[CLUE-Tech] FTP & IPCHAINS
Dan Harris
coronadh at coronasolutions.com
Mon Apr 2 14:23:28 MDT 2001
Marc,
I've had similar problems when trying to enable FTP services through other port
forwarding methods. I think that ip_masq and the like aren't happy using PASV
mode. I wish that I had a good answer for you; what I ended up doing was
enabling FTP on the gateway box and using a protected NFS share as a "back
door". But I know this may not be an option for you.
Just wanted to let you know that I don't think it's anything you are doing
wrong. I think FTP just doesn't like port forwarding.
Dan Harris
Corona Solutions
Marc Brashear wrote:
>
> Hello all,
>
> This is my first post as I am a Linux newbie and I'm getting a little
> frustrated and I was hoping some kind soul out there could help me. I have
> set up a Red Hat 7.0 server that serves an FTP server and NAT for my LAN. So
> far I have been able to set up a set of rules that masques my web traffic
> but when I try and connect my FTP client from my windows machine I receive
> this error:
> COMMAND -> SYST
> REMOTE -> UNIX Type: L8
> COMMAND -> REST 100
> REMOTE -> Restarting at 100. Send STORE or RETRIEVE to initiate transfer.
> COMMAND -> REST 0
> REMOTE -> Restarting at 0. Send STORE or RETRIEVE to initiate transfer.
> COMMAND -> PWD
> REMOTE -> "/pub" is current directory.
> COMMAND -> TYPE A
> REMOTE -> Type set to A.
> COMMAND -> PASV
> REMOTE -> Entering Passive Mode (216,148,218,202,194,49)
> LOCAL -> Opening data connection IP: 216.148.218.202 PORT: 49713.
> COMMAND -> LIST
> ERROR -> Can't open data connection.
> REMOTE -> Transfer complete.
>
> These are my ipchains rules (eth1 is my DSL connection):
> # ftp server #
>
> ipchains -A input -i eth1 -p tcp --source-port 1024:65535 -d 216.229.36.27 21 -j ACCEPT
> ipchains -A output -i eth1 -p tcp ! -y -s 216.229.36.27 21 --destination-port 1024:65535 -j ACCEPT
> ipchains -A output -i eth1 -p tcp -s 216.229.36.27 20 --destination-port 1024:65535 -j ACCEPT
> ipchains -A input -i eth1 -p tcp ! -y --source-port 1024:65535 -d 216.229.36.27 20 -j ACCEPT
>
> # ftp client #
>
> /sbin/ipchains -A output -i eth1 -p tcp -s 216.229.36.27 1024: -d 0/0 ftp -j ACCEPT
> /sbin/ipchains -A output -i eth1 -p tcp -s 216.229.36.27 1024: -d 0/0 ftp-data -j ACCEPT
> /sbin/ipchains -A output -i eth1 -p tcp ! -y -s 216.229.36.27 1024: -d 0/0 ftp-data -j ACCEPT
> /sbin/ipchains -A input -i eth1 -p tcp ! -y -s 0/0 ftp -d 216.229.36.27 1024: -j ACCEPT
> /sbin/ipchains -A input -i eth1 -p tcp -s 0/0 ftp-data -d 216.229.36.27 1024:5999 -j ACCEPT
>
> Then I receive these errors for a reject policy I have further down in the
> rule set:
>
> Apr 2 12:32:19 cartman kernel: Packet log: output REJECT eth1 PROTO=6 216.229.36.27:62376 216.148.218.202:34298 L=48 S=0x00 I=2433 F=0x4000 T=127 SYN (#49)
> Apr 2 12:32:22 cartman kernel: Packet log: output REJECT eth1 PROTO=6 216.229.36.27:62376 216.148.218.202:34298 L=48 S=0x00 I=2442 F=0x4000 T=127 SYN (#49)
>
> I also have the same problem when I try and connect to my ftp server from
> the outside world. (I do have the ip_masq_ftp mod loaded)
>
> Hope that is not too much info!
>
> Any help is much appreciated,
>
> Marc
>
--
--------------------
"37% of all your base are belong to IRS"
http://drivefaster.net/dan
93 GSX
96 GST
00 GT
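To make the failure in Marc's trace concrete, here is an added Python example (not code from the thread or either poster): it decodes the port named in the PASV reply, parses the quoted ipchains kernel log line, and checks the logged packet against the three "ftp client" output rules from the post, reduced to their source-port, destination-port and "! -y" conditions. The rule table, the sample strings and all function names are constructed for this illustration.

```python
import re

# Constructed inputs, copied from the trace and kernel log quoted in the thread.
PASV_REPLY = "Entering Passive Mode (216,148,218,202,194,49)"
LOG_LINE = ("Apr 2 12:32:19 cartman kernel: Packet log: output REJECT eth1 PROTO=6 "
            "216.229.36.27:62376 216.148.218.202:34298 L=48 S=0x00 I=2433 "
            "F=0x4000 T=127 SYN (#49)")

# The three "ftp client" output-chain rules from the post, reduced to what matters
# for a TCP packet leaving eth1: source-port range, destination-port range, and
# whether "! -y" (match non-SYN packets only) was given. ftp = 21, ftp-data = 20.
CLIENT_OUTPUT_RULES = [
    {"sport": (1024, 65535), "dport": (21, 21), "non_syn_only": False},
    {"sport": (1024, 65535), "dport": (20, 20), "non_syn_only": False},
    {"sport": (1024, 65535), "dport": (20, 20), "non_syn_only": True},
]

def parse_pasv(reply):
    """Decode an RFC 959 227 reply (h1,h2,h3,h4,p1,p2): data port = p1*256 + p2."""
    m = re.search(r"\((\d+),(\d+),(\d+),(\d+),(\d+),(\d+)\)", reply)
    if not m:
        raise ValueError("no PASV address tuple in reply")
    h1, h2, h3, h4, p1, p2 = (int(x) for x in m.groups())
    return f"{h1}.{h2}.{h3}.{h4}", p1 * 256 + p2

def parse_packet_log(line):
    """Pull chain, verdict, endpoints and the SYN flag out of an ipchains packet log line."""
    m = re.search(r"Packet log: (\w+) (\w+) (\S+) PROTO=(\d+) "
                  r"([\d.]+):(\d+) ([\d.]+):(\d+)(.*)\(#(\d+)\)", line)
    if not m:
        raise ValueError("not an ipchains packet log line")
    chain, verdict, iface, proto, src, sport, dst, dport, tail, rule = m.groups()
    return {"chain": chain, "verdict": verdict, "iface": iface, "proto": int(proto),
            "src": src, "sport": int(sport), "dst": dst, "dport": int(dport),
            "syn": " SYN" in tail, "rule": int(rule)}

def first_matching_rule(rules, sport, dport, syn):
    """Index of the first rule that would ACCEPT the packet, or None if it falls through."""
    for i, r in enumerate(rules):
        if r["non_syn_only"] and syn:
            continue  # "! -y" rules never match the initial SYN
        if r["sport"][0] <= sport <= r["sport"][1] and r["dport"][0] <= dport <= r["dport"][1]:
            return i
    return None

def diagnose(log_line, rules=CLIENT_OUTPUT_RULES):
    """Return (parsed packet, matching rule index); None means it reached the reject policy."""
    pkt = parse_packet_log(log_line)
    return pkt, first_matching_rule(rules, pkt["sport"], pkt["dport"], pkt["syn"])
```

The PASV reply points the client at an ephemeral server port (49713 in the trace), while every client rule only accepts destination port 20 or 21, so the data-connection SYN to port 34298 matches nothing and is logged by the reject policy.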