ftp problem through a linux gateway

On my RHAS3 I have 2 NICs, one connected to internet with real IP
and the other connected to my local LAN.

With some gentle help from this group I have managed to set up the
required iptables rule

iptables -t nat -A POSTROUTING -s localNet/LocalMask -o eth0 -j SNAT
--to-source realIP_of_my_RH

on this server so that my RH now acts as a
gateway/nat/router for my local workstations reaching internet. I even
managed to configure a DHCP server for distributing local IP's.

My current problem is, local clients can connect to outside FTP
servers but can not obtain the directory contents and then move on to
the other get/put operations.

I even managed issuing apropriate iptables command (listed below) so
that all the traffic of different real IP's would be forwarded
directly to seperate local IP's, allowing my local servers within NAT
to provide service to internet outside users, individually.

And again, the outside users had the same problem with ftp
connections. They could login to the local ftp servers but can not
proceed with obtaining the directory content.

***************************************
ifconfig eth0:0 secondary_real_IP and_its_mask

iptables -t nat -A PREROUTING -d secondary_real_IP -j DNAT --to
local_IP

iptables -t nat -A POSTROUTING -s local_IP -j SNAT --to
secondary_real_IP
***************************************

Any idea ?




used the following rules for assigning different real IP's to my RH
public-NIC and then forcing all the traffic

Use passive mode while downloading directory info / files. The
problem is that while machines on your local network are able
to connect to the ftp server, the ftp server is not able able
to connect back to these machines through the NAT. Using passive
mode should solve the problem.

HTH

--ayan

On 2005-03-18, Sanal Kisi <(E-Mail Removed)> wrote:
> On my RHAS3 I have 2 NICs, one connected to internet with real IP
> and the other connected to my local LAN.
>
> With some gentle help from this group I have managed to set up the
> required iptables rule
>
> iptables -t nat -A POSTROUTING -s localNet/LocalMask -o eth0 -j SNAT
> --to-source realIP_of_my_RH
>
> on this server so that my RH now acts as a
> gateway/nat/router for my local workstations reaching internet. I even
> managed to configure a DHCP server for distributing local IP's.
>
> My current problem is, local clients can connect to outside FTP
> servers but can not obtain the directory contents and then move on to
> the other get/put operations.
>
> I even managed issuing apropriate iptables command (listed below) so
> that all the traffic of different real IP's would be forwarded
> directly to seperate local IP's, allowing my local servers within NAT
> to provide service to internet outside users, individually.
>
> And again, the outside users had the same problem with ftp
> connections. They could login to the local ftp servers but can not
> proceed with obtaining the directory content.
>
> ***************************************
> ifconfig eth0:0 secondary_real_IP and_its_mask
>
> iptables -t nat -A PREROUTING -d secondary_real_IP -j DNAT --to
> local_IP
>
> iptables -t nat -A POSTROUTING -s local_IP -j SNAT --to
> secondary_real_IP
> ***************************************
>
> Any idea ?
>
>
>
>
> used the following rules for assigning different real IP's to my RH
> public-NIC and then forcing all the traffic

In comp.os.linux.networking Sanal Kisi <(E-Mail Removed)>:
> On my RHAS3 I have 2 NICs, one connected to internet with real IP
> and the other connected to my local LAN.
[..]

> My current problem is, local clients can connect to outside FTP
> servers but can not obtain the directory contents and then move on to
> the other get/put operations.
[..]

> Any idea ?

Would you please, please be so kind and stop this "any ideas"
crap, you see in every second post. There are no ideas in this
and most other cases needed, just a matter of setting things up
probably, following the documentation.

Looks to me as if all you need to do is loading the
"ip_conntrack_ftp" module and setup things to allow active ftp
connections.

[..]

BTW
I'd think about setting up a proxy (www.squid-cache.org) for
ftp/http/etc connections, which usually speeds up things.


--
Michael Heiming (X-PGP-Sig > GPG-Key ID: EDD27B94)
mail: echo (E-Mail Removed) | perl -pe 'y/a-z/n-za-m/'
#bofh excuse 40: not enough memory, go get system upgrade

Hi,

With the help of your messages, I managed to find some info on what
passive and active means in FTP, and then solved my problem by
enabling the
IPTABLES_MODULES="ip_nat_ftp" line in
/etc/sysconfig/iptables-config file.

Thanks a lot.

PS. Thanks also for the kind suggestion about the "crap". From now on,
I'll ask for some help in detecting what I have missed within the docs
while doing something.

And another thanks for the suggestion about squid. You might soon hear
about my work if I get stuck again, as I have started working on it
today. But Docs first.



>
>Would you please, please be so kind and stop this "any ideas"
>crap, you see in every second post. There are no ideas in this
>and most other cases needed, just a matter of setting things up
>probably, following the documentation.
>
>Looks to me as if all you need to do is loading the
>"ip_conntrack_ftp" module and setup things to allow active ftp
>connections.
>
>[..]
>
>BTW
>I'd think about setting up a proxy (www.squid-cache.org) for
>ftp/http/etc connections, which usually speeds up things.