Very Computer

I have a question (or two) about the issue relating to ftp traffic through a
Linux ipchains firewall.

I've noticed that Windoze clients have problems with ftping through an
ipchains firewall
with the return traffic from a target ftp server.  i.e  Windoze connects to
an ftp server just fine,
but the return traffic doesn't get back to the client.  I've researched this
problem on the net,
and have seen reference to ip_masq_ftp.

I've also noticed that at least Linux clients (maybe others) don't suffer
this problem.

My first question is about why the Windoze clients have this trouble - why
is that?  What does
the Windoze ftp client do differently than a Linux ftp client?

Secondly, after searching for ip_masq_ftp, I've come up with nothing.  It's
not on my system anywhere.
I do however see a module called ip_nat_ftp, but when I try to load it in my
firewall script with
"modprobe ip_nat_ftp" I get the following errors:

/lib/modules/2.4.7-10/kernel/net/ipv4/netfilter/ip_conntrack.o: init_module:
Device or resource busy

Hint: insmod errors can be caused by incorrect module parameters, including
invalid IO or IRQ parameters

/lib/modules/2.4.7-10/kernel/net/ipv4/netfilter/ip_conntrack.o: insmod
/lib/modules/2.4.7-10/kernel/net/ipv4/netfilter/ip_conntrack.o failed

/lib/modules/2.4.7-10/kernel/net/ipv4/netfilter/ip_conntrack.o: insmod
ip_nat_ftp failed

What is wrong with the "modprobe ip_nat_ftp" command?

ip_masq_ftp seems to be an ipchains module - and not for iptables.  Is this
correct?  If so, must I now
employ iptables (and different modules) to fix the Windoze ftp problem?

Thanks for any help!

Regards - and Happy Holidays!

-Craig

Hi!,

I suspect it is a case of the ftp client not entering into a "passive" mode.
Check to see whether the "passive" mode is supported on your Windows ftp
client.

Quote:

> Secondly, after searching for ip_masq_ftp, I've come up with nothing.  It's
> not on my system anywhere. I do however see a module called ip_nat_ftp, but
> when I try to load it in my firewall script with
> "modprobe ip_nat_ftp" I get the following errors:

> /lib/modules/2.4.7-10/kernel/net/ipv4/netfilter/ip_conntrack.o:
> init_module: Device or resource busy

> Hint: insmod errors can be caused by incorrect module parameters, including
> invalid IO or IRQ parameters

> /lib/modules/2.4.7-10/kernel/net/ipv4/netfilter/ip_conntrack.o: insmod
> /lib/modules/2.4.7-10/kernel/net/ipv4/netfilter/ip_conntrack.o failed
> /lib/modules/2.4.7-10/kernel/net/ipv4/netfilter/ip_conntrack.o: insmod
> ip_nat_ftp failed

> What is wrong with the "modprobe ip_nat_ftp" command?

Okay, you will need to remove the ipchains module which is probably loaded on
your system in the first place.  Issue the command: /sbin/rmmod ipchains, and
then try the other commands and see whether you get any more success.

Quote:> ip_masq_ftp seems to be an ipchains module - and not for iptables.  Is this
> correct?  If so, must I now employ iptables (and different modules) to fix
> the Windoze ftp problem?

Use the modules you mentioned above, but specifically:

/sbin/insmod iptable_nat
/sbin/insmod ip_nat_ftp
/sbin/insmod ip_conntrack
/sbin/insmod ip_conntrack_ftp

See ya

Dean Thompson

--
+____________________________+____________________________________________+

| Bach. Computing (Hons)     | ICQ     - 45191180                         |
| PhD Student                | Office  - <Off-Campus>                     |
| School Comp.Sci & Soft.Eng | Phone   - +61 3 9903 2787 (Gen. Office)    |
| MONASH (Caulfield Campus)  | Fax     - +61 3 9903 1077                  |
| Melbourne, Australia       |                                            |
+----------------------------+--------------------------------------------+

Most likely it is not the Linux/Windows differene, but the diference between
active and pasive FTP.

Greetings
Bernd