[TAG] RE: QUESTION REGARDING IPCHAINS FTP

Ben Okopnik ben at callahans.org
Sat May 15 22:36:21 MSD 2004


On Tue, May 11, 2004 at 09:56:27AM +0100, Alice So wrote:

Hi, Alice -

> Dear TAG,
> 
> I have a question regarding the configuring of IPChains for FTP and 
> would greatly appreciate it if you can help.
> 
> I am experiencing a problem similar to that described in 
> http://linuxgazette.net/issue76/tag/2.html, and would like some 
> further clarification. The difference is I am not the administrator of
> the ipchains firewall. The firewall sits in front of the ftp server, 
> and I am a client trying to establish an ftp session. I also sit 
> behind a firewall which only allows active ftp through src ports 21 
> and 20.
> 
> I am writing as I would like to lend a hand to the administrator of 
> the firewall, who seems to be having some difficulties 
> troubleshooting.
> 
> In the analysis on my (the client) side, using active ftp I am having 
> no problem logging in and performing any activities over the command 
> port 21. However when I try to perform an activity which requires the
> establishing of the data port (dir/ls, get etc),
> my firewall will block the ftp server's responses because it does not
> see data port 20, but some random port > 1024.
> 
> As the ftp server logs show it using the ftp data port 20, the 
> suspicion is that ipchains is doing some sort of 
> translating/masquerading for the ftp data port, unfortunately the 
> administrator of the firewall cannot see this in the firewall logs.
> 
> I would greatly appreciate it if you can let me know how to confirm this 
> behaviour on the firewall. 

The first thing that comes to my mind is to take a look at the firewall
rules. I don't have "ipchains" installed, so I can't confirm any of what
comes below, but

ipchains -L

will list the rules (you'll need to read "man ipchains" carefully to
understand them.) There's no port rewriting done for FTP by a simple
firewall configuration - or even if you set up masquerading, which
should just rewrite IPs.

Next, I'd take a look at the actual packets on the network with
"tcpdump" and see what's happening on the different interfaces. If
something _is_ rewriting the ports, you'll know it right then. Are you
sure that there's no proxy running somewhere? That's generally what I
associate with port rewriting.

> The aim is for the firewall to not 
> masquerade the data port, and so would the installation of the 
> ip_masq_ftp help resolve this issue?
> 	insmod ip_masq_ftp

If I recall correctly, the idea behind this module is simply to enable
NAT for FTP. It shouldn't affect anything with regard to ports. 


* Ben Okopnik * okopnik.freeshell.org * Editor-in-Chief, Linux Gazette *
-*- See the Linux Gazette in its new home: <http://linuxgazette.net> -*-
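The following is an added example, not part of the original exchange and not anything Ben or Alice posted. It shows the protocol mechanics behind Alice's symptom: in active mode the client announces an address and port with PORT, and the server is expected to open the data connection to it from source port 20; in passive mode the server announces an address and port in its 227 reply and the client connects to it. Given a control-channel transcript (assumed format: lines prefixed "C: " for client-to-server and "S: " for server-to-client, as one might cut out of a tcpdump -A capture) and the SYN of the data connection actually seen on the wire (assumed as a (src_ip, src_port, dst_ip, dst_port) tuple), it predicts the expected data connection and reports whether the source port or address was rewritten on the way. All addresses and the transcript are constructed sample data.

```python
import re
from typing import List, NamedTuple, Optional, Tuple

# Added example for the thread above, not code from the original post. Assumes a
# control-channel transcript with "C: " / "S: " direction prefixes and a data
# connection SYN given as (src_ip, src_port, dst_ip, dst_port).


class Endpoint(NamedTuple):
    host: str
    port: int


class Expected(NamedTuple):
    mode: str                 # "active" or "passive"
    src: Optional[Endpoint]   # who should open the data connection (None: client, any ephemeral port)
    dst: Endpoint             # where the data connection should go


FTP_DATA_PORT = 20  # RFC 959 default source port of a server-initiated (active) data connection

PORT_RE = re.compile(r"^PORT\s+(\d+),(\d+),(\d+),(\d+),(\d+),(\d+)\s*$", re.I)
PASV_RE = re.compile(r"^227\s.*?\((\d+),(\d+),(\d+),(\d+),(\d+),(\d+)\)")


def decode_hostport(fields) -> Endpoint:
    """h1,h2,h3,h4,p1,p2 -> (h1.h2.h3.h4, p1*256 + p2), the encoding used by PORT and the 227 reply."""
    h1, h2, h3, h4, p1, p2 = (int(f) for f in fields)
    if not all(0 <= v <= 255 for v in (h1, h2, h3, h4, p1, p2)):
        raise ValueError("field out of range in %r" % (fields,))
    return Endpoint("%d.%d.%d.%d" % (h1, h2, h3, h4), p1 * 256 + p2)


def expected_data_connection(control_lines: List[str], server_ip: str) -> Optional[Expected]:
    """Walk the control channel and return what the next data connection should look like.
    The last PORT / 227 seen wins, since every transfer is preceded by a fresh one."""
    expected = None
    for line in control_lines:
        direction, sep, text = line.partition(": ")
        if not sep:
            continue
        text = text.strip()
        m = PORT_RE.match(text)
        if direction == "C" and m:
            # Active mode: the *server* opens the data connection, from port 20, to the
            # address/port the client announced. A client-side firewall that only passes
            # source ports 20 and 21 relies on exactly this.
            expected = Expected("active", Endpoint(server_ip, FTP_DATA_PORT), decode_hostport(m.groups()))
            continue
        m = PASV_RE.match(text)
        if direction == "S" and m:
            # Passive mode: the *client* opens the data connection, from an ephemeral port,
            # to the address/port the server announced in its 227 reply.
            expected = Expected("passive", None, decode_hostport(m.groups()))
    return expected


def check_observed(expected: Expected, syn: Tuple[str, int, str, int]) -> str:
    """Compare the data-connection SYN seen on the wire with the prediction."""
    src = Endpoint(syn[0], syn[1])
    dst = Endpoint(syn[2], syn[3])
    if dst != expected.dst:
        return "unrelated: destination %s:%d does not match announced %s:%d" % (
            dst.host, dst.port, expected.dst.host, expected.dst.port)
    if expected.mode == "passive":
        return "ok: passive-mode connection from client %s:%d" % (src.host, src.port)
    if src == expected.src:
        return "ok: active-mode connection from server port %d" % FTP_DATA_PORT
    if src.host != expected.src.host:
        return "source address rewritten: expected %s, saw %s" % (expected.src.host, src.host)
    return "source port rewritten: expected %d, saw %d (a port-20-only rule drops this)" % (
        expected.src.port, src.port)


# Constructed transcript and addresses (documentation ranges), not a real capture.
SERVER_IP = "198.51.100.5"
SAMPLE_CONTROL = [
    "S: 220 ftp.example.test ready",
    "C: USER alice",
    "S: 331 Password required",
    "C: PASS ********",
    "S: 230 Login successful",
    "C: PORT 192,0,2,10,4,1",          # client listens on 192.0.2.10 port 4*256+1 = 1025
    "S: 200 PORT command successful",
    "C: LIST",
]
# The data-connection SYN as seen by the client-side firewall: right destination,
# but the source port is not 20.
OBSERVED_SYN = ("198.51.100.5", 35122, "192.0.2.10", 1025)

if __name__ == "__main__":
    exp = expected_data_connection(SAMPLE_CONTROL, SERVER_IP)
    print("expected:", exp)
    print("verdict :", check_observed(exp, OBSERVED_SYN))
```

To use it on a real case, feed the control-channel lines from a capture of port 21 and the first SYN of the data connection seen on each side of the suspected firewall: if the prediction matches on the server's inside interface but the source port differs on the outside, the rewrite is happening in that box. A mismatch on both sides points at the FTP server itself (or a proxy in front of it) rather than at the firewall.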