[Shorewall-users] ip_nat_ftp vs. ipsec

Jesper Sörensen jesper at datapartner.se
Tue Jun 1 05:39:56 PDT 2004


Hi,

I have some VPN tunnels set up using the IPSEC implementation in Linux 
2.6 and the hints posted here before. It has been running nicely for a 
couple of months now but there is a minor problem I'd like to solve if 
possible.

I'm using SNAT at the firewall and have the FTP conntrack modules loaded 
to handle FTP connections. Everything is fine as long as I connect to 
FTP servers on the Internet, but when I try to connect to an FTP server 
via the IPSEC tunnel the FTP client hangs after the PORT command 
(tcpdump indicates that the TCP packet with the PORT command never 
reaches the server) and I get this in my firewall log:

FTP_NAT: partial packet 15871748/21 in 981/1065
FTP_NAT: partial packet 15871748/21 in 982/1046
FTP_NAT: partial packet 15871748/21 in 983/1003
FTP_NAT: partial packet 15871748/21 in 984/1036
FTP_NAT: partial packet 15871748/21 in 985/1005

Passive/active FTP makes no difference.

If I unload ip_nat_ftp and try again it works great, but then I'm SOL 
for the Internet FTP servers.

So it seems Shorewall/netfilter somehow sends the packets through 
ip_nat_ftp even though I've told it not to SNAT the VPN traffic:

masq:
eth1:!192.168.0.0/16    eth0

# shorewall version
2.0.0b

Is this a Shorewall bug or is it related to the general "brokenness" of 
IPSEC and netfilter?

Many thanks!
Jesper
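As an added example (not code from the post, from Shorewall, or from the kernel), here is a small Python triage script for the "partial packet" lines quoted above. It assumes the field order of the printk in net/ipv4/netfilter/ip_nat_ftp.c: first the TCP sequence number and length of the FTP command the conntrack helper expects the NAT helper to rewrite, then the sequence range of the TCP segment the NAT helper is actually looking at. Run over the five lines from the post, it shows that the expected 21-byte command at sequence 15871748 is about 15.8 million bytes away from every logged segment (981..1065 and so on), i.e. the helper is being handed segments that cannot contain the command it recorded, which is not what a genuine partial retransmission looks like. Two constructed lines (not from the post) show a real straddling command and a 32-bit sequence-number wrap for comparison; the arithmetic mirrors the modular comparison the kernel's between() macro uses.

```python
"""Triage ip_nat_ftp 'FTP_NAT: partial packet A/B in C/D' log lines.

Added example; not code from the post, Shorewall or the kernel.
Assumed field meaning (from the printk in ip_nat_ftp.c):
    A = sequence number where the expected FTP command starts
    B = length of that command in bytes
    C = sequence number of the TCP segment being examined
    D = C + payload length of that segment (printed as a 32-bit value)
"""
import re
from dataclasses import dataclass

SEQ_MOD = 1 << 32  # TCP sequence numbers are 32-bit and wrap around
LINE_RE = re.compile(r"FTP_NAT: partial packet (\d+)/(\d+) in (\d+)/(\d+)")


@dataclass(frozen=True)
class PartialPacket:
    exp_seq: int   # start of the expected command
    exp_len: int   # length of the expected command
    pkt_seq: int   # start of the segment's payload
    pkt_end: int   # end of the segment's payload (exclusive, mod 2^32)

    @property
    def pkt_len(self):
        return (self.pkt_end - self.pkt_seq) % SEQ_MOD

    @property
    def offset(self):
        """Distance from segment start to command start, mod 2^32."""
        return (self.exp_seq - self.pkt_seq) % SEQ_MOD


def parse_line(line):
    """Return a PartialPacket for a matching line, else None.

    re.search is used so a syslog prefix ('kernel: ...') is tolerated."""
    m = LINE_RE.search(line)
    if not m:
        return None
    return PartialPacket(*(int(g) for g in m.groups()))


def overlap(pp):
    """Bytes of the expected command carried by this segment (0 if none)."""
    if pp.offset < pp.pkt_len:                    # command starts inside segment
        return min(pp.exp_len, pp.pkt_len - pp.offset)
    back = (pp.pkt_seq - pp.exp_seq) % SEQ_MOD    # distance from command start
    if back < pp.exp_len:                         # segment starts inside command
        return min(pp.pkt_len, pp.exp_len - back)
    return 0


def classify(pp):
    """'contained': whole command in this segment (helper could rewrite it);
    'partial': only part of it (a split or partially retransmitted command);
    'disjoint': the segment is nowhere near the expected command."""
    ov = overlap(pp)
    if ov == pp.exp_len:
        return "contained"
    if ov > 0:
        return "partial"
    return "disjoint"


def triage(lines):
    """Return (verdict, overlap_bytes, offset, packet) per recognised line."""
    out = []
    for line in lines:
        pp = parse_line(line)
        if pp is not None:
            out.append((classify(pp), overlap(pp), pp.offset, pp))
    return out


SAMPLE_LOG = [
    # The five lines quoted in the post above.
    "FTP_NAT: partial packet 15871748/21 in 981/1065",
    "FTP_NAT: partial packet 15871748/21 in 982/1046",
    "FTP_NAT: partial packet 15871748/21 in 983/1003",
    "FTP_NAT: partial packet 15871748/21 in 984/1036",
    "FTP_NAT: partial packet 15871748/21 in 985/1005",
    # Constructed lines, not from the post:
    # a command that starts 10 bytes into a 20-byte segment and runs past it
    "FTP_NAT: partial packet 1000/21 in 990/1010",
    # a 30-byte segment whose end wrapped past 2^32 (4294967280 + 30 = 14)
    "FTP_NAT: partial packet 4294967290/21 in 4294967280/14",
]

if __name__ == "__main__":
    for verdict, ov, off, pp in triage(SAMPLE_LOG):
        print(f"{verdict:9s} overlap={ov:2d}B offset={off:>10d}  "
              f"exp {pp.exp_seq}/{pp.exp_len} in {pp.pkt_seq}/{pp.pkt_end}")
```

Feed it the relevant lines from the firewall log (for example `dmesg | grep FTP_NAT`): a run of "partial" verdicts with small offsets points at segmentation or retransmission of the control channel, while "disjoint" verdicts with offsets in the millions mean the NAT helper's expectation and the segments it is applied to do not belong to the same byte stream.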
