Re: iptables ip_conntrack_ftp + proftpd TLS: PORT command not understood

Patrick McHardy <kaber@xxxxxxxxx> · Tue, 27 May 2008 09:39:31 +0200

Filippo Zeus wrote:

Considering ftp-control port is text based i've dumped with -A switch. I 

hope it's ok

03:05:59.149005 IP ***HIDDEN_IP***.21 > 151.80.2.63.55194: P 1:71(70) 

ack 1 win 46

2.P.?......L.1...P....`..220 FTP Server ready. Please use FTP-TLS or 

login wi

03:05:59.149078 IP 151.80.2.63.55194 > ***HIDDEN_IP***.21: . ack 71 win 

1024

2....1.....M.P.......+

03:05:59.149759 IP 151.80.2.63.55194 > ***HIDDEN_IP***.21: P 1:11(10) 

ack 71 win 1024

2....1.....M.P.......AUTH TLS

03:05:59.700919 IP ***HIDDEN_IP***.21 > 151.80.2.63.55194: . ack 11 win 46
2.P.?......M.1...P.......

03:05:59.700939 IP ***HIDDEN_IP***.21 > 151.80.2.63.55194: P 71:96(25) 

ack 11 win 46

2.P.?......M.1...P...O...234 AUTH TLS successful

03:05:59.701036 IP 151.80.2.63.55194 > ***HIDDEN_IP***.21: . ack 96 win 

1024

2....1.....M4P.......+

03:05:59.706276 IP 151.80.2.63.55194 > ***HIDDEN_IP***.21: P 11:95(84) 

ack 96 win 1024

2....1.....M4P...L.......O...K..H;^w.i} ..\*.+....'b..]...5`.O....$.3.E.9

03:06:00.416441 IP ***HIDDEN_IP***.21 > 151.80.2.63.55194: P 

1516:1666(150) ack 95 win 46

2.P.?......R.1...P....[...)E..5O......tsp.+).)..W[H..u.)IP..&....XZr...~.<... 

Its a bit hard to read, but this looks like your client also
encrypts the control connection, which explains why FTP
conntrack doesn't work.

--
To unsubscribe from this list: send the line "unsubscribe netfilter" in
the body of a message to majordomo@xxxxxxxxxxxxxxx
More majordomo info at  http://vger.kernel.org/majordomo-info.html