Re: can't ftp through IP Masq
On Tue, Aug 15, 2000 at 08:08:15AM -0700, Stan Kaufman wrote:
> This has been discussed recently on the firewalls listserv. Check out
> http://geocrawler.com/lists/3/Security/90/0/ for a searchable archive;
> think you'll find some answers there. (I personally am still trying to
> figure this out myself, or I'd chime in with the answer myself ;-)
For passive FTP, I use the following ipchains ruleset snippet:
<snippet>
#!/bin/sh
# Definitions
ipchains="$(which ipchains)"
# Enable IP forwarding
echo 1 > /proc/sys/net/ipv4/ip_forward
# Default policies for all chains
${ipchains} -P input DENY
${ipchains} -P forward DENY
${ipchains} -P output DENY
# Flush rules
${ipchains} --flush input
${ipchains} --flush forward
${ipchains} --flush output
# Allow returning ftp packets to enter
# Passive FTP is the policy
# "! -y" matches only packets without the SYN flag set alone, i.e. replies
# to connections this host opened, so no new inbound connection is accepted.
${ipchains} -A input -p tcp -s 0.0.0.0/0 21 -i ppp0 ! -y -j ACCEPT
${ipchains} -A input -p tcp -s 0.0.0.0/0 --sport 1024:65535 \
    --dport 1024:65535 -i ppp0 ! -y -j ACCEPT
# Allow leaving ftp packets to leave
# Passive ftp transfers require this (passive FTP is the policy):
# the control connection to port 21 and the client-initiated data connection
# to the server's high port.
${ipchains} -A output -p tcp -d 0.0.0.0/0 21 -i ppp0 -j ACCEPT
${ipchains} -A output -p tcp -d 0.0.0.0/0 1024:65535 -i ppp0 -j ACCEPT
</snippet>
Is this the correct way of doing this? Anything better? It works, that's
for sure.
Suggestions welcomed. :)
HTH
Sven
--
"[Microsoft] ... guarantees 99.8% NT uptime for certain hard-/software.
That's exactly the 3 minutes daily that my NT server needs to reboot."
-- ZDnet editorial
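The snippet above only covers FTP sessions started on the firewall host itself; the original question was about clients behind IP Masquerade. The following is an added example, not code from Sven's post, that builds the same passive-FTP rules as a reviewable list and adds the two pieces a masquerading gateway needs: the `ip_masq_ftp` helper module and a `MASQ` rule on the forward chain. The external interface `ppp0` and the LAN `192.168.1.0/24` are assumptions; adjust them for your network. Every inbound rule carries `! -y`, so the gateway never accepts a new connection from the outside, which is exactly the property passive mode buys you.

```shell
#!/bin/sh
# Added example (not from the original post): passive-FTP rules for an
# ipchains masquerading gateway. The rules are generated as text first so
# they can be inspected; nothing is applied unless "--apply" is given.
# Assumed interface and LAN (not taken from the post):
EXT_IF="${EXT_IF:-ppp0}"
LAN_NET="${LAN_NET:-192.168.1.0/24}"

# build_ftp_rules prints one command per line and executes nothing.
build_ftp_rules() {
    cat <<EOF
modprobe ip_masq_ftp
ipchains -A output -i $EXT_IF -p tcp -d 0.0.0.0/0 21 -j ACCEPT
ipchains -A input -i $EXT_IF -p tcp -s 0.0.0.0/0 21 ! -y -j ACCEPT
ipchains -A output -i $EXT_IF -p tcp --sport 1024:65535 -d 0.0.0.0/0 1024:65535 -j ACCEPT
ipchains -A input -i $EXT_IF -p tcp --sport 1024:65535 -d 0.0.0.0/0 1024:65535 ! -y -j ACCEPT
ipchains -A forward -i $EXT_IF -s $LAN_NET -j MASQ
EOF
}

# count_syn_accepts returns how many input-chain rules would accept a new
# inbound connection (a rule without "! -y"). A passive-only policy must
# yield 0; check this before applying the rules.
count_syn_accepts() {
    build_ftp_rules | awk '/^ipchains -A input/ && !/! -y/ { n++ } END { print n + 0 }'
}

# rule_count returns the number of generated commands, for a quick sanity check.
rule_count() {
    build_ftp_rules | awk 'END { print NR }'
}

# Review mode prints the rules; "--apply" feeds them to the shell as root.
if [ "${1:-}" = "--apply" ]; then
    if [ "$(count_syn_accepts)" -ne 0 ]; then
        echo "refusing to apply: an input rule accepts inbound SYNs" >&2
        exit 1
    fi
    build_ftp_rules | sh
else
    build_ftp_rules
fi
```

Run it without arguments to see the rules, and with `--apply` on the gateway once Sven's default-DENY policies and flushes are in place. The `MASQ` rule on the forward chain is what lets LAN clients out at all; `ip_masq_ftp` is the kernel helper that rewrites the FTP control channel and tracks the data connections so they are masqueraded correctly.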