Date: Tue Jun 13 2000 - 19:06:05 EST

Hi there,
My thoughts:

1. You have long tcp timeout times here - 7200. Don't know if this is an
issue but we run /sbin/ipchains -M -S 3600 0 0.

2. Have you got your reverse/return path blocked or partially blocked for
FTP transactions? Ports 20-21.


>we have a very strange problem with our nat.
>sometimes, when a machine behind the nat tries to ftp into some machine on
>the internet, it will get 421, service not available. we know that a lot of
>those machines (like has ftp running all the time, and it is
>definitely our problem. and it is a nat problem, because machines which
>bypass the nat do not have the same problem. both windows and linux machines
>are affected. why might this happen? nat masq's everything else, and only
>some ftp sites are inaccessible (we were not able to determine a pattern in
>inaccessible sites either)
>this is what we did to set up masq on the nat:
>/sbin/depmod -a
>/sbin/modprobe ip_masq_ftp
>echo "1" >/proc/sys/net/ipv4/ip_always_defrag
>/sbin/ipchains -M -S 7200 10 160
>ip forwarding is also enabled.
>the nat has two outgoing feeds - t1 and dsl, but there is a default route -
>t1 - and we are running neither routed nor gated.
>so that should take care of masq's, but doesn't for some reason.
>our nat runs RH6.2, kernel 2.2.14-5.0 on intel pentium.
>can anyone help us out with this one? or should there be any more input data
>on my part?
>Max Gribov
>Systems Engineer
>KPL, inc.
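As an added illustration, not part of either message above and not the kernel's own ip_masq_ftp code, the following Python shows what the FTP masquerading helper has to do on the control channel: parse the client's PORT command (active mode) and the server's 227 reply (passive mode), and rewrite the PORT command so the server sees the router's public address and a masqueraded port instead of the client's private one. Without that rewrite an active-mode server tries to open its data connection (from port 20) back to an unroutable address, which is one way to end up with failed transfers; a firewall that drops the inbound data connection on the return path has the same effect, which is what point 2 is asking about. All addresses and ports below are constructed sample values.

```python
import re
from ipaddress import IPv4Address

# FTP encodes host and port as six decimal fields: h1,h2,h3,h4,p1,p2
# with port = p1 * 256 + p2 (RFC 959).
_PORT_CMD = re.compile(r"^PORT\s+(\d+),(\d+),(\d+),(\d+),(\d+),(\d+)\s*$", re.IGNORECASE)
_PASV_REPLY = re.compile(r"^227\b.*?\((\d+),(\d+),(\d+),(\d+),(\d+),(\d+)\)")


def decode_hostport(fields):
    """Turn the six h1..p2 fields into ('a.b.c.d', port), rejecting out-of-range values."""
    nums = [int(f) for f in fields]
    if len(nums) != 6 or any(not 0 <= n <= 255 for n in nums):
        raise ValueError("malformed host/port fields: %r" % (fields,))
    host = str(IPv4Address(".".join(str(n) for n in nums[:4])))
    port = nums[4] * 256 + nums[5]
    if port == 0:
        raise ValueError("port 0 is not usable for a data connection")
    return host, port


def encode_hostport(host, port):
    """Inverse of decode_hostport: ('a.b.c.d', port) -> 'a,b,c,d,p1,p2'."""
    if not 1 <= port <= 65535:
        raise ValueError("port out of range: %d" % port)
    octets = str(IPv4Address(host)).split(".")
    return ",".join(octets + [str(port // 256), str(port % 256)])


def parse_port_command(line):
    """Client -> server 'PORT h1,h2,h3,h4,p1,p2' (active mode). Returns (host, port) or None."""
    m = _PORT_CMD.match(line.strip())
    return decode_hostport(m.groups()) if m else None


def parse_pasv_reply(line):
    """Server -> client '227 Entering Passive Mode (h1,h2,h3,h4,p1,p2)'. Returns (host, port) or None."""
    m = _PASV_REPLY.match(line.strip())
    return decode_hostport(m.groups()) if m else None


def rewrite_port_command(line, public_ip, masq_port):
    """Emulate the masquerading helper's job for active mode.

    The client behind the NAT announces its *private* address in PORT. The helper
    must replace it with the router's public address and a port the router listens
    on, and remember the mapping so the server's inbound data connection (from
    port 20) can be forwarded to the original client host:port.
    Returns (rewritten_line, (orig_host, orig_port)) or (line, None) if not a PORT.
    """
    parsed = parse_port_command(line)
    if parsed is None:
        return line, None
    rewritten = "PORT " + encode_hostport(public_ip, masq_port)
    return rewritten, parsed


if __name__ == "__main__":
    # Constructed sample exchange: client 192.168.1.10 behind a router at 203.0.113.5
    client_cmd = "PORT 192,168,1,10,4,1"            # client offers 192.168.1.10:1025
    new_cmd, mapping = rewrite_port_command(client_cmd, "203.0.113.5", 61001)
    print(client_cmd, "->", new_cmd, "maps back to", mapping)
    print(parse_pasv_reply("227 Entering Passive Mode (198,51,100,7,195,80)"))
```

In passive mode the client makes the data connection outbound to the address in the 227 reply, so no rewrite is needed and the connection is masqueraded like any other outbound TCP session; this is why passive-mode clients often work through a NAT that breaks active mode, and it is a quick way to narrow down which side of the FTP exchange is failing.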
