RH6.1 masquerade problems

I have a RH6.1 machine that I have configured to be a firewall/Internet gateway... until yesterday.

I installed 6.1, configured it, and it was running well but all of the sudden it won't let me list(ls) directories when I FTP to a remote server. After taking VERY extreme measures, I finally isolated it down to an ipchains line. If I remark it out, Masquerading works great. If I put it in then it seems a little more sluggish, but I lose the "ls" command in an FTP session. That is locally at the machine AND masqueraded from w2000/w98 machines.

The line is: "/sbin/ipchains -i ppp0 -p tcp -y -j DENY"

What is weird is that it used to work... all the way until yesterday.

Can someone either help me configure the machine so this rule will work or help me out to write some rules that will DENY inbound TCP SYN packet yet still enable me to FTP?
Who is Participating?

Improve company productivity with a Business Account.Sign Up

vsamtaniConnect With a Mentor Commented:
First of all, have you tried ftp in passive mode, where the server is instructed not to attempt to make data connections back to the client? This should work, while retaining your ipchains configuration.

If you want to enable ftp in active mode, make sure you have ip_masq_ftp loaded (insmod ip_masq_ftp), and modify the ipchains command you have quoted:

/sbin/ipchains -i ppp0 -p tcp --destination-port ! 20 -y -j DENY

The modified version will not be triggered by SYN packets coming in to port 20, which is the ftp-data port.

emhermanAuthor Commented:
I commented out my lines and added your line. I then nmaped it from a non-network connected machine (which shows several services as open, including FTP). I telneted and FTP'd from the Internet to the linux box and the "connection was closed" by the linux box, not allowing me access (which is what I was after). I can still FTP from the network out to remote Internet sites. What about port 20? Is that now vulnerable or would someone have to establish the connection on 23 before they get 20?
Port 20 should only be listened on by an ftp client awaiting a connection from a server. So most of the time, it should be closed, because there will be nothing listening on it. However, while an ftp client is listening, it is a potential security risk. If it's a concern to you, then you will have to go with a more sophisticated firewall (eg, the new netfilter code in the 2.4 kernel), or restrict yourself to passive mode ftp.

Question has a verified solution.

Are you are experiencing a similar issue? Get a personalized answer when you ask a related question.

Have a better answer? Share it in a comment.

All Courses

From novice to tech pro — start learning today.