Phil Newlon wrote:
> I can't seem to quite get this right, would appreciate input. :-)
>
> I am running an ftp server on a box behind my firewall. I have installed
> ipmasqadm and am loading the ip_masq_ftp module. I cannot get the connection to
> work properly. Here are my rules and the log file with the failure. I feel as
> if there is some reason that the ip_masq_ftp module isn't working, but I really
> don't know......
>
> Thanks! Phil
>
> /sbin/modprobe ip_masq_ftp
>
> # set the policies
> # /sbin/ipchains -P input ACCEPT
> /sbin/ipchains -P input DENY
> /sbin/ipchains -P forward ACCEPT
> /sbin/ipchains -P output ACCEPT
>
> # flush the chains
> /sbin/ipchains -F
>
> # set MASQ timeouts
> /sbin/ipchains -M -S 300 10 60
>
> # find out what the ip address of the interfaces are
> extip="`/sbin/ifconfig eth0 | grep 'inet addr' | awk '{print $2}' | sed -e 's/.*://'`"
> intip="`/sbin/ifconfig eth1 | grep 'inet addr' | awk '{print $2}' | sed -e 's/.*://'`"
> # NOTE!!! 10.0.0.1 = intip, 4.93.120.13 = extip
>
> echo 1 > /proc/sys/net/ipv4/ip_forward
>
> # if it's coming from the inside network and is tcp, accept the packet
> /sbin/ipchains -A input -d 0/0 -i eth1 -p 6 -j ACCEPT
>
> # use ipmasqadm to forward any tcp packet received on the external interface
> /sbin/ipchains -A input -s 0/0 -d $extip ftp -p 6 -y -j ACCEPT -l
> /sbin/ipchains -A input -s 0/0 -d $extip ftp -p 6 -j ACCEPT -l
note: the 2nd rule (above) subsumes the 1st.
>
> /usr/sbin/ipmasqadm portfw -f
> /usr/sbin/ipmasqadm portfw -a -P tcp -L $extip ftp -R 10.0.0.25 ftp
>
> # masquerade packets coming in and going out the firewall as the address
> # of the roadrunner interface
> /sbin/ipchains -A forward -i eth0 -j MASQ
note: many people specify the internal network mask with "-s"
rather than the internal interface with "-i". but no matter.
> Jul 19 14:22:53 fwall kernel: Packet log: input DENY eth0 PROTO=6 16.7.40.5:1945 4.93.120.13:2955 L=48 S=0x00 I=12725 F=0x4000 T=111 SYN (#39)
the ftp client here is using passive ftp (i.e. client initiates
both the command channel and the data channel) but the script
does not accept the first incoming data channel packet.
there are two choices: normal ftp or passive ftp.
with normal ftp, the client host is at great risk
because it needs to allow incoming tcp connections
to most ports from all hosts (some of which may be
ftp data channels). this is clearly unacceptable.
with active ftp, the server host is at great risk
because it needs to allow incoming tcp connections
to most ports from all hosts. this is clearly unacceptable :)
however, there are many more ftp clients than there are
servers so it's the servers that have to accept the risk.
run your ftp server on a victim host if you must run it.
an alternative to a non-public ftp server is rsync[+ssh].
public ftp server hosts must remain vulnerable.
raf
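An added example, not from the thread, that parses syslog lines in the ipchains "Packet log:" format quoted above and correlates a denied high-port SYN with an earlier accepted control-channel SYN from the same client, which is how the passive-FTP data-channel drop in Phil's log shows up. The sample lines are constructed (only the DENY entry is from the post), and 4.93.120.13 is assumed to be the poster's $extip.

```python
import re
from typing import Iterable, Optional

# Constructed syslog sample in the ipchains "Packet log:" format quoted above.
# The second line is the DENY entry from the post; the other two are made up.
SAMPLE_LOG = [
    "Jul 19 14:22:40 fwall kernel: Packet log: input ACCEPT eth0 PROTO=6 16.7.40.5:1944 4.93.120.13:21 L=48 S=0x00 I=12700 F=0x4000 T=111 SYN (#3)",
    "Jul 19 14:22:53 fwall kernel: Packet log: input DENY eth0 PROTO=6 16.7.40.5:1945 4.93.120.13:2955 L=48 S=0x00 I=12725 F=0x4000 T=111 SYN (#39)",
    "Jul 19 14:23:10 fwall kernel: Packet log: input DENY eth0 PROTO=6 198.51.100.7:40000 4.93.120.13:3389 L=48 S=0x00 I=12800 F=0x4000 T=111 SYN (#39)",
]

# <chain> <target> <iface> PROTO=n src:sport dst:dport L= S= I= F= T= [SYN] (#rule)
LOG_RE = re.compile(
    r"Packet log: (?P<chain>\w+) (?P<target>\w+) (?P<iface>\w+) PROTO=(?P<proto>\d+) "
    r"(?P<src>[\d.]+):(?P<sport>\d+) (?P<dst>[\d.]+):(?P<dport>\d+) "
    r"L=\d+ S=0x[0-9a-fA-F]+ I=\d+ F=0x[0-9a-fA-F]+ T=\d+(?P<syn> SYN)? \(#(?P<rule>\d+)\)"
)
INT_FIELDS = ("proto", "sport", "dport", "rule")

def parse_line(line: str) -> Optional[dict]:
    """Parse one syslog line into a dict; None if it is not an ipchains packet log."""
    m = LOG_RE.search(line)
    if not m:
        return None
    rec = m.groupdict()
    for k in INT_FIELDS:
        rec[k] = int(rec[k])
    rec["syn"] = rec["syn"] is not None
    return rec

def passive_ftp_drops(lines: Iterable[str], ext_ip: str, ftp_port: int = 21) -> list[str]:
    """Flag denied inbound SYNs to a high port on ext_ip from a client whose
    control-channel SYN to ext_ip:ftp_port was accepted earlier in the log:
    the signature of a passive-mode data connection blocked by the input chain."""
    ftp_clients: set[str] = set()   # clients with an accepted control channel
    findings: list[str] = []
    for line in lines:
        p = parse_line(line)
        if p is None or p["proto"] != 6 or not p["syn"] or p["dst"] != ext_ip:
            continue
        if p["dport"] == ftp_port and p["target"] == "ACCEPT":
            ftp_clients.add(p["src"])
        elif p["target"] == "DENY" and p["dport"] > 1023 and p["src"] in ftp_clients:
            findings.append(f'{p["src"]} -> {ext_ip}:{p["dport"]} denied by '
                            f'{p["chain"]} rule #{p["rule"]} (likely passive FTP data channel)')
    return findings
```

Run it over the real log with `passive_ftp_drops(open("/var/log/messages"), extip)`; the unrelated DENY from 198.51.100.7 is deliberately not reported because that host never opened a control channel.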
_______________________________________________
Masq maillist - [EMAIL PROTECTED]
Admin requests can be handled at http://www.indyramp.com/masq-list/ --
THIS INCLUDES UNSUBSCRIBING!
or email to [EMAIL PROTECTED]
PLEASE read the HOWTO and search the archives before posting.
You can start your search at http://www.indyramp.com/masq/
Please keep general linux/unix/pc/internet questions off the list.