
Re: ftp & masquerade



On Fri, 16 Nov 2001, Joongul Lee wrote:

> Hello,
>
> I am using a debian testing box as a firewall+masquerade+router. It works
> well for the most part, but somehow ftp from the internal network is giving
> me a problem.
>
> Here's what happens:
> From the firewall: both "ftp ftp.debian.org" and "links ftp.debian.org" work.
> From the inside: "ftp ftp.debian.org" works (gives me a login prompt), but
> "links ftp.debian.org" doesn't work ("FTP PORT command failed").
>
> I suppose this means that my firewall doesn't masquerade the passive ftp
> request correctly.
>
> As the following script shows, I have inserted the ip_conntrack_ftp and
> ip_nat_ftp modules, but they show up as unused.

In passive-mode ftp the client opens a new connection to a port on the
server. Therefore no conntrack is required. Active-mode ftp requires some
help from a conntrack module.

I'm not sure about your specific setup, so I can only give you the
standard advice: log every packet you drop (or at least make this an
optional switch of your script) and see where exactly packets are dropped
when a client is not able to work...

>
> I'd appreciate your advice on what I am doing wrong.
>
> user@firewall:~$ more /etc/init.d/packetfilter
> #! /bin/sh
> # Script to control packet filtering.
>
> case "$1" in
>   start)
>       echo "Turning on packet filtering:"
>
>       modprobe ip_conntrack_ftp
>       modprobe ip_nat_ftp
>
>       iptables -N block
>       iptables -A block -i ! eth1 -s 192.168.1.0/24 -j DROP
>       iptables -A block -i ! lo -s 127.0.0.0/8 -j DROP
>       iptables -A block -m state --state ESTABLISHED,RELATED -j ACCEPT
>       iptables -A block -s 127.0.0.0/8 -m state --state NEW -j ACCEPT
>       iptables -A block -s 192.168.1.0/24 -m state --state NEW -j ACCEPT
>       iptables -A block -j DROP
>
>       iptables -A INPUT -j block
>       iptables -A FORWARD -j block
>
>       iptables -t nat -A POSTROUTING -o eth0 -j MASQUERADE
>
>       ;;
>   stop)
>       echo -n "Turning off packet filtering:"
>       iptables -F
>       iptables -X
>       echo "."
>       ;;
>   *)
>       echo "Usage: /etc/init.d/packetfilter {start|stop}"
>       exit 1
>       ;;
> esac
>
> exit 0
>
> user@firewall:~$ /sbin/lsmod
> Module                Size  Used by
> ipt_MASQUERADE        1808   1 (autoclean)
> ipt_state              992   3 (autoclean)
> iptable_filter        2080   0 (autoclean) (unused)
> ip_nat_ftp            3616   0 (unused)
> iptable_nat          16916 1 [ipt_MASQUERADE ip_nat_ftp]
> ip_tables            13680   6 [ipt_MASQUERADE ipt_state iptable_filter
> iptable_nat]
> ip_conntrack_ftp      3988   0 (unused)
> ip_conntrack         17036   3 [ipt_MASQUERADE ipt_state ip_nat_ftp
> iptable_nat ip_conntrack_ftp]
>

-- 
Tzafrir Cohen
mailto:tzafrir@technion.ac.il
http://www.technion.ac.il/~tzafrir
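The logging switch suggested above, written out as an added example (this is not the original poster's script and not Tzafrir's code): the same "block" chain, with a rate-limited LOG rule placed directly in front of the terminal DROP when LOG_DROPS=1. The interface names and LAN network are the poster's values; the LOG_DROPS variable, the dry-run default (IPTABLES set to "echo iptables" so the script prints rules instead of applying them), and the "PF-DROP: " prefix are assumptions of this example. It uses the current `! -i` negation syntax rather than the older `-i !` form in the poster's script.

```shell
#!/bin/sh
# Added example: "block" chain with an optional LOG rule ahead of the final
# DROP, so dropped packets appear in the kernel log (dmesg / syslog) tagged
# "PF-DROP: ". IPTABLES defaults to a dry run that only prints the commands;
# run with IPTABLES=/sbin/iptables as root to apply them.
IPTABLES="${IPTABLES:-echo iptables}"

# Poster's values: eth0 outside, eth1 inside, 192.168.1.0/24 on the LAN.
EXT_IF="${EXT_IF:-eth0}"
INT_IF="${INT_IF:-eth1}"
LAN="${LAN:-192.168.1.0/24}"

# build_block_chain LOG_DROPS
#   LOG_DROPS=1 inserts a rate-limited LOG rule before the terminal DROP;
#   any other value leaves logging out, matching the original script.
build_block_chain() {
    log_drops="$1"
    $IPTABLES -N block
    # Anti-spoofing: LAN addresses may only arrive on the inside interface,
    # loopback addresses only on lo.
    $IPTABLES -A block ! -i "$INT_IF" -s "$LAN" -j DROP
    $IPTABLES -A block ! -i lo -s 127.0.0.0/8 -j DROP
    # Replies, and data connections the ftp helper has marked RELATED
    # (the active-mode case), pass here.
    $IPTABLES -A block -m state --state ESTABLISHED,RELATED -j ACCEPT
    $IPTABLES -A block -s 127.0.0.0/8 -m state --state NEW -j ACCEPT
    $IPTABLES -A block -s "$LAN" -m state --state NEW -j ACCEPT
    if [ "$log_drops" = 1 ]; then
        # LOG is non-terminating, so it must sit immediately before DROP;
        # the limit match keeps a flood from filling the log.
        $IPTABLES -A block -m limit --limit 5/s --limit-burst 10 \
            -j LOG --log-prefix "PF-DROP: " --log-level info
    fi
    $IPTABLES -A block -j DROP
}

# start LOG_DROPS: full ruleset, mirrors the poster's "start" case.
start() {
    $IPTABLES -t nat -A POSTROUTING -o "$EXT_IF" -j MASQUERADE
    build_block_chain "${1:-0}"
    $IPTABLES -A INPUT -j block
    $IPTABLES -A FORWARD -j block
}

stop() {
    $IPTABLES -F
    $IPTABLES -X
}

# dry_run_block_chain LOG_DROPS: print the chain's commands without
# applying them, whatever IPTABLES is set to.
dry_run_block_chain() {
    (IPTABLES="echo iptables"; build_block_chain "$1")
}

# count_log_rules LOG_DROPS: number of LOG rules the chain would contain.
count_log_rules() {
    dry_run_block_chain "$1" | awk '/-j LOG/ { n++ } END { print n + 0 }'
}

case "${1:-}" in
    start) start "${LOG_DROPS:-0}" ;;
    stop)  stop ;;
    *)     ;;
esac
```

Apply it with `LOG_DROPS=1 IPTABLES=/sbin/iptables sh packetfilter.sh start`; `dmesg | grep PF-DROP` then shows, per dropped packet, the interface it arrived on, source and destination addresses, protocol and ports, which is exactly what is needed to tell whether an active-mode data connection from the server is being dropped on FORWARD because ip_conntrack_ftp did not mark it RELATED. Running the script with no IPTABLES set just prints the rules, so the ordering can be checked before anything touches the kernel.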