Petar Knezevich (pknezevich@home.com)
Tue, 22 Feb 2000 18:28:33 +0000
I set up a firewall/forwarding machine on Rogers@Home and everything
seems to be working fine except for ftp.
I set up my Red Hat 6.1 system using the example given in Appendix B of
the New Riders book "Linux Firewalls" by Robert L. Ziegler. The system
is a 486/66 with 32MB of RAM and 300MB of available HDD using two AOpen
ISA 10baseT cards. The default ipchains rules are to DENY input and
REJECT output and forward, with all allowed external access being
explicitly ACCEPTed.
I have one machine that is running on the masqueraded LAN and it has no
problems except that ftp will only work if I have it in passive mode.
On this machine I have Red Hat's 5.2 and 6.1 and I get similar problems
in both. When ftp is not in passive mode and I attempt to list the
files, ftp hangs until I kill it (no patience). I get the message that
the data connection could not be established. I just tested ftp again
(in Red Hat 5.2) at ftp.netcom.com and ftp.redhat.com and when I type
"dir" it doesn't hang but now I get the message "500 Illegal PORT
Command". When I ftped to my account at UBC I get the message "200 PORT
command successful" but it hangs there.
I find this odd since I do not have this problem on the firewall machine
itself. This leads me to believe that packets coming back on the normal
data mode are being dropped between the ipchains input rule that accepts
them and the forwarding rule that masquerades the LAN.
I am using a forward-everything masquerading rule, using the firewall
ipchains to take care of the access and security for the LAN:
#definitions
EXTERNAL_INTERFACE="eth1"
LAN_1="192.168.1.0/24"
# masquerade everything leaving the LAN through the external interface
# (ipchains takes the source address with lowercase -s)
ipchains -A forward -i $EXTERNAL_INTERFACE -s $LAN_1 -j MASQ
I am having some difficulty in debugging this problem and I was hoping
that someone could tell me how to find out what is happening with the
incoming ftp "normal" data mode connection.
Thanks in advance.
P.S. Here are the ipchains for ftp that I am using:
#definitions
IPADDR="my.machines.static.ip"
ANYWHERE="any/0"
UNPRIVPORTS="1024:65535"
# FTP (20, 21) - Allowing Outgoing Client Access to Remote FTP Servers
# --------------------------------------------------------------------
# outgoing request
ipchains -A output -i $EXTERNAL_INTERFACE -p tcp \
-s $IPADDR $UNPRIVPORTS \
-d $ANYWHERE 21 -j ACCEPT
ipchains -A input -i $EXTERNAL_INTERFACE -p tcp ! -y \
-s $ANYWHERE 21 \
-d $IPADDR $UNPRIVPORTS -j ACCEPT
# Normal Port Mode FTP Data Channels
ipchains -A input -i $EXTERNAL_INTERFACE -p tcp \
-s $ANYWHERE 20 \
-d $IPADDR $UNPRIVPORTS -j ACCEPT
ipchains -A output -i $EXTERNAL_INTERFACE -p tcp ! -y \
-s $IPADDR $UNPRIVPORTS \
-d $ANYWHERE 20 -j ACCEPT
# Passive Mode FTP Data Channels
ipchains -A output -i $EXTERNAL_INTERFACE -p tcp \
-s $IPADDR $UNPRIVPORTS \
-d $ANYWHERE $UNPRIVPORTS -j ACCEPT
ipchains -A input -i $EXTERNAL_INTERFACE -p tcp ! -y \
-s $ANYWHERE $UNPRIVPORTS \
-d $IPADDR $UNPRIVPORTS -j ACCEPT
--
(o- -o)
//\ pknezevich@home.com /\\
v_/_ (I should add something cool here) _\_v
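The following is an added example, not code from the poster or from the Ziegler book, meant to help with the debugging question above. In active ("normal") mode the client sends a PORT command that embeds the address and port the server should connect back to; a client on the masqueraded LAN embeds its own 192.168.1.x address, so the server either refuses the command (a strict server answers "500 Illegal PORT Command" when the address does not match the control connection's peer) or accepts it and then tries to open a data connection to an address it cannot reach, which looks like a hang. The script decodes a PORT line captured from the control channel, checks it against the address the server actually sees, and shows the rewrite that a masquerading FTP helper on the firewall has to perform. All addresses (192.168.1.2 as the LAN host, 198.51.100.7 as the firewall's external address), the PORT lines and the modelled server replies are constructed sample data; the `mapped_port` value is an assumption standing in for whatever port the firewall would allocate.

```python
"""Decode and sanity-check active-mode FTP PORT commands (added example,
constructed sample data; not part of the original post)."""
import re

PORT_RE = re.compile(r"^PORT\s+(\d{1,3}(?:,\d{1,3}){5})\s*$")


def parse_port_command(line):
    """Decode 'PORT h1,h2,h3,h4,p1,p2' into (dotted_ip, port).

    The client advertises where the server should open the data connection;
    the port is p1*256 + p2.  Raises ValueError on malformed input.
    """
    m = PORT_RE.match(line.strip())
    if not m:
        raise ValueError(f"not a PORT command: {line!r}")
    fields = [int(x) for x in m.group(1).split(",")]
    if any(f > 255 for f in fields):
        raise ValueError(f"field out of range in {line!r}")
    ip = ".".join(str(f) for f in fields[:4])
    port = fields[4] * 256 + fields[5]
    if port == 0:
        raise ValueError("port 0 is not a valid data port")
    return ip, port


def build_port_command(ip, port):
    """Inverse of parse_port_command: encode address and port as a PORT line."""
    if not 0 < port < 65536:
        raise ValueError("port out of range")
    return "PORT " + ",".join(ip.split(".") + [str(port >> 8), str(port & 0xFF)])


def is_rfc1918(ip):
    """True for 10/8, 172.16/12 and 192.168/16, which are not routable on the Internet."""
    o = [int(x) for x in ip.split(".")]
    return o[0] == 10 or (o[0] == 172 and 16 <= o[1] <= 31) or (o[0] == 192 and o[1] == 168)


def check_port_command(line, control_peer):
    """Examine a PORT command the way a remote server (or a troubleshooter) would.

    control_peer is the source address the server sees on the control
    connection, i.e. the firewall's external address for a masqueraded client.
    Returns the decoded target and a list of problems (empty when it is fine).
    """
    ip, port = parse_port_command(line)
    problems = []
    if is_rfc1918(ip):
        problems.append("RFC 1918 address: the server cannot reach it")
    if ip != control_peer:
        problems.append("address differs from control-connection peer")
    if port < 1024:
        problems.append("privileged port")
    return {"ip": ip, "port": port, "ok": not problems, "problems": problems}


def model_server_reply(line, control_peer, strict=True):
    """Constructed model of the two symptoms in the post (not real server code).

    A strict server refuses a PORT whose address is not the control peer
    ('500 Illegal PORT Command').  A lenient one answers '200 PORT command
    successful' and then tries to connect to the advertised address; when that
    is a private LAN address the connect never completes and the listing hangs.
    """
    result = check_port_command(line, control_peer)
    if strict and not result["ok"]:
        return "500 Illegal PORT Command"
    if is_rfc1918(result["ip"]):
        return "200 PORT command successful (data connection will never arrive)"
    return "200 PORT command successful"


def masqueraded_port_command(line, external_ip, mapped_port):
    """Rewrite a LAN client's PORT to the firewall's external address and a port
    the firewall will map back to the client.  This is the rewrite a masquerading
    FTP helper performs; mapped_port is an assumed value chosen by the firewall."""
    parse_port_command(line)  # validate before rewriting
    return build_port_command(external_ip, mapped_port)


if __name__ == "__main__":
    lan_client_port = "PORT 192,168,1,2,4,1"   # constructed: LAN host 192.168.1.2, port 1025
    server_sees = "198.51.100.7"               # constructed: firewall's external address
    print(check_port_command(lan_client_port, server_sees))
    print(model_server_reply(lan_client_port, server_sees, strict=True))
    print(model_server_reply(lan_client_port, server_sees, strict=False))
    fixed = masqueraded_port_command(lan_client_port, server_sees, 61001)
    print(fixed, "->", model_server_reply(fixed, server_sees))
```

To use it on real traffic, capture the control channel on the firewall's external interface (for example with tcpdump on port 21) and feed each PORT line together with the firewall's external address to check_port_command: if the decoded address is the LAN host's private address, the client's PORT commands are leaving the firewall unrewritten, and the returning port-20 connection has no masquerade entry to map it back to the LAN host, regardless of what the input rules accept.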
--
This message came to you via the Vancouver Linux Users Group mailing list.
For unsubscription instructions do not email the list, but rather send mail
to <vanlug-request@gweep.bc.ca>.
This archive was generated by hypermail 2.0b3 on Tue 22 Feb 2000 - 18:21:48