Re: can't ftp through IP Masq

2000-08-15 Thread Jason Quigley
The modules should be compiled automatically if you have elected to do Masqing 
in the kernel config.


Just do an insmod and you should be okay:

for i in /lib/modules/`uname -r`/ipv4/ip_masq_*; do insmod $i;done

Cheers,
Jason.

--On Monday, August 14, 2000 21:34 -0500 John Reinke [EMAIL PROTECTED] wrote:


I've got IP Masq compiled into the kernel, but I don't remember a selection
for that in the kernel config. What was that?

Also, I've tried both passive and non-passive in the clients (both mac and
windows).


At 19:28 2000/08/14 -0500, you wrote:

I am not able to ftp from my private network, through IP Masquerading. I
now have Debian 2.2, and I had Debian 2.1 before. As far as I can tell, I
have set up IP Masq the same way as I did before.


You need the ip_masq_ftp.o module installed, OR you need to set your FTP
client up to PASV mode.
I've got the same issue, I just haven't gotten the module yet.  PASV works
fine.

HTH!
Adam
Toronto, Ontario, Canada





--
Unsubscribe?  mail -s unsubscribe [EMAIL PROTECTED] < /dev/null


Re: can't ftp through IP Masq

2000-08-15 Thread John Reinke
I did some research, and the ip_masq_ftp.o module is automatically compiled
when CONFIG_IP_MASQUERADE_MOD is selected during kernel config. I already
have it selected, and the file is in my modules directory. And like I
mentioned previously, I've tried changing the passive settings on the ftp
clients.

I re-read the IP Masq howto at http://ipmasq.cjb.net and I had included
everything I needed to have in the kernel. I had compiled everything into
the kernel, with nothing compiled as modules - that shouldn't hurt, should
it?

There were a few items that I don't have which were shown at that web site.
They put a lot of settings in the /etc/rc.d/rc.firewall file on a RedHat
system. Where would I put that in my potato system, in case some of those
settings help?

Here's what my problem is (for those just joining): I have IP Masqing set
up on a potato system, and everything works through it except ftp. The ftp
clients on machines on the private network connect to external sites, but
never are able to get a listing of the files or even retrieve files from
those systems.

John

At 19:28 2000/08/14 -0500, you wrote:
I am not able to ftp from my private network, through IP Masquerading. I
now have Debian 2.2, and I had Debian 2.1 before. As far as I can tell, I
have set up IP Masq the same way as I did before.

You need the ip_masq_ftp.o module installed, OR you need to set your FTP
client up to PASV mode.
I've got the same issue, I just haven't gotten the module yet.  PASV works
fine.

HTH!
Adam
Toronto, Ontario, Canada





Re: can't ftp through IP Masq

2000-08-15 Thread John Reinke
This doesn't seem to help, either. The ftp clients still just sit there,
trying to get the list of files...

thanks,
John

The modules should be compiled automatically if you have elected to do
Masqing in the kernel config.

Just do an insmod and you should be okay:

for i in /lib/modules/`uname -r`/ipv4/ip_masq_*; do insmod $i;done

Cheers,
Jason.





Re: can't ftp through IP Masq

2000-08-15 Thread John Pearson
On Tue, Aug 15, 2000 at 03:37:30AM -0500, John Reinke wrote:
 I did some research, and the ip_masq_ftp.o module is automatically compiled
 when CONFIG_IP_MASQUERADE_MOD is selected during kernel config. I already
 have it selected, and the file is in my modules directory. And like I
 mentioned previously, I've tried changing the passive settings on the ftp
 clients.
 
 I re-read the IP Masq howto at http://ipmasq.cjb.net and I had included
 everything I needed to have in the kernel. I had compiled everything into
 the kernel, with nothing compiled as modules - that shouldn't hurt, should
 it?
 
 There were a few items that I don't have which were shown at that web site.
 They put a lot of settings in the /etc/rc.d/rc.firewall file on a RedHat
 system. Where would I put that in my potato system, in case some of those
 settings help?
 
 Here's what my problem is (for those just joining): I have IP Masqing set
 up on a potato system, and everything works through it except ftp. The ftp
 clients on machines on the private network connect to external sites, but
 never are able to get a listing of the files or even retrieve files from
 those systems.
 

So, just to check... if you go
# lsmod

does it list ip_masq_ftp?


John P.
-- 
[EMAIL PROTECTED]
[EMAIL PROTECTED]
http://www.mdt.net.au/~john Debian Linux admin  support:technical services



Re: can't ftp through IP Masq

2000-08-15 Thread Stan Kaufman
John Reinke wrote:
 
 Here's what my problem is (for those just joining): I have IP Masqing set
 up on a potato system, and everything works through it except ftp. The ftp
 clients on machines on the private network connect to external sites, but
 never are able to get a listing of the files or even retrieve files from
 those systems.
 
 John

Sounds like you're running into the problems of establishing the proper
ipchains ruleset for active vs passive ftp through your firewall, and
this probably isn't an issue with ipmasq per se.

This has been discussed recently on the firewalls listserv. Check out 
http://geocrawler.com/lists/3/Security/90/0/ for a searchable archive;
think you'll find some answers there. (I personally am still trying to
figure this out myself, or I'd chime in with the answer myself ;-)

Stan



Re: can't ftp through IP Masq

2000-08-15 Thread John Reinke
Okay, it looks like things work now. I had a two-fold problem. I'll need to
know where to put things so this is all done automatically when I boot,
however.

The first part is that the modules weren't loading. Jason's suggestion
fixed that. If I list them in /etc/modules, will they get loaded
automatically? Or, do I need to put the following line somewhere?

 for i in /lib/modules/`uname -r`/ipv4/ip_masq_*; do insmod $i;done

The second part is that I needed to increase the timeout values for
ipchains. Where should I put the following line, so it is executed
automatically?

/sbin/ipchains -M -S 7200 10 160

I've put another ipchains statement within the /etc/init.d/networking file,
but is there a better place to put it with the potato network setup?

Thanks for the help,
John

On Tue, Aug 15, 2000 at 03:37:30AM -0500, John Reinke wrote:
So, just to check... if you go
# lsmod

does it list ip_masq_ftp?

John P.

Here's the output:

[EMAIL PROTECTED]:~$ /sbin/lsmod
Module                  Size  Used by
ip_masq_vdolive         1368   0 (unused)
ip_masq_user            2516   0 (unused)
ip_masq_raudio          2936   0 (unused)
ip_masq_quake           1332   0 (unused)
ip_masq_irc             1560   0 (unused)
ip_masq_ftp             2456   0
ip_masq_cuseeme         1144   0 (unused)





Re: can't ftp through IP Masq

2000-08-15 Thread Rick Macdonald
On Tue, 15 Aug 2000, Stan Kaufman wrote:

 John Reinke wrote:
  
  Here's what my problem is (for those just joining): I have IP Masqing set
  up on a potato system, and everything works through it except ftp. The ftp
  clients on machines on the private network connect to external sites, but
  never are able to get a listing of the files or even retrieve files from
  those systems.
  
  John
 
 Sounds like you're running into the problems of establishing the proper
 ipchains ruleset for active vs passive ftp through your firewall, and
 this probably isn't an issue with ipmasq per se.

I have the same problem, and just now discovered that I didn't config my
2.2.14 kernel with CONFIG_IP_MASQUERADE_MOD.

So, I just set this flag and re-compiled the kernel, only to find that
ip_masq_app.c was still not compiled because, I think, this in file
net/ipv4/.depend:

   $(wildcard /usr/src/linux/include/config/ip/masq/debug.h)
ip_masq_ftp.o: \

That debug.h file doesn't exist.

I've just installed and am about to build the potato
kernel-source-2.2.17_2.2.17pre6-1.deb package.

Anybody have any comments about this?

...RickM...



Re: can't ftp through IP Masq

2000-08-15 Thread John Reinke
I used 2.2.17pre6, and it handled compiling the modules for
CONFIG_IP_MASQUERADE_MOD. Also, it sounds like there have been some
security patches and things, so it is recommended to at least use 2.2.16 or
newer. The IP Masq howto I read (URL was in a previous message) strongly
suggested 2.2.16 or newer as well.

John

On Tue, 15 Aug 2000, Stan Kaufman wrote:

 John Reinke wrote:
 
  Here's what my problem is (for those just joining): I have IP Masqing set
  up on a potato system, and everything works through it except ftp. The ftp
  clients on machines on the private network connect to external sites, but
  never are able to get a listing of the files or even retrieve files from
  those systems.
 
  John

 Sounds like you're running into the problems of establishing the proper
 ipchains ruleset for active vs passive ftp through your firewall, and
 this probably isn't an issue with ipmasq per se.

I have the same problem, and just now discovered that I didn't config my
2.2.14 kernel with CONFIG_IP_MASQUERADE_MOD.

So, I just set this flag and re-compiled the kernel, only to find that
ip_masq_app.c was still not compiled because, I think, this in file
net/ipv4/.depend:

   $(wildcard /usr/src/linux/include/config/ip/masq/debug.h)
ip_masq_ftp.o: \

That debug.h file doesn't exist.

I've just installed and am about to build the potato
kernel-source-2.2.17_2.2.17pre6-1.deb package.

Anybody have any comments about this?

...RickM...





Re: can't ftp through IP Masq

2000-08-15 Thread Rick Macdonald
On Tue, 15 Aug 2000, John Reinke wrote:

 I used 2.2.17pre6, and it handled compiling the modules for
 CONFIG_IP_MASQUERADE_MOD. Also, it sounds like there have been some
 security patches and things, so it is recommended to at least use 2.2.16 or
 newer. The IP Masq howto I read (URL was in a previous message) strongly
 suggested 2.2.16 or newer as well.

My compile just finished for 2.2.17pre6, and it still didn't compile
ip_masq_ftp:

ld -m elf_i386  -r -o ipv4.o  ip_masq.o ip_masq_app.o  ip_masq_mod.o
utils.o route.o proc.o timer.o protocol.o ip_input.o ip_fragment.o
ip_forward.o ip_options.o ip_output.o ip_sockglue.o tcp.o tcp_input.o
tcp_output.o tcp_timer.o tcp_ipv4.o raw.o udp.o arp.o icmp.o devinet.o
af_inet.o igmp.o sysctl_net_ipv4.o fib_frontend.o fib_semantics.o
fib_hash.o ip_fw.o
make[4]: Leaving directory `/usr/src/kernel-source-2.2.17/net/ipv4'

What am I missing? I build the kernel with:
make-kpkg --revision=custom.1.0 kernel_image

Here are the net sections of my .config file:

#
# Networking options
#
CONFIG_PACKET=y
CONFIG_NETLINK=y
# CONFIG_RTNETLINK is not set
# CONFIG_NETLINK_DEV is not set
CONFIG_FIREWALL=y
# CONFIG_FILTER is not set
CONFIG_UNIX=y
CONFIG_INET=y
# CONFIG_IP_MULTICAST is not set
# CONFIG_IP_ADVANCED_ROUTER is not set
# CONFIG_IP_PNP is not set
CONFIG_IP_FIREWALL=y
# CONFIG_IP_FIREWALL_NETLINK is not set
# CONFIG_IP_TRANSPARENT_PROXY is not set
CONFIG_IP_MASQUERADE=y

#
# Protocol-specific masquerading support will be built as modules.
#
CONFIG_IP_MASQUERADE_ICMP=y

#
# Protocol-specific masquerading support will be built as modules.
#
CONFIG_IP_MASQUERADE_MOD=y
# CONFIG_IP_MASQUERADE_IPAUTOFW is not set
# CONFIG_IP_MASQUERADE_IPPORTFW is not set
# CONFIG_IP_MASQUERADE_MFW is not set
# CONFIG_IP_ROUTER is not set
# CONFIG_NET_IPIP is not set
# CONFIG_NET_IPGRE is not set
# CONFIG_IP_ALIAS is not set
# CONFIG_SYN_COOKIES is not set

#
# (it is safe to leave these untouched)
#
# CONFIG_INET_RARP is not set
# CONFIG_SKB_LARGE is not set
# CONFIG_IPV6 is not set

#
#  
#
# CONFIG_IPX is not set
# CONFIG_ATALK is not set
# CONFIG_X25 is not set
# CONFIG_LAPB is not set
# CONFIG_BRIDGE is not set
# CONFIG_LLC is not set
# CONFIG_ECONET is not set
# CONFIG_WAN_ROUTER is not set
# CONFIG_NET_FASTROUTE is not set
# CONFIG_NET_HW_FLOWCONTROL is not set
# CONFIG_CPU_IS_SLOW is not set

...RickM...



Re: can't ftp through IP Masq - IP Masq in kernel

2000-08-15 Thread John Reinke
I'm not sure about the compile problems, but there are some items you'll
need to include in the kernel that you don't have selected below. Look at
this howto, and it goes through all the items you'll want to enable while
configuring the kernel.

http://www.e-infomax.com/ipmasq/howto/ipmasq-HOWTO-1.90c.html

It is a link from this helpful site:
http://ipmasq.cjb.net/

Good luck!

On Tue, 15 Aug 2000, Rick Macdonald wrote:

 On Tue, 15 Aug 2000, John Reinke wrote:
 
  I used 2.2.17pre6, and it handled compiling the modules for
  CONFIG_IP_MASQUERADE_MOD. Also, it sounds like there have been some
  security patches and things, so it is recommended to at least use 2.2.16 or
  newer. The IP Masq howto I read (URL was in a previous message) strongly
  suggested 2.2.16 or newer as well.
 
 My compile just finished for 2.2.17pre6, and it still didn't compile
 ip_masq_ftp:
 
 ld -m elf_i386  -r -o ipv4.o  ip_masq.o ip_masq_app.o  ip_masq_mod.o
 utils.o route.o proc.o timer.o protocol.o ip_input.o ip_fragment.o
 ip_forward.o ip_options.o ip_output.o ip_sockglue.o tcp.o tcp_input.o
 tcp_output.o tcp_timer.o tcp_ipv4.o raw.o udp.o arp.o icmp.o devinet.o
 af_inet.o igmp.o sysctl_net_ipv4.o fib_frontend.o fib_semantics.o
 fib_hash.o ip_fw.o
 make[4]: Leaving directory `/usr/src/kernel-source-2.2.17/net/ipv4'
 
 What am I missing? I build the kernel with:
 make-kpkg --revision=custom.1.0 kernel_image
 
 Here are the net sections of my .config file:
 
 #
 # Networking options
 #
 CONFIG_PACKET=y
 CONFIG_NETLINK=y
 # CONFIG_RTNETLINK is not set
 # CONFIG_NETLINK_DEV is not set
 CONFIG_FIREWALL=y
 # CONFIG_FILTER is not set
 CONFIG_UNIX=y
 CONFIG_INET=y
 # CONFIG_IP_MULTICAST is not set
 # CONFIG_IP_ADVANCED_ROUTER is not set
 # CONFIG_IP_PNP is not set
 CONFIG_IP_FIREWALL=y
 # CONFIG_IP_FIREWALL_NETLINK is not set
 # CONFIG_IP_TRANSPARENT_PROXY is not set
 CONFIG_IP_MASQUERADE=y
 
 #
 # Protocol-specific masquerading support will be built as modules.
 #
 CONFIG_IP_MASQUERADE_ICMP=y
 
 #
 # Protocol-specific masquerading support will be built as modules.
 #
 CONFIG_IP_MASQUERADE_MOD=y
 # CONFIG_IP_MASQUERADE_IPAUTOFW is not set
 # CONFIG_IP_MASQUERADE_IPPORTFW is not set
 # CONFIG_IP_MASQUERADE_MFW is not set
 # CONFIG_IP_ROUTER is not set
 # CONFIG_NET_IPIP is not set
 # CONFIG_NET_IPGRE is not set
 # CONFIG_IP_ALIAS is not set
 # CONFIG_SYN_COOKIES is not set
 
 #
 # (it is safe to leave these untouched)
 #
 # CONFIG_INET_RARP is not set
 # CONFIG_SKB_LARGE is not set
 # CONFIG_IPV6 is not set
 
 #
 #  
 #
 # CONFIG_IPX is not set
 # CONFIG_ATALK is not set
 # CONFIG_X25 is not set
 # CONFIG_LAPB is not set
 # CONFIG_BRIDGE is not set
 # CONFIG_LLC is not set
 # CONFIG_ECONET is not set
 # CONFIG_WAN_ROUTER is not set
 # CONFIG_NET_FASTROUTE is not set
 # CONFIG_NET_HW_FLOWCONTROL is not set
 # CONFIG_CPU_IS_SLOW is not set
 
 ...RickM...
 



Re: can't ftp through IP Masq

2000-08-15 Thread Sven Burgener
On Tue, Aug 15, 2000 at 08:08:15AM -0700, Stan Kaufman wrote:
 This has been discussed recently on the firewalls listserv. Check out 
 http://geocrawler.com/lists/3/Security/90/0/ for a searchable archive;
 think you'll find some answers there. (I personally am still trying to
 figure this out myself, or I'd chime in with the answer myself ;-)

For passive FTP, I use the following ipchains ruleset snippet:

<snippet>
#!/bin/sh

# Definitions
ipchains=$(which ipchains)

# Enable IP forwarding
echo 1 > /proc/sys/net/ipv4/ip_forward

# Default policies for all chains
${ipchains} -P input DENY
${ipchains} -P forward DENY
${ipchains} -P output DENY

# Flush rules
${ipchains} --flush input
${ipchains} --flush forward
${ipchains} --flush output

# Allow returning ftp packets to enter
# Passive FTP is the policy
${ipchains} -A input -p tcp -s 0.0.0.0/0 21 -i ppp0 -j ACCEPT ! -y
${ipchains} -A input -p tcp -s 0.0.0.0/0 --sport 1024:65535 \
--dport 1024:65535 -i ppp0 -j ACCEPT ! -y

# Allow leaving ftp packets to leave
# Passive ftp transfers require this (passive FTP is the policy)
${ipchains} -A output -p tcp -d 0.0.0.0/0 21 -i ppp0 -j ACCEPT
${ipchains} -A output -p tcp -d 0.0.0.0/0 1024:65535 -i ppp0 -j ACCEPT
</snippet>

Is this the correct way of doing this? Anything better? It works, that's
for sure.

Suggestions welcomed. :)

HTH
Sven
-- 
[Microsoft] ... guarantees 99.8% NT uptime for certain hard-/software.
That's exactly the 3 minutes daily that my NT server needs to reboot.
-- ZDnet editorial
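As an added check on the snippet above (example code, not part of Sven's post or of ipchains itself): a small Python model of ipchains first-match rule evaluation, run over the two input rules exactly as written, against a few constructed packets. It confirms what the rules are for (the server's replies from port 21 and the passive data connection between two unprivileged ports get in on ppp0) and also shows what else they admit: `! -y` only excludes pure SYN segments and no connection state is consulted, so a TCP segment with ACK set between two unprivileged ports is accepted whether or not a connection exists, while the same segment aimed at port 22 still falls through to the DENY policy. The gateway address 203.0.113.5, the server 198.51.100.7 and the unrelated host 192.0.2.9 are documentation addresses chosen for the example.

```python
"""Added example, not code from the thread: a model of ipchains first-match
rule evaluation, used to check what the passive-FTP input rules above admit.

The two rules are Sven's, written out without the ${ipchains} prefix; the
packets are constructed for the example (gateway 203.0.113.5 on ppp0,
FTP server 198.51.100.7, unrelated host 192.0.2.9)."""
import ipaddress
import shlex

INPUT_POLICY = "DENY"
INPUT_RULES = [
    "-A input -p tcp -s 0.0.0.0/0 21 -i ppp0 -j ACCEPT ! -y",
    "-A input -p tcp -s 0.0.0.0/0 --sport 1024:65535 --dport 1024:65535 -i ppp0 -j ACCEPT ! -y",
]


def _port_range(spec):
    """'21' -> (21, 21); '1024:65535' -> (1024, 65535)."""
    lo, _, hi = spec.partition(":")
    return int(lo), int(hi or lo)


def parse_rule(text):
    """Parse the subset of ipchains syntax the snippet uses: -A, -p, -s/-d with
    an optional numeric port or range after the address, --sport/--dport, -i,
    -j, and -y (optionally negated with '!'). Anything else raises."""
    tok = shlex.split(text)
    rule = {"chain": None, "proto": None, "src": None, "sport": None, "dst": None,
            "dport": None, "iface": None, "target": None, "syn": None}
    i = 0
    while i < len(tok):
        negate = tok[i] == "!"
        if negate:
            i += 1
        t = tok[i]
        if negate and t != "-y":
            raise ValueError(f"example parser only supports negating -y, got ! {t}")
        if t in ("-A", "-p", "-i", "-j"):
            key = {"-A": "chain", "-p": "proto", "-i": "iface", "-j": "target"}[t]
            rule[key] = tok[i + 1].lower() if t == "-p" else tok[i + 1]
            i += 2
        elif t in ("-s", "-d"):
            akey, pkey = ("src", "sport") if t == "-s" else ("dst", "dport")
            rule[akey] = ipaddress.ip_network(tok[i + 1], strict=False)
            i += 2
            if i < len(tok) and tok[i][0].isdigit():   # "-s 0.0.0.0/0 21" form (numeric ports only)
                rule[pkey] = _port_range(tok[i])
                i += 1
        elif t in ("--sport", "--dport"):
            rule[t[2:]] = _port_range(tok[i + 1])
            i += 2
        elif t == "-y":
            rule["syn"] = not negate   # -y: SYN set, ACK and FIN clear; '! -y' is the inverse
            i += 1
        else:
            raise ValueError(f"unsupported option in example parser: {t}")
    return rule


def matches(rule, pkt):
    """Does one rule match a packet? Unspecified fields are wildcards."""
    if rule["proto"] and rule["proto"] != pkt["proto"]:
        return False
    if rule["iface"] and rule["iface"] != pkt["iface"]:
        return False
    for akey in ("src", "dst"):
        if rule[akey] is not None and ipaddress.ip_address(pkt[akey]) not in rule[akey]:
            return False
    for pkey in ("sport", "dport"):
        rng = rule[pkey]
        if rng is not None and not (rng[0] <= pkt[pkey] <= rng[1]):
            return False
    if rule["syn"] is not None:
        pure_syn = (pkt["proto"] == "tcp" and "SYN" in pkt["flags"]
                    and not ({"ACK", "FIN"} & pkt["flags"]))
        if pure_syn != rule["syn"]:
            return False
    return True


def verdict(rules, policy, pkt):
    """ipchains walks the chain in order; the first matching rule decides,
    otherwise the chain policy applies."""
    for rule in rules:
        if matches(rule, pkt):
            return rule["target"]
    return policy


def packet(src, sport, dst, dport, flags, proto="tcp", iface="ppp0"):
    return {"src": src, "sport": sport, "dst": dst, "dport": dport,
            "flags": set(flags), "proto": proto, "iface": iface}


def check_snippet():
    """Run constructed packets through the snippet's input chain; return {case: verdict}."""
    rules = [parse_rule(r) for r in INPUT_RULES]
    gw = "203.0.113.5"
    cases = {
        "control channel reply from server port 21": packet("198.51.100.7", 21, gw, 1040, {"ACK"}),
        "passive data channel reply, high port to high port": packet("198.51.100.7", 10000, gw, 1041, {"ACK"}),
        "new connection (SYN) to a high port": packet("192.0.2.9", 40000, gw, 8080, {"SYN"}),
        "ACK-only probe to a high port, no connection": packet("192.0.2.9", 40000, gw, 8080, {"ACK"}),
        "ACK-only probe to port 22": packet("192.0.2.9", 40000, gw, 22, {"ACK"}),
        "UDP reply from port 53": packet("192.0.2.9", 53, gw, 1050, set(), proto="udp"),
    }
    return {name: verdict(rules, INPUT_POLICY, p) for name, p in cases.items()}


if __name__ == "__main__":
    for name, result in check_snippet().items():
        print(f"{result:7} {name}")
```

The fourth case is the one to look at: a segment that was never part of any connection is admitted as long as it is not a pure SYN and both ports are above 1023. That is a property of any stateless `! -y` rule, not of this snippet in particular.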



Re: can't ftp through IP Masq

2000-08-15 Thread John Reinke
I only had one ipchains rule to turn it on, and added another to prevent
timeout on secondary ftp connections, but I don't really understand it all
yet. I might try the script below, though. What do you name it, and where
do you put it so it gets read?

(Nice footer, BTW.)

John

On Tue, 15 Aug 2000, Sven Burgener wrote:

 For passive FTP, I use the following ipchains ruleset snippet:
 
 <snippet>
 #!/bin/sh
 
 # Definitions
 ipchains=$(which ipchains)
 
 # Enable IP forwarding
 echo 1 > /proc/sys/net/ipv4/ip_forward
 
 # Default policies for all chains
 ${ipchains} -P input DENY
 ${ipchains} -P forward DENY
 ${ipchains} -P output DENY
 
 # Flush rules
 ${ipchains} --flush input
 ${ipchains} --flush forward
 ${ipchains} --flush output
 
 # Allow returning ftp packets to enter
 # Passive FTP is the policy
 ${ipchains} -A input -p tcp -s 0.0.0.0/0 21 -i ppp0 -j ACCEPT ! -y
 ${ipchains} -A input -p tcp -s 0.0.0.0/0 --sport 1024:65535 \
   --dport 1024:65535 -i ppp0 -j ACCEPT ! -y
 
 # Allow leaving ftp packets to leave
 # Passive ftp transfers require this (passive FTP is the policy)
 ${ipchains} -A output -p tcp -d 0.0.0.0/0 21 -i ppp0 -j ACCEPT
 ${ipchains} -A output -p tcp -d 0.0.0.0/0 1024:65535 -i ppp0 -j ACCEPT
 </snippet>
 
 Is this the correct way of doing this? Anything better? It works, that's
 for sure.
 
 Suggestions welcomed. :)
 
 HTH
 Sven
 -- 
 [Microsoft] ... guarantees 99.8% NT uptime for certain hard-/software.
 That's exactly the 3 minutes daily that my NT server needs to reboot.
 -- ZDnet editorial
 



Re: can't ftp through IP Masq

2000-08-15 Thread Sven Burgener
Hi John

On Tue, Aug 15, 2000 at 02:48:12PM -0500, John Reinke wrote:
 I only had one ipchains rule to turn it on, and added another to prevent
 timeout on secondary ftp connections, but I don't really understand it all
 yet. I might try the script below, though. What do you name it, and where
 do you put it so it gets read?

As the tags show, it's a snippet of a larger script with more rules for
allowing other services thru the box. I have set things up this way:

# ls -l /etc/init.d/fire.sh
-rwxr-xr-x1 root root 1321 Aug 10 19:51 /etc/init.d/fire.sh

/etc/init.d/fire.sh calls the following scripts according to $1 it is
passed. (start or stop...)

# ls -l /etc/ppp/firewall*.sh
-rwxr-xr--1 root root  278 Aug  9 21:50 /etc/ppp/firewall_off.sh
-rwxr-xr--1 root root 5224 Aug 15 21:25 /etc/ppp/firewall_on.sh

The snippet I posted was from firewall_on.sh.

I ran update-rc.d for creating appropriate SysV links.

# zless /etc/init.d/README /usr/doc/sysvinit/README.runlevels.gz
for more infos.

 (Nice footer, BTW.)

:)

Sven
-- 
I can't be wrong, my modem's got error-correction.



can't ftp through IP Masq

2000-08-14 Thread John Reinke
I am not able to ftp from my private network, through IP Masquerading. I now
have Debian 2.2, and I had Debian 2.1 before. As far as I can tell, I have
set up IP Masq the same way as I did before.

Before, I could use ftp clients on any machine in my local network to
access anything outside my network. I can still connect to the same
machines, but now I can't get the file list from the remote ftp server or
change directories. It just sits there trying, but never gets the list.
Changing the passive setting for the ftp clients doesn't help. Also,
sometimes when it is not passive, I get a port error message from the
server.

I don't really understand how to set up IP Masq, so someone had given me an
ipchains command, and it seems to still work for the most part. All other
TCP/IP applications I use seem to be fine through the IP Masq. When going
from slink to potato, I took that ipchains command from my
/etc/init.d/network file and put it into the /etc/init.d/networking file,
right after ifup -a, and that worked.

The command is:
/sbin/ipchains -A forward -s 172.16.1.0/24 -j MASQ

172.16.1.0 is my local network. I can ftp from my Linux box, just not from
any machine on the private network.

Thanks,
John




Re: can't ftp through IP Masq

2000-08-14 Thread Adam Scriven

At 19:28 2000/08/14 -0500, you wrote:
I am not able to ftp from my private network, through IP Masquerading. I 
now have Debian 2.2, and I had Debian 2.1 before. As far as I can tell, I 
have set up IP Masq the same way as I did before.


You need the ip_masq_ftp.o module installed, OR you need to set your FTP 
client up to PASV mode.
I've got the same issue, I just haven't gotten the module yet.  PASV works 
fine.


HTH!
Adam
Toronto, Ontario, Canada
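The mechanism behind Adam's "ip_masq_ftp.o OR PASV" advice, and behind the port error John sees in non-passive mode, as an added example that is not from this thread and not the kernel's own ip_masq_ftp code: a small Python model of what the FTP masquerading helper does to the control channel. In active mode the client sends PORT with its own address and a data port embedded in the payload; plain masquerading rewrites only the IP header, so the server receives the private 172.16.x.x address and cannot connect back for the listing (or rejects the command). The helper rewrites that line to the gateway's external address and an allocated port and remembers the mapping, so the server's inbound data connection can be forwarded to the right client. A 227 reply to PASV carries the server's own public address and needs no rewriting, which is why PASV works without the module. The addresses (client 172.16.1.10 inside the thread's 172.16.1.0/24, gateway 203.0.113.5, server 198.51.100.7) and the sequential port allocation are constructed for the example.

```python
"""Added example, not code from the thread or from the 2.2 kernel: a model of
the FTP masquerading helper (ip_masq_ftp) acting on one control channel.

Constructed addresses: LAN client 172.16.1.10 (in the thread's 172.16.1.0/24),
masquerading gateway 203.0.113.5 on the outside, remote server 198.51.100.7.
"""
import ipaddress
import re

# Active mode: client sends "PORT h1,h2,h3,h4,p1,p2" naming where the server
# should connect for the data channel (port = p1*256 + p2).
PORT_RE = re.compile(r"^PORT (\d+),(\d+),(\d+),(\d+),(\d+),(\d+)\s*$", re.IGNORECASE)
# Passive mode: server answers PASV with "227 ... (h1,h2,h3,h4,p1,p2)".
PASV_RE = re.compile(r"^227 .*?\((\d+),(\d+),(\d+),(\d+),(\d+),(\d+)\)")

RFC1918 = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]


def decode_hostport(groups):
    """Six decimal fields from PORT/227 -> (dotted ip, port)."""
    h1, h2, h3, h4, p1, p2 = (int(g) for g in groups)
    return f"{h1}.{h2}.{h3}.{h4}", p1 * 256 + p2


def encode_hostport(ip, port):
    """(dotted ip, port) -> the six-field form used in PORT/227."""
    return ",".join(ip.split(".") + [str(port // 256), str(port % 256)])


def server_sees_private_address(line):
    """True when a PORT line forwarded without any helper hands the remote
    server an RFC 1918 address it cannot connect back to."""
    m = PORT_RE.match(line)
    if not m:
        return False
    ip, _ = decode_hostport(m.groups())
    return any(ipaddress.ip_address(ip) in net for net in RFC1918)


class MasqFtpHelper:
    """The part of the gateway that understands FTP: rewrites PORT on the way
    out and remembers which inbound data connection belongs to which client."""

    def __init__(self, external_ip, first_port=61000):
        self.external_ip = external_ip
        self.next_port = first_port   # assumed: external ports handed out in order
        self.expectations = {}        # external port -> (client ip, client data port)

    def client_to_server(self, line):
        """Client -> server direction. Only PORT is rewritten; everything else
        (USER, LIST, RETR, ...) passes through unchanged."""
        m = PORT_RE.match(line)
        if not m:
            return line
        client_ip, client_port = decode_hostport(m.groups())
        ext_port = self.next_port
        self.next_port += 1
        self.expectations[ext_port] = (client_ip, client_port)
        return f"PORT {encode_hostport(self.external_ip, ext_port)}\r\n"

    def server_to_client(self, line):
        """Server -> client direction. A 227 reply names the server's own
        public address, so it passes through as-is; the client then opens the
        data connection outbound, which plain masquerading already handles.
        Returns (line, decoded (ip, port) or None)."""
        m = PASV_RE.match(line)
        return line, (decode_hostport(m.groups()) if m else None)

    def inbound_data_connection(self, dst_port):
        """A SYN from the server arrives at (external_ip, dst_port). Return the
        private (ip, port) to forward it to, or None to drop it. Single-use."""
        return self.expectations.pop(dst_port, None)


if __name__ == "__main__":
    helper = MasqFtpHelper("203.0.113.5")
    port_line = "PORT 172,16,1,10,4,1\r\n"      # client 172.16.1.10, data port 1025
    print("without helper, server sees a private address:",
          server_sees_private_address(port_line))
    rewritten = helper.client_to_server(port_line)
    print("with helper, server sees:", rewritten.strip())
    print("inbound SYN to port 61000 goes to:", helper.inbound_data_connection(61000))
    print("PASV reply passes untouched:",
          helper.server_to_client("227 Entering Passive Mode (198,51,100,7,39,16)\r\n"))
```

Note that the helper has to read the control channel in the clear to do this, which is why it is a separate, protocol-specific module rather than part of the generic masquerading code.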



Re: can't ftp through IP Masq

2000-08-14 Thread John Reinke
I've got IP Masq compiled into the kernel, but I don't remember a selection
for that in the kernel config. What was that?

Also, I've tried both passive and non-passive in the clients (both mac and
windows).

At 19:28 2000/08/14 -0500, you wrote:
I am not able to ftp from my private network, through IP Masquerading. I
now have Debian 2.2, and I had Debian 2.1 before. As far as I can tell, I
have set up IP Masq the same way as I did before.

You need the ip_masq_ftp.o module installed, OR you need to set your FTP
client up to PASV mode.
I've got the same issue, I just haven't gotten the module yet.  PASV works
fine.

HTH!
Adam
Toronto, Ontario, Canada