ftp

ftp

[Peter Marshall]

[-- Attachment #1: Type: text/plain, Size: 470 bytes --]

Sorry to post the same question again .... I am at a loss as to what to put for rules for my ftp server (which is behind the firewall).
I know they go on the forward chain ....
There are going to be people connecting to it with a username / password and also anonymously from outside ...

My main question I guess is should I set it up for passive or active transfers ....
Or, does the RELATED option take care of those problems >

Thank you for the help

Peter

[-- Attachment #2: Type: text/html, Size: 1194 bytes --]

RE: ftp

[Rob Sterenborg]

> Sorry to post the same question again .... I am at a loss as 
> to what to put for rules for my ftp server (which is behind 
> the firewall).
> I know they go on the forward chain ....
> There are going to be people connecting to it with a username 
> / password and also anonymously from outside ...
>  
> My main question I guess is should I set it up for passive or 
> active transfers ....
> Or, does the RELATED option take care of those problems >

Use ip_conntrack_ftp and ip_nat_ftp.
Something like (with information from your previous post) :

modprobe ip_conntrack_ftp
modprobe ip_nat_ftp

$IPT -P FORWARD DROP
$IPT -A FORWARD -m state --state RELATED,ESTABLISHED -j ACCEPT
$IPT -A FORWARD -i eth0 -o eth1 -d <ip_ftpsvr> -p tcp \
  --dport 21 --j ACCEPT
$IPT -t nat -A PREROUTING -i eth0 -p tcp --dport 21 \
  -j DNAT <ip_ftpsvr>


Gr,
Rob

Re: ftp

[Peter Marshall]

I actually don't need the dnat as I have internet routable ip's in my dmz
.... Thank you for the info.  My question now is, will your rule take care
of both passive and active ftp ?  I would prefer to just use active .. but I
know many clients would have their own issues .. grr .. stupid ftp ....

Peter.

----- Original Message ----- 
From: "Rob Sterenborg" <rob@sterenborg.info>
To: <netfilter@lists.netfilter.org>
Sent: Thursday, May 27, 2004 1:43 PM
Subject: RE: ftp


> Sorry to post the same question again .... I am at a loss as
> to what to put for rules for my ftp server (which is behind
> the firewall).
> I know they go on the forward chain ....
> There are going to be people connecting to it with a username
> / password and also anonymously from outside ...
>
> My main question I guess is should I set it up for passive or
> active transfers ....
> Or, does the RELATED option take care of those problems >

Use ip_conntrack_ftp and ip_nat_ftp.
Something like (with information from your previous post) :

modprobe ip_conntrack_ftp
modprobe ip_nat_ftp

$IPT -P FORWARD DROP
$IPT -A FORWARD -m state --state RELATED,ESTABLISHED -j ACCEPT
$IPT -A FORWARD -i eth0 -o eth1 -d <ip_ftpsvr> -p tcp \
  --dport 21 --j ACCEPT
$IPT -t nat -A PREROUTING -i eth0 -p tcp --dport 21 \
  -j DNAT <ip_ftpsvr>


Gr,
Rob

Re: ftp

[Antony Stone]

On Thursday 27 May 2004 6:59 pm, Peter Marshall wrote:

> I actually don't need the dnat as I have internet routable ip's in my dmz
> .... Thank you for the info.  My question now is, will your rule take care
> of both passive and active ftp ?  I would prefer to just use active .. but
> I know many clients would have their own issues .. grr .. stupid ftp ....

ip_conntrack_ftp does handle both passive and active ftp.

Obviously if you're not doing DNAT then you don't need the ip_nat_ftp module 
either.

Regards,

Antony.

-- 
Software development can be quick, high quality, or low cost.

The customer gets to pick any two out of three.

                                                     Please reply to the list;
                                                           please don't CC me.

Re: ftp

[Peter Marshall]

hmm .. i suppose that is right as well ....

Any thoughts on my last question ?

Thanks again,
Peter

----- Original Message ----- 
From: "Antony Stone" <Antony@Soft-Solutions.co.uk>
To: <netfilter@lists.netfilter.org>
Sent: Thursday, May 27, 2004 3:06 PM
Subject: Re: ftp


On Thursday 27 May 2004 6:59 pm, Peter Marshall wrote:

> I actually don't need the dnat as I have internet routable ip's in my dmz
> .... Thank you for the info.  My question now is, will your rule take care
> of both passive and active ftp ?  I would prefer to just use active .. but
> I know many clients would have their own issues .. grr .. stupid ftp ....

ip_conntrack_ftp does handle both passive and active ftp.

Obviously if you're not doing DNAT then you don't need the ip_nat_ftp module
either.

Regards,

Antony.

-- 
Software development can be quick, high quality, or low cost.

The customer gets to pick any two out of three.

                                                     Please reply to the
list;
                                                           please don't CC
me.

Re: ftp

[Antony Stone]

On Thursday 27 May 2004 7:46 pm, Peter Marshall wrote:

> hmm .. i suppose that is right as well ....
>
> Any thoughts on my last question ?

Sorry, what is your last question?   I can't see anything in your previous 
postings which remains unanswered....

Regards,

Antony.

-- 
Bill Gates has personally assured the Spanish Academy that he will never allow 
the upside-down question mark to disappear from Microsoft word-processing 
programs, which must be reassuring for millions of Spanish-speaking people, 
though just a piddling afterthought as far as he's concerned.

 - Lynne Truss, "Eats, Shoots and Leaves"

                                                     Please reply to the list;
                                                           please don't CC me.

RE: ftp

[Rob Sterenborg]

> > > .... Thank you for the info.  My question now is, will your rule
> > > take care of both passive and active ftp ?  I would prefer to just
> > > use active .. But

> > ip_conntrack_ftp does handle both passive and active ftp.

> Any thoughts on my last question ?

As far as I see, Antony answered your last question : both passive and
active ftp are handled.
Or am I missing something ?


Gr,
Rob

Re: ftp

[Peter Marshall]

I guess my question was is it advisable to only allow active ftp .... ?  Or
is that just not a reasonable idea ?  Or does the Related option make
passive "safe" (ie, don't have to open a load of ports).

I already had to open just about everything outgoing from my proxy server
anyway, so I guess it is not a big deal ... *unless you have a better
suggestion for that as well.

Thank you for all of your help.

Peter


----- Original Message ----- 
From: "Rob Sterenborg" <rob@sterenborg.info>
To: <netfilter@lists.netfilter.org>
Sent: Thursday, May 27, 2004 4:34 PM
Subject: RE: ftp


> > > .... Thank you for the info.  My question now is, will your rule
> > > take care of both passive and active ftp ?  I would prefer to just
> > > use active .. But

> > ip_conntrack_ftp does handle both passive and active ftp.

> Any thoughts on my last question ?

As far as I see, Antony answered your last question : both passive and
active ftp are handled.
Or am I missing something ?


Gr,
Rob

Re: ftp

[Rob Sterenborg]

> I guess my question was is it advisable to only allow active ftp ....
?  Or
> is that just not a reasonable idea ?  Or does the Related option make
> passive "safe" (ie, don't have to open a load of ports).

Netfilter is stateful, it will open the ports as needed.


Gr,
Rob

Re: ftp

[Antony Stone]

On Friday 28 May 2004 12:50 pm, Peter Marshall wrote:

> I guess my question was is it advisable to only allow active ftp .... ?  Or
> is that just not a reasonable idea ?  Or does the Related option make
> passive "safe" (ie, don't have to open a load of ports).

I'd say passive is just as secure as active, and vice versa.

> I already had to open just about everything outgoing from my proxy server
> anyway, so I guess it is not a big deal ... *unless you have a better
> suggestion for that as well.

There's a big difference between opening up *outbound* ports from a proxy 
server (where you can use the proxy server to decide what's safe and what 
isn't), and allowing lots of traffic *through* your firewall.

Whether the proxy is running on the same machine as netfilter or not, you're 
either placing rules in the OUTPUT chain (if it is), or you're specifying the 
source IP with -s (if it isn't).   Either way, you're not allowing any 
greater access to any system other than the proxy, and of course you trust 
that, or you wouldn't be using it :)

Regards,

Antony.

-- 
If you want to be happy for an hour, get drunk.
If you want to be happy for a year, get married.
If you want to be happy for a lifetime, get a garden.

                                                     Please reply to the list;
                                                           please don't CC me.

Re: ftp

[azeem ahmad]

>From: Antony Stone <Antony@Soft-Solutions.co.uk>
>Reply-To: netfilter@lists.netfilter.org
>To: netfilter@lists.netfilter.org
>Subject: Re: ftp
>Date: Thu, 20 May 2004 21:31:06 +0100
>
>On Thursday 20 May 2004 9:10 pm, azeem ahmad wrote:
>
> > no single server of ftp is accessible. wheather any server is near to me 
>or
> > far away if it is ftp then it isnt accessible from my network.
>
>Okay - now that I clearly understand the problem, please post the output 
>of:
>
>iptables -L -nvx; iptables -L -t nat -nvx
>
> > and may i have ur collection of quotes
>
>Sure - they are all available from
>http://lists.netfilter.org/pipermail/netfilter or
>http://lists.netfilter.org/pipermail/netfilter.mbox/netfilter.mbox (which 
>is
>quite a large file, but they're all in there somewhere).
>
>Regards,
>
>Antony.
>
>--
>In Heaven, the police are British, the chefs are Italian, the beer is 
>Belgian,
>the mechanics are German, the lovers are French, the entertainment is
>American, and everything is organised by the Swiss.
>
>In Hell, the police are German, the chefs are British, the beer is 
>American,
>the mechanics are French, the lovers are Swiss, the entertainment is 
>Belgian,
>and everything is organised by the Italians.
>

it is a very simple firewall with only one rule as
iptables -t nat -A POSTROUTING -o ppp0 -j MASQUERADE
any ways the outout of the two commands is as follow

iptables -L -nvx
--------------------------------------------------------------------------------------------------------------------------------------
Chain INPUT (policy ACCEPT 64966 packets, 22320338 bytes)
    pkts      bytes target     prot opt in     out     source               
destination

Chain FORWARD (policy ACCEPT 48691 packets, 11603504 bytes)
    pkts      bytes target     prot opt in     out     source               
destination

Chain OUTPUT (policy ACCEPT 154653 packets, 66215691 bytes)
    pkts      bytes target     prot opt in     out     source
-----------------------------------------------------------------------------------------------------------------------------------------

iptables -L -t nat -nvx
-----------------------------------------------------------------------------------------------------------------------------------------
Chain PREROUTING (policy ACCEPT 9221 packets, 586315 bytes)
    pkts      bytes target     prot opt in     out     source               
destination

Chain POSTROUTING (policy ACCEPT 2693 packets, 178591 bytes)
    pkts      bytes target     prot opt in     out     source               
destination
       0        0 MASQUERADE  all  --  *      ppp0    0.0.0.0/0            
0.0.0.0/0

Chain OUTPUT (policy ACCEPT 6008 packets, 382374 bytes)
    pkts      bytes target     prot opt in     out     source               
destination
-----------------------------------------------------------------------------------------------------------------------------------------

i m showing you the different firewall rules in different questions beacuse 
i m a student and i m working on firewall these days. but wheni try to 
access ftp then only this single rule works nothing else has been added.

Regards
Azeem

_________________________________________________________________
Add photos to your messages with MSN 8. Get 2 months FREE*. 
http://join.msn.com/?page=features/featuredemail

Re: ftp

[Antony Stone]

On Friday 21 May 2004 3:49 am, azeem ahmad wrote:

> it is a very simple firewall with only one rule as
> iptables -t nat -A POSTROUTING -o ppp0 -j MASQUERADE
> any ways the outout of the two commands is as follow
>
> iptables -L -nvx
> Chain INPUT
> (policy ACCEPT 64966 packets, 22320338 bytes)
>     pkts      bytes target     prot opt in     out     source
> destination
>
> Chain FORWARD (policy ACCEPT 48691 packets, 11603504 bytes)
>     pkts      bytes target     prot opt in     out     source
> destination
>
> Chain OUTPUT (policy ACCEPT 154653 packets, 66215691 bytes)
>     pkts      bytes target     prot opt in     out     source
>
> iptables -L -t nat -nvx
> Chain
> PREROUTING (policy ACCEPT 9221 packets, 586315 bytes)
>     pkts      bytes target     prot opt in     out     source
> destination
>
> Chain POSTROUTING (policy ACCEPT 2693 packets, 178591 bytes)
>     pkts      bytes target     prot opt in     out     source
> destination
>        0        0 MASQUERADE  all  --  *      ppp0    0.0.0.0/0
> 0.0.0.0/0
>
> Chain OUTPUT (policy ACCEPT 6008 packets, 382374 bytes)
>     pkts      bytes target     prot opt in     out     source
> destination
>
> i m showing you the different firewall rules in different questions beacuse
> i m a student and i m working on firewall these days. but wheni try to
> access ftp then only this single rule works nothing else has been added.

Have you loaded, or compiled in, the ftp nat and ftp connection tracking 
modules?

You probably don't need the conntrack module since with the above ruleset 
you're not doing connection tracking, hiowever if you're natting ftp then you 
need the ftp nat helper loaded (or compiled into your kernel).

Regards,

Antony.

-- 
Behind the counter a boy with a shaven head stared vacantly into space,
a dozen spikes of microsoft protruding from the socket behind his ear.

 - William Gibson, Neuromancer (1984)

                                                     Please reply to the list;
                                                           please don't CC me.

Re: ftp

[azeem ahmad]

>From: Antony Stone <Antony@Soft-Solutions.co.uk>
>Reply-To: netfilter@lists.netfilter.org
>To: netfilter@lists.netfilter.org
>Subject: Re: ftp
>Date: Thu, 20 May 2004 16:43:33 +0100
>
>On Thursday 20 May 2004 4:18 pm, azeem ahmad wrote:
>
> > From: Antony Stone <Antony@Soft-Solutions.co.uk>
> >
> > > Do you get the same error message from the server if you access it 
>from
> > > some machine which does not go through the firewall (and is not the
> > > firewall itself)?   Even if you have to temporarily set up a client to
> > > test this, I think it would be useful, because it would be good to 
>know if
> > > the server generates this error independently of anything the firewall 
>is
> > > doing to the packets.
>
> > the server is accesible from other machines. for an example i goto squid
> > mirror sites
> > http://www.squid-cache.org/Mirrors/ftp-mirrors.html
> > but even no server here can be accessed. here is a long list of ftp 
>mirror
> > servers. and also i set the rule up as u said. but still no luck
>
>I am confused :(
>
>Are we talking about one ftp server which you are getting the previously-
>quoted error message from (and about which I have asked whether the same
>error message gets generated when you access that particular server without
>going through your firewall rules), or are you saying that you cannot 
>access
>any ftp server through the rules on your firewall?
>
> > and i wanna ask something that is not relevant to list is that u quote 
>very
> > good quotations.
>
>Thank you :)
>
> > can u tell me from where i can get quotes like this
>
>Steal them from my postings :) ?
>
> > and also quotes that are relevant to computer science. infact i m a 
>student
> > and some time i need such material.
>
>Google?
>
>The quotes on my emails have been built up over some time, from a mixture 
>of
>articles I've read online, books and magazines I've read in print, a couple
>I've thought up myself, and a couple I've stolen from other people's 
>emails.
>
>I wrote a simple bash script which pseudo-randomly selects which one to add 
>to
>each email I send, which is why you see different ones at different times.
>
>Regards,
>
>Antony.
>
>--
>If builders made buildings the way programmers write programs, then the 
>first
>woodpecker to come along would destroy civilisation.
>

no single server of ftp is accessible. wheather any server is near to me or 
far away if it is ftp then it isnt accessible from my network.
and may i have ur collection of quotes

Regards
Azeem

_________________________________________________________________
STOP MORE SPAM with the new MSN 8 and get 2 months FREE* 
http://join.msn.com/?page=features/junkmail

Re: ftp

[Antony Stone]

On Thursday 20 May 2004 9:10 pm, azeem ahmad wrote:

> no single server of ftp is accessible. wheather any server is near to me or
> far away if it is ftp then it isnt accessible from my network.

Okay - now that I clearly understand the problem, please post the output of:

iptables -L -nvx; iptables -L -t nat -nvx

> and may i have ur collection of quotes

Sure - they are all available from 
http://lists.netfilter.org/pipermail/netfilter or 
http://lists.netfilter.org/pipermail/netfilter.mbox/netfilter.mbox (which is 
quite a large file, but they're all in there somewhere).

Regards,

Antony.

-- 
In Heaven, the police are British, the chefs are Italian, the beer is Belgian, 
the mechanics are German, the lovers are French, the entertainment is 
American, and everything is organised by the Swiss.

In Hell, the police are German, the chefs are British, the beer is American, 
the mechanics are French, the lovers are Swiss, the entertainment is Belgian, 
and everything is organised by the Italians.

                                                     Please reply to the list;
                                                           please don't CC me.

Re: ftp

[azeem ahmad]

>From: Antony Stone <Antony@Soft-Solutions.co.uk>
>Reply-To: netfilter@lists.netfilter.org
>To: netfilter@lists.netfilter.org
>Subject: Re: ftp
>Date: Thu, 20 May 2004 10:19:31 +0100
>
>On Thursday 20 May 2004 5:41 am, azeem ahmad wrote:
>
> > From: Antony Stone <Antony@Soft-Solutions.co.uk>
> >
> > >On Wednesday 19 May 2004 10:05 pm, azeem ahmad wrote:
> > > > hi all
> > > > i m unable to browse ftp. it says
> > > > an error occured opening that folder on the ftp server. make sure 
>you
> > > > have permissions to access that folder
> > > > details
> > > > 200 type set to A
> > > > 500 Illegal port command
> > > > 500 LPRT not understood
> > >
> > > Do you get the same error when accessing the server from a machine not 
>via
> > > the netfilter firewall (eg localhost, or some other client on the same
> > > subnet)?
> > >
> > only one box is accessing ftp that is firewall box itself. no other box
> > behind the firewall can access the ftp outside.
>
>Okay - let me rephrase the question.
>
>Do you get the same error message from the server if you access it from 
>some
>machine which does not go through the firewall (and is not the firewall
>itself)?   Even if you have to temporarily set up a client to test this, I
>think it would be useful, because it would be good to know if the server
>generates this error independently of anything the firewall is doing to the
>packets.
>
>Also, have you tried adjusting the MASQUERADE rule as I suggested, so it
>applies to the external interface only, as this may have a bearing on the
>problem?
>
>Regards,
>
>Antony.
>
>--
>Success is a lousy teacher.  It seduces smart people into thinking they 
>can't
>lose.
>
>  - William H Gates III
>

the server is accesible from other machines. for an example i goto squid 
mirror sites
http://www.squid-cache.org/Mirrors/ftp-mirrors.html
but even no server here can be accessed. here is a long list of ftp mirror 
servers. and also i set the rule up as u said. but still no luck

and i wanna ask something that is not relevant to list is that u quote very 
good quotations. can u tell me from where i can get quotes like this and 
also quotes that are relevant to computer science. infact i m a student and 
some time i need such material. sorry for this irrelevant question

Regards
Azeem

_________________________________________________________________
Protect your PC - get McAfee.com VirusScan Online 
http://clinic.mcafee.com/clinic/ibuy/campaign.asp?cid=3963

Re: ftp

[Antony Stone]

On Thursday 20 May 2004 4:18 pm, azeem ahmad wrote:

> From: Antony Stone <Antony@Soft-Solutions.co.uk>
>
> > Do you get the same error message from the server if you access it from
> > some machine which does not go through the firewall (and is not the
> > firewall itself)?   Even if you have to temporarily set up a client to
> > test this, I think it would be useful, because it would be good to know if
> > the server generates this error independently of anything the firewall is
> > doing to the packets.

> the server is accesible from other machines. for an example i goto squid
> mirror sites
> http://www.squid-cache.org/Mirrors/ftp-mirrors.html
> but even no server here can be accessed. here is a long list of ftp mirror
> servers. and also i set the rule up as u said. but still no luck

I am confused :(

Are we talking about one ftp server which you are getting the previously- 
quoted error message from (and about which I have asked whether the same 
error message gets generated when you access that particular server without 
going through your firewall rules), or are you saying that you cannot access 
any ftp server through the rules on your firewall?

> and i wanna ask something that is not relevant to list is that u quote very
> good quotations.

Thank you :)

> can u tell me from where i can get quotes like this

Steal them from my postings :) ?

> and also quotes that are relevant to computer science. infact i m a student
> and some time i need such material.

Google?

The quotes on my emails have been built up over some time, from a mixture of 
articles I've read online, books and magazines I've read in print, a couple 
I've thought up myself, and a couple I've stolen from other people's emails.

I wrote a simple bash script which pseudo-randomly selects which one to add to 
each email I send, which is why you see different ones at different times.

Regards,

Antony.

-- 
If builders made buildings the way programmers write programs, then the first 
woodpecker to come along would destroy civilisation.

                                                     Please reply to the list;
                                                           please don't CC me.

Re: ftp

[azeem ahmad]

>From: Antony Stone <Antony@Soft-Solutions.co.uk>
>Reply-To: netfilter@lists.netfilter.org
>To: netfilter@lists.netfilter.org
>Subject: Re: ftp
>Date: Wed, 19 May 2004 22:17:02 +0100
>
>On Wednesday 19 May 2004 10:05 pm, azeem ahmad wrote:
>
> > hi all
> > i m unable to browse ftp. it says
> > an error occured opening that folder on the ftp server. make sure you 
>have
> > permissions to access that folder
> > details
> > 200 type set to A
> > 500 Illegal port command
> > 500 LPRT not understood
>
>Do you get the same error when accessing the server from a machine not via 
>the
>netfilter firewall (eg localhost, or some other client on the same subnet)?
>
>Regards,
>
>Antony.
>
>--
>RTFM may be the appropriate reply, but please specify exactly which FM to 
>R.
>
>                                                      Please reply to the 
>list;
>                                                            please don't CC 
>me.
>
only one box is accessing ftp that is firewall box itself. no other box 
behind the firewall can access the ftp outside.

Regards
Azeem

_________________________________________________________________
Tired of spam? Get advanced junk mail protection with MSN 8. 
http://join.msn.com/?page=features/junkmail

Re: ftp

[Antony Stone]

On Thursday 20 May 2004 5:41 am, azeem ahmad wrote:

> From: Antony Stone <Antony@Soft-Solutions.co.uk>
>
> >On Wednesday 19 May 2004 10:05 pm, azeem ahmad wrote:
> > > hi all
> > > i m unable to browse ftp. it says
> > > an error occured opening that folder on the ftp server. make sure you
> > > have permissions to access that folder
> > > details
> > > 200 type set to A
> > > 500 Illegal port command
> > > 500 LPRT not understood
> >
> > Do you get the same error when accessing the server from a machine not via
> > the netfilter firewall (eg localhost, or some other client on the same
> > subnet)?
> >
> only one box is accessing ftp that is firewall box itself. no other box
> behind the firewall can access the ftp outside.

Okay - let me rephrase the question.

Do you get the same error message from the server if you access it from some 
machine which does not go through the firewall (and is not the firewall 
itself)?   Even if you have to temporarily set up a client to test this, I 
think it would be useful, because it would be good to know if the server 
generates this error independently of anything the firewall is doing to the 
packets.

Also, have you tried adjusting the MASQUERADE rule as I suggested, so it 
applies to the external interface only, as this may have a bearing on the 
problem?

Regards,

Antony.

-- 
Success is a lousy teacher.  It seduces smart people into thinking they can't 
lose.

 - William H Gates III

                                                     Please reply to the list;
                                                           please don't CC me.

ftp

[azeem ahmad]

hi all
i m unable to browse ftp. it says
---------------------------------------------------------------------------------------------------------------------------------------
an error occured opening that folder on the ftp server. make sure you have 
permissions to access that folder
details
200 type set to A
500 Illegal port command
500 LPRT not understood
--------------------------------------------------------------------------------------------------------------------------------------

while i m running with this only one iptables rule

iptables -t nat -A POSTROUTING -j MASQUERADE

there is no other rule in my firewall in any table any chain. every other 
things are being masqueraded well

Regards
Azeem

_________________________________________________________________
Add photos to your e-mail with MSN 8. Get 2 months FREE*. 
http://join.msn.com/?page=features/featuredemail

Re: ftp

[Antony Stone]

On Wednesday 19 May 2004 10:05 pm, azeem ahmad wrote:

> hi all
> i m unable to browse ftp. it says
> an error occured opening that folder on the ftp server. make sure you have
> permissions to access that folder
> details
> 200 type set to A
> 500 Illegal port command
> 500 LPRT not understood

Do you get the same error when accessing the server from a machine not via the 
netfilter firewall (eg localhost, or some other client on the same subnet)?

Regards,

Antony.

-- 
RTFM may be the appropriate reply, but please specify exactly which FM to R.

                                                     Please reply to the list;
                                                           please don't CC me.

Re: ftp

[Antony Stone]

On Wednesday 19 May 2004 10:05 pm, azeem ahmad wrote:

> iptables -t nat -A POSTROUTING -j MASQUERADE

Sorry - I forgot this bit in my last posting...

It would be a good idea to restrict the above rule to only your external 
interface:

iptables -A POSTROUTING -t nat -o $extIF -j MASQUERADE

Regards,

Antony.

-- 
Software development can be quick, high quality, or low cost.

The customer gets to pick any two out of three.

                                                     Please reply to the list;
                                                           please don't CC me.

Re: ftp

[Andrew E. Mileski]

azeem ahmad wrote:
> hi all
> i m unable to browse ftp. it says
> --------------------------------------------------------------------------------------------------------------------------------------- 
> 
> an error occured opening that folder on the ftp server. make sure you 
> have permissions to access that folder
> details
> 200 type set to A
> 500 Illegal port command
> 500 LPRT not understood
> -------------------------------------------------------------------------------------------------------------------------------------- 

By any chance are you browsing with IE?

If so, go into Tools->Internet Options->Advanced
and check the box to enable: "Use Passive FTP (for firewall
and DSL modem compatibility)", then click OK.

If not, ignore me ;)

-- 
Andrew E. Mileski

ftp

[Gary Metcalf]

I set my INPUT tables to DROP all tcp entries. Before that line I put in 
some ports to ACCEPT such as port 80 for http. This works as I had a 
friend run nmap to my ip and it came back with all blocked except for 
port 80. He could also get my Web page via a browser. I Have one problem 
still. When I try to ftp out to a site, and I don't have any entries in 
OUTPUT, I can get loged in but if I enter any command such as 'ls' or 
'?' I get the message back that 200 PORT command successfull but I never 
see the list of files or commands. It's like my commands go out but any 
messages returned are blocked. I can't even execute a 'bye' command and 
get out. What port do I need opened up to use ftp from my computer to 
another.
  I tried ports 20, 21, 25,69 and 115 but they did no good. I found 
these in the /etc/services file.
Gary

ftp

[Gary Metcalf]

I set my INPUT tables to DROP all tcp entries. Before that line I put in 
some ports to ACCEPT such as port 80 for http. This works as I had a 
friend run nmap to my ip and it came back with all blocked except for 
port 80. He could also get my Web page via a browser. I Have one problem 
still. When I try to ftp out to a site I can get loged in but if I enter 
any command such as 'ls' or '?' I get the message back that 200 PORT 
command successfull but I never see the list of files or commands. I 
can't even execute a 'bye' command and get out. What port do I need 
opened up to use ftp from my computer to another.
   I tried ports 20, 21, 69 and 115 but they did no good. I found these 
in the /etc/services file.
Gary

Re: ftp

[Cedric Blancher]

Le mar 29/07/2003 à 20:12, Gary Metcalf a écrit :
> I set my INPUT tables to DROP all tcp entries. Before that line I put in 
> some ports to ACCEPT such as port 80 for http. This works as I had a 
> friend run nmap to my ip and it came back with all blocked except for 
> port 80. He could also get my Web page via a browser. I Have one problem 
> still. When I try to ftp out to a site I can get loged in but if I enter 
> any command such as 'ls' or '?' I get the message back that 200 PORT 
> command successfull but I never see the list of files or commands. I 
> can't even execute a 'bye' command and get out. What port do I need 
> opened up to use ftp from my computer to another.
>    I tried ports 20, 21, 69 and 115 but they did no good. I found these 
> in the /etc/services file.

This a VFAQ...

	modprobe ip_conntrack_ftp.

Then use state matching aginst ESTABLISHED and RELATED packets to let
them get in.

	iptables -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT

(quick and dirty, but it works ;)).

-- 
http://www.netexit.com/~sid/
PGP KeyID: 157E98EE FingerPrint: FA62226DA9E72FA8AECAA240008B480E157E98EE

FTP

[Patrick Ahler]

Can't get my BulletProof FTP server to work through the firewall. I opened
ports 20,21 and 5100-5200 (configured for passive ftp), still doesn't work.
I can log onto the server but it won't display the directory unless I take
the firewall down. Any suggestions?

Re: FTP

[Alistair Tonner]

	Do you have ip_nat_ftp and ip_conntrack_ftp 
	loaded as modules or built into the kernel?

Alistair Tonner
	nerdnet.ca
	Senior Systems Analyst - RSS
	
     Any sufficiently advanced technology will have the appearance of magic.
	Lets get magical!

On March 7, 2003 11:35 am, Patrick Ahler wrote:
> Can't get my BulletProof FTP server to work through the firewall. I opened
> ports 20,21 and 5100-5200 (configured for passive ftp), still doesn't work.
> I can log onto the server but it won't display the directory unless I take
> the firewall down. Any suggestions?

-- 

	

RE: FTP

[Patrick Ahler]

I figured out what the problem was with my FTP server... it needed a port
range of 2095-2300 open for some reason. I figured this out by narrowing
down the ports that it would work on. What a pain! oh well

-----Original Message-----
From: Alistair Tonner [mailto:Alistair@nerdnet.ca]
Sent: Friday, March 07, 2003 1:28 PM
To: Patrick Ahler; netfilter EMAIL
Subject: Re: FTP



	Do you have ip_nat_ftp and ip_conntrack_ftp
	loaded as modules or built into the kernel?

Alistair Tonner
	nerdnet.ca
	Senior Systems Analyst - RSS

     Any sufficiently advanced technology will have the appearance of magic.
	Lets get magical!

On March 7, 2003 11:35 am, Patrick Ahler wrote:
> Can't get my BulletProof FTP server to work through the firewall. I opened
> ports 20,21 and 5100-5200 (configured for passive ftp), still doesn't
work.
> I can log onto the server but it won't display the directory unless I take
> the firewall down. Any suggestions?

--

RE: FTP

[Maciej Soltysiak]

> I figured out what the problem was with my FTP server... it needed a port
> range of 2095-2300 open for some reason.
Well, are you using the ip_conntrack_ftp module?
It should let you use the -m state --state RELATED, ESTABLISHED with ftp.

Unless you are doing NAT.

Regards,
Maciej

ftp

[Azie Jamilah]

Hi,

I just wanna know if I can download or upload a whole directory using 
ftp. I know I can do it using some of Windows software like WSFTP and 
CuteFTP, and so far I can only transfer files within the same directory 
only using put/mput or get/mget. Most of the time I would like to 
transfer the whole thing including subdirectories if available. Any 
help would be greatly appreciated. Thanks.

-- Aziah --
-
To unsubscribe from this list: send the line "unsubscribe linux-newbie" in
the body of a message to majordomo@vger.kernel.org
More majordomo info at  http://vger.kernel.org/majordomo-info.html
Please read the FAQ at http://www.linux-learn.org/faqs

Re: ftp

[Karthik Vishwanath]

try gftp, has a gui and options for sub-directory tranfers. Alternatively,
ncftp is another great non-gui ftp client. 

-K

On Mon, 27 May 2002, Azie Jamilah wrote:

> Hi,
> 
> I just wanna know if I can download or upload a whole directory using 
> ftp. I know I can do it using some of Windows software like WSFTP and 
> CuteFTP, and so far I can only transfer files within the same directory 
> only using put/mput or get/mget. Most of the time I would like to 
> transfer the whole thing including subdirectories if available. Any 
> help would be greatly appreciated. Thanks.
> 
> -- Aziah --
> -
> To unsubscribe from this list: send the line "unsubscribe linux-newbie" in
> the body of a message to majordomo@vger.kernel.org
> More majordomo info at  http://vger.kernel.org/majordomo-info.html
> Please read the FAQ at http://www.linux-learn.org/faqs
> 

-
To unsubscribe from this list: send the line "unsubscribe linux-newbie" in
the body of a message to majordomo@vger.kernel.org
More majordomo info at  http://vger.kernel.org/majordomo-info.html
Please read the FAQ at http://www.linux-learn.org/faqs

Re: ftp

[G Anna]

> Date: Mon, 27 May 2002 21:57:51 -0400
> From: Karthik Vishwanath <karthik@northstar.dartmouth.edu>
> Subj: Re: ftp
> 
> try gftp, has a gui and options for sub-directory
> tranfers. Alternatively, ncftp is another great non-gui ftp client.

wget

Cheers,
anna

-- 

(16) I  will  never  utter the sentence "But before I kill you, there's
     just one thing I want to know." - Peter Anspach in "The Top 100 
     Things I'd Do If I Ever Became An Evil Overlord"

                                            http://www.eviloverlord.com

-
To unsubscribe from this list: send the line "unsubscribe linux-newbie" in
the body of a message to majordomo@vger.kernel.org
More majordomo info at  http://vger.kernel.org/majordomo-info.html
Please read the FAQ at http://www.linux-learn.org/faqs