
Re: ftp masq on non standard ports not working



On Thu, Mar 21, 2002 at 05:26:23PM -0800, Mike Egglestone wrote:

> Hi,
> 
> I just jumped into iptables. (sid with kernel 2.4.18)
> phew!! what excitement
> Anyway,
> 
> I have masquerading working from private ips so
> that they can surf, but FTP is not working.
> I had this similar problem with IPchains.
> With IPChains, I would edit /etc/ipmasq/modules 
> and unpound the ftp line there. 
> 
> Is there a new way to fix this with iptables?
> and what if the ftp server is servicing on a port other than
> the standard 21?
> 
> Thanks
> 
> Mike

Well, I had the same problem, and tracked it down to a very interesting
discovery:

There are 2 ways to establish an ftp connection: active and passive mode.
The only difference is the way to connect to the server after a successful login
(for example a directory list). In active mode, (after login) you send a PORT
command, which is starting from an unpriv port of the client, and goes to
your (masqed) server port 21. So far so good, it works. However, at the time
the server answers, it is on its port 20 (so it tries to connect back to you!), 
and since the fw hasn't got any idea of the packet, it just masquerades to the 
client, but in this case it means an unpriv-unpriv connection, which is blocked by the fw.

Workaround: definitive passive mode. In passive mode the connection attempt is
done _everytime_ by the client, and so the server responses are not masqed.
(or at least not to an unidentified port) At a number of ftp servers you have
the possibility to select the passive ports to connect to (I prefer proftpd),
and the ip address it is considering itself to be at.

Frank

PS1: imho the ip_masq_ftp is only working for port 21, so you have to use a
     patched version, or you may use rinetd instead of ipmasqadm.
    
PS2: Of course the ultimate solution would be a packet redirector, which is
     able to rewrite the _source_ port too.
     
Any ideas?
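As an added illustration (not code from the thread), a small Python parser for the two FTP control messages that carry an address, the PORT command and the 227 passive-mode reply. It shows which side opens the data connection in each mode, and therefore why a masquerading box needs an FTP helper (and an address rewrite when the client is on a private address) for active mode but not for passive mode. The addresses are constructed sample values.

```python
import re
from ipaddress import ip_address

# h1,h2,h3,h4,p1,p2 as used by the PORT command and the 227 PASV reply (RFC 959)
_HOSTPORT = re.compile(r"(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3})")


def parse_hostport(text):
    """Decode the h1,h2,h3,h4,p1,p2 tuple into ('a.b.c.d', port)."""
    m = _HOSTPORT.search(text)
    if not m:
        raise ValueError("no host/port tuple in %r" % text)
    n = [int(x) for x in m.groups()]
    if any(x > 255 for x in n):
        raise ValueError("byte out of range in %r" % text)
    return "%d.%d.%d.%d" % tuple(n[:4]), n[4] * 256 + n[5]


def classify(line):
    """Describe the data connection a PORT command or 227 reply sets up.

    Active mode: the client sends PORT, so the *server* connects back
    (from port 20) to the advertised client port; the firewall must expect
    that inbound connection and, if the advertised address is private,
    rewrite it as well.  Passive mode: the server answers 227 and the
    client connects out, which plain masquerading already handles.
    """
    if line.upper().startswith("PORT "):
        mode, initiator = "active", "server"
    elif line.startswith("227"):
        mode, initiator = "passive", "client"
    else:
        raise ValueError("not a PORT command or a 227 reply: %r" % line)
    ip, port = parse_hostport(line)
    return {
        "mode": mode,
        "initiator": initiator,
        "ip": ip,
        "port": port,
        "helper_needed": initiator == "server",
        "rewrite_needed": initiator == "server" and ip_address(ip).is_private,
    }


if __name__ == "__main__":
    # constructed sample exchange: private client 192.168.1.10, server 203.0.113.5
    for msg in ("PORT 192,168,1,10,4,1",
                "227 Entering Passive Mode (203,0,113,5,195,80)."):
        print(msg, "->", classify(msg))
```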