ftp/http problems with masquerading
Hi List,

I have a problem with our masquerading firewall: I use the same configuration on two different machines which route for two networks (one SuSE 7.0, kernel 2.2.16, connected to an ISDN device, and one SuSE 7.1, kernel 2.2.18, acting as ADSL router). The script (which is called by ip-up) is taken from an article in the German computer magazine "c't" (24/00).

On both machines it works quite fine except for two problems:

http: Some websites can't be accessed from Windows 98 machines. I don't think it's the MTU problem; I once set it to the correct value [unfortunately I can't check this right now] and most websites can be shown.

ftp: Some servers make problems: either the download always hangs at the last few (kilo)bytes, or the FTP server fails to open the data connection (login is possible, but the connection hangs when doing an "ls"). It seems to be a problem with masquerading: in my logfiles I can see that ipchains denies incoming connections from port 20 of the remote FTP server. The module ip_masq_ftp is loaded and it works without any problems for many other servers.

It would be nice if someone could give me some hints..

thanks && bye:
stephan

--------------------------------------------------------------------------
Stephan Beirer            Immanuelkirchstrasse 12, 10405 Berlin
System Administration     tel +49_30_443509000  fax +49_30_443509001
MicroDiscovery GmbH       mail beirer@microdiscovery.com
Bioinformatics Solutions  http://www.microdiscovery.com
On Thu, 15 Mar 2001, Stephan Beirer wrote:
> Hi List,
>
> I have a problem with our masquerading firewall: I use the same configuration on two different machines which route for two networks (one SuSE 7.0, kernel 2.2.16, connected to an ISDN device, and one SuSE 7.1, kernel 2.2.18, acting as ADSL router). The script (which is called by ip-up) is taken from an article in the German computer magazine "c't" (24/00).
>
> On both machines it works quite fine except for two problems:
>
> http: Some websites can't be accessed from Windows 98 machines. I don't think it's the MTU problem; I once set it to the correct value [unfortunately I can't check this right now] and most websites can be shown.
>
> ftp: Some servers make problems: either the download always hangs at the last few (kilo)bytes, or the FTP server fails to open the data connection (login is possible, but the connection hangs when doing an "ls"). It seems to be a problem with masquerading: in my logfiles I can see that ipchains denies incoming connections from port 20 of the remote FTP server. The module ip_masq_ftp is loaded and it works without any problems for many other servers.
>
> It would be nice if someone could give me some hints..
>
> thanks && bye:
> stephan
Hmm - first of all I'd really check the MTU again ... I had similar problems with DSL. Got a 2.4.2 kernel and applied the MSS patches coming with iptables 1.2 - and added a line like

    iptables -A FORWARD -p tcp --tcp-flags SYN,RST SYN -j TCPMSS --clamp-mss-to-pmtu

to ip-up.local. Worked fine for me ...

Ciao,
Marcel
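What the TCPMSS rule in the reply above actually does to a forwarded SYN, as an added Python example for this thread (a stand-alone model, not the kernel's TCPMSS target and not code from any poster). A LAN client on a 1500-byte Ethernet advertises MSS 1460; on a PPPoE ADSL link the MTU is 1492, so full-size segments from the far end do not fit and, when the ICMP "fragmentation needed" messages are filtered somewhere on the path, the connection stalls as soon as a large response is sent. Clamping the MSS in the SYN to MTU minus 40 sidesteps path-MTU discovery entirely. The packets here are constructed by build_tcp(), the addresses are documentation ranges, and the path MTU is passed in as a parameter rather than read from the route as the kernel does:

```python
"""
MSS clamping as a stand-alone function: rewrite the MSS option of a TCP SYN
so that MSS + 40 bytes of IPv4/TCP header never exceeds the path MTU, then
fix the TCP checksum. Added example; packets are constructed in build_tcp().
"""
import socket
import struct

IP_PROTO_TCP = 6
TCP_SYN = 0x02
TCP_ACK = 0x10
TCPOPT_EOL, TCPOPT_NOP, TCPOPT_MSS = 0, 1, 2


def inet_checksum(data: bytes) -> int:
    """RFC 1071 ones'-complement checksum over data (zero-padded to even length)."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def tcp_checksum(src: bytes, dst: bytes, segment: bytes) -> int:
    """TCP checksum including the IPv4 pseudo-header (src, dst, proto, length)."""
    pseudo = src + dst + struct.pack("!BBH", 0, IP_PROTO_TCP, len(segment))
    return inet_checksum(pseudo + segment)


def tcp_options(segment: bytes):
    """Yield (kind, offset, length) for each TCP option. Stops at EOL or at the
    first malformed option so a bogus length can never walk past the header."""
    doff = (segment[12] >> 4) * 4
    i = 20
    while i < doff:
        kind = segment[i]
        if kind == TCPOPT_EOL:
            return
        if kind == TCPOPT_NOP:
            yield kind, i, 1
            i += 1
            continue
        if i + 1 >= doff:
            return
        olen = segment[i + 1]
        if olen < 2 or i + olen > doff:
            return
        yield kind, i, olen
        i += olen


def build_tcp(src: str, dst: str, sport: int, dport: int, flags: int, mss: int) -> bytes:
    """Constructed sample packet: IPv4 header + TCP header carrying one MSS option."""
    opts = struct.pack("!BBH", TCPOPT_MSS, 4, mss)
    doff = (20 + len(opts)) // 4
    seg = struct.pack("!HHIIBBHHH", sport, dport, 1000, 0, doff << 4, flags, 65535, 0, 0) + opts
    s, d = socket.inet_aton(src), socket.inet_aton(dst)
    seg = seg[:16] + struct.pack("!H", tcp_checksum(s, d, seg)) + seg[18:]
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(seg), 0x1234, 0x4000, 64, IP_PROTO_TCP, 0, s, d)
    ip = ip[:10] + struct.pack("!H", inet_checksum(ip)) + ip[12:]
    return ip + seg


def mss_of(packet: bytes):
    """Return the MSS option value of a packet, or None if it carries none."""
    seg = packet[(packet[0] & 0x0F) * 4:]
    for kind, off, olen in tcp_options(seg):
        if kind == TCPOPT_MSS and olen == 4:
            return struct.unpack("!H", seg[off + 2:off + 4])[0]
    return None


def clamp_mss(packet: bytes, pmtu: int):
    """Returns (packet, old_mss, new_mss). Only SYNs that carry an MSS option are
    rewritten; everything else comes back untouched with (None, None)."""
    ihl = (packet[0] & 0x0F) * 4
    if packet[9] != IP_PROTO_TCP:
        return packet, None, None
    seg = bytearray(packet[ihl:])
    if not seg[13] & TCP_SYN:
        return packet, None, None
    for kind, off, olen in tcp_options(bytes(seg)):
        if kind != TCPOPT_MSS or olen != 4:
            continue
        old = struct.unpack("!H", seg[off + 2:off + 4])[0]
        new = min(old, pmtu - 40)              # 20-byte IPv4 header + 20-byte TCP header
        seg[off + 2:off + 4] = struct.pack("!H", new)
        seg[16:18] = b"\x00\x00"               # the checksum covers the option: recompute it
        seg[16:18] = struct.pack("!H", tcp_checksum(packet[12:16], packet[16:20], bytes(seg)))
        return packet[:ihl] + bytes(seg), old, new
    return packet, None, None


def tcp_checksum_ok(packet: bytes) -> bool:
    """A correct checksum verifies to zero when recomputed over the segment as-is."""
    ihl = (packet[0] & 0x0F) * 4
    return tcp_checksum(packet[12:16], packet[16:20], packet[ihl:]) == 0


if __name__ == "__main__":
    syn = build_tcp("192.168.1.10", "198.51.100.20", 40000, 80, TCP_SYN, 1460)
    clamped, old, new = clamp_mss(syn, 1492)   # PPPoE: 1500 minus 8 bytes of PPPoE/PPP
    print("MSS %d -> %d, checksum ok: %s" % (old, new, tcp_checksum_ok(clamped)))
```

The rule in the reply matches only on `SYN,RST SYN`, and the model does the same: clamping a non-SYN would corrupt nothing but is pointless, since the MSS is only negotiated in the handshake. Note that this only protects TCP; a PMTU black hole on the path still breaks large UDP or ESP packets.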
On Thu, Mar 15, Stephan Beirer wrote:
> Hi List,
>
> I have a problem with our masquerading firewall: I use the same configuration on two different machines which route for two networks (one SuSE 7.0, kernel 2.2.16, connected to an ISDN device, and one SuSE 7.1, kernel 2.2.18, acting as ADSL router). The script (which is called by ip-up) is taken from an article in the German computer magazine "c't" (24/00).
>
> On both machines it works quite fine except for two problems:
>
> http: Some websites can't be accessed from Windows 98 machines. I don't think it's the MTU problem; I once set it to the correct value [unfortunately I can't check this right now] and most websites can be shown.
>
> ftp: Some servers make problems: either the download always hangs at the last few (kilo)bytes, or the FTP server fails to open the data connection (login is possible, but the connection hangs when doing an "ls"). It seems to be a problem with masquerading: in my logfiles I can see that ipchains denies incoming connections from port 20 of the remote FTP server. The module ip_masq_ftp is loaded and it works without any problems for many other servers.

Incoming connections on port 20 mean that active FTP was attempted - it's not an error if the firewall blocks that. Actually I think it should do that.

Using the command-line ftp client on 7.1 I had a similar problem regarding the ls: "data connection already active" and nothing else happened. Typing "epsv4" at the ftp prompt before issuing any other command took care of that. (Type "help" at the ftp command prompt to see the possible commands.)

> It would be nice if someone could give me some hints..
Hope it was of some use ...
Björn
--
Dr. Björn Lotz
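The reply above draws the right distinction: a SYN arriving from the server's port 20 is active-mode FTP, and the firewall is correct to drop it unless the masquerading helper has announced it. The following is an added Python model of what such a helper has to do on the control channel; it is not ip_masq_ftp and not code from anyone in the thread. In active mode the client sends "PORT h1,h2,h3,h4,p1,p2" naming its private address, so the helper must rewrite that to the firewall's public address and a port it will map back, and open a pinhole for the server's port-20 connection. In passive mode the server's "227" reply names an endpoint the client connects out to, so only tracking is needed. EPRT and EPSV (RFC 2428) carry the same information in a different syntax; the "epsv4" command Björn mentions is the lukemftp/BSD ftp client's toggle for using EPSV/EPRT on IPv4, and switching it off makes the client fall back to PORT/PASV. That a 2.2-era helper parses only PORT and the 227 reply and passes EPRT/EPSV through untouched is my assumption, and the model behaves that way. The addresses (203.0.113.5 as the public IP, 192.168.1.10 as the client) and the commands are constructed:

```python
"""
Model of a masquerading FTP helper's control-channel work (added example,
not ip_masq_ftp). Shows why an unrewritten active-mode request ends up as
a denied inbound port-20 connection, and why passive mode needs no pinhole.
Assumption: the helper understands only PORT and the 227 reply.
"""
import re

# "PORT h1,h2,h3,h4,p1,p2" from the client (active) and
# "227 Entering Passive Mode (h1,h2,h3,h4,p1,p2)" from the server (passive).
PORT_RE = re.compile(r"^PORT\s+(\d+),(\d+),(\d+),(\d+),(\d+),(\d+)", re.I)
PASV_RE = re.compile(r"^227\b.*?\((\d+),(\d+),(\d+),(\d+),(\d+),(\d+)\)")


def hostport_to_tuple(groups):
    """Decode the comma-separated RFC 959 host/port form into (ip, port)."""
    return ".".join(groups[:4]), int(groups[4]) * 256 + int(groups[5])


def tuple_to_hostport(ip, port):
    return "%s,%d,%d" % (ip.replace(".", ","), port // 256, port % 256)


class FtpNatHelper:
    """Rewrites PORT from inside clients to the public address and records a
    pinhole so the server's port-20 data connection is accepted and mapped back."""

    def __init__(self, public_ip, first_port=60000):
        self.public_ip = public_ip
        self.next_port = first_port
        self.pinholes = {}   # (public_ip, ext_port) -> (client_ip, client_port)
        self.unparsed = []   # commands this helper does not understand (EPRT/EPSV)

    def rewrite_client_command(self, line):
        m = PORT_RE.match(line)
        if m:
            client_ip, client_port = hostport_to_tuple(m.groups())
            ext_port, self.next_port = self.next_port, self.next_port + 1
            self.pinholes[(self.public_ip, ext_port)] = (client_ip, client_port)
            return "PORT %s\r\n" % tuple_to_hostport(self.public_ip, ext_port)
        if re.match(r"^(EPRT|EPSV)\b", line, re.I):
            self.unparsed.append(line.strip())   # passed through unchanged (assumption)
        return line

    def parse_pasv_reply(self, line):
        """Passive mode: the client connects *out* to this endpoint; no pinhole needed."""
        m = PASV_RE.match(line)
        return hostport_to_tuple(m.groups()) if m else None

    def inbound_allowed(self, dst_ip, dst_port):
        """Firewall decision for a new inbound SYN, e.g. the server's port-20 connection."""
        return (dst_ip, dst_port) in self.pinholes


def simulate(mode):
    """Run one constructed session; returns what the firewall sees for the data connection."""
    helper = FtpNatHelper("203.0.113.5")
    client = ("192.168.1.10", 1234)
    if mode == "PASV":
        reply = "227 Entering Passive Mode (198,51,100,20,39,16)\r\n"
        return {"direction": "outbound", "target": helper.parse_pasv_reply(reply), "allowed": True}
    if mode == "PORT":
        cmd = "PORT %s\r\n" % tuple_to_hostport(*client)
    else:  # RFC 2428 extended form, which this helper leaves alone
        cmd = "EPRT |1|%s|%d|\r\n" % client
    sent = helper.rewrite_client_command(cmd)
    m = PORT_RE.match(sent)
    # The server connects from port 20 to whatever address the command it received names.
    target = hostport_to_tuple(m.groups()) if m else client
    return {"direction": "inbound", "target": target,
            "allowed": helper.inbound_allowed(*target),
            "rewritten": sent.strip(), "unparsed": list(helper.unparsed)}


if __name__ == "__main__":
    for mode in ("PORT", "EPRT", "PASV"):
        print(mode, simulate(mode))
```

In the PORT case the server's connection lands on a pinhole and is forwarded; in the EPRT case the command still names the private address, so the data connection is either aimed at an address nobody routes or, if the server tries the public address, hits a port with no pinhole, which is exactly the denied port-20 SYN ipchains logs. The same gap appears whenever the helper cannot see the command at all, for instance when the control channel is encrypted.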
On Mon, 19 Mar 2001 09:11:26 +0100, you wrote:
> > ftp: Some servers make problems: either the download always hangs at the last few (kilo)bytes, or the FTP server fails to open the data connection (login is possible, but the connection hangs when doing an "ls"). It seems to be a problem with masquerading: in my logfiles I can see that ipchains denies incoming connections from port 20 of the remote FTP server. The module ip_masq_ftp is loaded and it works without any problems for many other servers.
>
> Incoming connections on port 20 mean that active FTP was attempted - it's not an error if the firewall blocks that. Actually I think it should do that.
>
> Using the command-line ftp client on 7.1 I had a similar problem regarding the ls: "data connection already active" and nothing else happened. Typing "epsv4" at the ftp prompt before issuing any other command took care of that. (Type "help" at the ftp command prompt to see the possible commands.)

I'm also having problems with FTP and NAT. Sorry if this is a bit off-topic in this ML. I have an RDSI (ISDN) dial-up connection with an RDSI router (doing NAT). Mysteriously, the Windows NT ftp client works nicely while Linux (SuSE 7.0) doesn't. It seems not to be an active/passive problem, since I've tested both modes in Linux. It's strange... if anyone has suffered the same behaviour, please write to me. TIA.

=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=
** RoMaN SoFt / LLFB **
roman@madrid.com
http://pagina.de/romansoft
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
On Tue, 20 Mar 2001 09:39:22 +0100, you wrote:
> I'm also having problems with FTP and NAT. Sorry if this is a bit off-topic in this ML. I have an RDSI (ISDN) dial-up connection with an RDSI router (doing NAT). Mysteriously, the Windows NT ftp client works nicely while Linux (SuSE 7.0) doesn't. It seems not to be an active/passive problem, since I've tested both modes in Linux. It's strange... if anyone has suffered the same behaviour, please write to me. TIA.

Incredible. I've found the problem. I have just "hacked" the TOS field for all IP packets to force all of them to be 0x00 (normal). This is my fix:

    iptables -t mangle -A PREROUTING -j TOS --set-tos 0x00
    iptables -t mangle -A OUTPUT -j TOS --set-tos 0x00

(2.4.2 kernel with iptables 1.2.1a) (note 1.2.1 was broken!)

The PREROUTING command isn't necessary if your Linux box is NOT a router.

Iptables is nice!!! (The chains' logical scheme is far better than the ipchains one and it's more powerful. Switch to the 2.4 kernel!)

=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=
** RoMaN SoFt / LLFB **
roman@madrid.com
http://pagina.de/romansoft
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
I found module ip_masq_ipsec, insmod'ed that. I get the following logs, and the client complains of 'no answer'. Typical helpful message from Microsoft.

Mar 21 21:24:12 dmc12 kernel: ip_masq_ipsec: loading
Mar 21 21:25:05 dmc12 kernel: ip_masq_pptp_tcp(): ===myexternal=== -> ===dest=== LEN=516 TY=1460 MC=1010402
Mar 21 21:25:05 dmc12 kernel: ip_masq_pptp_tcp(): not a control pkt
Mar 21 21:25:08 dmc12 kernel: ip_masq_pptp_tcp(): ===external=== -> ===dest=== LEN=516 TY=1460 MC=1010402
Mar 21 21:25:08 dmc12 kernel: ip_masq_pptp_tcp(): not a control pkt
Mar 21 21:25:14 dmc12 kernel: ip_masq_pptp_tcp(): ===ext=== -> ===dest=== LEN=516 TY=1460 MC=1010402
Mar 21 21:25:14 dmc12 kernel: ip_masq_pptp_tcp(): not a control pkt
participants (5)
- Bjoern Lotz
- K Creason
- Marcel Ritter
- RoMaN SoFt / LLFB!!
- Stephan Beirer