?
Solved

RH6.1 masquerade problems

Posted on 2001-07-11
3
Medium Priority
?
206 Views
Last Modified: 2010-03-18
I have a RH6.1 machine that I have configured to be a firewall/Internet gateway... until yesterday.

I installed 6.1, configured it, and it was running well but all of the sudden it won't let me list(ls) directories when I FTP to a remote server. After taking VERY extreme measures, I finally isolated it down to an ipchains line. If I remark it out, Masquerading works great. If I put it in then it seems a little more sluggish, but I lose the "ls" command in an FTP session. That is locally at the machine AND masqueraded from w2000/w98 machines.

The line is: "/sbin/ipchains -i ppp0 -p tcp -y -j DENY"

What is weird is that it used to work... all the way until yesterday.

Can someone either help me configure the machine so this rule will work or help me out to write some rules that will DENY inbound TCP SYN packet yet still enable me to FTP?
0
Comment
Question by:emherman
[X]
Welcome to Experts Exchange

Add your voice to the tech community where 5M+ people just like you are talking about what matters.

  • Help others & share knowledge
  • Earn cash & points
  • Learn & ask questions
  • 2
3 Comments
 
LVL 5

Accepted Solution

by:
vsamtani earned 400 total points
ID: 6277279
First of all, have you tried ftp in passive mode, where the server is instructed not to attempt to make data connections back to the client? This should work, while retaining your ipchains configuration.

If you want to enable ftp in active mode, make sure you have ip_masq_ftp loaded (insmod ip_masq_ftp), and modify the ipchains command you have quoted:

/sbin/ipchains -i ppp0 -p tcp --destination-port ! 20 -y -j DENY

The modified version will not be triggered by SYN packets coming in to port 20, which is the ftp-data port.

Vijay
0
 
LVL 1

Author Comment

by:emherman
ID: 6277558
I commented out my lines and added your line. I then nmaped it from a non-network connected machine (which shows several services as open, including FTP). I telneted and FTP'd from the Internet to the linux box and the "connection was closed" by the linux box, not allowing me access (which is what I was after). I can still FTP from the network out to remote Internet sites. What about port 20? Is that now vulnerable or would someone have to establish the connection on 23 before they get 20?
0
 
LVL 5

Expert Comment

by:vsamtani
ID: 6277649
Port 20 should only be listened on by an ftp client awaiting a connection from a server. So most of the time, it should be closed, because there will be nothing listening on it. However, while an ftp client is listening, it is a potential security risk. If it's a concern to you, then you will have to go with a more sophisticated firewall (eg, the new netfilter code in the 2.4 kernel), or restrict yourself to passive mode ftp.

Vijay
0

Featured Post

Plug and play, no additional software required!

The ATEN UE3310 USB3.1 Gen1 Extender Cable allows users to extend the distance between the computer and USB devices up to 10 m (33 ft). The UE3310 is a high-quality, cost-effective solution for professional environments such as hospitals, factories and business facilities.

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

I have seen several blogs and forum entries elsewhere state that because NTFS volumes do not support linux ownership or permissions, they cannot be used for anonymous ftp upload through the vsftpd program.   IT can be done and here's how to get i…
Note: for this to work properly you need to use a Cross-Over network cable. 1. Connect both servers S1 and S2 on the second network slots respectively. Note that you can use the 1st slots but usually these would be occupied by the Service Provide…
If you're a developer or IT admin, you’re probably tasked with managing multiple websites, servers, applications, and levels of security on a daily basis. While this can be extremely time consuming, it can also be frustrating when systems aren't wor…
Add bar graphs to Access queries using Unicode block characters. Graphs appear on every record in the color you want. Give life to numbers. Hopes this gives you ideas on visualizing your data in new ways ~ Create a calculated field in a query: …
Suggested Courses

752 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question