problem with ftp behind a linux firewall

Post by Sandro Polent » Fri, 25 Feb 2000 04:00:00



Hello,

I am having some trouble with configuring my Linux firewall (Redhat
6.0). I am using the following chains for ftp:
=================================================================================
-A input -i eth1 -p TCP -s <my IP nr> 1024: -d 0.0.0.0/0 ftp -j ACCEPT
-A input -i eth1 -p TCP -s 0.0.0.0/0 ftp -d <my IP nr> 1024: -j ACCEPT
-A input -i eth0 -p TCP -s 172.16.0.0/16 1024: -d 0.0.0.0/0 ftp -j ACCEPT
-A input -i eth0 -p TCP -s 0.0.0.0/0 ftp -d 172.16.0.0/16 1024: -j ACCEPT

-A input -i eth1 -p TCP -s <my IP nr> 1024: -d 0.0.0.0/0 ftp-data -j ACCEPT
-A input -i eth1 -p TCP -s 0.0.0.0/0 ftp-data -d <my IP nr> 1024: -j ACCEPT
-A input -i eth0 -p TCP -s 172.16.0.0/16 1024: -d 0.0.0.0/0 ftp-data -j ACCEPT
-A input -i eth0 -p TCP -s 0.0.0.0/0 ftp-data -d 172.16.0.0/16 1024: -j ACCEPT

-A input -i eth0 -p TCP -s 172.16.0.0/16 1024: -d 0.0.0.0/0 auth -j ACCEPT
-A input -i eth0 -p TCP -s 0.0.0.0/0 auth -d 172.16.0.0/16 1024: -j ACCEPT
(this is a must for ftp-ing from NT to my Linux firewall)
=================================================================================

ftp from my Linux firewall to for example: ftp.xs4all.nl goes well
ftp from my NT to my Linux firewall goes well
but ftp from my NT to "ftp.xs4all.nl" fails with the following error:

==========================================================
E:\>ftp ftp.xs4all.nl
Connected to reflectix.xs4all.nl.
220 ProFTPD 1.2.0pre8 Server (XS4ALL FTP Server) [refle
User (reflectix.xs4all.nl:(none)): anonymous
331 Anonymous login ok, send your complete e-mail addre
Password:
230-
 Welkom op de FTP server van XS4ALL
 ----------------------------------

230 Anonymous access granted, restrictions apply.
ftp> ls
500 Illegal PORT command.
425 Can't build data connection: Connection refused        
==========================================================

If I use my "sniffer" I see that my NT machine is making the following
actions:

> Req. from Port 61078, 'PORT 172,16,19,11,4,105' (from NT to xs4all)
> Resp. to Port 61078, '500 Illegal PORT command'
> Req. from Port 61078, 'NLST'
> Resp. to Port 61078, '425 Can't build data connection: Conn.......

Thanks for reading my problem.

Does anybody have an idea to solve this problem?

Sandro

 
 
 

problem with ftp behind a linux firewall

Post by Bill Swishe » Fri, 25 Feb 2000 04:00:00



> Does anybody have an idea to solve this problem?

Try this....in the file /etc/rc.d/rc.local insert the following lines:

# Fix passive ftp problem....and maybe realaudio
/sbin/modprobe ip_masq_ftp.o
/sbin/modprobe ip_masq_raudio.o

Actually you only need the one for ftp...but ya never know....

--
No group of professionals meets except to conspire against the public at large.
                -- Mark Twain
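
What the sniffer trace in the first post shows, and what an FTP masquerading helper changes, as an added example (not from the thread, and not the ip_masq_ftp module's code). It decodes the sniffed PORT argument, applies a peer-address check that is assumed here as the server's reason for the 500 reply, and rewrites the command the way a NAT helper does. The external address 203.0.113.10 and port 61000 are constructed values.

```python
import ipaddress

def parse_port_arg(arg):
    """Decode 'h1,h2,h3,h4,p1,p2' into (IPv4Address, port)."""
    nums = [int(field) for field in arg.strip().split(",")]
    if len(nums) != 6 or any(n < 0 or n > 255 for n in nums):
        raise ValueError("PORT needs six fields in the range 0-255")
    ip = ipaddress.IPv4Address(".".join(str(n) for n in nums[:4]))
    return ip, nums[4] * 256 + nums[5]

def format_port_arg(ip, port):
    """Encode an address and port back into the PORT argument form."""
    return ",".join(str(ip).split(".") + [str(port >> 8), str(port & 0xFF)])

def server_accepts(port_arg, peer_ip):
    """Assumed server policy: the PORT address must be the control peer."""
    ip, port = parse_port_arg(port_arg)
    return ip == ipaddress.IPv4Address(peer_ip) and port >= 1024

class FtpNatHelper:
    """Simulates PORT rewriting on a masquerading firewall."""

    def __init__(self, external_ip, first_port):
        self.external_ip = ipaddress.IPv4Address(external_ip)
        self.next_port = first_port
        self.expected = {}  # external port -> (internal ip, internal port)

    def rewrite(self, line):
        verb, _, arg = line.strip().partition(" ")
        if verb.upper() != "PORT":
            return line.strip()  # other commands pass through unchanged
        ip, port = parse_port_arg(arg)
        ext_port, self.next_port = self.next_port, self.next_port + 1
        # Remember where the server's incoming data connection must go.
        self.expected[ext_port] = (ip, port)
        return "PORT " + format_port_arg(self.external_ip, ext_port)

SNIFFED = "PORT 172,16,19,11,4,105"   # from the trace in the first post
EXTERNAL_IP = "203.0.113.10"          # constructed: firewall's public address

def demo():
    helper = FtpNatHelper(EXTERNAL_IP, first_port=61000)  # constructed port
    before = server_accepts(SNIFFED.split(" ", 1)[1], EXTERNAL_IP)
    rewritten = helper.rewrite(SNIFFED)
    after = server_accepts(rewritten.split(" ", 1)[1], EXTERNAL_IP)
    return before, rewritten, after, helper.expected

if __name__ == "__main__":
    print(demo())
```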

 
 
 

problem with ftp behind a linux firewall

Post by s.pole.. » Sat, 26 Feb 2000 04:00:00


Thank you Bill.
It fixed the problem :0)
Sandro




>> Does anybody have an idea to solve this problem?

>Try this....in the file /etc/rc.d/rc.local insert the following lines:

># Fix passive ftp problem....and maybe realaudio
>/sbin/modprobe ip_masq_ftp.o
>/sbin/modprobe ip_masq_raudio.o

>Actually you only need the one for ftp...but ya never know....

 
 
 

problem with ftp behind a linux firewall

Post by Sandr » Sat, 26 Feb 2000 04:00:00



>> Does anybody have an idea to solve this problem?

>Try this....in the file /etc/rc.d/rc.local insert the following lines:

># Fix passive ftp problem....and maybe realaudio
>/sbin/modprobe ip_masq_ftp.o
>/sbin/modprobe ip_masq_raudio.o

>Actually you only need the one for ftp...but ya never know....

On Thu, 24 Feb 2000 22:22:27 +0100, Sandro Polenta

The above did fix half of my problem. From a dos-box it is
functioning well. But when I use Netscape it does not function. Why is
this?

Does it have to do with active ftp?

Sandro

 
 
 

1. FTP server behind linux firewall communicating w/ FTP behind linux firewall

I have a Windows-based FTP server (G6) behind a linux firewall box
running ipchains and ipmasqadm portfw rules to enable communication
with the outside world. I can connect to this server from the
outside, but PASV doesn't work. I have rules that allow ports above
1023 for the PASV traffic and I also had put the FTP server on a
higher port other than 21. I portfw'd the same port through to the
internal Windows machine running the ftp server as well as forwarding
the ftp-data. I have the ip_masq_ftp module loaded. I'm not sure why
PASV doesn't work.

Also, the other thing I'm trying to get working is communicating with
this same FTP server from a client within another linux-firewalled
(also using ipchains and portfw rules) LAN. I can connect, but can't
get any data transfers going, including directory listings, using
either PASV or regular FTP. I'm not sure if I should be forwarding
ftp-data to the internal machine running the ftp client.

What I ultimately want to do is be able to connect from a client
within one linux firewalled LAN to an ftp server inside another linux
firewalled LAN on a non-standard port and using PASV if possible. Any
help would be appreciated.
