RH6.1 masquerade problems

Posted on 2001-07-11
Last Modified: 2010-03-18
I have a RH6.1 machine that I have configured to be a firewall/Internet gateway... until yesterday.

I installed 6.1, configured it, and it was running well but all of the sudden it won't let me list(ls) directories when I FTP to a remote server. After taking VERY extreme measures, I finally isolated it down to an ipchains line. If I remark it out, Masquerading works great. If I put it in then it seems a little more sluggish, but I lose the "ls" command in an FTP session. That is locally at the machine AND masqueraded from w2000/w98 machines.

The line is: "/sbin/ipchains -i ppp0 -p tcp -y -j DENY"

What is weird is that it used to work... all the way until yesterday.

Can someone either help me configure the machine so this rule will work or help me out to write some rules that will DENY inbound TCP SYN packet yet still enable me to FTP?
Question by:emherman
  • 2

Accepted Solution

vsamtani earned 100 total points
Comment Utility
First of all, have you tried ftp in passive mode, where the server is instructed not to attempt to make data connections back to the client? This should work, while retaining your ipchains configuration.

If you want to enable ftp in active mode, make sure you have ip_masq_ftp loaded (insmod ip_masq_ftp), and modify the ipchains command you have quoted:

/sbin/ipchains -i ppp0 -p tcp --destination-port ! 20 -y -j DENY

The modified version will not be triggered by SYN packets coming in to port 20, which is the ftp-data port.


Author Comment

Comment Utility
I commented out my lines and added your line. I then nmaped it from a non-network connected machine (which shows several services as open, including FTP). I telneted and FTP'd from the Internet to the linux box and the "connection was closed" by the linux box, not allowing me access (which is what I was after). I can still FTP from the network out to remote Internet sites. What about port 20? Is that now vulnerable or would someone have to establish the connection on 23 before they get 20?

Expert Comment

Comment Utility
Port 20 should only be listened on by an ftp client awaiting a connection from a server. So most of the time, it should be closed, because there will be nothing listening on it. However, while an ftp client is listening, it is a potential security risk. If it's a concern to you, then you will have to go with a more sophisticated firewall (eg, the new netfilter code in the 2.4 kernel), or restrict yourself to passive mode ftp.


Featured Post

Highfive + Dolby Voice = No More Audio Complaints!

Poor audio quality is one of the top reasons people don’t use video conferencing. Get the crispest, clearest audio powered by Dolby Voice in every meeting. Highfive and Dolby Voice deliver the best video conferencing and audio experience for every meeting and every room.

Join & Write a Comment

I have seen several blogs and forum entries elsewhere state that because NTFS volumes do not support linux ownership or permissions, they cannot be used for anonymous ftp upload through the vsftpd program.   IT can be done and here's how to get i…
Note: for this to work properly you need to use a Cross-Over network cable. 1. Connect both servers S1 and S2 on the second network slots respectively. Note that you can use the 1st slots but usually these would be occupied by the Service Provide…
Sending a Secure fax is easy with eFax Corporate ( First, Just open a new email message.  In the To field, type your recipient's fax number You can even send a secure international fax — just include t…
In this seventh video of the Xpdf series, we discuss and demonstrate the PDFfonts utility, which lists all the fonts used in a PDF file. It does this via a command line interface, making it suitable for use in programs, scripts, batch files — any pl…

743 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question

Need Help in Real-Time?

Connect with top rated Experts

15 Experts available now in Live!

Get 1:1 Help Now