Hey Joel-

On a 2.4 kernelled firewall, you will want to do the following:

* insmod ip_nat_ftp  (this will load a couple others like ip_conntrack_ftp)
* iptables -I FORWARD 1 -m state --state ESTABLISHED,RELATED -j ACCEPT


The first one loads a special module designed to handle the intricacies of
FTP.  The second line allows established and related traffic.  While this is a
big design step, it uses connection-tracking instead of blunt "reply" rules to
create a tighter and cleaner ruleset.

Active FTP doesn't just use port 20 and port 21.  It uses 21 as the
destination port on the FTP server, then the server originates the data
connection back to the client using the SOURCE port of 20 and an undefined
destination port on the client (which is agreed upon by the client and server
using the control channel on port 21).

I believe the RELATED state also catches the "TCP High Port" connection used
in Passive mode, so long as you have loaded the ip_nat_ftp module.

Matt


On Wed, 9 Jul 2003 19:40:37 -0400
Joel Hammer <[EMAIL PROTECTED]> wrote:

> I want to be able to ftp to a linux box behind a firewall linux box from
> the outside. I need to configure the ftp server and the firewall.
> 
> I assume, since the "outside" client is also behind a firewall, I may be
> using passive mode for the transfer. I am using ipchains and ipmasqadm. I
> am running an ftp server on the firewall linux box, too. This ftp server
> on the firewall box is using ports 20 and 21.
> 
> In the active transfer mode, it seems straightforward to have the
> outside client ftp to a special command port, say port 27 instead of
> 21. I can set up the firewall linux box to send all requests on port 27
> to my ftp server behind the firewall to the usual command port.  But,
> here is where I need help. How do I tell the client what the data
> port is on the server? Does the ftp server send the data port back as a
> data packet, or does the ftp client assume the data port number is the
> port on the server making the connection to the client's data port? Could
> ipmasqadm simply switch outgoing port numbers?
> 
> 
> The second question is for passive mode. Here, the ftp server sends back the
> temporary port to use for data transfers. There is supposed to be a way to
> restrict which ports are sent back by the server. However, the method
> suggested is changing an include file and, I suppose, recompiling the ftp
> daemon. Is there a configuration file which would do this?
> Could I just edit the binary file, assuming I could find the current port
> ranges in the binary file? Sounds hard, since it will be numbers, not
> strings. 
> 
> Any insights appreciated,
> 
> Joel
> 
> 
> _______________________________________________
> Linux-users mailing list
> [EMAIL PROTECTED]
> Unsubscribe/Suspend/Etc ->
> http://www.linux-sxs.org/mailman/listinfo/linux-users


-- 
Matthew Carpenter 
[EMAIL PROTECTED]                          http://www.eisgr.com/

Enterprise Information Systems
*Network Service Appliances
*Network Consulting, Integration & Support
*Web Development and E-Business
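The ruleset Matt sketches above, worked out as an added example (not code from either mail): an iptables firewall that forwards FTP to a server on the inside, using connection tracking so that the active-mode data connection (server-originated, source port 20) and the passive-mode high-port connection (client-originated) are both let through as RELATED instead of by hand-written "reply" rules. It follows Joel's idea of a non-standard outside control port (27 here); the interface name, addresses and ports are assumptions for the demo, and the script prints the commands rather than running them unless invoked with `apply`. Two caveats for the port-27 plan: the FTP helper only watches control ports it has been told about, so 27 has to be passed via `ports=`, and the helper works by reading PORT/PASV/227 lines off the cleartext control channel, so it cannot follow an FTP session protected with TLS.

```shell
#!/bin/sh
# Added example, not from the original mail. Forwards FTP from the outside to
# a server behind a 2.4-era iptables firewall using connection tracking.
# Every name, address and port below is an assumption for the demo.
WAN_IF=eth0                # interface facing the Internet
FTP_SERVER=192.168.1.10    # FTP server on the inside
CTRL_PORT=27               # port outside clients connect to (Joel's idea)
IPT=iptables

# Emit the commands instead of running them, so the ruleset can be reviewed
# (and checked) before it touches a live firewall.
ftp_rules() {
    cat <<EOF
# The helper must be told every control port it should watch. The DNAT below
# keeps the original destination (${CTRL_PORT}) in the conntrack tuple, so a
# helper that only knows 21 would never see this session. Load the tracker
# first so the ports= list can be given; on 2.4 ip_nat_ftp takes the same
# list (later nf_nat_ftp does not).
insmod ip_conntrack_ftp ports=21,${CTRL_PORT}
insmod ip_nat_ftp ports=21,${CTRL_PORT}
# Rewrite outside connections to ${CTRL_PORT} into the inside server's port 21.
${IPT} -t nat -A PREROUTING -i ${WAN_IF} -p tcp --dport ${CTRL_PORT} -j DNAT --to-destination ${FTP_SERVER}:21
# Default deny for forwarded traffic...
${IPT} -P FORWARD DROP
# ...then, first in the chain, accept replies and helper-expected
# connections. This one rule covers the active-mode data connection the
# server opens from source port 20 and the passive-mode high-port connection
# from the client, because the helper marks both as RELATED.
${IPT} -I FORWARD 1 -m state --state ESTABLISHED,RELATED -j ACCEPT
# Only the control channel needs an explicit NEW rule.
${IPT} -A FORWARD -i ${WAN_IF} -p tcp -d ${FTP_SERVER} --dport 21 -m state --state NEW -j ACCEPT
EOF
}

# Show the rules by default; pass "apply" to execute them (requires root).
if [ "${1:-}" = "apply" ]; then
    ftp_rules | sh
else
    ftp_rules
fi
```

Run it with no arguments first and read the output; the ordering matters, since the `-I FORWARD 1` line must sit ahead of any rule that could drop the helper-expected data connection. On a 2.6 or later kernel the module names become nf_conntrack_ftp and nf_nat_ftp and are loaded with modprobe, but the `ports=` parameter on the conntrack helper and the ESTABLISHED,RELATED rule stay the same.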