr_yvahk-(E-Mail Removed)|rot13"
PPP-Q&A links, downloads: http://ckite.no-ip.net/
/* Speak softly and carry a +6 two-handed sword. */

On Mon, 2 Aug 2004 12:15:07 -0500
Clifford Kite <(E-Mail Removed)> wrote:

> Joaco <(E-Mail Removed)> wrote:
> > This firewall script works fine in 2.4.26, it also works
> > on 2.6.7, except for DNAT redirection of ftp port 21 to
> > another host:
>
> > Is something else needed in 2.6, than 2.4 (nor using IPsec)
>
> Maybe. I don't do DNAT but have done SNAT without port
> redirection and this module is one that didn't exist for the
> 2.4.24 kernel:
>
> /lib/modules/2.6.7/kernel/net/ipv4/netfilter/ipt_iprange.ko
>
> It was a surprise to me to find it when I compared the
> netfilter modules for the two kernels. I'm pretty sure I
> didn't explicitly configure the kernel for such a module.

Well iprange is one I didnt build, so making modules again.
I dont see how port 21 PREROUTING to a new destination-ip:21h,
could depend on it, since there are no complaints. Will give it
a try. I will try some more testing when I boot 2.6.7 again...

TonyB

--
__ __ _ I N C. http://www.sysdev.org
/ __|\\// __|| \ __ __ / (E-Mail Removed)
\__ \ \/\__ \||)|/ O_)\/ / \/ System Tools / Utilities
|___/ || ___/|_ /\___|\_/ WIntel / Linux Device Drivers

On Sun, 1 Aug 2004 15:21:07 -0700
Joaco <(E-Mail Removed)> wrote:

> This firewall script works fine in 2.4.26, it also works
> on 2.6.7, except for DNAT redirection of ftp port 21 to
> another host:
>
> Is something else needed in 2.6, than 2.4 (nor using IPsec)

Further tests reveal that DNAT is working the GWY is redirecting
ftp:21 to the redirect local host. I see the local host sending
the login and dir info back to the caller, but something is
wrong at the caller. I see the acks comming back but the
caller, fails to get the dir, sometimes it does get the .message
info from my proftpd, but never the dir info???

Something is being screwed by the GWY (2.6.7) on the awy back,
and not on the way in.


--
__ __ _ I N C. http://www.sysdev.org
/ __|\\// __|| \ __ __ / (E-Mail Removed)
\__ \ \/\__ \||)|/ O_)\/ / \/ System Tools / Utilities
|___/ || ___/|_ /\___|\_/ WIntel / Linux Device Drivers

On Sun, 1 Aug 2004 15:21:07 -0700
Joaco <(E-Mail Removed)> wrote:

> This firewall script works fine in 2.4.26, it also works
> on 2.6.7, except for DNAT redirection of ftp port 21 to
> another host:

To all reading this, FYI it is VERIFIED! The problem w/2.6.7
kernels is not related to iptables or firewall scripts. It is
related to the 2.6.7 TCP STACK. I changed the firewall at the
GWY to redirect the DNAT of FTP/21h to a 2.6.7 dual Opteron
server. This host is on the same local net as the old 66Mhz 486
DNAT 2.4.26 target which had problems getting its packets out
via the 2.6.7 GWY without randon pkt truncations. FTP
connections from the outside (http://www2ftp.de) are now working
again !!! I am not going to say that, if you run old slow Linux
Boxes, stick to 2.4.xx Routers, until I upgrade my 486/586 hosts
to 2.6.7 and test the local net environment again.

Cheers,
Joaco
--
__ __ _ I N C. http://www.sysdev.org
/ __|\\// __|| \ __ __ / (E-Mail Removed)
\__ \ \/\__ \||)|/ O_)\/ / \/ System Tools / Utilities
|___/ || ___/|_ /\___|\_/ WIntel / Linux Device Drivers