[lug] Trouble with FTP through masq firewall

Mark (Andy) Jolley majolley at qwest.net
Mon Apr 2 22:46:14 MDT 2001


I'm having trouble getting LS to work through my ip masq firewall.  Right
now it's wide open permitting all nets to talk to all nets with
bi-directional set, so this should work (using the little GUI firewall
config, I've also played with the output file a bit).

I've tried stopping IP chains and just using the firewall box to ftp to
various places, he can connect, but it looks like everything is getting
forced to passive automatically on the server, so I don't know what's going
on.

My guess is that the port 20 data connection from the FTP server on the
other end is getting killed.  I've searched the stuff here via the web site
and found a couple of answers to my issue, but I'm not sure how to
implement.

One of the responses to a similar problem was to make sure ip_masq_ftp.o was
included in the Kernel.  Now I'm a newbie and never kernel hacked, so how
can I see if this is in the kernel?  And if it isn't, how do I add it? I'm
on Red Hat 7.0's professional server default Kernel with pretty much
everything installed (at least stated by the install process).  I've tried
the RedHat GUI KernelConfig, but as no surprise, it doesn't get down to that
level of granularity.

One of the other suggestions was to always use passive mode.  Well, this is a
box set to share my dialup connection with my wife, who does not know or
frankly really care what passive FTP is, so I'm looking for a fix on the
firewall rather than relying on client knowledge.

Here's the code from the ipchains file that the firewall config gui spits
out. My understanding of this is that right now I'm VERY VERY wide open.
But I'm trying to eliminate firewall rules as my issue.  I understand the
concepts of firewall rules (I manage a couple at work), but even if I try to
set up a rule to allow communication inbound on port 20 for the data
connection, no luck.
:input ACCEPT
:forward ACCEPT
:output ACCEPT
:icmp -
-A input -s 0.0.0.0/0.0.0.0 -d 0.0.0.0/0.0.0.0 -p 1 -j icmp
-A input -s 0.0.0.0/0.0.0.0 -d 0.0.0.0/0.0.0.0 -p 6 -j ACCEPT
-A input -s 0.0.0.0/0.0.0.0 -d 0.0.0.0/0.0.0.0 -p 6 -j ACCEPT
-A input -s 0.0.0.0/0.0.0.0 -d 0.0.0.0/0.0.0.0 -p 17 -j ACCEPT
-A input -s 0.0.0.0/0.0.0.0 -d 0.0.0.0/0.0.0.0 -p 17 -j ACCEPT
-A forward -s 0.0.0.0/0.0.0.0 -d 0.0.0.0/0.0.0.0 -p 6 -j MASQ
-A forward -s 0.0.0.0/0.0.0.0 -d 0.0.0.0/0.0.0.0 -p 6 -j MASQ
-A forward -s 0.0.0.0/0.0.0.0 -d 0.0.0.0/0.0.0.0 -p 17 -j MASQ
-A forward -s 0.0.0.0/0.0.0.0 -d 0.0.0.0/0.0.0.0 -p 17 -j MASQ
-A icmp -s 0.0.0.0/0.0.0.0 -d 0.0.0.0/0.0.0.0 -j ACCEPT

Thanks
Andy Jolley
majolley at qwest.net
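As an added example (not part of the original post or any reply to it), a small shell script that does the "is ip_masq_ftp in the kernel" check the way one would on a 2.2-era ipchains box: it reports whether the helper is loaded, looks for the module file, loads it with modprobe if needed, and separately checks that the ruleset masquerades TCP in the forward chain. The lsmod and rule parsing take text as input, so they can be exercised on the constructed samples; the module path under /lib/modules is the conventional 2.2 location and is an assumption here.

```shell
#!/bin/sh
# Added example: on a 2.2-era ipchains/masq box, active-mode FTP from a
# masqueraded client needs the ip_masq_ftp helper so the server's port-20 data
# connection can be mapped back to the client; without it the listing hangs.

# Exit 0 if module $1 appears in the first column of lsmod-style text on stdin.
module_listed() {
  awk -v m="$1" '$1 == m { found = 1 } END { exit !found }'
}

# Exit 0 if the masq FTP helper is loaded; $1 is lsmod output as text.
ftp_helper_loaded() {
  printf '%s\n' "$1" | module_listed ip_masq_ftp
}

# Exit 0 if the ipchains rules in $1 contain a forward rule masquerading TCP.
masq_tcp_forward() {
  printf '%s\n' "$1" | awk '$1 == "-A" && $2 == "forward" && / -p 6 / && /-j MASQ/ { ok = 1 } END { exit !ok }'
}

# Constructed sample inputs (not captured from a real system).
SAMPLE_LSMOD_WITH='Module                  Size  Used by
ip_masq_ftp             3760   0 (unused)
3c59x                  20768   1 (autoclean)'
SAMPLE_LSMOD_WITHOUT='Module                  Size  Used by
3c59x                  20768   1 (autoclean)'
SAMPLE_RULES=':forward ACCEPT
-A forward -s 0.0.0.0/0.0.0.0 -d 0.0.0.0/0.0.0.0 -p 6 -j MASQ
-A forward -s 0.0.0.0/0.0.0.0 -d 0.0.0.0/0.0.0.0 -p 17 -j MASQ'

# Live check for the real box. The module path is the conventional 2.2
# location (an assumption here); modprobe needs root.
live_check() {
  rel=$(uname -r)
  if ftp_helper_loaded "$(/sbin/lsmod)"; then
    echo "ip_masq_ftp is loaded"; return 0
  fi
  modfile="/lib/modules/$rel/ipv4/ip_masq_ftp.o"
  if [ -f "$modfile" ]; then
    echo "ip_masq_ftp.o present for $rel but not loaded; loading it"
    /sbin/modprobe ip_masq_ftp
  else
    echo "no ip_masq_ftp.o under /lib/modules/$rel: helper not built for this kernel"
    return 1
  fi
}

# Run the live check only when asked, so the functions can be tested on sample text.
if [ "${1:-}" = "--check" ]; then live_check; fi
```

Run as `sh check_masq_ftp.sh --check` on the firewall box itself; the constructed samples are only there to show what the parsing functions expect.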