RH6.1 masquerade problems

Posted on 2001-07-11
Last Modified: 2010-03-18
I have a RH6.1 machine that I have configured to be a firewall/Internet gateway... until yesterday.

I installed 6.1, configured it, and it was running well, but all of a sudden it won't let me list (ls) directories when I FTP to a remote server. After taking VERY extreme measures, I finally isolated it down to an ipchains line. If I remark it out, masquerading works great. If I put it in, then it seems a little more sluggish, but I lose the "ls" command in an FTP session. That is locally at the machine AND masqueraded from w2000/w98 machines.

The line is: "/sbin/ipchains -i ppp0 -p tcp -y -j DENY"

What is weird is that it used to work... all the way until yesterday.

Can someone either help me configure the machine so this rule will work, or help me write some rules that will DENY inbound TCP SYN packets yet still enable me to FTP?
Question by: emherman

Accepted Solution

vsamtani earned 100 total points
ID: 6277279
First of all, have you tried ftp in passive mode, where the server is instructed not to attempt to make data connections back to the client? This should work, while retaining your ipchains configuration.

If you want to enable ftp in active mode, make sure you have ip_masq_ftp loaded (insmod ip_masq_ftp), and modify the ipchains command you have quoted:

/sbin/ipchains -i ppp0 -p tcp --destination-port ! 20 -y -j DENY

The modified version will not be triggered by SYN packets coming in to port 20, which is the ftp-data port.


Author Comment

ID: 6277558
I commented out my lines and added your line. I then nmaped it from a non-network connected machine (which shows several services as open, including FTP). I telneted and FTP'd from the Internet to the linux box and the "connection was closed" by the linux box, not allowing me access (which is what I was after). I can still FTP from the network out to remote Internet sites. What about port 20? Is that now vulnerable or would someone have to establish the connection on 23 before they get 20?

Expert Comment

ID: 6277649
Port 20 should only be listened on by an ftp client awaiting a connection from a server. So most of the time, it should be closed, because there will be nothing listening on it. However, while an ftp client is listening, it is a potential security risk. If it's a concern to you, then you will have to go with a more sophisticated firewall (eg, the new netfilter code in the 2.4 kernel), or restrict yourself to passive mode ftp.
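
An added model (not code from the thread) of how the two ipchains rules quoted above match inbound packets on ppp0, including the port 20 case raised in the follow-up. It assumes the ipchains `-y` semantics (SYN set, ACK and FIN cleared) and RFC 959 active mode, where the server connects from its port 20 to a port chosen by the client; all port numbers other than 20, 21 and 23 are constructed, and ip_masq_ftp and any other rules in the chain are not modelled.

```python
from dataclasses import dataclass

@dataclass(frozen=True)
class Packet:
    """One inbound TCP packet as the input chain sees it."""
    iface: str
    sport: int
    dport: int
    syn: bool = False
    ack: bool = False
    fin: bool = False

def matches_y(p):
    # ipchains -y: SYN set, ACK and FIN cleared (a connection request).
    return p.syn and not p.ack and not p.fin

def original_rule(p):
    # /sbin/ipchains -i ppp0 -p tcp -y -j DENY
    return "DENY" if p.iface == "ppp0" and matches_y(p) else "no match"

def modified_rule(p):
    # /sbin/ipchains -i ppp0 -p tcp --destination-port ! 20 -y -j DENY
    hit = p.iface == "ppp0" and p.dport != 20 and matches_y(p)
    return "DENY" if hit else "no match"

# Constructed sample packets, all arriving on ppp0.
SAMPLES = {
    "active-mode data SYN (server:20 -> client port)": Packet("ppp0", 20, 40001, syn=True),
    "passive-mode data SYN/ACK (reply to client)": Packet("ppp0", 50000, 40002, syn=True, ack=True),
    "control SYN/ACK (server:21 -> client)": Packet("ppp0", 21, 40000, syn=True, ack=True),
    "unsolicited SYN to telnet (23)": Packet("ppp0", 33000, 23, syn=True),
    "unsolicited SYN to port 20": Packet("ppp0", 33001, 20, syn=True),
}

def evaluate(samples=SAMPLES):
    """Return {description: (original verdict, modified verdict)}."""
    return {name: (original_rule(p), modified_rule(p)) for name, p in samples.items()}

if __name__ == "__main__":
    for name, (orig, mod) in evaluate().items():
        print(f"{name:50} original={orig:9} modified={mod}")
```

A packet reported as "no match" continues to the remaining rules and the chain policy, which this model does not cover.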

