
Re: can't ftp through IP Masq



On Tue, Aug 15, 2000 at 08:08:15AM -0700, Stan Kaufman wrote:
> This has been discussed recently on the firewalls listserv. Check out 
> http://geocrawler.com/lists/3/Security/90/0/ for a searchable archive;
> think you'll find some answers there. (I personally am still trying to
> figure this out myself, or I'd chime in with the answer myself ;-)

For passive FTP, I use the following ipchains ruleset snippet:

<snippet>
#!/bin/sh

# Definitions
ipchains="$(which ipchains)"

# Enable IP forwarding
echo 1 > /proc/sys/net/ipv4/ip_forward

# Default policies for all chains
${ipchains} -P input DENY
${ipchains} -P forward DENY
${ipchains} -P output DENY

# Flush rules
${ipchains} --flush input
${ipchains} --flush forward
${ipchains} --flush output

# Allow returning ftp packets to enter
# Passive FTP is the policy
# '! -y' matches only packets that are NOT connection-opening SYNs, so
# nothing on the outside can open a new connection through these rules.
# Replies from the server's control port (21) to any local port:
${ipchains} -A input -p tcp -s 0.0.0.0/0 21 -i ppp0 -j ACCEPT ! -y
# Replies on the passive data connection, which runs between an
# unprivileged port on each side:
${ipchains} -A input -p tcp -s 0.0.0.0/0 --sport 1024:65535 \
	--dport 1024:65535 -i ppp0 -j ACCEPT ! -y

# Allow leaving ftp packets to leave
# Passive ftp transfers require this (passive FTP is the policy)
# Control connection to the server's port 21:
${ipchains} -A output -p tcp -d 0.0.0.0/0 21 -i ppp0 -j ACCEPT
# Data connection to the unprivileged port the server announced in PASV:
${ipchains} -A output -p tcp -d 0.0.0.0/0 1024:65535 -i ppp0 -j ACCEPT
</snippet>

Is this the correct way of doing this? Anything better? It works, that's
for sure.

Suggestions welcomed. :)

HTH
Sven
-- 
"[Microsoft] ... guarantees 99.8% NT uptime for certain hard-/software.
That's exactly the 3 minutes daily that my NT server needs to reboot."
                                                        -- ZDnet editorial
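The ruleset above only admits passive data connections that run between two unprivileged ports and never lets an outside host open a connection. As an added example (not part of Sven's post), the following Python parses the server's 227 PASV reply to find the advertised data port and models which inbound packets the two 'input' rules would accept; the reply text and port numbers are constructed.

```python
import re
from typing import Tuple

# Port range the ruleset accepts for the data connection (1024:65535).
UNPRIV_PORTS = range(1024, 65536)

# The six comma-separated numbers of a 227 reply: h1,h2,h3,h4,p1,p2
_PASV_RE = re.compile(r"^227\D*(\d+),(\d+),(\d+),(\d+),(\d+),(\d+)")


def parse_pasv_reply(reply: str) -> Tuple[str, int]:
    """Return the (host, port) a server advertises in its 227 PASV reply.

    The data port is p1*256 + p2. Raises ValueError on malformed input."""
    m = _PASV_RE.search(reply.strip())
    if not m:
        raise ValueError("not a 227 PASV reply: %r" % reply)
    nums = [int(x) for x in m.groups()]
    if any(n > 255 for n in nums):
        raise ValueError("value out of range in %r" % reply)
    host = ".".join(str(n) for n in nums[:4])
    port = nums[4] * 256 + nums[5]
    if port == 0:
        raise ValueError("port 0 is not usable")
    return host, port


def data_connection_allowed(reply: str, client_port: int) -> bool:
    """True if the ruleset would pass the passive data connection: both the
    client's source port and the server's advertised port must be unprivileged,
    because 1024:65535 is the only range the data rules accept."""
    _, server_port = parse_pasv_reply(reply)
    return server_port in UNPRIV_PORTS and client_port in UNPRIV_PORTS


def input_rule_accepts(sport: int, dport: int, syn: bool) -> bool:
    """Model of the two 'input' rules on ppp0. A packet gets through only if
    it is not a connection-opening SYN ('! -y') and either comes from the
    server's control port 21 or travels between two unprivileged ports.
    Anything else falls to the chain's DENY policy."""
    if syn:
        return False  # '! -y' excludes SYN packets, so no inbound new connections
    if sport == 21:
        return True  # control-channel replies to any local port
    return sport in UNPRIV_PORTS and dport in UNPRIV_PORTS  # passive data replies
```

Note that an active-mode data connection, which the server opens from port 20 with a SYN, is refused by this model, which is why the post says passive FTP is the policy.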


