On Fri, 15 Sep 2000, Tom Laurie wrote:
> 1. Set up IPChains so that I can FTP to my apache directory from outside
> the network?
You could do this, but I would highly recommend against it. FTP is insecure
by nature. You should use SSH instead. SSH is really, really easy to set up
and use. Check out http://www.openssh.com for the goods. On Windoze boxen, I
recommend SecureCRT and SecureFX (commercial software) from Van Dyke Software
(http://www.vandyke.com).
To open up a box for SSH access, place this rule before any DENY/REJECT
rules in your input chain:

  # open up SSH access. TCP port 22 is SSH.
  ipchains -A input -i $WAN_IF -p tcp --dport 22 -j ACCEPT
To open up a box for passive mode FTP access, place these rules before any
DENY/REJECT rules in your input chain (again, I recommend that you do *NOT* do
this):

  # open up FTP access.
  # TCP port 21 is the FTP control channel, 20 is the data channel.
  # DO NOT USE THIS, it is insecure
  ipchains -A input -i $WAN_IF -p tcp --dport 21 -j ACCEPT
  ipchains -A input -i $WAN_IF -p tcp --dport 20 -j ACCEPT
> 2. Allow e-mail from outside the network to be routed to a Novell Groupwise
> pop server inside the network?
You need to use something called "port forwarding" for this to work. You
need to have support for IPPORTFW compiled into your kernel, and you need a
userland utility called "ipmasqadm" to control it. Whether you already have
this or not depends on your distribution and release thereof.
Once you've got all that, you can use something like this:

  # forward TCP port 25 (SMTP) from the WAN interface's address to the internal
  # mail server.
  ipmasqadm portfw -a -P tcp -L $WAN_ADDR 25 -R $MAIL_SERVER_LAN_ADDR 25
Check out this section of the IP Masquerade HOWTO for more information:
http://www.linuxdoc.org/HOWTO/IP-Masquerade-HOWTO-6.html#Forwarders
Hope this helps!
--
Ben Scott <[EMAIL PROTECTED]>
Net Technologies, Inc. <http://www.ntisys.com>
Voice: (800)905-3049 x18 Fax: (978)499-7839
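
Added example (not part of the original message): a simplified shell model of first-match rule evaluation, showing why the ACCEPT rule has to sit before any DENY/REJECT rule in the input chain. The two rule lists, the catch-all DENY rule and the function names are constructed for illustration; only -p, --dport and -j are modelled.

```shell
#!/bin/sh
# Simplified model of how a chain is evaluated: rules are checked in order and
# the first match decides. Only -p, --dport and -j are modelled; the packet is
# assumed to arrive on $WAN_IF.

# first_match PROTO DPORT: read "ipchains -A input ..." lines on stdin and
# print the target of the first rule matching the packet, or POLICY if none.
first_match() {
    want_proto=$1
    want_port=$2
    while read -r line; do
        case $line in
            "ipchains -A input"*) ;;
            *) continue ;;                 # comments, blanks, other chains
        esac
        proto=any port=any target= prev=
        set -f                             # split on whitespace, no globbing
        for word in $line; do
            case $prev in
                -p)      proto=$word ;;
                --dport) port=$word ;;
                -j)      target=$word ;;
            esac
            prev=$word
        done
        set +f
        [ "$proto" = any ] || [ "$proto" = "$want_proto" ] || continue
        [ "$port" = any ] || [ "$port" = "$want_port" ] || continue
        echo "$target"
        return 0
    done
    echo POLICY
}

# Constructed rule lists: the same two rules in both orders.
rules_right() { cat <<'EOF'
# open up SSH access, then drop and log everything else
ipchains -A input -i $WAN_IF -p tcp --dport 22 -j ACCEPT
ipchains -A input -i $WAN_IF -j DENY -l
EOF
}
rules_wrong() { cat <<'EOF'
ipchains -A input -i $WAN_IF -j DENY -l
ipchains -A input -i $WAN_IF -p tcp --dport 22 -j ACCEPT
EOF
}

echo "ACCEPT first, SSH: $(rules_right | first_match tcp 22)"
echo "DENY first, SSH:   $(rules_wrong | first_match tcp 22)"
echo "ACCEPT first, FTP: $(rules_right | first_match tcp 21)"
```

The same function can be pointed at the ipchains lines of a real firewall script to see which rule a given port hits first.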