Harry,

The Linux kernel has a number of modules designed specifically to address
this problem... one of them takes care of FTP. Essentially, it creates a
connection-specific ipchains ACCEPT rule, and deletes it when that data
transfer is finished. (Apologies to clueful kernel hackers for the vast
over-simplification here.)

At some point, run the following command:

    /sbin/insmod ip_masq_ftp

That'll do the trick.

Stil


On Fri, Jun 09, 2000 at 01:52:33PM +0900, Harry Behrens wrote:
> 
> I have a question regarding how to set up ftp (non-PASV) and IP MASQerading:
> In order to masquerade incoming requests I normally use portfw (port
> forwarding). This of course necessitates a static mapping of
> external IP address/port to  internal IP address/port.
> 
> As ftp-data is also a client connection to an internal 'server' I have the
> following problem:
> My internal 'server' address changes (with each ftp connection). I therefore
> don't see how I can use MASQerading in this case.
> My internal addresses are all private (192.16.0.0/24): I cannot use routing.
> IPCHAINS is not 'stateful' so it does not allow for dynamic creation of
> rules based on an open connection from 192.168.0.0/24 to a ftp server.
> 
> So: how do I enable ftp connections in an environment, where I use private
> addresses??
> 
> 
> 
> For reference I include the relevant rules of my firewall (which passes ftp
> control but not ftp data, i.e. I can connect but do not receive any data for
> example from ls etc.)
> 
> 
> Chain input (policy DENY):
> target     prot opt     source                destination           ports
> ACCEPT     tcp  !y----  !192.168.0.0/24       anywhere              ftp -> any
> ACCEPT     tcp  ------  192.168.0.0/24        anywhere              any -> ftp
> ACCEPT     tcp  ------  !192.168.0.0/24       anywhere              ftp-data -> any
> ACCEPT     tcp  !y----  192.168.0.0/24        anywhere              any -> ftp-data
> 
> Chain forward (policy MASQ):
> target     prot opt     source                destination           ports
> 
> Chain output (policy DENY):
> target     prot opt     source                destination           ports
> ACCEPT     tcp  ------  $EXTERNAL_IP          anywhere              any -> ftp
> ACCEPT     tcp  ------  $EXTERNAL_IP          anywhere              any -> ftp-data
> ACCEPT     tcp  !y----  anywhere              192.168.0.0/24        ftp -> any
> ACCEPT     tcp  ------  anywhere              anywhere              ftp-data -> any
> ACCEPT     tcp  !y----  anywhere              anywhere              any -> ftp-data
> 
> 
> Dr. Harry Behrens                 e-mail: [EMAIL PROTECTED]
> Information Engineering           phone:  +81.3.5489.7792
> WintermuteTeknologies.com         fax:    +81.3.5489.7621
>                                   DoCoMo: 090.222.71520
> 
> -
> [To unsubscribe, send mail to [EMAIL PROTECTED] with
> "unsubscribe firewalls" in the body of the message.]

-- 
Stilgherrian, Operations Manager
Taurfish Technology Services (ARBN V8636744)
http://www.taurfish.com.au/
intl+ 61 416 229 239 (in Australia 0416 229 239)
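The mechanism Stil describes (the kernel helper watches the control channel, opens a temporary, connection-specific entry so the server's active-mode data connection can reach the internal client, and removes it when the transfer is done) as an added toy model in Python. This is not the kernel's ip_masq_ftp code and is not from either poster; the class name, the port pool, the exact rewriting of the PORT command to the firewall's external address, and the sample addresses (RFC 5737 documentation ranges) are assumptions made for illustration only.

```python
"""Toy model of what an FTP masquerading helper must do for active-mode
(non-PASV) FTP behind a masquerading firewall.  Hypothetical example; it
touches neither the kernel nor ipchains."""
import re

# Active FTP: "PORT h1,h2,h3,h4,p1,p2" gives four address octets and the
# client's listening port as two bytes (port = p1 * 256 + p2).
PORT_RE = re.compile(r"^PORT\s+(\d+),(\d+),(\d+),(\d+),(\d+),(\d+)\s*$")


def parse_port(line):
    """Return (ip, port) for a well-formed PORT command, else None."""
    m = PORT_RE.match(line.rstrip("\r\n"))
    if not m:
        return None
    nums = [int(x) for x in m.groups()]
    if any(n > 255 for n in nums):        # octets and port bytes are 0..255
        return None
    ip = ".".join(str(n) for n in nums[:4])
    return ip, nums[4] * 256 + nums[5]


def format_port(ip, port):
    """Inverse of parse_port: build a PORT command from ip and port."""
    return "PORT %s,%d,%d" % (",".join(ip.split(".")), port // 256, port % 256)


class FtpMasqHelper:
    """Models the helper: it rewrites the private address in PORT to the
    firewall's external address and records a connection-specific inbound
    mapping for the server's data connection (the 'ACCEPT rule' of the
    reply).  The mapping is deleted when the transfer finishes."""

    def __init__(self, external_ip, port_pool=range(61000, 61010)):
        self.external_ip = external_ip
        self.free_ports = list(port_pool)   # hypothetical external data ports
        self.mappings = {}  # ext_port -> (server_ip, client_ip, client_port)

    def outbound_control(self, client_ip, server_ip, line):
        """Called for each line the internal client sends on the control
        channel; non-PORT lines pass through untouched."""
        parsed = parse_port(line)
        if parsed is None:
            return line.rstrip("\r\n")
        _, client_port = parsed
        if not self.free_ports:
            raise RuntimeError("no free external data ports")
        ext_port = self.free_ports.pop(0)
        self.mappings[ext_port] = (server_ip, client_ip, client_port)
        return format_port(self.external_ip, ext_port)

    def inbound_data(self, src_ip, dst_port):
        """Decide what to do with a new inbound TCP connection: forward it to
        (client_ip, client_port) only if it hits a live mapping and comes from
        the server the control session talks to; otherwise None (drop).  A
        stricter model could also require source port ftp-data (20)."""
        entry = self.mappings.get(dst_port)
        if entry is None or entry[0] != src_ip:
            return None
        return entry[1], entry[2]

    def release(self, ext_port):
        """Drop the mapping once the data transfer is finished."""
        entry = self.mappings.pop(ext_port, None)
        if entry is not None:
            self.free_ports.append(ext_port)
        return entry is not None


if __name__ == "__main__":
    # Constructed sample session: internal client 192.168.0.10 talking to an
    # external server 198.51.100.7 through a firewall whose outside address
    # is 203.0.113.5 (all documentation addresses).
    helper = FtpMasqHelper("203.0.113.5")
    print(helper.outbound_control("192.168.0.10", "198.51.100.7",
                                  "PORT 192,168,0,10,16,225\r\n"))
    print(helper.inbound_data("198.51.100.7", 61000))
    print(helper.inbound_data("192.0.2.99", 61000))   # wrong source: dropped
    helper.release(61000)
    print(helper.inbound_data("198.51.100.7", 61000))  # mapping gone
```

The point of the model is the third method: without a helper, the firewall has no way to know that a connection arriving on some high port is the expected ftp-data connection, which is exactly the static-mapping limitation the question describes.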
