/* HINT: Search archives @ http://www.indyramp.com/masq/ before posting! 
/* ALSO: Don't quote this header. It makes you look lame :-) */


Here are the chains that I use to allow port style access to my server.
Basically stock stuff from TrinityOS (thanks DR).

/sbin/ipchains -A input -j ACCEPT -i $EXTIF -p tcp -s $UNIVERSE -d $EXTIP ftp
/sbin/ipchains -A input -j ACCEPT -i $EXTIF -p tcp -s $UNIVERSE -d $EXTIP ftp-data

echo "  - Enabling all input REPLY (TCP/UDP) traffic on high ports."
/sbin/ipchains -A input -j ACCEPT -p tcp -s $UNIVERSE ftp-data -d $EXTIP $UNPRIVPORTS


echo "       Optional parameter: FTP server"
/sbin/ipchains -A output -j ACCEPT -i $EXTIF -p tcp -s $EXTIP ftp -d $UNIVERSE
/sbin/ipchains -A output -j ACCEPT -i $EXTIF -p tcp -s $EXTIP ftp-data -d $UNIVERSE


While we're at it though... I have my own question that I can't seem to get
an answer to.  I have an internal server that I am trying to portforward ftp
traffic to and it's not working.  I think because I'm sending traffic from
port 2001 to the internal server and missing out on the ftp data that's
going to port 20.  Does anyone know how to do this?  Basically I just need
to forward data through my server to the internal ftp-server, BUT I can't
use ports 20 or 21, since I have an anonymous ftp server running on those
ports.

Any help would be appreciated.

carl


-----Original Message-----
From: Jack Lauman [mailto:[EMAIL PROTECTED]]
Sent: Wednesday, July 18, 2001 12:10 PM
To: [EMAIL PROTECTED]
Subject: [Masq] ipchains and FTP Server




I am using the following script for FTP access.  I can't seem to get it
to work correctly.  Users need to be able to have access to update their
web sites from the Internet (eth0) and I need access from the private
network (eth1).  I would appreciate any help in resolving this issue.

Thanks in advance,

Jack


    # ------------------------------------------------------------------
    # FTP client (20, 21)
    # -------------------

    # incoming request
    
    ipchains -A input -i $EXTERNAL_INTERFACE -p tcp ! -y \
             -s $ANYWHERE $UNPRIVPORTS \
             -d $IPADDR 21 -j ACCEPT

    ipchains -A output -i $EXTERNAL_INTERFACE -p tcp \
             -s $IPADDR 21 \
             -d $ANYWHERE $UNPRIVPORTS -j ACCEPT

    # PORT mode data channel responses
    ipchains -A input -i $EXTERNAL_INTERFACE -p tcp ! -y \
            -s $ANYWHERE $UNPRIVPORTS \
            -d $IPADDR 20 -j ACCEPT

    ipchains -A output -i $EXTERNAL_INTERFACE -p tcp \
            -s $IPADDR 20 \
            -d $ANYWHERE $UNPRIVPORTS -j ACCEPT

    # PASSIVE mode data channel responses
    ipchains -A input -i $EXTERNAL_INTERFACE -p tcp \
            -s $ANYWHERE $UNPRIVPORTS \
            -d $IPADDR $UNPRIVPORTS -j ACCEPT

    ipchains -A output -i $EXTERNAL_INTERFACE -p tcp ! -y \
            -s $IPADDR $UNPRIVPORTS \
            -d $ANYWHERE $UNPRIVPORTS -j ACCEPT


Log file from WS-FTP when connecting to RedHat:
(I'm not sure what the illegal port is.)

connecting to 63.240.14.69:21
Connected to 63.240.14.69 port 21
220 "Red Hat FTP server ready. All transfers are logged, please have a nice day."
USER anonymous
331 Guest login ok, send your complete e-mail address as password.
PASS (hidden)
230 Guest login ok, access restrictions apply.
PWD
257 "/" is current directory.
SYST
215 UNIX Type: L8
Host type (S): UNIX (standard)
PORT 192,168,1,11,18,254
500 Illegal PORT Command
! Failed "port":
! Retrieve of directory listing failed (0)

_______________________________________________
Masq maillist  -  [EMAIL PROTECTED]
Admin requests can be handled at http://www.indyramp.com/masq-list/ -- 
THIS INCLUDES UNSUBSCRIBING!
or email to [EMAIL PROTECTED]

PLEASE read the HOWTO and search the archives before posting.
You can start your search at http://www.indyramp.com/masq/
Please keep general linux/unix/pc/internet questions off the list.
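The "500 Illegal PORT Command" in the WS-FTP log above is the server refusing a PORT argument that names the client's private address (192.168.1.11) rather than the address the control connection actually came from; that mismatch check is the standard anti-bounce rule in wu-ftpd, which is assumed here to be the Red Hat daemon in the log. The following is an added example, not code from the list post: it decodes the logged PORT argument, applies the server-side checks, and shows the rewrite a masquerading box's FTP helper (ip_masq_ftp on 2.2 kernels) has to make so the command passes. The client's public address 203.0.113.5 and the substitute port 61000 are constructed placeholders, since the log does not show them.

```python
# Added example (not from the list post): decode and check an FTP PORT
# argument the way the server in the WS-FTP log does before replying.

def parse_port_arg(arg):
    """Decode 'h1,h2,h3,h4,p1,p2' into ('h1.h2.h3.h4', p1*256 + p2)."""
    fields = arg.strip().split(",")
    if len(fields) != 6:
        raise ValueError("PORT needs six comma-separated fields")
    nums = [int(f) for f in fields]
    if any(not 0 <= n <= 255 for n in nums):
        raise ValueError("each PORT field must be in 0..255")
    return ".".join(str(n) for n in nums[:4]), nums[4] * 256 + nums[5]


def check_port_command(arg, control_peer_ip):
    """Server-side view: accept PORT only if it points back at the host that
    owns the control connection, on an unprivileged port (wu-ftpd's rule
    against FTP bounce). Returns (accepted, reply_line)."""
    try:
        ip, port = parse_port_arg(arg)
    except ValueError:
        return False, "500 Illegal PORT Command"
    if ip != control_peer_ip:
        # A masqueraded client leaks its private 192.168.x.x address here
        # unless the NAT box rewrites the command, so the server sees a mismatch.
        return False, "500 Illegal PORT Command"
    if port < 1024:
        return False, "500 Illegal PORT Command"
    return True, "200 PORT command successful."


def rewrite_port_arg(arg, public_ip, public_port):
    """What an FTP NAT helper (ip_masq_ftp) does to the command in flight:
    substitute the masquerading host's address and a port it reserved for
    the server's incoming data connection."""
    parse_port_arg(arg)  # reject malformed input before rewriting
    octets = public_ip.split(".")
    return ",".join(octets + [str(public_port // 256), str(public_port % 256)])


if __name__ == "__main__":
    logged = "192,168,1,11,18,254"        # taken from the WS-FTP log above
    client_public_ip = "203.0.113.5"       # constructed placeholder
    print(parse_port_arg(logged))          # ('192.168.1.11', 4862)
    print(check_port_command(logged, client_public_ip)[1])
    fixed = rewrite_port_arg(logged, client_public_ip, 61000)  # placeholder port
    print(fixed, check_port_command(fixed, client_public_ip)[1])
```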
