FTP (21) data through Firewall (ipchains)

Neil Pickford neilp at goldweb.com.au
Sun Aug 12 11:33:04 EST 2001


No, no-one mentioned this; however, I just had a look and I do have 
the ip_masq_ftp module enabled in the rc.firewall startup script.

After further reading the HOWTO it seems that this facility 
allows forwarding of external FTP requests to an internal server 
not on the masq machine.  This is not really what I'm trying to do. 

Then again I may be wrong as to the intention of IP_MASQ_FTP.

I am trying to give internal machines access to FTP (off the web)
via the masquerade.  At the moment I am blocking incoming internet 
ftp requests.

Any further advice is appreciated.
Neil Pickford

James Ring wrote:
> 
> Has anybody mentioned the kernel module ip_masq_ftp?
> 
> If you are masquerading your traffic out an interface, then insmod'ing
> the ip_masq_ftp module will mean that FTP to remote hosts just works.
> It's what I use at home.
> 
> Cheers,
> James
> 
> Neil Pickford wrote:
> 
> >Thanks
> >Unfortunately I'm not ready to move to 2.4.x yet.
> >I have decided to create a script to enable and disable
> >the ftp-data ports from 1024:65535 when I need them.
> >
> >Just a bit more hassle.
> >
> >Neil Pickford
> >
> >Martijn van Oosterhout wrote:
> >
> >>On Sat, Aug 11, 2001 at 07:06:58PM +1000, Neil Pickford wrote:
> >>
> >>>Hello
> >>>
> >>>I have been securing up my server and have established an input
> >>>chain where the default is to deny traffic over the dialup connection
> >>>to my ISP.  Previously the default was allow. (ipchains)
> >>>
> >>>I have now punched holes in the input chain for just the services
> >>>(ports) that I am using, however how do I handle allowing FTP data
> >>>connections where I have initiated the FTP connection, but FTP
> >>>chooses a random port number for the data link.
> >>>
> >>Well, one solution is to only allow passive FTP, that's easier to firewall.
> >>The ideal solution is to use iptables, where you can match RELATED
> >>connections, thus solving the problem entirely.
> >>
> >>>I could open up all TCP ports from 4096 to 65535 but I think
> >>>that defeats the purpose of the firewall.
> >>>
> >>You could argue that since no programs listen on those ports normally, they
> >>don't need to be firewalled because any connection to those ports is likely
> >>to be legit (if it succeeds).
> >>
> >>>Can anyone point me in the right direction here?
> >>>
> >>iptables is the real solution, anything else will be a compromise.
> >>
> >>>Slackware 2.2.13 using ipchains and masquerade to a private class C
> >>>Only 1 static IP address in use for the server that is running WWW,
> >>>Caching DNS, XNTPD, SMTP & POP3 (all these are working fine)
> >>>
> >>but iptables is not available on 2.2 (unless someone backported it). You could
> >>go for 2.4.
> >>
> >>HTH,
> >>--
> >>Martijn van Oosterhout <kleptog at svana.org>
> >>http://svana.org/kleptog/
> >>
> >>>It would be nice if someone came up with a certification system that
> >>>actually separated those who can barely regurgitate what they crammed over
> >>>the last few weeks from those who command secret ninja networking powers.
> >>>
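As an added example, not from anyone in this thread, here is a small ipchains script for a 2.2 box like the one described, contrasting the two approaches discussed above: a passive-only rule that accepts nothing but non-SYN replies to connections the inside opened, versus the toggled active-mode rule for ports 1024:65535 that has to accept a SYN from the remote server. The interface name and address are constructed placeholders, and the enable/disable wrapper only executes the rules when ipchains is actually installed.

```shell
#!/bin/sh
# Added example for the ipchains/masquerade question in this thread.
# Interface and address are constructed placeholders, not from the thread.
EXT_IF="ppp0"          # dialup interface to the ISP
EXT_IP="203.0.113.5"   # the single static address on that interface

# Passive FTP: the internal client opens the data connection outbound, so
# only the non-SYN replies (! -y) need to come back in. No new connection
# can be initiated from outside through this rule, which is why passive
# mode is the easier one to firewall without connection tracking.
passive_rules() {
    printf 'ipchains -%s input -i %s -p tcp ! -y -s 0.0.0.0/0 -d %s 1024:65535 -j ACCEPT\n' \
        "$1" "$EXT_IF" "$EXT_IP"
}

# Active FTP: the remote server initiates the data connection from port 20
# to an unprivileged port here, so a SYN must be accepted. Pinning the
# source port to 20 and the interface narrows the hole, but the source port
# is chosen by the peer, so keep this rule loaded only while it is needed.
active_rules() {
    printf 'ipchains -%s input -i %s -p tcp -s 0.0.0.0/0 20 -d %s 1024:65535 -j ACCEPT\n' \
        "$1" "$EXT_IF" "$EXT_IP"
}

# Usage: ftpdata enable|disable active|passive
# "enable" appends (-A) and "disable" deletes (-D) the very same rule, so the
# two calls are exact mirrors and nothing is left behind after disabling.
ftpdata() {
    case "$1" in
        enable)  op=A ;;
        disable) op=D ;;
        *) echo "usage: ftpdata enable|disable active|passive" >&2; return 2 ;;
    esac
    case "$2" in
        active)  rules=$(active_rules "$op") ;;
        passive) rules=$(passive_rules "$op") ;;
        *) echo "usage: ftpdata enable|disable active|passive" >&2; return 2 ;;
    esac
    # Run the rules only where ipchains exists; elsewhere just show them so
    # the script can be reviewed on any machine before it touches a firewall.
    if command -v ipchains >/dev/null 2>&1; then
        echo "$rules" | sh
    else
        echo "$rules"
    fi
}
```

After enabling, `ipchains -L input -n` shows the rule in place; `ftpdata disable active` removes exactly that rule again.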
