Re: [fw-wiz] ipchains * static nat * FTP

From: Yang Lee (yleeat_private)
Date: Mon Jun 18 2001 - 15:05:40 PDT


    # working code with redhat 6.2 (kernel 2.2) in my firewall
    
    # Site-specific values (assumed names and placeholder values; set them for your firewall)
    EXTERNAL_INTERFACE="eth0"          # interface facing the Internet
    IPADDR="x.x.x.x"                   # public address of the firewall
    ANYWHERE="any/0"                   # any source/destination address
    UNPRIVPORTS="1024:65535"           # unprivileged client port range
    
    # Load the FTP masquerading helper (tracks the PORT/PASV data connections)
    /sbin/modprobe ip_masq_ftp
    
    # FTP (20, 21) - Allowing Incoming Access to Your Local FTP Server
    # ----------------------------------------------------------------
    # Control channel: clients anywhere -> port 21 on the firewall (-l logs matches)
    /sbin/ipchains -A input  -i $EXTERNAL_INTERFACE -p tcp \
             -s $ANYWHERE $UNPRIVPORTS \
             -d $IPADDR 21 -j ACCEPT -l
    
    /sbin/ipchains -A output -i $EXTERNAL_INTERFACE -p tcp \
             -s $IPADDR 21 \
             -d $ANYWHERE $UNPRIVPORTS -j ACCEPT
    
    # Normal Port Mode FTP Data Channel Responses
    # (the server opens the data connection from port 20 back to the client)
    /sbin/ipchains -A output -i $EXTERNAL_INTERFACE -p tcp \
             -s $IPADDR 20 \
             -d $ANYWHERE $UNPRIVPORTS -j ACCEPT -l
    
    /sbin/ipchains -A input  -i $EXTERNAL_INTERFACE -p tcp \
             -s $ANYWHERE $UNPRIVPORTS \
             -d $IPADDR 20 -j ACCEPT
    
    # Enable IP forwarding, then clear all previous port forward rules
    echo 1 > /proc/sys/net/ipv4/ip_forward
    /usr/sbin/ipmasqadm portfw -f
    
    # This will redirect ftp service: -L is the firewall's public address and port,
    # -R is the internal server's private address and port
    /usr/sbin/ipmasqadm portfw -a -P tcp -L x.x.x.x 21 -R x.x.x.x 21
    /usr/sbin/ipmasqadm portfw -a -P tcp -L x.x.x.x 20 -R x.x.x.x 20
    
    
    > I have a customer running an ipchains based firewall.  Using ipmasqadm
    > portfw we're doing static NAT to a webserver behind the firewall with
    > private address space.  I've been searching around the net for some
    > time trying to figure out how to open up FTP to a translated host
    > behind the firewall.  And before you ask, yes the ip_masq_ftp.o module
    > is loaded on the firewall, but this seems to only work for masqueraded
    > hosts behind the fw making ftp connections out to the internet. 
    > Reversing the process (without masq) doesn't seem to work.  The ftp
    > server behind the firewall does *NOT* support passive mode file
    > transfer.
    > 
    > Is ipmasqadm portfw the wrong way to go with this?  Is ipmasqadm autofw
    > the way to go?  I could use references to good documentation on the use
    > of both portfw and autofw regardless of a solution to this problem.    
    > 
    > Anyone have a pointer or reference?  Or just example command syntax
    > that would allow this?  Is it possible at all?
    > 
    > Thanks in advance for your help.
    > 
    > Keith T. Morgan
    > Chief of Information Security
    > Terradon Communications
    > keith.morganat_private
    > 304-755-8291 x142
    > 
    > _______________________________________________
    > firewall-wizards mailing list
    > firewall-wizardsat_private
    > http://www.nfr.com/mailman/listinfo/firewall-wizards
    
    
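As an added example (not part of either post, and not code from the ipchains or ipmasqadm projects), the Python below shows the mechanism behind this thread: FTP carries endpoint addresses inside the control channel (the PORT command and the 227 passive-mode reply of RFC 959), so a firewall that only forwards port 21 never sees where the data connection will go. A helper like ip_masq_ftp has to parse those lines and, for a server behind NAT, translate the private address it announces. The IP addresses and lines below are constructed sample values; the function names are my own.

```python
"""FTP control-channel parsing as a NAT/firewall helper must do it.

Active mode:  client -> server  "PORT h1,h2,h3,h4,p1,p2"   server connects from 20
Passive mode: server -> client  "227 Entering Passive Mode (h1,h2,h3,h4,p1,p2)"
Both encode ip = h1.h2.h3.h4 and port = p1*256 + p2.
"""
import re

# six comma-separated byte values, not embedded in a longer digit run
_SIX = re.compile(
    r"(?<!\d)(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3})(?!\d)"
)


def parse_hostport(text):
    """Return (ip, port) from an h1,h2,h3,h4,p1,p2 tuple in text, or None."""
    m = _SIX.search(text)
    if not m:
        return None
    nums = [int(x) for x in m.groups()]
    if any(n > 255 for n in nums):          # each field is a single byte
        return None
    return ("%d.%d.%d.%d" % tuple(nums[:4]), nums[4] * 256 + nums[5])


def format_hostport(ip, port):
    """Inverse of parse_hostport."""
    return ",".join(ip.split(".") + [str(port // 256), str(port % 256)])


def rewrite_pasv_reply(line, private_ip, public_ip):
    """What a NAT helper must do for a passive reply from a server behind it:
    the server announces its private address, which is unreachable for the
    client, so it is replaced by the firewall's public address (port kept)."""
    parsed = parse_hostport(line)
    if parsed is None or parsed[0] != private_ip:
        return line                          # not a PASV reply from that host
    return line.replace(format_hostport(*parsed),
                        format_hostport(public_ip, parsed[1]))


def data_connection_for(control_line, client_ip, server_ip):
    """Describe the data connection the packet filter has to allow for one
    control-channel line.  Active mode: the server initiates from port 20
    (the 'port 20 output' rules in the thread); passive mode: the client
    initiates to the port the server announced."""
    hp = parse_hostport(control_line)
    if hp is None:
        return None
    upper = control_line.strip().upper()
    if upper.startswith("PORT"):
        return {"mode": "active", "src": (server_ip, 20), "dst": hp}
    if upper.startswith("227"):
        return {"mode": "passive", "src": (client_ip, None), "dst": hp}
    return None


if __name__ == "__main__":
    # constructed sample exchange: external client 192.0.2.10,
    # internal server 10.0.0.5 behind a firewall whose public address is 198.51.100.1
    print(data_connection_for("PORT 192,0,2,10,4,1", "192.0.2.10", "10.0.0.5"))
    print(rewrite_pasv_reply("227 Entering Passive Mode (10,0,0,5,200,10).",
                             "10.0.0.5", "198.51.100.1"))
```

The active-mode branch is the case the original question is about: the internal server opens the data connection itself, outbound from port 20, so the firewall's output rule for port 20 plus ordinary masquerading carries it, while the passive-mode reply is the one that needs its address rewritten before it leaves the firewall.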
    



    This archive was generated by hypermail 2b30 : Tue Jun 19 2001 - 18:50:35 PDT