Newbie: Weird problem with ftp behind ipchains
From: Jose Navarro (jose.navarroREMOVE_THIS_TEXT@ideg.es) Date: 07/09/02
- Next message: Sullivan John: "firewall recommendation"
- Previous message: : "Re: Symantec firewall and email headers"
- Next in thread: Brad Werschler: "Re: Newbie: Weird problem with ftp behind ipchains"
- Reply: Brad Werschler: "Re: Newbie: Weird problem with ftp behind ipchains"
From: "Jose Navarro" <jose.navarroREMOVE_THIS_TEXT@ideg.es> Date: Tue, 9 Jul 2002 17:36:30 +0200
Hi,
I know, this is something that is asked every now and then. But this case is
a little bit different.
I have the following setup:
          +----------------+
          |    Firewall    |
          | 123.456.789.2  |
          | 172.17.101.50  |
          +---+---------+--+
              |         |
              |         |
+-------------+--+   +--+-------------+
|    Florida     |   |  Others (LAN)  |
| 123.456.789.31 |   |                |
| 172.17.101.31  |   | 172.17.101.xxx |
+----------------+   +----------------+
Legend:
+----------------+
| Computer name |
| Public IP |
| Private IP |
+----------------+
(Sorry for the graphic; please, use Courier to view it correctly)
Note: the public IPs are fictitious.
That is, I have a single firewall and a LAN behind it. All the computers in
the LAN but Florida and the firewall itself have only private IPs. My rules
for ipchains allow for both active and passive connections to ftp servers
(at least, I think so!). Passive connections work pretty well. But this is
not the case for the active ones.
Let's assume we are working in Florida, the computer (besides the firewall)
that has a public IP.
The situation seems to be typical: I can connect (send my user and password)
but as soon as I ask for a directory listing, the connection is rejected by
the ftp server. But what's curious is the clear answer one of the servers
sent me:
500 I won't open a connection to 172.17.101.31 (only to 123.456.789.31)
425 No data connection
(If I use a passive connection, I have no problems connecting to this
server.)
Here, I'm puzzled. The server is complaining about Florida's PRIVATE IP!!!
It looks as if, somehow, a packet going to the ftp server wasn't NATted.
I have included an abridged version of my rules at the end of this message.
As you will see, I NAT Florida's private address and give explicit forward
rules for this computer...
Can you tell me what's wrong? I'm not the one who set up this firewall and
I'm just learning to configure it...
Any help will be DEEPLY appreciated!
Note: the rest of the computers in the LAN are MASQued, and the problem is
still there. See the file with the rules...
Jose
----- The rules are here ------
#!/bin/sh
ANYWHERE=0.0.0.0/0
EXT_IF=eth0
INT_IF=eth1
INTNET=172.17.0.0/16
# forwarding
echo 1 > /proc/sys/net/ipv4/ip_forward
# Remove previous rules.
/sbin/ipchains -F input
/sbin/ipchains -F output
/sbin/ipchains -F forward
# Set the default policies. Input and forward: DENY. Output: ACCEPT.
/sbin/ipchains -v -P input DENY
/sbin/ipchains -v -P forward DENY
/sbin/ipchains -v -P output ACCEPT
# BEGIN NAT ------------------------------------------------------------
# iproute2 one-to-one NAT for Florida: packets for the public address are
# delivered to the private one, and packets from the private address leave
# with the public one as source.
/usr/sbin/ip route add nat 123.456.789.31 via 172.17.101.31 table local
/usr/sbin/ip rule add from 172.17.101.31 nat 123.456.789.31 table main
# END NAT ---------------------------------------------------------------
# Give the LAN access to the firewall.
/sbin/ipchains -A input -i $INT_IF -s $INTNET -d $ANYWHERE -j ACCEPT
# BEGIN COMPUTER FLORIDA -------------------------------------------------
# --- Begin FTP ---
# Control connection: Florida -> server port 21, and the non-SYN replies.
/sbin/ipchains -A output -i $EXT_IF -p tcp -s 123.456.789.31 1024: -d $ANYWHERE 21 -j ACCEPT
/sbin/ipchains -A input -i $EXT_IF -p tcp ! -y -s $ANYWHERE 21 -d 123.456.789.31 1024: -j ACCEPT
# Active-mode data connection: the server opens it from port 20 to Florida.
/sbin/ipchains -A input -i $EXT_IF -p tcp -s $ANYWHERE 20 -d 123.456.789.31 1024: -j ACCEPT
/sbin/ipchains -A output -i $EXT_IF -p tcp ! -y -s 123.456.789.31 1024: -d $ANYWHERE 20 -j ACCEPT
# Passive-mode data connection: Florida opens it to an unprivileged server port.
/sbin/ipchains -A output -i $EXT_IF -p tcp -s 123.456.789.31 1024: -d $ANYWHERE 1024: -j ACCEPT
/sbin/ipchains -A input -i $EXT_IF -p tcp ! -y -s $ANYWHERE 1024: -d 123.456.789.31 1024: -j ACCEPT
# --- End FTP ---
# --- Begin forwarding ---
/sbin/ipchains -A forward -p all -d 172.17.101.31 -j ACCEPT
/sbin/ipchains -A forward -p all -d 123.456.789.31 -j ACCEPT
/sbin/ipchains -A forward -p all -s 123.456.789.31 -j ACCEPT
# --- End forwarding ---
# END COMPUTER FLORIDA ----------------------------------------------------
# BEGIN OTHER COMPUTERS IN THE LAN -----------------------------------------
#
# Many rules have been removed here... Leaving only the masquerading.
#
# Begin masquerade (for other computers in the LAN)
/sbin/ipchains -A forward -p all -i $EXT_IF -s $INTNET -d $ANYWHERE -j MASQ
# END OTHER COMPUTERS IN THE LAN -------------------------------------------
# BEGIN DENY SECTION -------------------------------------------------------
# Anything not explicitly allowed before is rejected and logged.
/sbin/ipchains -A input -j DENY -l
/sbin/ipchains -A forward -j DENY -l
# END DENY SECTION ---------------------------------------------------------
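The server's "500 I won't open a connection to 172.17.101.31" reply is explained by how active FTP works: the client announces its own address inside a PORT command sent as payload on the control connection, so a translation that only rewrites IP headers leaves the private address in the payload. The Python below is an added example, not code from the original post or from ipchains/iproute2: it models a header-only NAT (the kind of one-to-one translation the post's `ip route add nat` / `ip rule ... nat` pair performs) beside a NAT with an FTP helper that also rewrites the PORT line (the job the ip_masq_ftp module does for MASQ'd hosts), and applies the server's check to both. The packets are constructed dicts; 198.51.100.31 stands in for the post's fictitious public 123.456.789.31 and 203.0.113.5 is an assumed FTP server.

```python
"""Why a header-only NAT leaks a private address in active FTP.

Added example (not code from the original post).  Addresses used:
  172.17.101.31  Florida's private address (from the post)
  198.51.100.31  stands in for the post's fictitious public 123.456.789.31
  203.0.113.5    an FTP server (assumed)
Packets are modelled as dicts and constructed inline.
"""
import re

# Active FTP: the client listens on a port and tells the server where to
# connect with "PORT h1,h2,h3,h4,p1,p2" (IP as four octets, port = p1*256 + p2).
PORT_RE = re.compile(r"^PORT (\d+),(\d+),(\d+),(\d+),(\d+),(\d+)\r\n$")

# Static one-to-one mapping, the same pair the post's NAT lines express.
NAT_MAP = {"172.17.101.31": "198.51.100.31"}


def parse_port(line):
    """Return (ip, port) from a PORT command; ValueError if it is not one."""
    m = PORT_RE.match(line)
    if not m:
        raise ValueError("not a PORT command: %r" % line)
    fields = [int(x) for x in m.groups()]
    if any(f > 255 for f in fields):
        raise ValueError("field out of range in %r" % line)
    return ".".join(str(f) for f in fields[:4]), fields[4] * 256 + fields[5]


def format_port(ip, port):
    """Encode ip/port as a PORT command line."""
    octets = ip.split(".")
    if len(octets) != 4 or not 0 < port < 65536:
        raise ValueError("bad address or port")
    return "PORT %s,%d,%d\r\n" % (",".join(octets), port // 256, port % 256)


def header_only_nat(pkt):
    """Header-only NAT: rewrite the IP source, leave the TCP payload alone."""
    out = dict(pkt)
    out["src"] = NAT_MAP.get(pkt["src"], pkt["src"])
    return out


def ftp_helper_nat(pkt):
    """NAT plus an FTP helper: also rewrite a PORT command that names the
    private source, so the server sees the public address in both places."""
    out = header_only_nat(pkt)
    if pkt["dst_port"] == 21:          # only the FTP control connection
        try:
            ip, port = parse_port(pkt["payload"])
        except ValueError:
            return out                 # not a PORT line, nothing to rewrite
        if ip == pkt["src"]:           # client advertised its private address
            out["payload"] = format_port(out["src"], port)
    return out


def server_verdict(pkt):
    """The check the post's server applies: the PORT address must match the
    control connection's source.  Returns the reply line."""
    ip, port = parse_port(pkt["payload"])
    if ip != pkt["src"]:
        return "500 I won't open a connection to %s (only to %s)" % (ip, pkt["src"])
    return "200 PORT command successful"


# Constructed packet: Florida's client announces port 1025 on its private address.
CLIENT_PORT_PKT = {
    "src": "172.17.101.31", "dst": "203.0.113.5", "dst_port": 21,
    "payload": format_port("172.17.101.31", 1025),
}

if __name__ == "__main__":
    for name, fn in (("header-only NAT", header_only_nat),
                     ("NAT + FTP helper", ftp_helper_nat)):
        translated = fn(CLIENT_PORT_PKT)
        print("%-16s sends %r -> %s" % (name, translated["payload"].strip(),
                                        server_verdict(translated)))
```

Passive mode needs no such rewrite in the outbound direction: the client sends a bare PASV, the server answers with its own address and port, and the client connects outward, which is consistent with passive transfers working through the same translation.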