
Re: can't ftp through IP Masq



I only had one ipchains rule to turn it on, and added another to prevent
timeout on secondary ftp connections, but I don't really understand it all
yet. I might try the script below, though. What do you name it, and where
do you put it so it gets read?

(Nice footer, BTW.)

John

On Tue, 15 Aug 2000, Sven Burgener wrote:

> For passive FTP, I use the following ipchains ruleset snippet:
> 
> <snippet>
> #!/bin/sh
> 
> # Definitions
> ipchains="$(which ipchains)"
> 
> # Enable IP forwarding
> echo 1 > /proc/sys/net/ipv4/ip_forward
> 
> # Default policies for all chains
> ${ipchains} -P input DENY
> ${ipchains} -P forward DENY
> ${ipchains} -P output DENY
> 
> # Flush rules
> ${ipchains} --flush input
> ${ipchains} --flush forward
> ${ipchains} --flush output
> 
> # Allow returning ftp packets to enter
> # Passive FTP is the policy
> ${ipchains} -A input -p tcp -s 0.0.0.0/0 21 -i ppp0 -j ACCEPT ! -y
> ${ipchains} -A input -p tcp -s 0.0.0.0/0 --sport 1024:65535 \
> 	--dport 1024:65535 -i ppp0 -j ACCEPT ! -y
> 
> # Allow leaving ftp packets to leave
> # Passive ftp transfers require this (passive FTP is the policy)
> ${ipchains} -A output -p tcp -d 0.0.0.0/0 21 -i ppp0 -j ACCEPT
> ${ipchains} -A output -p tcp -d 0.0.0.0/0 1024:65535 -i ppp0 -j ACCEPT
> </snippet>
> 
> Is this the correct way of doing this? Anything better? It works, that's
> for sure.
> 
> Suggestions welcomed. :)
> 
> HTH
> Sven
> -- 
> "[Microsoft] ... guarantees 99.8% NT uptime for certain hard-/software.
> That's exactly the 3 minutes daily that my NT server needs to reboot."
>                                                         -- ZDnet editorial
> 

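As an added illustration (not code from the thread or from Sven), here is a small Python model of the two input-chain rules in the quoted snippet, evaluated against constructed packets on ppp0; the `syn` field stands for what ipchains tests with `-y`, and port 1055-1057 client ports are assumed.

```python
# Added example: models the "input" chain from the quoted ipchains snippet
# (policy DENY, then two "! -y" ACCEPT rules on ppp0) against constructed packets.
from dataclasses import dataclass

HIGH = range(1024, 65536)   # the 1024:65535 range used in the snippet

@dataclass(frozen=True)
class Packet:
    proto: str
    sport: int
    dport: int
    iface: str
    syn: bool               # True when SYN is set and ACK clear (ipchains -y)

def rule_ftp_control(p: Packet) -> bool:
    # ipchains -A input -p tcp -s 0.0.0.0/0 21 -i ppp0 -j ACCEPT ! -y
    return p.proto == "tcp" and p.sport == 21 and p.iface == "ppp0" and not p.syn

def rule_passive_data(p: Packet) -> bool:
    # ipchains -A input -p tcp -s 0.0.0.0/0 --sport 1024:65535 \
    #     --dport 1024:65535 -i ppp0 -j ACCEPT ! -y
    return (p.proto == "tcp" and p.sport in HIGH and p.dport in HIGH
            and p.iface == "ppp0" and not p.syn)

INPUT_CHAIN = [rule_ftp_control, rule_passive_data]

def input_verdict(p: Packet) -> str:
    """First matching rule wins; otherwise the chain policy (-P input DENY)."""
    for rule in INPUT_CHAIN:
        if rule(p):
            return "ACCEPT"
    return "DENY"

# Constructed packets, not captured traffic.
SAMPLES = {
    "ftp control reply":          Packet("tcp", 21, 1055, "ppp0", syn=False),
    "passive data reply":         Packet("tcp", 40000, 1056, "ppp0", syn=False),
    "inbound SYN to port 21":     Packet("tcp", 3000, 21, "ppp0", syn=True),
    "inbound SYN to high port":   Packet("tcp", 3000, 8080, "ppp0", syn=True),
    "non-SYN segment, high ports": Packet("tcp", 40000, 8080, "ppp0", syn=False),
    "udp reply":                  Packet("udp", 53, 1057, "ppp0", syn=False),
}

if __name__ == "__main__":
    for name, pkt in SAMPLES.items():
        print(f"{name:28s} -> {input_verdict(pkt)}")
```

The fifth case shows the limit of a stateless ruleset: any non-SYN TCP segment between two high ports is accepted, so ACCEPT here does not mean "part of an established FTP session", which is why kernel-tracked masquerading helpers are preferable to port-range rules.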

