[lug] Re: IP masquerading and FTP hangs up on ls

bdoctor at MobileEngines.com bdoctor at MobileEngines.com
Wed Mar 15 07:45:30 MST 2000


Here is what I use on a certain linux firewall.  IPs changed for paranoia's
sake :)  
What it does:
Allows port 22 (ssh) and port 80 to all machines, plus unique ports as needed.
Our developers have personal web servers, and those are allowed, which should
be obvious.

It is not entirely complete.  I don't set any rules to check for rogue packets,
spoofing, etc.  However, it is a good start! :)  Since we are colocated,
and the machines are many miles away, I've not gone so far as to completely
lock it down with ipchains, so consider this a good start for something more
secure.

In case you are wondering how in the world I can have multiple ports bound
to addresses (ports should be one to one, rather than one to many, typically),
well, chalk that up to linux.  It is truly excellent.

-brad

------------begin--

#!/bin/sh
# ipchains + ipmasqadm firewall script for a 2.2-series kernel.
# Masquerades the internal net and port-forwards selected services
# from each host's outside address to its inside address.

[ ! -f /sbin/ipchains ] && exit 0
[ ! -f /usr/sbin/ipmasqadm ] && exit 0

INTERNAL_NET="10.10.10.0"
OUTSIDE_NET="192.168.158.0"
COMMON_SUBN="255.255.255.0"
DEST="0.0.0.0/0.0.0.0"

# Module directory for the running kernel (no trailing slash)
MOD_PATH="/lib/modules/`uname -r`"

# Outside (public-side) addresses of the forwarded hosts
web00_outside="192.168.158.39"
web01_outside="192.168.158.40"
dev00_outside="192.168.158.41"

# Their real addresses on the internal net
web00_inside="10.10.10.39"
web01_inside="10.10.10.40"
dev00_inside="10.10.10.41"

# Developers' personal web server ports, all forwarded to dev00
personal_ports="8080 10001 10002 10003 10004 10005"

case "$1" in

'start')
        echo "Starting firewall functions"
        echo "Forwarding"
        # Clear any existing port forwards and chain rules first
        /usr/sbin/ipmasqadm portfw -f
        /sbin/ipchains -F

        # Internal hosts may reach each other through the firewall
        /sbin/ipchains -A forward -s ${INTERNAL_NET}/${COMMON_SUBN} -d \
                ${INTERNAL_NET}/${COMMON_SUBN} -j ACCEPT

        # Traffic from the outside net is forwarded anywhere
        /sbin/ipchains -A forward -s ${OUTSIDE_NET}/${COMMON_SUBN} -d \
                ${DEST} -j ACCEPT

        # Everything else leaving the internal net is masqueraded
        /sbin/ipchains -A forward -j MASQ -s ${INTERNAL_NET}/${COMMON_SUBN} \
                -d ${DEST}
        # Note: no default DENY policy is set on the forward chain; the
        # author describes this script as a starting point, not a lockdown.

        echo "Service modules"
        # Masquerading helpers for protocols that open secondary connections;
        # ip_masq_ftp rewrites PORT/PASV so FTP works from behind the firewall
        insmod ${MOD_PATH}/ipv4/ip_masq_ftp.o
        insmod ${MOD_PATH}/ipv4/ip_masq_raudio.o
        insmod ${MOD_PATH}/ipv4/ip_masq_vdolive.o

        echo "Port forwarding"

        # web00: ssh, ftp, http
        /usr/sbin/ipmasqadm portfw -a -P tcp -L ${web00_outside} 22 -R \
                ${web00_inside} 22

        /usr/sbin/ipmasqadm portfw -a -P tcp -L ${web00_outside} 21 -R \
                ${web00_inside} 21

        /usr/sbin/ipmasqadm portfw -a -P tcp -L ${web00_outside} 80 -R \
                ${web00_inside} 80

        # web01: ssh, http
        /usr/sbin/ipmasqadm portfw -a -P tcp -L ${web01_outside} 22 -R \
                ${web01_inside} 22

        /usr/sbin/ipmasqadm portfw -a -P tcp -L ${web01_outside} 80 -R \
                ${web01_inside} 80

        # dev00: ssh, http
        /usr/sbin/ipmasqadm portfw -a -P tcp -L ${dev00_outside} 22 -R \
                ${dev00_inside} 22

        /usr/sbin/ipmasqadm portfw -a -P tcp -L ${dev00_outside} 80 -R \
                ${dev00_inside} 80

        # IBM server
        /usr/sbin/ipmasqadm portfw -a -P tcp -L ${dev00_outside} 8008 -R \
                ${dev00_inside} 8008
        /usr/sbin/ipmasqadm portfw -a -P tcp -L ${dev00_outside} 9000 -R \
                ${dev00_inside} 9000

        # CVS
        /usr/sbin/ipmasqadm portfw -a -P tcp -L ${dev00_outside} 2401 -R \
                ${dev00_inside} 2401

        # personal server ports, to dev00
        for i in $personal_ports ; do
                /usr/sbin/ipmasqadm portfw -a -P tcp -L ${dev00_outside} $i -R \
                        ${dev00_inside} $i
        done

        echo "Done"
        ;;

'stop')
        echo "Flushing firewall, no more forwarding"
        /sbin/ipchains -F
        /usr/sbin/ipmasqadm portfw -f
        echo "Done"
        ;;

*)
        echo "Usage: $0 [start|stop]"
        ;;
esac
---------------


> 
> The other option is to use the ip_masq_ftp.o kernel module to
> deal with the FTP issues when masquerading. This allows both
> PORT and PASV modes to be used from behind a masquerading
> firewall.
> 
> "Ferdinand P. Schmid" wrote:
> > 
> > Anthony:
> > 
> > I posted my response also to the blug list because I recently received
> > several requests regarding the same issue.  Hopefully in the future a
> > query on the topic will also list this response.
> > 
> > The problem is caused by a peculiarity of FTP:
> > Whenever you make a standard FTP connection to a host (this is called
> > the control connection) the host will try to establish a second
> > connection back to you for transferring information (data connection).
> > Since IP Masquerading only allows outgoing connections this incoming
> > connection won't succeed and you won't be able to do directory listings...
> > 
> > "Anthony N. Urwin" wrote:
> > 
> > >
> > > Hello,
> > >
> > > I saw your message about the ls command you had in a news group and
> > > you were getting invalid port command with IP masquerading? I was
> > > wondering if you ran into a solution. I am having the same problem.
> > > Thanks in advance.
> 
> -- 
> Rob Riggs
> http://www.pangalactic.org/
> 
> _______________________________________________
> Web Page:  http://lug.boulder.co.us
> Mailing List: http://lists.lug.boulder.co.us/mailman/listinfo/lug
> 
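As an added illustration (not code from any post in this thread), the following Python model shows what the ip_masq_ftp.o helper does for the active-mode case described above: it rewrites the inside client's PORT command so the server sees the firewall's outside address and a port the firewall has reserved, and it records that reservation so the server's incoming data connection can be forwarded to the inside host instead of being dropped. The addresses reuse the post's dev00 layout (10.10.10.41 behind 192.168.158.41); the class name, method names and the 61000+ port range are my assumptions.

```python
import re

# Constructed to mirror the post's layout (assumption): dev00 sits inside on
# 10.10.10.41 and is masqueraded behind the outside address 192.168.158.41.
PORT_RE = re.compile(rb"^PORT (\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3})\r\n$")


def parse_port(line: bytes):
    """Decode 'PORT h1,h2,h3,h4,p1,p2' into (ip, port), or None if not a PORT line."""
    m = PORT_RE.match(line)
    if m is None:
        return None
    h1, h2, h3, h4, p1, p2 = (int(x) for x in m.groups())
    if max(h1, h2, h3, h4, p1, p2) > 255:
        return None  # malformed octet; leave the line alone
    return f"{h1}.{h2}.{h3}.{h4}", p1 * 256 + p2


def format_port(ip: str, port: int) -> bytes:
    """Encode (ip, port) back into FTP's comma-separated PORT syntax."""
    return f"PORT {ip.replace('.', ',')},{port // 256},{port % 256}\r\n".encode()


class FtpMasq:
    """Toy FTP masquerading helper: rewrite PORT, remember the expected data connection."""

    def __init__(self, public_ip: str, first_port: int = 61000):
        self.public_ip = public_ip
        self.next_port = first_port  # assumed pool of ports reserved for data connections
        self.expected = {}  # (public_ip, public_port) -> (inside_ip, inside_port)

    def rewrite_from_client(self, line: bytes) -> bytes:
        """Called on control-channel data leaving the inside client."""
        parsed = parse_port(line)
        if parsed is None:
            return line  # not a PORT command: pass through unchanged
        inside_ip, inside_port = parsed
        # Without this rewrite the server would try to connect to the
        # unroutable 10.x address and the client's 'ls' would hang.
        pub_port = self.next_port
        self.next_port += 1
        self.expected[(self.public_ip, pub_port)] = (inside_ip, inside_port)
        return format_port(self.public_ip, pub_port)

    def inbound_data_target(self, dst_ip: str, dst_port: int):
        """Where a server's incoming data connection should be forwarded; None = drop."""
        return self.expected.pop((dst_ip, dst_port), None)
```

A real helper also tracks the matching PASV response from the server side, but that direction is an ordinary outbound connection from the client and already works under plain masquerading, which is why only PORT needs rewriting here.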