[NCLUG] iptables, ftp, windows8

Matt Rosing rosing at peakfive.com
Tue Jan 8 13:03:38 MST 2013


I can't upload files from a Windows 8 application that uses FTP. It
worked fine under Windows 7. I can upload fine using ftp on my Linux box
that is on the same network. I tried active and passive and it doesn't
change anything on either machine.

I noticed some packets are being denied in my firewall from the server 
address. Those are all input and not forward packets. I would think that 
the packets that were dropped should have been forwarded to the windows8 
machine.

Any ideas?

My firewall uses:
modprobe nf_conntrack_ftp
modprobe nf_nat_ftp

The server is running Windows.

I turned on tracing for everything to and from the ftp server's address. 
Here are the last few packets before the first packet is denied. All the 
windows and ports in the dropped packet have corresponding values in the 
packets that went through.

...
Out: IN=eth0 OUT=eth2 SRC=windows8 DST=server LEN=40 PREC=0x00 TTL=127 
ID=3526 DF PROTO=TCP SPT=49364 DPT=3359 WINDOW=256 RES=0x00 ACK FIN

In:  IN=eth2 OUT=eth0 SRC=server DST=windows8 LEN=52 PREC=0x20 TTL=124 
ID=17521 DF PROTO=TCP SPT=3359 DPT=49364 WINDOW=65535 RES=0x00 ACK

Out: IN=eth0 OUT=eth2 SRC=windows8 DST=server LEN=40 PREC=0x00 TTL=127 
ID=3527 PROTO=TCP SPT=49362 DPT=21 WINDOW=254 RES=0x00 ACK

Out: IN=eth0 OUT=eth2 SRC=windows8 DST=server LEN=596 PREC=0x00 TTL=127 
ID=3528 PROTO=TCP SPT=49364 DPT=3359 WINDOW=256 RES=0x00 ACK

In:  IN=eth2 OUT=eth0 SRC=server DST=windows8 LEN=44 PREC=0x20 TTL=28 
ID=0 PROTO=TCP SPT=3359 DPT=49364 WINDOW=256 RES=0x00 RST

Out: IN=eth0 OUT=eth2 SRC=windows8 DST=server LEN=40 PREC=0x00 TTL=127 
ID=3529 PROTO=TCP SPT=49362 DPT=21 WINDOW=254 RES=0x00 ACK FIN

In:  IN=eth2 OUT=eth0 SRC=server DST=windows8 LEN=82 PREC=0x20 TTL=124 
ID=17523 DF PROTO=TCP SPT=21 DPT=49362 WINDOW=65430 RES=0x00 ACK PSH

Out: IN=eth0 OUT=eth2 SRC=windows8 DST=server LEN=40 PREC=0x00 TTL=127 
ID=3530 PROTO=TCP SPT=49362 DPT=21 WINDOW=0 RES=0x00 ACK RST

**INPUTs** IN=eth2 OUT= MAC=... SRC=server DST=gateway LEN=40 PREC=0x20 
TTL=125 ID=17524 DF PROTO=TCP SPT=3359 DPT=49364 WINDOW=65535 RES=0x00 
ACK FIN

iptables INPUT DENIED IN=eth2 OUT= MAC=... SRC=server DST=gateway LEN=40 
PREC=0x20 TTL=125 ID=17524 DF PROTO=TCP SPT=3359 DPT=49364 WINDOW=65535 
RES=0x00 ACK FIN

Thanks,

Matt
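
Added example, not part of the original post: a Python script that parses LOG lines in the format of the trace above and reports packets delivered to INPUT whose remote address and port pair match a flow the firewall had been forwarding, noting whether an RST had already been forwarded on that flow and which TTLs were seen inbound. It assumes eth2 is the outside interface, as in the trace; the sample lines are four entries from the trace re-joined onto single lines, and the function names are illustrative.

```python
import re

TCP_FLAGS = {"SYN", "ACK", "FIN", "RST", "PSH", "URG"}

# Four entries from the trace above, re-joined onto single lines.
SAMPLE = [
    "Out: IN=eth0 OUT=eth2 SRC=windows8 DST=server LEN=40 PREC=0x00 TTL=127 ID=3526 DF PROTO=TCP SPT=49364 DPT=3359 WINDOW=256 RES=0x00 ACK FIN",
    "In:  IN=eth2 OUT=eth0 SRC=server DST=windows8 LEN=52 PREC=0x20 TTL=124 ID=17521 DF PROTO=TCP SPT=3359 DPT=49364 WINDOW=65535 RES=0x00 ACK",
    "In:  IN=eth2 OUT=eth0 SRC=server DST=windows8 LEN=44 PREC=0x20 TTL=28 ID=0 PROTO=TCP SPT=3359 DPT=49364 WINDOW=256 RES=0x00 RST",
    "iptables INPUT DENIED IN=eth2 OUT= MAC=... SRC=server DST=gateway LEN=40 PREC=0x20 TTL=125 ID=17524 DF PROTO=TCP SPT=3359 DPT=49364 WINDOW=65535 RES=0x00 ACK FIN",
]

def parse(line):
    """Split one LOG line into its KEY=value fields plus the set of TCP flags."""
    fields = dict(re.findall(r"(\w+)=(\S*)", line))
    fields["FLAGS"] = TCP_FLAGS & set(line.split())
    return fields

def flow_key(pkt, wan):
    """Key by remote host and port pair, so the NATed local address is ignored."""
    if pkt["IN"] == wan:                          # arriving from outside
        return (pkt["SRC"], pkt["SPT"], pkt["DPT"])
    return (pkt["DST"], pkt["DPT"], pkt["SPT"])   # heading outside

def analyse(lines, wan="eth2"):                   # wan: assumed outside interface
    """List INPUT-chain packets that match a flow seen earlier in FORWARD."""
    forwarded, findings = {}, []
    for line in lines:
        pkt = parse(line)
        if pkt.get("PROTO") != "TCP":
            continue
        key = flow_key(pkt, wan)
        if pkt.get("OUT"):                        # OUT set: packet was forwarded
            state = forwarded.setdefault(key, {"rst": False, "ttls": set()})
            state["rst"] |= "RST" in pkt["FLAGS"]
            if pkt["IN"] == wan:
                state["ttls"].add(int(pkt["TTL"]))
        elif key in forwarded:                    # OUT empty: delivered to INPUT
            state = forwarded[key]
            findings.append({"flow": key,
                             "flags": sorted(pkt["FLAGS"]),
                             "after_rst": state["rst"],
                             "inbound_ttls": sorted(state["ttls"])})
    return findings

if __name__ == "__main__":
    for finding in analyse(SAMPLE):
        print(finding)
```

The output lists observations only; it does not say why a packet was left untranslated. Comparing the flagged flow against `conntrack -L` output at the time of the drop is the natural next check.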


