
RE: ftp and ipmasq portfw

I think I am confused.
Can you ftp to anywhere from a masquerading machine at work?  From my experience,
you have to install ip_masq_ftp.o on the server doing NAT (masquerading) if you want
to FTP from inside through it.  I assume your port-forwarding works since you can
establish an FTP connection from your NAT server to the home machine.
-----Original Message-----
From: Tijl Schoonenberg [mailto:tschoone@chello.nl]
Sent: Thursday, February 15, 2001 1:26 PM
To: debian-firewall@lists.debian.org
Subject: Re: ftp and ipmasq portfw

Is the only thing that should be needed #insmod ip_masq_ftp, or are there any further things to do? I'm asking this because I tried to load the module already (forgot to mention that in my message). It loaded, but I still couldn't connect to my server after that. I tried it with the ipmasq-rule being applied, and also after having deleted the same rule.
----- Original Message -----
From: Bao Ha
Sent: Thursday, February 15, 2001 7:04 PM
Subject: RE: ftp and ipmasq portfw

You need to load the module ip_masq_ftp.o!
-----Original Message-----
From: Tijl Schoonenberg [mailto:tschoone@chello.nl]
Sent: Thursday, February 15, 2001 1:02 PM
To: debian-firewall@lists.debian.org
Subject: ftp and ipmasq portfw

I am a system administrator, and we're using a linux-firewall with ipchains and masquerading. I have this ftp-server at home that I'm also using for work. At first I just had a windows2k workstation at home, directly connected to the internet. So I just could set passive mode on my workstation over here at work (192.168.what.ever) and my server accepted the port commands I gave.
Due to those killing security holes I decided to install a linux-firewall. I installed ipchains and masquerading and did the following to my firewall-script:
    /sbin/ipmasqadm -a -P tcp -L $real_ip 80 -R $webserver_local_ip 80
Of course that works without any problems, I mean I can connect from the LAN over here to my local webserver over there, using the address of our firewall.
Then I added the following line for being able to access the ftp-server:
    /sbin/ipmasqadm -a -P tcp -L $real_ip 21 -R $ftpserver_local_ip 21
When I try to log in from our firewall (work) to my local server at home everything works fine, the port forwarding does its job perfectly. Though whenever I try to connect to my local server from a masqueraded machine (that is a machine with IP 192.168.what.ever, and set to passive mode for transfers) it doesn't work. It lets me log in, so asks for a username and a password, but when I issue the 'ls' or the 'dir' command at that moment, which is actually causing a transfer, it times out on a windows machine. On a linux machine (for example our mailserver) it gives me a 'somehow' better description: [ftp_local_ip]: no route to host
Hmmm, now that seems natural... Of course my machine can't find that ip, not even to mention some server with that identification, but I'm wondering why it tries to reroute me locally to a non-existing IP and not to my IP given by my isp.
Does anyone know what I'm doing wrong, is this some basic stuff (I wouldn't be surprised, pretty new to linux-firewalling) or is this a well-known problem?
Any help would be greatly appreciated :)
Tijl Schoonenberg
note: fw@work is running RH6.2/Kernel2.2.16-3; fw@home is running Debian 2.2/Kernel2.2.17 (from dist-cd)
