[NCLUG] debugging ftp iptables
Chris
csohns at yahoo.com
Fri Jan 25 15:33:39 MST 2013
Matt,
I've honestly never had to deal with MTU problems, my routers have always gracefully handled everything, DF marks or not. 576 is interesting though, it's 1001000000 in binary.
Your fw masq doesn't need a dnat unless you're forwarding specific ports to other places on your LAN. The NAT handles it all on its own when you masq egress traffic.
A stateful fw might call ICMP packets within the same sequence as related, but other than that possibility ICMP packets are not "related" to FTP packets.
If you're comfortable sending me your iptables configuration off-list, I'll gladly glance over it. Feel free to mark out private information.
Chris
________________________________
From: Matt Rosing <rosing at peakfive.com>
To: nclug at nclug.org
Sent: Thursday, January 24, 2013 5:20 PM
Subject: Re: [NCLUG] debugging ftp iptables
First of all, sorry about sending all the extra stuff in my last email.
Kind of like the first time I did mail with r instead of R, and it went
to the entire university. I've been very careful with reply all ever since.
Anyway, someone else pointed out to me that if a packet is fragmented
and the server doesn't like it, it will send back an ICMP packet with a
Too Big code. I don't think my firewall forwards ICMP packets. What is
involved in forwarding ICMP packets?
Currently my iptables has POSTROUTING MASQUERADE all protocols but only
has PREROUTING DNAT for the tcp protocol. Should that be all protocols, too?
Also, my FORWARD chain accepts all protocols coming in from the outside
if they are RELATED, ESTABLISHED. Is it safe to assume that once my ftp
client starts talking to the server that the icmp packet is part of the
connection?
Thanks,
Matt
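As an added illustration of the setup discussed in this thread (it is not Matt's or Chris's actual firewall script), the following sketch shows a minimal forwarding ruleset that covers the three questions raised: the MASQUERADE rule with no DNAT, a FORWARD chain that admits RELATED,ESTABLISHED replies, and explicit handling of "fragmentation needed" ICMP plus the FTP conntrack helper. It assumes a WAN interface named eth0 and a LAN interface named eth1; without APPLY=1 it only prints the commands it would run.

```shell
#!/bin/sh
# Added example for the thread above, not the posters' own firewall.
# Assumed interface names: WAN side eth0, LAN side eth1 (override via env).
# Without APPLY=1 the script only prints the commands instead of running them.
WAN="${WAN:-eth0}"
LAN="${LAN:-eth1}"
if [ "${APPLY:-0}" = 1 ]; then DRY_RUN=""; else DRY_RUN=1; fi

# Print the command in dry-run mode, execute it otherwise.
run() {
    if [ -n "$DRY_RUN" ]; then
        echo "$*"
    else
        "$@"
    fi
}

rules() {
    run sysctl -w net.ipv4.ip_forward=1

    # FTP helper: follows the PORT/PASV exchange on the control channel so the
    # data connection is classed RELATED. Kernels since 4.7 no longer attach
    # helpers automatically, so do it explicitly in the raw table.
    run modprobe nf_conntrack_ftp
    run iptables -t raw -A PREROUTING -p tcp --dport 21 -j CT --helper ftp

    # Masquerade outbound traffic only; DNAT is needed only when publishing
    # a LAN service to the outside, not for plain client access.
    run iptables -t nat -A POSTROUTING -o "$WAN" -j MASQUERADE

    # Default-deny forwarding: LAN may initiate, WAN may only answer.
    run iptables -F FORWARD
    run iptables -P FORWARD DROP
    run iptables -A FORWARD -i "$LAN" -o "$WAN" -j ACCEPT
    run iptables -A FORWARD -i "$WAN" -o "$LAN" -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT

    # Conntrack marks an ICMP error that quotes a tracked flow as RELATED, so
    # the rule above already admits "fragmentation needed" for live
    # connections. Admit it explicitly as well, rate-limited, so path MTU
    # discovery keeps working when the quoted header matches no tracked flow.
    run iptables -A FORWARD -i "$WAN" -o "$LAN" -p icmp --icmp-type fragmentation-needed -m limit --limit 10/s -j ACCEPT

    # Belt and braces for the MTU problem itself: clamp MSS on forwarded SYNs
    # so TCP segments fit the path even if ICMP is dropped upstream.
    run iptables -t mangle -A FORWARD -p tcp --tcp-flags SYN,RST SYN -j TCPMSS --clamp-mss-to-pmtu
}

rules
```

Run it once without APPLY=1 to review the generated commands, then with APPLY=1 as root to install them; the chains other than FORWARD are appended to, so check existing raw, nat and mangle rules first.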
_______________________________________________
NCLUG mailing list NCLUG at lists.nclug.org
To unsubscribe, subscribe, or modify
your settings, go to:
http://lists.nclug.org/mailman/listinfo/nclug