[TAG] RE: QUESTION REGARDING IPCHAINS FTP
ben at callahans.org
Sat May 15 22:36:21 MSD 2004
On Tue, May 11, 2004 at 09:56:27AM +0100, Alice So wrote:
Hi, Alice -
> Dear TAG,
> I have a question regarding the configuring of IPChains for FTP and
> would greatly appreciate if you can help.
> I am experiencing a problem similar to that described in
> http://linuxgazette.net/issue76/tag/2.html, and would like some
> further clarification. the difference is I am not the administrator of
> the ipchains firewall. The firewall sits in front of the ftp server,
> and I am a client trying to establish an ftp session. I also sit
> behind a firewall which only allows active ftp through src ports 21
> and 20.
> I am writing as I would like to lend a hand to the administrator of
> the firewall, who seems to be having some difficulties
> In the analysis on my (the client) side, using active ftp I am having
> no problem logging in and performing any activities over the command
> port 21. However when I try to perform an activity which requires the
> establishing of the data port (dir/ls, get etc),
> my firewall will block the ftp server's responses because it does not
> see data port 20, but some random port > 1024.
> As the ftp server logs show it using the ftp data port 20, the
> suspicion is that ipchains is doing some sort of
> translating/masquerading for the ftp data port, unfortunately the
> administrator of the firewall cannot see this in the firewall logs.
> I would greatly appreciate if you can let me know how to confirm this
> behaviour on the firewall.
The first thing that comes to my mind is to take a look at the firewall
rules. I don't have "ipchains" installed, so I can't confirm any of what
comes below, but
will list the rules (you'll need to read "man ipchains" carefully to
understand them.) There's no port rewriting done for FTP by a simple
firewall configuration - or even if you set up masquerading, which
should just rewrite IPs.
Next, I'd take a loop at the actual packets on the network with
"tcpdump" and see what's happening on the different interfaces. If
something _is_ rewriting the ports, you'll know it right then. Are you
sure that there's no proxy running somewhere? That's generally what I
associate with port rewriting.
> The aim is for the firewall to not
> masquerade the data port, and so would the installation of the
> ip_masq_ftp help resolve this issue?
> insmod ip_masq_ftp
If I recall correctly, the idea behind this module is simply to enable
NAT for FTP. It shouldn't affect anything with regard to ports.
* Ben Okopnik * okopnik.freeshell.org * Editor-in-Chief, Linux Gazette *
-*- See the Linux Gazette in its new home: <http://linuxgazette.net> -*-
More information about the TAG