FTP behind Masq firewall

Hello All,
I am running a Redhat 6.0, currently kernel 2.2.5-15 but getting ready to upgrade.  
1)  The system is set up to masq traffic from my internal network.
2)  Accept VPN traffic from MS Clients.
3)  Act as a firewall.
Everything works wonderfully with one exception....  FTP
Whenever anyone on the local net attempts to FTP from a browser, it hangs and eventually times out.  Attempts to FTP from the command line in NT can connect, but as soon as a file is requested or an ls is issued the system hangs.  Here is an example:

ftp> ls
200 PORT command successful.
150 Opening ASCII mode data connection for file list.

And it basically hangs indefinitely at the "opening data connection" part.
My firewall settings, in order, with regard to this problem are:

ipchains -M -S 14400 30 300
/sbin/modprobe ip_masq_ftp.o
ipchains -A forward -i $INTERNET_NIC -d $INTERNET_NET -s $LOCAL_NET -j MASQ

Has anyone encountered and/or resolved this problem?
MWalter asked:
bcwhite commented:
Background:  FTP, like some IRC, Quake, CuSeeMe, and others, uses bidirectional connections.  This means that the remote machine creates a new connection back to your host.  Since a masquerading firewall doesn't know how to forward incoming connections, it just gets refused.

I assume you know this, as the "ip_masq_ftp.o" module you load is supposed to solve this problem.  I run Debian Linux (with the "ipmasq" package) and have never had this problem after loading that module.  The only obvious difference is that I "modprobe" after setting the MASQ rule, but that shouldn't make any difference.

Things I can think of to try...

1) "lsmod" to verify that the masq_ftp module has been loaded.
2) Start "iplogger" on your firewall and verify that a return connection
    is being attempted and refused.
3) "ipchains -L" and verify that you don't have any rules that forbid
    the return connection.

If you don't have any luck, the output of "lsmod" and "ipchains -L" would be useful.  If all else fails, you could try using FTP in "passive mode", since that makes only client->server connections.

-- Brian
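The "connection back to your host" problem described in the answer above, shown as an added example that is not part of the original thread or of the ip_masq_ftp module's own code. In active mode the client announces its own address and a listening port on the control channel with "PORT h1,h2,h3,h4,p1,p2" (port = p1*256 + p2) and the server connects back to it; behind masquerading that address is the client's private one, so a helper has to rewrite the command to the firewall's public address and an allocated port and remember the mapping so the server's inbound data connection can be forwarded. In passive mode the server's "227 Entering Passive Mode (h1,h2,h3,h4,p1,p2)" reply tells the client where to connect out, so no inbound connection is needed. The addresses, the session and the 61000-65095 port range (the range the Linux 2.2 masquerading code used, stated here as an assumption) are constructed for the example.

```python
import re

# Linux 2.2 masquerading allocated ports 61000-65095 for masqueraded connections
# (PORT_MASQ_BEGIN / PORT_MASQ_END in ip_masq.h); treat these values as an assumption.
MASQ_PORT_BEGIN, MASQ_PORT_END = 61000, 65096

_ADDR = r"(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3})"
PORT_RE = re.compile(r"^PORT\s+" + _ADDR + r"\s*$", re.IGNORECASE)
PASV_RE = re.compile(r"^227\b.*?\(" + _ADDR + r"\)")


def _decode(groups):
    """Turn the six h1..h4,p1,p2 fields into ('a.b.c.d', port), rejecting fields > 255."""
    nums = [int(g) for g in groups]
    if any(n > 255 for n in nums):
        raise ValueError("field out of range in FTP address: %r" % (groups,))
    return ".".join(str(n) for n in nums[:4]), nums[4] * 256 + nums[5]


def parse_port_command(line):
    """Client -> server 'PORT h1,h2,h3,h4,p1,p2' (active mode: the server connects back here)."""
    m = PORT_RE.match(line.strip())
    if not m:
        raise ValueError("not a PORT command: %r" % line)
    return _decode(m.groups())


def parse_pasv_reply(line):
    """Server -> client '227 Entering Passive Mode (h1,h2,h3,h4,p1,p2)' (client connects out)."""
    m = PASV_RE.match(line.strip())
    if not m:
        raise ValueError("not a 227 PASV reply: %r" % line)
    return _decode(m.groups())


def format_port_command(ip, port):
    """Encode ('a.b.c.d', port) back into the PORT command syntax."""
    if not 0 < port < 65536:
        raise ValueError("bad port %d" % port)
    return "PORT %s,%d,%d" % (ip.replace(".", ","), port // 256, port % 256)


class MasqFtpHelper:
    """Toy model of what an FTP masquerading helper does with the control channel."""

    def __init__(self, public_ip):
        self.public_ip = public_ip
        self.next_port = MASQ_PORT_BEGIN
        # (public_ip, public_port) -> (client_ip, client_port)
        self.mappings = {}

    def _allocate_port(self):
        if self.next_port >= MASQ_PORT_END:
            raise RuntimeError("masquerade port range exhausted")
        port, self.next_port = self.next_port, self.next_port + 1
        return port

    def rewrite_port_command(self, client_ip, line):
        """Rewrite an outbound PORT command and pre-create the reverse mapping for it."""
        addr, port = parse_port_command(line)
        if addr != client_ip:
            # This toy model refuses a PORT that points at a third host: that is an
            # FTP bounce attempt, not something NAT traversal needs to support.
            raise ValueError("PORT address %s is not the client %s" % (addr, client_ip))
        public_port = self._allocate_port()
        self.mappings[(self.public_ip, public_port)] = (addr, port)
        return format_port_command(self.public_ip, public_port)

    def route_inbound(self, dst_ip, dst_port):
        """Where an inbound data connection (server -> firewall) is forwarded, or None."""
        return self.mappings.get((dst_ip, dst_port))


def demo():
    # Constructed session: internal client 192.168.1.10 behind a firewall whose
    # public address is 203.0.113.5, talking to an FTP server at 198.51.100.7.
    helper = MasqFtpHelper("203.0.113.5")
    rewritten = helper.rewrite_port_command("192.168.1.10", "PORT 192,168,1,10,4,1")
    # The server's data connection arrives at the rewritten address and is forwarded...
    forwarded = helper.route_inbound("203.0.113.5", 61000)
    # ...while an inbound connection nobody announced has no mapping and is dropped.
    unexpected = helper.route_inbound("203.0.113.5", 61001)
    # Passive mode: the client connects out to the address in the 227 reply instead.
    pasv = parse_pasv_reply("227 Entering Passive Mode (198,51,100,7,195,80)")
    return rewritten, forwarded, unexpected, pasv


if __name__ == "__main__":
    print(demo())
```

Without the helper, the PORT command leaves the firewall carrying 192.168.1.10, the server's connection back never arrives, and the session stalls exactly at "150 Opening ASCII mode data connection" as in the question; with the helper loaded, the inbound SYN to the allocated port must still be allowed through by the forward rules, which is the second thing to check.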

MWalter (author) commented:
Thanks bcwhite,
You didn't have the exact answer to my problem, but you provided enough information for that eureka moment.  Since this is a firewall, I had disabled TCP SYN cookies for everything except the VPN.  This was preventing the FTP server from making any kind of connection.  Once I opened SYN cookies in the dynamically assigned port range, everything started working.  Thanks again for the help.