Solved

FTP not working from internal network (ftp_masquerading ???)

Posted on 2001-06-21
Last Modified: 2007-12-19
I have an internal network (192.168.1.1) connected to the web via my Linux Internet Gateway Machine(RedHat 7.1).

I have successfully enabled IP_Masq to ensure that people within the network can surf the net. However, they are unable to use FTP. How can I FIX this?

Please note I have attempted to re-compile the kernel but there are absolutely no options for masquerading or ftp. I assume it was built in to the Kernel.

The only modules I have regarding ftp are the following
/lib/modules/2.4.2-2/kernel/net/ipv4/ipvs/ip_vs_ftp.o

/lib/modules/2.4.2-2/kernel/net/ipv4/netfilter/ip_conntrack_ftp.o

/lib/modules/2.4.2-2/kernel/net/ipv4/netfilter/ip_nat_ftp.o

If these mean anything to you and are necessary for FTP to work, how do I implement them...
Question by:MCI_Consultants
24 Comments
 
LVL 1

Expert Comment

by:Nick
ID: 6214046
I presume you are running a firewall of sorts (IPCHAINS/TABLES?):

Try using the FTP clients in 'passive' mode.

Nick
 

Author Comment

by:MCI_Consultants
ID: 6214792
I tried that but the particular site I am trying to connect to is an NT Machine and for some or other reason.

I cannot connect to it using passive mode.
 

Expert Comment

by:milkfilk
ID: 6215052
do this: $ find /|grep ip_masq_ftp|grep modules

see if you have ip_masq_ftp.o

if you do, cd to the directory that it's in and type insmod ip_masq_ftp.  then type lsmod to make sure it's loaded.

now try your client's ftp program.  If it doesn't work use passive mode on your clients.
 

Author Comment

by:MCI_Consultants
ID: 6217643
Everywhere I have researched speaks about the module ip_masq_ftp.

I installed EVERYTHING(2.7gigs) for Linux RedHat 7.1.

But there is NO trace of this module.
I have run out of ideas ....
 

Author Comment

by:MCI_Consultants
ID: 6217651
Sorry, but RedHat 7.1 does not have ANY trace of this module. I have scoured the www for help on this matter but nothing .... I am thinking of going back to version 6.2 because ftp is a vital need for our internal employees.
 
LVL 1

Expert Comment

by:Nick
ID: 6218118
Is it just the ONE NT machine you can't ftp to?  Or any external machine?

Don't go backwards... I have FTP working OK with no trouble in RH7.1, so it is an easy fix somewhere.

What firewall rules are you using?  What user are you FTP'ing as? Explain in more detail.

Nick
 

Author Comment

by:MCI_Consultants
ID: 6218331
The problem has affected me on 6 different ftp sites. (I have not tried more than that).

I used the following firewall rule:-
ipchains -A forward -i eth1 -s 192.168.1.0/24 -j MASQ

I am ftping in as anonymous.

Further analysis revealed the following:

We only have Windows Clients, so I use the ftp command in my dos_prompt window and found out the following.

I can connect to the the ftp site.
I can run PWD.
I can Change Directory.

However if I do a listing it gives me the following error:-
500 Illegal Port Command

If I try and get a file it tells me :-
425 Can't build data connection: Connection refused.

When using Internet Explorer I get these messages:-
200 : Type set to A
500 Illegal PORT Command

What the ...

I have just tried it using Netscape 4.6 and Netscape 6 and
it works!!!! Damn, perhaps it is a Microsoft problem.

Any ideas on how to solve it.
 
LVL 1

Expert Comment

by:Nick
ID: 6218482
OK, so FTP _is_ working.  I have seen this port 500 message before.

Try a listing using this:

ftp>ls -ls

or

ftp>ls -lsa

That _should_ work and get you up and going.

I don't know why that port 500 message comes up.  I did fix it sometime back... I will think hard and get back to you.

Nick
 
LVL 1

Expert Comment

by:Nick
ID: 6218564
OK, it's all coming back to me now :-)

"NOTE: If your system is connected to the Internet through a firewall, the instructions as provided above may not work. This is because the firewall may interfere with the normal operation of the FTP program. If this occurs, you cannot use the MS-DOS FTP program as provided by Microsoft in Windows 95 and 98. You will need to obtain an FTP client that can handle "passive" transfers. Browsers such as Netscape and Internet Explorer can be used in these situations."

So, 'passive' _will_ fix the problem as I said at the beginning, but MSDOS FTP cannot do 'passive'!

Try the ls -ls/ls -lsa anyway... I swear that's how I do it (nothing here to test with).

Nick
 
LVL 16

Expert Comment

by:The--Captain
ID: 6220147
Netscape likes to try passive mode if FTP has problems - MickeySoft products on the other hand seem to refuse to do this...

milkfilk was on the right track...

You need to recompile your kernel and enable all masquerading options, which should eventually generate the ip_masq_ftp module, which when installed (via either kerneld or 'insmod ip_masq_ftp.o') makes your internal clients work fine, regardless of whether or not they are using passive mode.

IMHO, this is the best solution because you don't have to muck around with each and every client config making sure it is set for passive mode...

-Jon

 
LVL 4

Expert Comment

by:MFCRich
ID: 6226096
FTP uses two ports. One for communication between client and server and the other for the transfer of files. My guess is that your ipchains rules are DENYing connections on the ftpdata port ( number 20)

Try a rule like this
ipchains -A input -i eth0 -p tcp -d 0/0 20 -j ACCEPT

I am assuming that eth0 is the interface that connects you to the Internet
 

Author Comment

by:MCI_Consultants
ID: 6226834
<<NICK>>
ls -lsa/ls -la does not work. When I try it I get connection closed by remote host.

<<The--Captain>>
There are NO options mentioning masquerading in the 2.4.2-5 kernel. Although I did go through the HOW-TO-IP-Masquerading and compiled the kernel with the options that I could find. (again nothing mentioning masquerading). However it did not work and it also introduced some other problems.

<<MFCRich>>
I tried your rule but I can still only FTP Passively.

What really confuses me is that there are no Masquerading options in the Kernel. Everywhere I look they mention the following options which are NOT in the menus for Kernels 2.4.x.

* Network firewalls (CONFIG_FIREWALL)

* IP: firewalling (CONFIG_IP_FIREWALL)

* IP: firewall packet netlink device (CONFIG_IP_FIREWALL_NETLINK)

* IP: transparent proxy support (CONFIG_IP_TRANSPARENT_PROXY)

* IP: masquerading (CONFIG_IP_MASQUERADE) [Y/n/?]

* IP: ICMP masquerading (CONFIG_IP_MASQUERADE_ICMP)

* IP: masquerading special modules support (CONFIG_IP_MASQUERADE_MOD)

* IP: ipautofw masq support (EXPERIMENTAL) (CONFIG_IP_MASQUERADE_IPAUTOFW)

* IP: ipportfw masq support (EXPERIMENTAL) (CONFIG_IP_MASQUERADE_IPPORTFW)

* IP: ip fwmark masq-forwarding support (EXPERIMENTAL) (CONFIG_IP_MASQUERADE_MFW)

* IP: optimize as router not host (CONFIG_IP_ROUTER)

* IP: Allow large windows (not recommended if <16Mb of memory) * (CONFIG_SKB_LARGE)

I have none of these options.

 
LVL 16

Expert Comment

by:The--Captain
ID: 6227252
MFCRich is forgetting about the necessary translation that IP masquerading (and specifically the ftp_masq module) performs (a common novice error).  I'm not at all surprised that his suggestion did not work.  To his credit, he is correct about the dual-connection nature of FTP - he just forgot that even if your firewall/router allows inbound data on port 20, it still will have no idea what to do with the data without ftp_masq or something similar (passive mode eliminates the connect-back on port 20, which is why that works).

Also, can your users deal with using a proxy for FTP?  While MickeySoft products may be reluctant to use passive mode, you can certainly tell them to use a proxy (i.e. socks, etc) with no problem.  If so, I'd recommend socks - free, easy to configure, and just about everything supports it...

The 2.4 kernel seems to have a lot of nice features, but is still a bit too immature for my tastes (which explains my lack of familiarity wrt specific features) - assuming you don't specifically require any of the new functionality of 2.4, might I suggest the latest 2.2 release instead?

In any case, I will explore the 2.4 src a bit more and see what they are calling the ftp masq feature these days, since I can't imagine that they'd have nixed something as nice as the ftp_masq module...  

BTW, where did  you get your 2.4 source?

Cheers,
-Jon
 
LVL 4

Expert Comment

by:MFCRich
ID: 6233367
RH uses xinetd instead of inetd. Have you configured it?
In '/etc/xinetd.d' you should find a file called 'ftp' (I think). Edit it so that the line that says "DISABLED" reads "ENABLED". Hope I recalled this correctly cause I'm not at my Linux box.
 
LVL 16

Expert Comment

by:The--Captain
ID: 6235968
MFCRich - a good idea, if the problem was an inability to connect to his own ftp server...

Unfortunately, the problem is that none of the users can connect to arbitrary remote FTP servers without using passive mode.

I think we should wait to hear some feedback from MCI Consultants about his/her luck with the above suggestions (particularly mine <grin>), and proceed from there.

Agreed?

-Jon
 

Author Comment

by:MCI_Consultants
ID: 6237335
The original site I got my Kernel mods from has closed down but I did a bit of surfing and found this address.

ftp://ftp.kernel.org/pub/linux/utils/kernel/modutils/v2.4

What the ... (again!!!)

My Microsoft browser can see this site's contents???
I cannot understand that. (Passive is disabled)
So I tried ftp.sun.com again but still I cannot see their contents. This problem could be related to how operating systems deal with the FTP Protocol.

I have not tried the proxy idea yet but I will do so, soon!
 

Expert Comment

by:Cironian
ID: 6238538
The following makes active FTP work on my stock 2.4.5 kernel; not sure if the one that came with RH7.1 had the same option, else just upgrade it:

For menuconfig, in the "Networking Options"/"IP: Netfilter Configuration" submenu, _just enable all the options_, but especially CONFIG_IP_NF_FTP.

Then when setting up iptables, use something like...

# iptables -t nat -A POSTROUTING -o ppp0 -j MASQUERADE
# iptables -A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT

...before you reach your fallthrough case (DROP I guess) of course. Your internal net device needs to accept all packets of course, but judging from your description, that seems to be the case already.

The "RELATED" state flag is the important one that causes the kernel to allow connections requested by the main FTP connection.
 
LVL 16

Expert Comment

by:The--Captain
ID: 6239736
From http://netfilter.filewatcher.org/unreliable-guides/NAT-HOWTO/NAT-HOWTO.linuxdoc-7.html

"Inside the netfilter distribution, there are currently modules for ftp: ip_conntrack_ftp.o and ip_nat_ftp.o. If you insmod these into your kernel (or you compile them in permanently), then doing any kind of NAT on ftp connections should work"

Now please reject the above "answer", since it is apparently wrong, and grab (or compile) the aforementioned modules or use proxies, etc...

BTW, this isn't really rocket science - this info comes from the second URL returned by doing an altavista search for:

+"ip_masq_ftp" +2.4 +kernel

Cironian - please post your answers as comments (as the text at the bottom of every page suggests) unless your answer _will_ solve the problem, beyond a shadow of a doubt.  I'd say there are several shadows of doubt here, and your answer was not definitive because of it.  I can forgive this error, though, since your account age is only a few days old.  Your advice on which kernel option to use was helpful, but you made nary a mention of it generating a module or the need to be sure it is inserted (sounds like your system is doing it for you, or you said "Y" to the kernel option rather than "M") - all this info (and more) should be included in a proper "answer".  The fact that you had to guess about the default policy (DROP or ACCEPT) should have been another hint that your info wasn't quite 'answer' material.

-Jon

 
LVL 16

Expert Comment

by:The--Captain
ID: 6239747
I guess I said wrong above when I meant 'rather incomplete'.  

It all equals out to the same thing, since it's all-or-nothing for the questioner (accept or reject the 'answer')

-Jon
 
LVL 16

Expert Comment

by:The--Captain
ID: 6239752
MCI Consultants - not surprising it works on some FTP sites - some servers set passive mode by default, and hence they will always work for you.

-Jon
 

Expert Comment

by:milkfilk
ID: 6265561
That module is on Mandrake distros for sure.  I had it working in production myself and it solved a million and a half FTP problems.
 

Expert Comment

by:G2MD
ID: 6369833
I had this problem and after many attempts decided to change the kernel to 2.4.7 and use iptables instead of ipchains, so I disabled ipchains and added the following lines in rc.local

depmod -a
modprobe iptable_nat
insmod ip_nat_ftp
/sbin/iptables -t nat -A POSTROUTING -o eth1 -s 192.168.2.0/255.255.255.0 -j MASQUERADE

To enable netfilter/iptable go to http://www.e-infomax.com/ipmasq/howto/beta/c-html/index.html and look for kernel 2.4.x only, because it's your kernel.

 

Expert Comment

by:Loggytronic
ID: 6640105
Help help help...

I have a similar problem and don't seem to be able to get it working.
I am using iptables and I have definitely got the module ip_conntrack_ftp installed (And therefore all that it depends on which is basically all the ipfilter stuff!)

As far as I can tell the conntrack ftp module is failing to mangle the ftp connections so that they work in active mode. I am getting "Illegal port command" back from the FTP servers (presumably because my client will have sent "PORT 10.0.0.2:blah" to it and it was never changed by the conntrack ftp module).

Anyone got any ideas? If I was using ipchains I would insmod the ip_masq_ftp module and expect it to work. Since I am now using iptables, I have insmodded ip_conntrack_ftp and I am expecting it to work...... :(

Help? Thanks
Chris Tallon
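To make concrete what goes wrong when the PORT command crosses the gateway unrewritten (Loggytronic's "PORT 10.0.0.2" case above, and the "500 Illegal PORT Command" MCI_Consultants saw earlier), here is an added Python example, not code from this thread: it decodes FTP's h1,h2,h3,h4,p1,p2 address encoding, models the address check a server applies to PORT, and shows the rewrite plus the RELATED connect-back expectation that ip_nat_ftp/ip_conntrack_ftp have to set up. The public address 203.0.113.10 and mapped port 40000 are constructed placeholders.

```python
# Added example (not from the thread): why an unrewritten PORT command
# fails behind masquerading and what ip_nat_ftp/ip_conntrack_ftp must do.
import re

# RFC 959 encodes host and port as six comma-separated decimal bytes.
HOSTPORT = r"(\d{1,3}(?:,\d{1,3}){5})"
PORT_RE = re.compile(r"^PORT " + HOSTPORT + r"\r?\n?$")
PASV_RE = re.compile(r"^227 .*\(" + HOSTPORT + r"\)")

def decode_hostport(field):
    """'192,168,1,5,4,1' -> ('192.168.1.5', 1025)."""
    h1, h2, h3, h4, p1, p2 = (int(x) for x in field.split(","))
    return f"{h1}.{h2}.{h3}.{h4}", p1 * 256 + p2

def encode_hostport(ip, port):
    """Inverse of decode_hostport."""
    return ",".join(ip.split(".") + [str(port // 256), str(port % 256)])

def server_view(port_cmd, control_src_ip):
    """Model a common server check (anti-bounce): the address in PORT must
    match the control connection's source, else '500 Illegal PORT Command'."""
    m = PORT_RE.match(port_cmd)
    if not m:
        return "500 Syntax error, command unrecognized"
    ip, port = decode_hostport(m.group(1))
    if ip != control_src_ip:
        return "500 Illegal PORT Command"
    return f"200 PORT command successful ({ip}:{port})"

def nat_helper_rewrite(port_cmd, public_ip, mapped_port):
    """The FTP NAT helper's job for an outbound active transfer: rewrite
    PORT to the gateway's public address/port and register an expectation
    so the server's connect-back is tracked as RELATED and DNATed back."""
    m = PORT_RE.match(port_cmd)
    if not m:
        raise ValueError("not a PORT command")
    client_ip, client_port = decode_hostport(m.group(1))
    rewritten = f"PORT {encode_hostport(public_ip, mapped_port)}\r\n"
    expectation = {"dst": (public_ip, mapped_port),
                   "dnat_to": (client_ip, client_port)}
    return rewritten, expectation

def pasv_data_target(reply):
    """Passive mode: the client connects out to the server, so the data
    connection is an ordinary outbound flow and needs no helper."""
    m = PASV_RE.match(reply)
    return decode_hostport(m.group(1)) if m else None
```

Run server_view on the raw client command and then on the rewritten one to see the 500 turn into a 200; pasv_data_target shows why passive mode sidesteps the whole problem.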
 

Accepted Solution

by:
SpideyMod earned 0 total points
ID: 8276217
All,
I am unlocking this question in preparation for cleanup.  I will return in 7 days to finalize this question.  Please leave any recommendations for the final state of this question, I will take all recommendations into consideration.  Failing any feedback, I may decide in 7 days to delete or PAQ this question with no refund.  Thanks.

SpideyMod
Community Support Moderator @Experts Exchange
