Re: Newbie: Weird problem with ftp behind ipchains
From: Brad Werschler (OptimusPrime@Transformers.ca) Date: 07/10/02
- Next message: : "Re: Kerio and XP"
- Previous message: Nick: "Re: Critiquing Software Fire Walls"
- In reply to: Jose Navarro: "Newbie: Weird problem with ftp behind ipchains"
- Messages sorted by: [ date ] [ thread ] [ subject ] [ author ] [ attachment ]
From: Brad Werschler <OptimusPrime@Transformers.ca> Date: Tue, 09 Jul 2002 23:52:14 GMT
Jose Navarro wrote:
> Hi,
>
> I know, this is something that is asked every now and then. But this case
> is a little bit different.
>
> I have the following setup:
>
>
>
>            +----------------+
>            | Firewall       |
>            | 123.456.789.2  |
>            | 172.17.101.50  |
>            +---+---------+--+
>                |         |
>                |         |
> +--------------+-+   +---+------------+
> | Florida        |   | Others (LAN)   |
> | 123.456.789.31 |   |                |
> | 172.17.101.31  |   | 172.17.101.xxx |
> +----------------+   +----------------+
>
>
> Legend:
>
> +----------------+
> | Computer name  |
> | Public IP      |
> | Private IP     |
> +----------------+
>
> (Sorry for the graphic; please, use Courier to view it correctly)
>
> Note: the public IPs are fictitious.
>
> That is, I have a single firewall and a LAN behind it. All the computers
> in the LAN but Florida and the firewall itself have only private IPs. My
> rules for ipchains allow for both active and passive connections to ftp
> servers (at least, I think so!). Passive connections work pretty well. But
> this is not the case for the active ones.
>
> Let's assume we are working in Florida, the computer (besides the
> firewall) that has a public IP.
>
> The situation seems to be typical: I can connect (send my user and
> password) but as soon as I ask for a directory listing, the connection is
> rejected by the ftp server. But what's curious is the clear answer one of
> the servers sent me:
>
> 500 I won't open a connection to 172.17.101.31 (only to 123.456.789.31)
> 425 No data connection
>
> (If I use a passive connection, I have no problems to connect to this
> server)
>
> Here, I'm puzzled. The server is complaining about Florida's PRIVATE IP!!!
> It looks as if, somehow, a packet going to the ftp server wasn't NATted.
>
> I have included an abridged version of my rules at the end of this
> message. As you will see, I NAT Florida's private address and give explicit
> forward rules for this computer...
>
> Can you tell me what's wrong? I'm not the one who set up this firewall and
> I'm just learning to configure it...
>
> Any help will be DEEPLY appreciated!
>
> Note: the rest of the computers in the LAN are MASQed. And the problem is
> still there. See the file with the rules...
>
> Jose
>
> ----- The rules are here ------
>
> #!/bin/sh
> ANYWHERE=0.0.0.0/0
> EXT_IF=eth0
> INT_IF=eth1
> INTNET=172.17.0.0/16
>
> # forwarding
> echo 1 > /proc/sys/net/ipv4/ip_forward
>
> # Remove previous rules.
>
> /sbin/ipchains -F input
> /sbin/ipchains -F output
> /sbin/ipchains -F forward
>
> # Set the default policies. Input and forward: DENY. Output: ACCEPT.
>
> /sbin/ipchains -v -P input DENY
> /sbin/ipchains -v -P forward DENY
> /sbin/ipchains -v -P output ACCEPT
>
> # BEGIN NAT ------------------------------------------------------------
>
> /usr/sbin/ip route add nat 123.456.789.31 via 172.17.101.31 table local
> /usr/sbin/ip rule add from 172.17.101.31 nat 123.456.789.31 table main
>
> # END NAT ---------------------------------------------------------------
>
> # Give the LAN access to the firewall.
>
> ipchains -A input -i INT_IF -s $INTNET -d $ANYWHERE -j ACCEPT
>
>
> # BEGIN COMPUTER FLORIDA -------------------------------------------------
>
> # --- Begin FTP ---
> ipchains -A output -i EXT_IF -p tcp -s 123.456.789.31 1024: -d $ANYWHERE 21 -j ACCEPT
> ipchains -A input -i EXT_IF -p tcp ! -y -s $ANYWHERE 21 -d 123.456.789.31 1024: -j ACCEPT
>
> ipchains -A input -i EXT_IF -p tcp -s $ANYWHERE 20 -d 123.456.789.31 1024: -j ACCEPT
> ipchains -A output -i EXT_IF -p tcp ! -y -s 123.456.789.31 1024: -d $ANYWHERE 20 -j ACCEPT
>
> ipchains -A output -i EXT_IF -p tcp -s 123.456.789.31 1024: -d $ANYWHERE 1024: -j ACCEPT
> ipchains -A input -i EXT_IF -p tcp ! -y -s $ANYWHERE 1024: -d 123.456.789.31 1024: -j ACCEPT
>
> # --- End FTP ---
>
> # --- Begin forwarding ---
>
> ipchains -A forward -p all -d 172.17.101.31 -j ACCEPT
> ipchains -A forward -p all -d 123.456.789.31 -j ACCEPT
> ipchains -A forward -p all -s 123.456.789.31 -j ACCEPT
>
> # --- End forwarding ---
>
> # END COMPUTER FLORIDA
> # ----------------------------------------------------
>
> # BEGIN OTHER COMPUTERS IN THE LAN
> # -----------------------------------------
>
> #
> # Many rules have been removed here... Leaving only the masquerading.
> #
>
> # Begin masquerade (for other computers in the LAN)
>
> ipchains -A forward -p all -i $EXT_IF -s $INTNET -d $ANYWHERE -j MASQ
>
> # END OTHER COMPUTERS IN THE LAN
> # -------------------------------------------
>
> # BEGIN DENY SECTION
> # -------------------------------------------------------
>
> # Anything not explicitly allowed before is rejected and logged.
>
> ipchains -A input -j DENY -l
> ipchains -A forward -j DENY -l
>
> # END DENY SECTION
> # ---------------------------------------------------------
Firstly, a substantial number of your rules aren't going to work without the
variables $INT_IF and $EXT_IF. (You have them without the $ in several
places.)
Active FTP when NAT'd requires a special kernel module. If you're using a
2.2 series kernel, then you probably just need to run "insmod ip_masq_ftp"
to get active FTP connections working properly.
Brad
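The mechanism behind the "500 I won't open a connection to 172.17.101.31" reply, and what an FTP NAT helper such as ip_masq_ftp has to do about it, as an added example that is not part of the original thread. In active mode the client sends its own address and a listening port inside the PORT command (RFC 959: h1,h2,h3,h4,p1,p2, port = p1*256+p2). NAT that rewrites only IP headers leaves that payload untouched, so the server sees the private address and refuses; a helper must rewrite the PORT argument to the public address and remember the data connection the server will initiate (from port 20) so the firewall can let it in. The code below simulates that exchange in pure Python with no sockets. The public address 203.0.113.31 and the server address 198.51.100.10 are assumed stand-ins (the post's 123.456.789.31 is fictitious and not a valid IPv4 literal), and the server-side check is a constructed model of the refusal quoted in the post.

```python
"""Simulate active-FTP PORT handling with and without a NAT helper.

Added example, not code from the original post or from ipchains/ip_masq_ftp.
Addresses and the server policy are constructed for illustration.
"""
import re
from dataclasses import dataclass, field

PRIVATE_IP = "172.17.101.31"   # Florida's private address, from the post
PUBLIC_IP = "203.0.113.31"     # assumed stand-in for the post's public address
SERVER_IP = "198.51.100.10"    # assumed FTP server address

PORT_RE = re.compile(
    r"^PORT (\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3})\r?\n?$"
)


def parse_port(line):
    """Parse an RFC 959 PORT command into (ip, port). Raises ValueError if malformed."""
    m = PORT_RE.match(line)
    if not m:
        raise ValueError("not a PORT command: %r" % line)
    nums = [int(x) for x in m.groups()]
    if any(n > 255 for n in nums):
        raise ValueError("octet out of range in %r" % line)
    ip = ".".join(str(n) for n in nums[:4])
    return ip, nums[4] * 256 + nums[5]


def format_port(ip, port):
    """Build the PORT line a client emits for ip:port."""
    return "PORT %s,%d,%d\r\n" % (",".join(ip.split(".")), port // 256, port % 256)


def server_accepts_port(control_peer_ip, port_line):
    """Constructed model of the server's check seen in the thread: only open a
    data connection to the address the control connection came from."""
    ip, _port = parse_port(port_line)
    if ip != control_peer_ip:
        return False, "500 I won't open a connection to %s (only to %s)" % (ip, control_peer_ip)
    return True, "200 PORT command successful"


@dataclass
class FtpNatHelper:
    """What an application-layer FTP helper does on top of header-only NAT."""
    private_ip: str
    public_ip: str
    # (server_ip, public_ip, port) data connections the firewall must let in
    expected_data: list = field(default_factory=list)

    def rewrite_outbound(self, line, server_ip):
        """Rewrite a PORT line from the private host so it carries the public
        address, and record the inbound data connection the server will open."""
        try:
            ip, port = parse_port(line)
        except ValueError:
            return line                     # not a PORT command: pass through
        if ip != self.private_ip:
            return line                     # someone else's PORT, leave alone
        self.expected_data.append((server_ip, self.public_ip, port))
        return format_port(self.public_ip, port)

    def allow_inbound(self, src_ip, src_port, dst_ip, dst_port):
        """Would the firewall accept this server-initiated data connection?"""
        return src_port == 20 and (src_ip, dst_ip, dst_port) in self.expected_data


def demo(data_port=1234):
    """Return (accepted without helper, accepted with helper, data SYN allowed, rewritten line)."""
    client_line = format_port(PRIVATE_IP, data_port)   # client names its own private IP

    # Header-only NAT: source IP becomes PUBLIC_IP, payload still says PRIVATE_IP.
    ok_plain, _reply = server_accepts_port(PUBLIC_IP, client_line)

    # With the helper the payload is rewritten and the data connection is expected.
    helper = FtpNatHelper(PRIVATE_IP, PUBLIC_IP)
    rewritten = helper.rewrite_outbound(client_line, SERVER_IP)
    ok_helper, _reply = server_accepts_port(PUBLIC_IP, rewritten)
    data_allowed = helper.allow_inbound(SERVER_IP, 20, PUBLIC_IP, data_port)
    return ok_plain, ok_helper, data_allowed, rewritten


if __name__ == "__main__":
    print(demo())
```

Passive mode sidesteps the whole problem because the client, not the server, opens the data connection, which is why it worked in the post while active mode did not.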