[ale] sunday morning ipchains

jason vinson jvinson at snapserver.com
Sun Aug 4 15:25:46 EDT 2002


On Sun, 2002-08-04 at 15:02, Jonathan Glass wrote:
> I had a hard time getting it to work, and finally resorted to IPMASQADM
> and PORTFW
> http://www.thelinuxreview.com/howto/IP-MASQ/x1525.htm
> 

i think i've almost got this working.

i can get into the box from the outside but i can't get a directory
listing, even in passive mode.  from what i understand about ftp, a
packet goes through this process:

incoming packet is sent to ppp0 ip targeted at port 21, the response
sent back to the client is sent on port 20, then a data connection is
established at a port above 1024, which i assume means i need to open a
range of ports above 1024.

is this correct or do i have something wrong here?
Jason


> HTH
> 
> Jonathan
> -----Original Message-----
> From: jason vinson [mailto:jvinson at snapserver.com] 
> Sent: Sunday, August 04, 2002 2:34 PM
> To: Jonathan Glass
> Subject: RE: [ale] sunday morning ipchains
> 
> 
> On Sun, 2002-08-04 at 13:45, Jonathan Glass wrote:
> > Don't you need to use portforwarding to give access to your FTP 
> > server? I've always used ipmasqadm portfw to allow incoming 
> > connections...I think.
> 
> i was under the impression that third and fourth chains were taking care
> of the port forwarding.  is this not correct?
> 
> # this appends a chain to the forward set that uses a source
> # of any ip that sends a request on ports 20 and 21 on the tcp
> # protocol to an internal destination of 192.168.0.10
> /sbin/ipchains -A forward -j MASQ -s 0.0.0.0/0 20:21 -p tcp -d 192.168.0.10
> 
> # this does the same thing for the udp protocol
> /sbin/ipchains -A forward -j MASQ -s 0.0.0.0/0 20:21 -p udp -d 192.168.0.10
> 
> is this not correct?
> Jason
> 
> 
> > 
> > Note: This is off the top of my head.  I don't have access to my 
> > firewall script right now.
> > 
> > Thanks
> > 
> > Jonathan
> > 
> > -----Original Message-----
> > From: jason vinson [mailto:jvinson at snapserver.com]
> > Sent: Sunday, August 04, 2002 12:16 PM
> > To: ale at ale.org
> > Subject: [ale] sunday morning ipchains
> > 
> > 
> > Hi guys,
> > 
> > I am having a bit of trouble with ipchains.  I created a coyote linux 
> > floppy and it runs nicely.  My home network has an ftp server on it 
> > that i would like to have accessible from the outside world, but i 
> > can't seem to get ipchains to work properly.  here's my rule set (keep
> > in mind i am fairly new at this):
> > 
> > /sbin/ipchains -P forward DENY
> > 
> > /sbin/ipchains -A forward -j MASQ -s $LOCAL_NETWORK/$LOCAL_NETMASK -d 0.0.0.0/0
> > 
> > /sbin/ipchains -A forward -j MASQ -s 0.0.0.0/0 20:21 -p tcp -d 192.168.0.10
> > /sbin/ipchains -A forward -j MASQ -s 0.0.0.0/0 20:21 -p udp -d 192.168.0.10
> > 
> > and here's what i see from "ipchains -L":
> > 
> > Chain input (policy ACCEPT):
> > Chain forward (policy DENY):
> > target prot opt     source          destination   ports
> > MASQ   all  ------  192.168.0.0/24  anywhere      n/a
> > MASQ   tcp  ------  anywhere        192.168.0.10  ftp-data:ftp ->   any
> > MASQ   udp  ------  anywhere        192.168.0.10  20:fsp ->   any
> > Chain output (policy ACCEPT):
> > 
> > any ideas on what i should do?
> > 
> > and please be gentle  :)
> > 
> > thanks in advance.
> > Jason
> > 
> > 
> > ---
> > This message has been sent through the ALE general discussion list.
> > See http://www.ale.org/mailing-lists.shtml for more info. Problems should be
> > sent to listmaster at ale dot org.
> > 
> > 
> 
> 
> 
> 



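Jonathan's suggestion (ipmasqadm portfw) and the rule set quoted above, as an added shell example that is not from any of the posters in this thread. Two things the quoted rules show: in ipchains a port range written after -s matches source ports, which is why "ipchains -L" lists them as "ftp-data:ftp -> any", and MASQ rules in the forward chain masquerade outbound traffic from the LAN but do not redirect an inbound connection to an internal host; that redirection is what ipmasqadm portfw does. The example forwards only the control port 21 and a fixed passive data range, so nothing else on the gateway is exposed. Assumed values: a public address 203.0.113.5 on ppp0 (placeholder), the FTP server at 192.168.0.10 from the thread, and a passive range 50000-50010 that the FTP daemon itself must be configured to use and to advertise together with the public address. Whether the forward chain also needs an explicit ACCEPT for the forwarded traffic depends on the kernel build, so the two ACCEPT rules at the end are an assumption to check against your own "ipchains -L".

```shell
#!/bin/sh
# Added example (not from the thread): expose an FTP server behind an
# ipchains/ipmasqadm (2.2-series) masquerading gateway with narrow,
# explicit port forwards. DRY_RUN=1 prints the commands without running them.

EXT_IP="${EXT_IP:-203.0.113.5}"            # assumed public address on ppp0 (placeholder)
FTP_SERVER="${FTP_SERVER:-192.168.0.10}"  # the server from the thread
PASV_LO="${PASV_LO:-50000}"                # assumed passive data range; the ftpd
PASV_HI="${PASV_HI:-50010}"                # must be configured to use the same range
LOCAL_NETWORK="${LOCAL_NETWORK:-192.168.0.0}"
LOCAL_NETMASK="${LOCAL_NETMASK:-24}"

# run: print the command, then execute it unless DRY_RUN is set.
run() {
    echo "$*"
    if [ -z "$DRY_RUN" ]; then
        "$@"
    fi
}

ftp_portfw_rules() {
    # Default deny, and masquerade outbound traffic from the LAN
    # (same as the original script).
    run /sbin/ipchains -P forward DENY
    run /sbin/ipchains -A forward -j MASQ -s "$LOCAL_NETWORK/$LOCAL_NETMASK" -d 0.0.0.0/0

    # Flush old port forwards, then redirect the control port and the
    # passive range on the public address to the internal server.
    run /sbin/ipmasqadm portfw -f
    run /sbin/ipmasqadm portfw -a -P tcp -L "$EXT_IP" 21 -R "$FTP_SERVER" 21
    p=$PASV_LO
    while [ "$p" -le "$PASV_HI" ]; do
        run /sbin/ipmasqadm portfw -a -P tcp -L "$EXT_IP" "$p" -R "$FTP_SERVER" "$p"
        p=$((p + 1))
    done

    # Assumption: let the redirected connections through the forward chain,
    # but only to the FTP server and only on the forwarded ports.
    run /sbin/ipchains -A forward -j ACCEPT -p tcp -s 0.0.0.0/0 -d "$FTP_SERVER" 21
    run /sbin/ipchains -A forward -j ACCEPT -p tcp -s 0.0.0.0/0 -d "$FTP_SERVER" "$PASV_LO:$PASV_HI"
}

# Review helper: how many portfw entries the rule set would create.
count_forwarded_ports() {
    (DRY_RUN=1; ftp_portfw_rules) | grep -c 'portfw -a'
}

# Apply only when explicitly asked: ./ftp-portfw.sh apply
case "${1-}" in
    apply) ftp_portfw_rules ;;
esac
```

Run it once with DRY_RUN=1 to review the generated commands, then with "apply"; afterwards "ipmasqadm portfw -l" and "ipchains -L" should show exactly the forwarded ports and nothing wider.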





