Hi
I am using Redhat 6.1, kernel 2.2.12-20, ipchains 1.3.9-3 and ipmasqadm
0.4.2-3
I have set up masquerading for our internal network and port forwarding for
internal mail and ftp services. I have no problem with mail, but I have an
intermittent ftp problem:
When I ftp from outside normally, the firewall forwards the ftp packets to
the internal ftp server and everything works fine. Also, I can use ftp
internally using the internal address.
We use ftp for replicating databases to our main DB server (Sybase SQL
Anywhere).
The problem is that intermittently, a remote server encounters an 'unknown
fatal socket error' and some transactions are not replicated. The Sybase
controls the ftp internally and it is set to 'passive' mode. If I try the
'active' switch the ftp hangs after an initial Sybase message.
I suspect that the problem is in the port forwarding to the internal ftp
server. I originally had kernel 2.0 .. something .. and although I could ftp
normally OK, within the Sybase program it would cause an 'unknown fatal
socket error' instantly. When I installed the 2.2 kernel, the problem seemed to
go away .. until I found that it still had intermittent 'unknown fatal
socket errors'.
Here is the firewall script:
#!/bin/sh
# load ip masquerading modules
/sbin/depmod -a
/sbin/modprobe ip_masq_ftp
/sbin/modprobe ip_masq_portfw
echo "1" > /proc/sys/net/ipv4/ip_forward
echo "1" > /proc/sys/net/ipv4/ip_always_defrag
ipchains -F
ipchains -P forward ACCEPT
# hide internal network
ipchains -A forward -s 192.168.1.0/24 -j MASQ
ipchains -A forward -s 192.168.111.0/24 -j MASQ
ipchains -A forward -s 192.168.100.0/24 -j MASQ
# allow all PING packets thru
ipchains -A forward -p icmp -j DENY
# allow anything from the INTERNAL NETWORK to go out and come back in
ipchains -A forward -s 192.168.1.0/24 -j ACCEPT
ipchains -A forward -d 192.168.1.0/24 -p tcp ! -y -j ACCEPT
# allow anything from the FIRST DIALIN network to go out and come back in
ipchains -A forward -s 192.168.111.0/24 -j ACCEPT
ipchains -A forward -d 192.168.111.0/24 -p tcp ! -y -j ACCEPT
# allow anything from the SECOND DIALIN network to go out and come back in
ipchains -A forward -s 192.168.100.0/24 -j ACCEPT
ipchains -A forward -d 192.168.100.0/24 -p tcp ! -y -j ACCEPT
route add default gw 210.9.115.62
# add routes to the radius dialin
route add -net 192.168.111.0/24 gw 192.168.1.249 metric 1
route add -net 192.168.100.0/24 gw 192.168.1.250 metric 1
route add -net 200.1.2.0/24 gw 192.168.1.250 metric 1
# map internet address/port to internal address/port
ipmasqadm portfw -f
ipmasqadm portfw -a -P tcp -L 210.9.115.50 smtp -R 192.168.1.252 smtp
ipmasqadm portfw -a -P tcp -L 210.9.115.50 pop-3 -R 192.168.1.252 pop-3
ipmasqadm portfw -a -P tcp -L 210.9.115.50 ftp -R 192.168.1.67 ftp
ipmasqadm portfw -a -P tcp -L 210.9.115.50 ftp-data -R 192.168.1.67 ftp-data
ipmasqadm portfw -a -P tcp -L 210.9.115.50 www -R 192.168.1.240 www
Thanks, Newman
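The portfw rules in the script forward only the ftp (21) and ftp-data (20) ports to 192.168.1.67, while in passive mode the server itself announces the data-connection address and port in its 227 reply. The check below is an added example, not code from the post: it parses 227 replies from a control-channel transcript (the transcript is constructed) and reports any advertised endpoint that an outside client could not reach through those rules.

```python
import re

# Values taken from the portfw rules in the script above.
PUBLIC_ADDR = "210.9.115.50"        # -L address of the portfw rules
INTERNAL_FTP = "192.168.1.67"       # -R address of the internal FTP server
FORWARDED_TCP_PORTS = {21, 20}      # ftp and ftp-data are the only forwarded ports

# h1,h2,h3,h4,p1,p2 form shared by the 227 PASV reply and the PORT command (RFC 959)
HOSTPORT_RE = re.compile(r"(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3})")

def parse_hostport(text):
    """Extract (address, port) from an h1,h2,h3,h4,p1,p2 tuple; None if absent/invalid."""
    m = HOSTPORT_RE.search(text)
    if not m:
        return None
    n = [int(g) for g in m.groups()]
    if any(v > 255 for v in n):
        return None
    return ".".join(map(str, n[:4])), n[4] * 256 + n[5]

def check_pasv_reply(line, public=PUBLIC_ADDR, forwarded=FORWARDED_TCP_PORTS):
    """List the problems an outside client would hit using the endpoint in a 227 reply."""
    if not line.startswith("227"):
        return ["not a 227 PASV reply"]
    parsed = parse_hostport(line)
    if parsed is None:
        return ["227 reply carries no parsable h1,h2,h3,h4,p1,p2 tuple"]
    addr, port = parsed
    problems = []
    if addr == INTERNAL_FTP:
        problems.append("reply leaks the internal address %s (not rewritten)" % addr)
    elif addr != public:
        problems.append("advertised %s is not the public address %s" % (addr, public))
    if port not in forwarded:
        problems.append("data port %d has no portfw rule" % port)
    return problems

def audit_session(lines):
    """Run check_pasv_reply over every 227 line of a control-channel transcript."""
    return [(l, check_pasv_reply(l)) for l in lines if l.startswith("227")]

SAMPLE_SESSION = [  # constructed transcript, not a real capture
    "220 FTP server ready.",
    "PASV",
    "227 Entering Passive Mode (192,168,1,67,4,10)",   # internal address, port 1034
    "PASV",
    "227 Entering Passive Mode (210,9,115,50,0,20)",   # public address, forwarded port
]

if __name__ == "__main__":
    for line, problems in audit_session(SAMPLE_SESSION):
        print(line, "->", problems or ["reachable through portfw"])
```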
_______________________________________________
Masq maillist - [EMAIL PROTECTED]