Hi,
I've got my Bering firewall box up and running (P133, 32 MB RAM) and it
is masquerading my www and passive FTP connections fine. However, when
I try to use active FTP, I think somehow I'm not letting the data
connection back in. This is what's happening (let me know if I've
forgotten to include something):
Network setup:

                  Other computers
                         |
       Me                |                  Firewall
 ---------------       -----     -------------------------------     I
| 192.168.1.100 |-----| HUB |---| 192.168.1.254 | | 24.81.30.29 |--> S
 ---------------       -----     -------------------------------     P
      eth0               |            eth1            eth0
                         |                        (dynamic IP)
                Some more computers
lsmod:

Module             Pages  Used by
ip_nat_irc          2384  0 (unused)
ip_nat_ftp          2960  0 (unused)
ip_conntrack_irc    3056  1
ip_conntrack_ftp    3824  2
smc-ultra           4268  1
ne                  5988  1
8390                5780  0 [smc-ultra ne]
FTP session:
[mascdman@omega mascdman]$ lftp oksun2.okanagan.bc.ca
lftp oksun2.okanagan.bc.ca:~> debug 9
lftp oksun2.okanagan.bc.ca:~> user aksilves
Password: xxxxxxx
lftp oksun2.okanagan.bc.ca:~> ls
---- Connecting to oksun2.okanagan.bc.ca (192.31.180.2) port 21
<--- 220 oksun2 FTP server (OUC/CIS on Sun Jun 23 23:09:58 PDT 2002) ready.
---> AUTH TLS
<--- 500 'AUTH TLS': command not understood
---> USER aksilves
<--- 331 Password required for aksilves.
---> PASS XXXX
<--- 230 User aksilves logged in.
---> PWD
<--- 257 "/home/oksun2/student/aksilves" is current directory
---> PASV
<--- 227 Entering Passive Mode (192,31,180,2,224,166)
---- Connecting data socket to (192.31.180.2) port 57510
---> LIST
<--- 150 ASCII data connection for /bin/ls (24.81.30.29,1437) (0 bytes).
<--- 226 ASCII Transfer complete.
total 3280
<skipping directory listing>
---- Closing data socket
lftp oksun2.okanagan.bc.ca:~> set ftp:passive-mode off
lftp oksun2.okanagan.bc.ca:~> ls
---> PORT 192,168,1,100,5,122
<--- 200 PORT command successful.
---> LIST
`ls' at 0 [Waiting for data connection...]
And it will sit there... On some ftp sites, I'll eventually get:
<--- 426 Connection closed; transfer aborted.
On the firewall, this line is added to /proc/net/ip_conntrack, so I
assume it's tracking the FTP connection?

tcp 6 109 SYN_SENT src=192.31.180.2 dst=24.81.30.29 sport=20 dport=1402 [UNREPLIED] src=192.168.1.100 dst=192.31.180.2 sport=1402 dport=20 use=1
Iptables rule set:
# Default policies
iptables -P INPUT DROP
iptables -P OUTPUT DROP
iptables -P FORWARD DROP
# Send inbound ident/auth to my oidentd server
iptables -t nat -A PREROUTING -p tcp --syn --dport auth -j DNAT --to 192.168.1.100
# Masq stuff
iptables -t nat -A POSTROUTING -o eth0 -j MASQUERADE
# Allow loopback (the OUTPUT chain matches on the outgoing interface, -o, not -i)
iptables -A INPUT -i lo -j ACCEPT
iptables -A OUTPUT -o lo -j ACCEPT
# Allow ssh to the firewall from the LAN
iptables -A INPUT -i eth1 -p tcp --dport ssh -j ACCEPT
# Allow DHCP traffic from the LAN (DHCP is carried over UDP, not TCP)
iptables -A INPUT -i eth1 -p udp --dport bootps -j ACCEPT
iptables -A INPUT -i eth1 -p udp --dport bootpc -j ACCEPT
# Allow related & established traffic
iptables -A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
# Allow related & established traffic
iptables -A OUTPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
# Allow related & established traffic
iptables -A FORWARD -m state --state RELATED,ESTABLISHED -j ACCEPT
# Allow new outbound connections
iptables -A FORWARD -m state --state NEW -i eth1 -j ACCEPT
# Allow inbound ident/auth traffic
iptables -A FORWARD -i eth0 -p tcp --syn --dport auth -j ACCEPT
What am I missing? Any inbound tcp connections for active ftp should be
handled by the "-A FORWARD -m state --state RELATED,ESTABLISHED -j
ACCEPT" rule, so I don't need to explicitly allow them, right?
On a somewhat related note, a few of the servers I need to connect to
are running on unusual ports (port 777, iirc). Somewhere, someone
mentioned that ip_conntrack_ftp won't track these connections unless
/etc/modules is changed from:
ip_conntrack_ftp
ip_nat_ftp
to:
ip_conntrack_ftp ports=21,777
ip_nat_ftp ports=21,777
Is this true and are these changes right?
(Yes this change *has* been made to my /etc/modules and no, active ftp
did not work *before* this change was made)
Thanks in advance,
Alan Silvester (mascdman _at_ shaw _dot_ ca)
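Added example (not part of Alan's post, nor code from LEAF/Bering or the
netfilter project): a small Python script that decodes the h1,h2,h3,h4,p1,p2
tuples from the PORT command and the 227 PASV reply quoted above, shows the
PORT line ip_nat_ftp has to send on to the server, and cross-checks the
/proc/net/ip_conntrack entry against the data connection the PORT command
asked for. The addresses and the conntrack line are copied from the post;
the "problem" messages are my own interpretation of each mismatch, and the
parser assumes the 2.4-kernel ip_conntrack column layout shown in the post.

```python
import re

# Constructed sample inputs, copied from the lftp session and the
# /proc/net/ip_conntrack line quoted in the post above.
PORT_CMD = "PORT 192,168,1,100,5,122"
PASV_REPLY = "227 Entering Passive Mode (192,31,180,2,224,166)"
CONNTRACK_LINE = (
    "tcp 6 109 SYN_SENT src=192.31.180.2 dst=24.81.30.29 sport=20 dport=1402 "
    "[UNREPLIED] src=192.168.1.100 dst=192.31.180.2 sport=1402 dport=20 use=1"
)
LAN_CLIENT = "192.168.1.100"   # the lftp host behind the firewall
PUBLIC_IP = "24.81.30.29"      # the firewall's eth0 address at the time

HOSTPORT_RE = re.compile(r"(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3})")


def parse_hostport(text):
    """Decode the RFC 959 h1,h2,h3,h4,p1,p2 tuple used by PORT and by the
    227 PASV reply.  Returns (dotted_ip, port) with port = p1*256 + p2."""
    m = HOSTPORT_RE.search(text)
    if m is None:
        raise ValueError("no h1,h2,h3,h4,p1,p2 tuple in %r" % text)
    octets = [int(x) for x in m.groups()]
    if any(o > 255 for o in octets):
        raise ValueError("octet out of range in %r" % text)
    return ".".join(str(o) for o in octets[:4]), octets[4] * 256 + octets[5]


def rewrite_port_cmd(cmd, public_ip):
    """The PORT line ip_nat_ftp has to put on the wire: the same port, but the
    firewall's public address in place of the RFC 1918 one the client sent."""
    _, port = parse_hostport(cmd)
    p1, p2 = divmod(port, 256)
    return "PORT %s,%d,%d" % (public_ip.replace(".", ","), p1, p2)


def parse_conntrack(line):
    """Split a 2.4-kernel /proc/net/ip_conntrack line into its original-direction
    and reply-direction tuples.  The first src/dst/sport/dport group is the
    direction that created the entry, the second is the (post-NAT) reply."""
    fields = line.split()
    orig, reply = {}, {}
    for field in fields:
        if "=" not in field:
            continue
        key, value = field.split("=", 1)
        (reply if key in orig else orig)[key] = value
    return {
        "proto": fields[0],
        "state": fields[3],              # TCP state is the fourth column for tcp
        "unreplied": "[UNREPLIED]" in fields,
        "orig": orig,
        "reply": reply,
    }


def check_active_ftp_expectation(port_cmd, ct_line, lan_client, public_ip):
    """Cross-check the data connection the client requested in PORT against what
    conntrack recorded when the server's SYN arrived.  Returns a list of
    problems; an empty list means the entry is exactly the expected connection."""
    adv_host, adv_port = parse_hostport(port_cmd)
    ct = parse_conntrack(ct_line)
    o, r = ct["orig"], ct["reply"]
    problems = []
    if adv_host != lan_client:
        problems.append("PORT advertises %s, not the LAN client %s" % (adv_host, lan_client))
    if o["sport"] != "20":
        problems.append("server used source port %s, not ftp-data (20)" % o["sport"])
    if (o["dst"], int(o["dport"])) != (public_ip, adv_port):
        problems.append("server connected to %s:%s but PORT asked for %s:%d"
                        % (o["dst"], o["dport"], public_ip, adv_port))
    if (r["src"], int(r["sport"])) != (lan_client, adv_port):
        problems.append("reply tuple is %s:%s, so ip_nat_ftp did not map the data "
                        "connection back to %s:%d" % (r["src"], r["sport"], lan_client, adv_port))
    if ct["unreplied"]:
        problems.append("entry is %s [UNREPLIED]: conntrack saw the server's SYN but no "
                        "packet back from %s:%s, so the SYN was dropped before it reached "
                        "the client or the client never answered it"
                        % (ct["state"], r["src"], r["sport"]))
    return problems


if __name__ == "__main__":
    print(parse_hostport(PORT_CMD))                 # ('192.168.1.100', 1402)
    print(parse_hostport(PASV_REPLY))               # ('192.31.180.2', 57510)
    print(rewrite_port_cmd(PORT_CMD, PUBLIC_IP))    # PORT 24,81,30,29,5,122
    for p in check_active_ftp_expectation(PORT_CMD, CONNTRACK_LINE, LAN_CLIENT, PUBLIC_IP):
        print("problem:", p)
```

Run against the quoted entry, the only mismatch it reports is the [UNREPLIED]
state: the reply tuple already points at 192.168.1.100:1402, which is what the
ftp NAT helper produces when it has read the PORT command, so the expectation
itself was set up and the missing piece is the packet back from the client.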
------------------------------------------------------------------------
leaf-user mailing list: [EMAIL PROTECTED]
https://lists.sourceforge.net/lists/listinfo/leaf-user
SR FAQ: http://leaf-project.org/pub/doc/docmanager/docid_1891.html