ftp & masquerade
Hello,
I am using a debian testing box as a firewall+masquerade+router. It works
well for the most part, but somehow ftp from the internal network is giving
me a problem.
Here's what happens:
From the firewall: both "ftp ftp.debian.org" and "links ftp.debian.org" work.
From the inside: "ftp ftp.debian.org" works (gives me a login prompt), but
"links ftp.debian.org" doesn't work ("FTP PORT command failed").
I suppose this means that my firewall doesn't masquerade the passive ftp
request correctly.
As the following script shows, I have inserted the ip_conntrack_ftp and
ip_nat_ftp modules, but they show up as unused.
I'd appreciate your advice on what I am doing wrong.
user@firewall:~$ more /etc/init.d/packetfilter
#! /bin/sh
# Script to control packet filtering.
case "$1" in
  start)
    echo "Turning on packet filtering:"
    # FTP connection-tracking and NAT helpers (needed for the data connection)
    modprobe ip_conntrack_ftp
    modprobe ip_nat_ftp
    # Anti-spoofing: LAN addresses only on eth1, loopback addresses only on lo
    iptables -N block
    iptables -A block -i ! eth1 -s 192.168.1.0/24 -j DROP
    iptables -A block -i ! lo -s 127.0.0.0/8 -j DROP
    # Replies and helper-tracked related connections are allowed
    iptables -A block -m state --state ESTABLISHED,RELATED -j ACCEPT
    # New connections may only originate from the firewall itself or the LAN
    iptables -A block -s 127.0.0.0/8 -m state --state NEW -j ACCEPT
    iptables -A block -s 192.168.1.0/24 -m state --state NEW -j ACCEPT
    iptables -A block -j DROP
    iptables -A INPUT -j block
    iptables -A FORWARD -j block
    # Masquerade everything leaving on the external interface
    iptables -t nat -A POSTROUTING -o eth0 -j MASQUERADE
    ;;
  stop)
    echo -n "Turning off packet filtering:"
    iptables -F
    iptables -X
    echo "."
    ;;
  *)
    echo "Usage: /etc/init.d/packetfilter {start|stop}"
    exit 1
    ;;
esac
exit 0
user@firewall:~$ /sbin/lsmod
Module                  Size  Used by
ipt_MASQUERADE          1808   1 (autoclean)
ipt_state                992   3 (autoclean)
iptable_filter          2080   0 (autoclean) (unused)
ip_nat_ftp              3616   0 (unused)
iptable_nat            16916   1 [ipt_MASQUERADE ip_nat_ftp]
ip_tables              13680   6 [ipt_MASQUERADE ipt_state iptable_filter iptable_nat]
ip_conntrack_ftp        3988   0 (unused)
ip_conntrack           17036   3 [ipt_MASQUERADE ipt_state ip_nat_ftp iptable_nat ip_conntrack_ftp]
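The reason FTP needs the ip_conntrack_ftp and ip_nat_ftp helpers at all is that the control channel carries endpoint addresses in-band: a client's PORT command names the address and port on which it will accept the data connection, and a server's 227 reply to PASV names where the client should connect. A plain MASQUERADE rule rewrites only the IP header, so a PORT command sent from 192.168.1.x still tells the server to connect back to a private address unless the NAT helper rewrites it and registers the expected data connection as RELATED. The following is an added toy model of that behaviour, written for this page and not taken from the post or from the kernel sources; the addresses, port pool and control-channel lines are constructed, and the real helpers also handle EPRT/EPSV and several other details omitted here.

```python
import re

# The two control-channel messages that carry an endpoint in-band (RFC 959 format).
PORT_RE = re.compile(r"^PORT\s+(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3})\s*$")
PASV_RE = re.compile(r"^227\b.*?\((\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3})\)")


def decode_endpoint(fields):
    """Turn the six decimal fields of PORT / 227 into (ip, port)."""
    nums = [int(f) for f in fields]
    if any(n > 255 for n in nums):
        raise ValueError("field out of range: %r" % (fields,))
    return ".".join(str(n) for n in nums[:4]), nums[4] * 256 + nums[5]


def encode_endpoint(ip, port):
    """Inverse of decode_endpoint: (ip, port) -> 'h1,h2,h3,h4,p1,p2'."""
    octets = ip.split(".")
    if len(octets) != 4 or not 0 <= port <= 65535:
        raise ValueError("bad endpoint %s:%d" % (ip, port))
    return ",".join(octets + [str(port // 256), str(port % 256)])


class FtpAlg:
    """Toy model of what ip_conntrack_ftp + ip_nat_ftp do for one masqueraded client.

    client_ip: private address of the inside host (constructed)
    public_ip: address of the firewall's outside interface (constructed)
    server_ip: the FTP server the client is talking to (constructed)
    """

    def __init__(self, client_ip, public_ip, server_ip, next_port=40000):
        self.client_ip = client_ip
        self.public_ip = public_ip
        self.server_ip = server_ip
        self.next_port = next_port  # hypothetical pool of outside ports for rewritten PORTs
        self.expectations = []      # data connections the firewall should accept as RELATED

    def client_to_server(self, line):
        """Process one line sent by the inside client; return what the server sees."""
        m = PORT_RE.match(line)
        if not m:
            return line  # only PORT needs rewriting on this direction
        ip, port = decode_endpoint(m.groups())
        if ip != self.client_ip:
            return line  # address does not match the tracked client; leave it alone
        mapped = self.next_port
        self.next_port += 1
        # Active mode: server will connect to public_ip:mapped; DNAT that to client_ip:port.
        self.expectations.append({
            "direction": "inbound",
            "from": self.server_ip,
            "to": (self.public_ip, mapped),
            "dnat_to": (self.client_ip, port),
        })
        return "PORT " + encode_endpoint(self.public_ip, mapped)

    def server_to_client(self, line):
        """Process one line sent by the server; passive replies only create an expectation."""
        m = PASV_RE.match(line)
        if not m:
            return line
        ip, port = decode_endpoint(m.groups())
        # Passive mode: client will open client_ip -> ip:port; no rewrite needed, just RELATED.
        self.expectations.append({
            "direction": "outbound",
            "from": self.client_ip,
            "to": (ip, port),
        })
        return line


def run_constructed_session():
    """Run both an active (PORT) and a passive (227) exchange through the toy helper."""
    alg = FtpAlg("192.168.1.10", "203.0.113.5", "198.51.100.7")
    # Constructed control-channel lines, not captured traffic.
    rewritten = alg.client_to_server("PORT 192,168,1,10,4,1")  # client listens on 1025
    alg.server_to_client("227 Entering Passive Mode (198,51,100,7,195,80)")  # server port 50000
    return rewritten, alg.expectations


if __name__ == "__main__":
    rewritten, exps = run_constructed_session()
    print("server sees:", rewritten)
    for e in exps:
        print("expect", e)
```

The inbound expectation is the piece the poster's ruleset relies on: once the helper has registered it, the server's connection to the mapped port matches `--state RELATED` in the `block` chain and is forwarded to the private client. Without the helper there is nothing to rewrite the private address in PORT and nothing to mark the incoming data connection as related, so it is dropped by the final DROP rule.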