# working code with redhat 6.2 (kernel 2.2) in my firewall

/sbin/modprobe ip_masq_ftp

# FTP (20, 21) - Allowing Incoming Access to Your Local FTP Server
# ----------------------------------------------------------------

/sbin/ipchains -A input -i $EXTERNAL_INTERFACE -p tcp \
    -s $ANYWHERE $UNPRIVPORTS \
    -d $IPADDR 21 -j ACCEPT -l

/sbin/ipchains -A output -i $EXTERNAL_INTERFACE -p tcp \
    -s $IPADDR 21 \
    -d $ANYWHERE $UNPRIVPORTS -j ACCEPT

# Normal Port Mode FTP Data Channel Responses

/sbin/ipchains -A output -i $EXTERNAL_INTERFACE -p tcp \
    -s $IPADDR 20 \
    -d $ANYWHERE $UNPRIVPORTS -j ACCEPT -l

/sbin/ipchains -A input -i $EXTERNAL_INTERFACE -p tcp \
    -s $ANYWHERE $UNPRIVPORTS \
    -d $IPADDR 20 -j ACCEPT

# Enable IP forwarding
echo 1 > /proc/sys/net/ipv4/ip_forward

# This will clear all previous port forward rules
/usr/sbin/ipmasqadm portfw -f

# This will redirect ftp service
# (-L = firewall's public address and port, -R = internal server's address and port)
/usr/sbin/ipmasqadm portfw -a -P tcp -L x.x.x.x 21 -R x.x.x.x 21
/usr/sbin/ipmasqadm portfw -a -P tcp -L x.x.x.x 20 -R x.x.x.x 20

> I have a customer running an ipchains based firewall. Using ipmasqadm
> portfw we're doing static NAT to a webserver behind the firewall with
> private address space. I've been searching around the net for some
> time trying to figure out how to open up FTP to a translated host
> behind the firewall. And before you ask, yes the ip_masq_ftp.o module
> is loaded on the firewall, but this seems to only work for masqueraded
> hosts behind the fw making ftp connections out to the internet.
> Reversing the process (without masq) doesn't seem to work. The ftp
> server behind the firewall does *NOT* support passive mode file
> transfer.
>
> Is ipmasqadm portfw the wrong way to go with this? Is ipmasqadm autofw
> the way to go? I could use references to good documentation on the use
> of both portfw and autofw regardless of a solution to this problem.
>
> Anyone have a pointer or reference? Or just example command syntax
> that would allow this? Is it possible at all?
>
> Thanks in advance for your help.
>
> Keith T. Morgan
> Chief of Information Security
> Terradon Communications
> keith.morganat_private
> 304-755-8291 x142
>
> _______________________________________________
> firewall-wizards mailing list
> firewall-wizardsat_private
> http://www.nfr.com/mailman/listinfo/firewall-wizards
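An added example, not code from the original thread: a small Python model of the four ipchains ACCEPT rules in the reply, used to check which FTP packet flows they admit. It matches on chain and port pair only (interface and address checks are left out), and the client ports, the PORT command and the passive data port are constructed values.

```python
# Added example, not from the original post: a model of the four ipchains
# ACCEPT rules in the reply, matching on chain and port pair only (interface
# and address checks are left out). All ports and addresses are constructed.

UNPRIV = range(1024, 65536)   # what $UNPRIVPORTS expands to in the rules

# (chain, source ports, destination ports), seen from the firewall ($IPADDR).
RULES = [
    ("input",  UNPRIV, {21}),    # client -> our 21: control channel
    ("output", {21},   UNPRIV),  # our 21 -> client: control replies
    ("output", {20},   UNPRIV),  # our 20 -> client: active-mode data channel
    ("input",  UNPRIV, {20}),    # client -> our 20: data-channel replies
]

def accepted(chain, sport, dport):
    """True if any ACCEPT rule in `chain` matches this source/destination port pair."""
    return any(chain == c and sport in s and dport in d for c, s, d in RULES)

def parse_port_cmd(line):
    """Decode 'PORT h1,h2,h3,h4,p1,p2' into the (ip, port) the client is listening on."""
    parts = line.split(None, 1)
    fields = parts[1].split(",") if len(parts) == 2 else []
    if len(fields) != 6:
        raise ValueError("malformed PORT command")
    vals = [int(x) for x in fields]
    if any(not 0 <= v <= 255 for v in vals):
        raise ValueError("PORT value out of range")
    return ".".join(map(str, vals[:4])), vals[4] * 256 + vals[5]

def active_transfer(client_ctrl_port, port_cmd):
    """Packets of one active-mode (PORT) transfer, each with its rule verdict."""
    _, client_data_port = parse_port_cmd(port_cmd)
    return [
        ("client opens control channel", accepted("input", client_ctrl_port, 21)),
        ("server replies on control channel", accepted("output", 21, client_ctrl_port)),
        ("server connects out from port 20", accepted("output", 20, client_data_port)),
        ("client replies on data channel", accepted("input", client_data_port, 20)),
    ]

def passive_transfer(client_ctrl_port, client_data_port, server_data_port):
    """Same check for a PASV transfer: the client must reach the server's high port."""
    return [
        ("client opens control channel", accepted("input", client_ctrl_port, 21)),
        ("server sends 227 with its data port", accepted("output", 21, client_ctrl_port)),
        ("client connects to passive data port",
         accepted("input", client_data_port, server_data_port)),
    ]
```

The passive check fails on its last step because no rule accepts traffic to the server's high port, which is why this rule set only suits a server that, like the one in the question, runs active mode.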
This archive was generated by hypermail 2b30 : Tue Jun 19 2001 - 18:50:35 PDT