
RH6.1 masquerade problems

Posted on 2001-07-11
Medium Priority
Last Modified: 2010-03-18
I have a RH6.1 machine that I have configured to be a firewall/Internet gateway... until yesterday.

I installed 6.1, configured it, and it was running well but all of a sudden it won't let me list (ls) directories when I FTP to a remote server. After taking VERY extreme measures, I finally isolated it down to an ipchains line. If I remark it out, Masquerading works great. If I put it in then it seems a little more sluggish, but I lose the "ls" command in an FTP session. That is locally at the machine AND masqueraded from w2000/w98 machines.

The line is: "/sbin/ipchains -i ppp0 -p tcp -y -j DENY"

What is weird is that it used to work... all the way until yesterday.

Can someone either help me configure the machine so this rule will work or help me out to write some rules that will DENY inbound TCP SYN packet yet still enable me to FTP?
Question by: emherman

Accepted Solution

vsamtani earned 400 total points
ID: 6277279
First of all, have you tried ftp in passive mode, where the server is instructed not to attempt to make data connections back to the client? This should work, while retaining your ipchains configuration.

If you want to enable ftp in active mode, make sure you have ip_masq_ftp loaded (insmod ip_masq_ftp), and modify the ipchains command you have quoted:

/sbin/ipchains -i ppp0 -p tcp --destination-port ! 20 -y -j DENY

The modified version will not be triggered by SYN packets coming in to port 20, which is the ftp-data port.


Author Comment

ID: 6277558
I commented out my lines and added your line. I then nmapped it from a non-network connected machine (which shows several services as open, including FTP). I telnetted and FTP'd from the Internet to the linux box and the "connection was closed" by the linux box, not allowing me access (which is what I was after). I can still FTP from the network out to remote Internet sites. What about port 20? Is that now vulnerable or would someone have to establish the connection on 23 before they get 20?

Expert Comment

ID: 6277649
Port 20 should only be listened on by an ftp client awaiting a connection from a server. So most of the time, it should be closed, because there will be nothing listening on it. However, while an ftp client is listening, it is a potential security risk. If it's a concern to you, then you will have to go with a more sophisticated firewall (eg, the new netfilter code in the 2.4 kernel), or restrict yourself to passive mode ftp.
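To make the behaviour discussed in this thread concrete, the following is an added Python model of ipchains first-match evaluation. It is not code from the thread or from the ipchains project; the chain, the packets and the port numbers are constructed for illustration, and the exemption rule shown keys on the server's source port 20, which is where an active-mode data SYN arrives from. It shows why the -y DENY rule on its own kills active-mode "ls" while leaving passive mode untouched, and it also shows the cost of a port-based exemption: a SYN whose source port has been forced to 20 sails through it.

```python
"""ipchains-style first-match model of the ruleset discussed in this thread.

Added example, not code from the thread. The chain, packets and port
numbers are constructed for illustration. ipchains walks the input chain
top to bottom and applies the first matching rule; -y matches only TCP
packets with SYN set and ACK clear, i.e. the opening packet of a new
connection (ipchains also requires FIN clear; omitted here).
"""
from dataclasses import dataclass
from typing import Dict, List, Optional


@dataclass(frozen=True)
class Packet:
    iface: str
    proto: str
    sport: int
    dport: int
    syn: bool = False
    ack: bool = False


@dataclass(frozen=True)
class Rule:
    target: str                    # -j ACCEPT / -j DENY
    iface: Optional[str] = None    # -i ppp0
    proto: Optional[str] = None    # -p tcp
    syn_only: bool = False         # -y
    sport: Optional[int] = None    # -s 0/0 <port>
    dport: Optional[int] = None    # --destination-port <port>
    invert_sport: bool = False     # -s 0/0 ! <port>
    invert_dport: bool = False     # --destination-port ! <port>

    def matches(self, p: Packet) -> bool:
        if self.iface is not None and p.iface != self.iface:
            return False
        if self.proto is not None and p.proto != self.proto:
            return False
        if self.syn_only and not (p.proto == "tcp" and p.syn and not p.ack):
            return False
        # a port test matches when (port == rule port) differs from "inverted"
        if self.sport is not None and (p.sport == self.sport) == self.invert_sport:
            return False
        if self.dport is not None and (p.dport == self.dport) == self.invert_dport:
            return False
        return True


def verdict(chain: List[Rule], p: Packet, policy: str = "ACCEPT") -> str:
    """First matching rule wins; otherwise fall through to the chain policy."""
    for rule in chain:
        if rule.matches(p):
            return rule.target
    return policy


# The poster's rule: ipchains -A input -i ppp0 -p tcp -y -j DENY
ORIGINAL = [Rule("DENY", iface="ppp0", proto="tcp", syn_only=True)]

# Active-mode data connections are opened BY the server FROM port 20 to a
# high port on the client, so the inbound SYN arrives with source port 20.
# Exempt it with a rule placed before the DENY (constructed rule):
#   ipchains -A input -i ppp0 -p tcp -s 0/0 20 -y -j ACCEPT
WITH_FTP_DATA = [
    Rule("ACCEPT", iface="ppp0", proto="tcp", sport=20, syn_only=True),
    Rule("DENY", iface="ppp0", proto="tcp", syn_only=True),
]

# Constructed packets as seen arriving on ppp0; client-side ports are arbitrary.
TRAFFIC: Dict[str, Packet] = {
    # SYN/ACK answering our control connection to server port 21
    "control_reply": Packet("ppp0", "tcp", sport=21, dport=1024, syn=True, ack=True),
    # active mode: the server opens the data connection towards us from port 20
    "active_data": Packet("ppp0", "tcp", sport=20, dport=1025, syn=True),
    # passive mode: we opened the data connection; only a SYN/ACK comes back
    "passive_reply": Packet("ppp0", "tcp", sport=40000, dport=1026, syn=True, ack=True),
    # unsolicited connection attempt to our own ftpd
    "probe_ftp": Packet("ppp0", "tcp", sport=55555, dport=21, syn=True),
    # the same probe with the source port forced to 20 by the sender
    "probe_spoofed_sport20": Packet("ppp0", "tcp", sport=20, dport=21, syn=True),
}


def verdicts(chain: List[Rule]) -> Dict[str, str]:
    """Verdict for every constructed packet against one chain."""
    return {name: verdict(chain, p) for name, p in TRAFFIC.items()}


if __name__ == "__main__":
    for label, chain in (("original", ORIGINAL), ("with ftp-data exemption", WITH_FTP_DATA)):
        print(f"--- {label} ---")
        for name, result in verdicts(chain).items():
            print(f"{name:24s} {result}")
```

Running it shows the original chain denying only active_data and probe_ftp, which is exactly the symptom in the question (control connection fine, "ls" hangs, passive mode unaffected). The exempted chain lets active_data through, but the last row shows what that buys an attacker: the exemption trusts a source port the remote end chooses, so a probe sent from port 20 reaches any listening service. That is the reason a stateless SYN filter has no clean answer for active FTP and why passive mode or a connection-tracking filter is the safer route.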

