[CLUE-Tech] FTP & IPCHAINS

Marc Brashear mbrashear at pcisys.net
Mon Apr 2 13:46:19 MDT 2001


Hello all,

This is my first post, as I am a Linux newbie, and I'm getting a little
frustrated, so I was hoping some kind soul out there could help me.  I have
set up a Red Hat 7.0 server that serves as an FTP server and NAT for my LAN.  So
far I have been able to set up a set of rules that masquerades my web traffic,
but when I try to connect my FTP client from my Windows machine I receive
this error:
COMMAND ->  SYST
REMOTE  ->  UNIX Type: L8
COMMAND ->  REST 100
REMOTE  ->  Restarting at 100. Send STORE or RETRIEVE to initiate transfer.
COMMAND ->  REST 0
REMOTE  ->  Restarting at 0. Send STORE or RETRIEVE to initiate transfer.
COMMAND ->  PWD
REMOTE  ->  "/pub" is current directory.
COMMAND ->  TYPE A
REMOTE  ->  Type set to A.
COMMAND ->  PASV
REMOTE  ->  Entering Passive Mode (216,148,218,202,194,49)
LOCAL   ->  Opening data connection IP: 216.148.218.202 PORT: 49713.
COMMAND ->  LIST
ERROR   ->  Can't open data connection.
REMOTE  ->  Transfer complete.

These are my ipchains rules (eth1 is my DSL connection):
# ftp server #

ipchains -A input  -i eth1 -p tcp  --source-port 1024:65535 -d 216.229.36.27 21 -j ACCEPT
ipchains -A output -i eth1 -p tcp ! -y -s 216.229.36.27 21 --destination-port 1024:65535 -j ACCEPT
ipchains -A output -i eth1 -p tcp  -s 216.229.36.27 20 --destination-port 1024:65535 -j ACCEPT
ipchains -A input  -i eth1 -p tcp ! -y --source-port 1024:65535 -d 216.229.36.27 20 -j ACCEPT

# ftp client #

/sbin/ipchains -A output -i eth1 -p tcp -s 216.229.36.27 1024: -d 0/0 ftp -j ACCEPT
/sbin/ipchains -A output -i eth1 -p tcp -s 216.229.36.27 1024: -d 0/0 ftp-data -j ACCEPT
/sbin/ipchains -A output -i eth1 -p tcp ! -y -s 216.229.36.27 1024: -d 0/0 ftp-data -j ACCEPT
/sbin/ipchains -A input -i eth1 -p tcp ! -y -s 0/0 ftp -d 216.229.36.27 1024: -j ACCEPT
/sbin/ipchains -A input -i eth1 -p tcp -s 0/0 ftp-data -d 216.229.36.27 1024:5999 -j ACCEPT

Then I receive these errors for a reject policy I have further down in the
rule set:

Apr  2 12:32:19 cartman kernel: Packet log: output REJECT eth1 PROTO=6 216.229.36.27:62376 216.148.218.202:34298 L=48 S=0x00 I=2433 F=0x4000 T=127 SYN (#49)
Apr  2 12:32:22 cartman kernel: Packet log: output REJECT eth1 PROTO=6 216.229.36.27:62376 216.148.218.202:34298 L=48 S=0x00 I=2442 F=0x4000 T=127 SYN (#49)

I also have the same problem when I try to connect to my FTP server from
the outside world. (I do have the ip_masq_ftp module loaded.)

Hope that is not too much info!

Any help is much appreciated,

Marc
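Added example (editor's note, not part of Marc's post): a small Python model of how ipchains walks the rules above, used to check the logged packet against them offline. It decodes the PASV reply into an address and port (p1*256 + p2, which is where the client's 49713 comes from), re-joins the posted rules and the rejected log line onto single lines, and returns the first rule that matches a packet, mirroring ipchains' first-match semantics and its -y / ! -y SYN test. The rejected SYN goes to port 34298 on the remote server, and none of the posted output rules accepts an outbound SYN to any destination port other than 21 or 20, so it falls through to the REJECT rule further down; an active-mode data connection arriving from port 20 would match the last client rule instead. The CANDIDATE_PASV_RULE, the active_data_syn packet and the client port numbers used there are assumptions for illustration, not from the post.

```python
# Added example: offline model of the ipchains matching used in the posted rules,
# to see which rule, if any, accepts a passive-mode FTP data connection.
import re
from ipaddress import ip_address, ip_network

SERVICES = {"ftp": 21, "ftp-data": 20}      # names used in the rules, per /etc/services
PROTO_NUM = {"tcp": 6, "udp": 17, "icmp": 1}
ANY = ip_network("0.0.0.0/0")


def parse_pasv(reply):
    """'227 Entering Passive Mode (h1,h2,h3,h4,p1,p2)' -> (ip, p1*256 + p2)."""
    h1, h2, h3, h4, p1, p2 = map(int, re.search(r"\((\d+),(\d+),(\d+),(\d+),(\d+),(\d+)\)", reply).groups())
    return "%d.%d.%d.%d" % (h1, h2, h3, h4), p1 * 256 + p2


def parse_ports(spec):
    """'21', 'ftp', '1024:', '1024:5999' -> inclusive (low, high)."""
    if spec in SERVICES:
        return SERVICES[spec], SERVICES[spec]
    lo, sep, hi = spec.partition(":")
    lo = int(lo or 0)
    return lo, (int(hi or 65535) if sep else lo)


def parse_rule(cmd):
    """Parse the subset of ipchains syntax that appears in the posted rules."""
    toks = cmd.split()[1:]                  # drop the ipchains / /sbin/ipchains word
    r = {"chain": None, "iface": None, "proto": None, "target": None, "syn": None,
         "src": ANY, "sport": (0, 65535), "dst": ANY, "dport": (0, 65535)}
    i, negate = 0, False
    while i < len(toks):
        t = toks[i]
        if t == "!":
            negate, i = True, i + 1
            continue
        if t in ("-A", "-i", "-p", "-j"):
            r[{"-A": "chain", "-i": "iface", "-p": "proto", "-j": "target"}[t]] = toks[i + 1]
            i += 2
        elif t == "-y":                     # -y: bare SYN only; ! -y: everything but a bare SYN
            r["syn"], i = (not negate), i + 1
        elif t in ("-s", "-d", "--source-port", "--destination-port"):
            side = "s" if t in ("-s", "--source-port") else "d"
            if t.startswith("--"):
                r[side + "port"] = parse_ports(toks[i + 1])
            else:
                r["src" if side == "s" else "dst"] = ANY if toks[i + 1] == "0/0" else ip_network(toks[i + 1])
            i += 2
            # ipchains lets a port spec follow the address: "-d 216.229.36.27 21", "-d 0/0 ftp"
            if t in ("-s", "-d") and i < len(toks) and not toks[i].startswith("-") and toks[i] != "!":
                r[side + "port"], i = parse_ports(toks[i]), i + 1
        else:
            raise ValueError("unsupported token %r" % t)
        negate = False
    return r


def parse_packet_log(line):
    """Pull the fields the rules look at out of an ipchains kernel 'Packet log:' line."""
    m = re.search(r"Packet log: (\w+) \w+ (\S+) PROTO=(\d+) ([\d.]+):(\d+) ([\d.]+):(\d+)(.*)", line)
    chain, iface, proto, src, sport, dst, dport, rest = m.groups()
    return {"chain": chain, "iface": iface, "proto": int(proto), "src": src, "sport": int(sport),
            "dst": dst, "dport": int(dport), "syn": re.search(r"\bSYN\b", rest) is not None}


def matches(rule, pkt):
    """Every field given in the rule must match, as in ipchains."""
    return (rule["chain"] == pkt["chain"]
            and rule["iface"] in (None, pkt["iface"])
            and (rule["proto"] is None or PROTO_NUM[rule["proto"]] == pkt["proto"])
            and ip_address(pkt["src"]) in rule["src"] and ip_address(pkt["dst"]) in rule["dst"]
            and rule["sport"][0] <= pkt["sport"] <= rule["sport"][1]
            and rule["dport"][0] <= pkt["dport"] <= rule["dport"][1]
            and rule["syn"] in (None, pkt["syn"]))


def first_match(rules, pkt):
    """(index, target) of the first rule that matches, or None if the packet falls through."""
    for n, rule in enumerate(rules):
        if matches(rule, pkt):
            return n, rule["target"]
    return None


# The post's rules, each re-joined onto one line (the mailer had wrapped them).
POSTED_RULES = [parse_rule(cmd) for cmd in [
    "ipchains -A input  -i eth1 -p tcp  --source-port 1024:65535 -d 216.229.36.27 21 -j ACCEPT",
    "ipchains -A output -i eth1 -p tcp ! -y -s 216.229.36.27 21 --destination-port 1024:65535 -j ACCEPT",
    "ipchains -A output -i eth1 -p tcp  -s 216.229.36.27 20 --destination-port 1024:65535 -j ACCEPT",
    "ipchains -A input  -i eth1 -p tcp ! -y --source-port 1024:65535 -d 216.229.36.27 20 -j ACCEPT",
    "/sbin/ipchains -A output -i eth1 -p tcp -s 216.229.36.27 1024: -d 0/0 ftp -j ACCEPT",
    "/sbin/ipchains -A output -i eth1 -p tcp -s 216.229.36.27 1024: -d 0/0 ftp-data -j ACCEPT",
    "/sbin/ipchains -A output -i eth1 -p tcp ! -y -s 216.229.36.27 1024: -d 0/0 ftp-data -j ACCEPT",
    "/sbin/ipchains -A input -i eth1 -p tcp ! -y -s 0/0 ftp -d 216.229.36.27 1024: -j ACCEPT",
    "/sbin/ipchains -A input -i eth1 -p tcp -s 0/0 ftp-data -d 216.229.36.27 1024:5999 -j ACCEPT",
]]

# The rejected SYN from the post's kernel log, re-joined onto one line.
REJECT_LINE = ("Apr  2 12:32:19 cartman kernel: Packet log: output REJECT eth1 PROTO=6 "
               "216.229.36.27:62376 216.148.218.202:34298 L=48 S=0x00 I=2433 F=0x4000 T=127 SYN (#49)")


def pasv_data_syn(pasv_reply, client="216.229.36.27", sport=62376):
    """The outbound SYN the masqueraded client sends after a PASV reply (sport assumed)."""
    ip, port = parse_pasv(pasv_reply)
    return {"chain": "output", "iface": "eth1", "proto": 6, "src": client, "sport": sport,
            "dst": ip, "dport": port, "syn": True}


def active_data_syn(server="216.148.218.202", client="216.229.36.27", dport=1030):
    """Constructed for contrast: the inbound SYN an active-mode server sends from port 20."""
    return {"chain": "input", "iface": "eth1", "proto": 6, "src": server, "sport": 20,
            "dst": client, "dport": dport, "syn": True}


# Hypothetical candidate rule (not from the post): accept outbound SYNs from the firewall's
# unprivileged ports to any unprivileged port, which is what a passive data connection needs.
# A stateless filter cannot tie this to an FTP session, so it also admits other high-port TCP.
CANDIDATE_PASV_RULE = parse_rule(
    "ipchains -A output -i eth1 -p tcp -s 216.229.36.27 1024: -d 0/0 1024: -j ACCEPT")

if __name__ == "__main__":
    print("logged SYN:", first_match(POSTED_RULES, parse_packet_log(REJECT_LINE)))      # None
    syn = pasv_data_syn("227 Entering Passive Mode (216,148,218,202,194,49)")
    print("PASV port:", syn["dport"], "->", first_match(POSTED_RULES, syn))             # 49713 -> None
    print("active data:", first_match(POSTED_RULES, active_data_syn()))                 # (8, 'ACCEPT')
    print("with candidate:", first_match(POSTED_RULES + [CANDIDATE_PASV_RULE], syn))    # (9, 'ACCEPT')
```

The candidate rule is only there to show the matcher accepting the passive SYN once a high-to-high rule exists; whether that is an acceptable trade-off on a DSL gateway is a separate decision, since ipchains cannot restrict it to data connections belonging to an FTP control session.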