Hello Everyone,

If you have followed the IPMASQ list in the last week or so, I posted a new ALPHA ip_masq_ftp module that supports PORTFW'ed FTP. There were a few issues with it, and a few users wanted the ability to add/remove additional non-standard PORTFWed FTP ports w/o having to break all existing connections to reload the ip_masq_ftp module. So, Juan has come up with a new module that uses the IPCHAINS MFW mechanism to support PORTFWed FTP and to also make changes on the fly.

Testers Needed:
---------------
For those of you out there that have the time, PLEASE test this module out... EVEN if you don't need the PORTFW functionality. If this module is stable and works as advertised (should work BETTER than the current stock ip_masq_ftp module), it will be added to the mainstream Linux kernel.

Please note that to get things running, you WILL need to use the IPCHAINS MFW mechanism. This mechanism MIGHT NOT be in your currently running Linux kernel. If it isn't, you will need to recompile with the following option:

    IP: ip fwmark masq-forwarding support (EXPERIMENTAL) (CONFIG_IP_MASQUERADE_MFW)

At the moment, I'm not aware if there is a way to see if the MFW support is available in a given kernel. If you know of a way, please let me know.

--David


#!/bin/sh
#
# rc.masqfw v0.1
#
# Author: Juanjo Ciarlante <[EMAIL PROTECTED]>
# 03-Oct-00
#
# Set up reverse masquerading (a la portfw) using firewall marking
# _AND_ userspace "redir" support for complete redirection (even local
# connects).
#
# Requirements:
# - ipmasqadm    http://juanjox.kernelnotes.org/
#     (sets up kernel mark forwarding)
# - redir 2.2.x  http://freshmeat.net/search/?q=redir
#     (sets up "local" socket forwarding)
# - ip_masq_ftp PATCHED for firewall marking (module parm "in_mark")
#     (supports internal server forwarding for PASV clients)
#
# Setup:
# EXT_IP, EXT_PORT: external (visible) IP address (can be '0') and port.
# INT_IP, INT_PORT: internal server address and port
# IN_MARK:          arbitrary value to use when marking pkts (ipchains -m)
# FTP:              if non-null, activate ftp support
# REDIR:            path to redir-2.2.x (set to "" to avoid using it)

export PATH="/sbin:/usr/sbin:$PATH"

EXT_IP=192.168.2.16
EXT_PORT=2021
INT_IP=10.1.1.128
INT_PORT=21
IN_MARK=4321
FTP=1
REDIR="/usr/sbin/redir"

# Match only traffic arriving on the external interface for the published
# address/port; the same rule text is used for both -I (insert) and -D (delete).
FW_IPCHAINS="-i eth0 -d $EXT_IP $EXT_PORT -p tcp"
PID_FILE="/var/run/redir-$EXT_IP-$EXT_PORT"

# seems ascii art... but it runs!! =)
#
# run CMD...: execute CMD, report it on failure and return non-zero.
run() {
    "$@" || {
        echo "-> '$*'" >&2
        return 1
    }
}

# get_pid: print the PID recorded in $PID_FILE, but only if that process is
# still alive (guards against a stale pid file left by a crash/reboot).
get_pid() {
    test -f "$PID_FILE" || return 1
    pid=`cat "$PID_FILE"`          # plain assignment: "typeset" is not in POSIX sh
    test -n "$pid" || return 1
    kill -0 "$pid" 2>/dev/null || return 1
    echo "$pid"
}

# exit_err CODE MSG...: print MSG to stderr and exit with CODE.
exit_err() {
    ERR=$1; shift
    echo "$@" >&2
    exit "$ERR"
}

redir_on() {
    test -n "$REDIR" || return 1
    # With FTP support enabled, let redir rewrite PORT/PASV in both directions.
    test -n "$FTP" && REDIR="$REDIR --ftp=both"
    # Start redir in a child shell that records its own PID before exec'ing,
    # so that "stop" can later kill exactly this process. $SHELL may be unset
    # when run from init, hence the /bin/sh fallback.
    ${SHELL:-/bin/sh} -c 'echo $$ > '"$PID_FILE
        exec $REDIR \
            --laddr $EXT_IP --lport $EXT_PORT \
            --caddr $INT_IP --cport $INT_PORT" &
}

redir_off() {
    test -n "$REDIR" || return 1
    if pid=`get_pid`; then
        kill "$pid"
        rm -f "$PID_FILE"
    fi
    # Last resort: kill whatever still holds the external TCP port.
    fuser -k -n tcp "$EXT_PORT"
}

case "$1" in
start)
    #run modprobe ip_masq_mfw
    # Forward packets carrying IN_MARK to the internal server...
    run ipmasqadm mfw -I -m "$IN_MARK" -r "$INT_IP" "$INT_PORT"
    if test -n "$FTP"; then
        # ...and tell the patched ftp module which mark identifies them.
        run modprobe ip_masq_ftp in_mark="$IN_MARK" || \
            exit_err 1 "Incorrect ftp module version ?"
    fi
    # ...then mark inbound packets for the published address/port.
    # $FW_IPCHAINS is intentionally unquoted: it holds several arguments.
    run ipchains -m "$IN_MARK" -I input $FW_IPCHAINS
    redir_on
    ;;
stop)
    run ipchains -m "$IN_MARK" -D input $FW_IPCHAINS
    if test -n "$FTP"; then
        run rmmod ip_masq_ftp
    fi
    run ipmasqadm mfw -D -m "$IN_MARK" -r "$INT_IP" "$INT_PORT"
    #run ipmasqadm mfw -F
    #run rmmod ip_masq_mfw
    redir_off
    ;;
*)
    echo "Usage: $0 {start|stop}" >&2
    exit 1
    ;;
esac


[demime 0.97b removed an attachment of type application/octet-stream which had a name of ip_masq-v0.27-for_2.2.18pre9.patch1.gz]

David A. Ranch - Linux/Networking/PC hardware  [EMAIL PROTECTED]
For more detailed info, see http://www.ecst.csuchico.edu/~dranch
