* ftp behind the firewall
@ 2005-02-14 17:08 Travis Crook
2005-02-14 17:14 ` Michael Gale
0 siblings, 1 reply; 5+ messages in thread
From: Travis Crook @ 2005-02-14 17:08 UTC (permalink / raw)
To: netfilter
Hi all,
I would like to ask a question just for clarification. I have a
firewall up and running just fine. My problem is that I cannot ftp
through the firewall on a linux machine. My windows machines don't seem
to have this problem. Am I missing something? Or is it a local linux
computer configuration issue. I'll gladly provide any necessary
information.
Thanks!
--
Travis Crook
Visions Beyond
www.VisionsBeyond.com
(208) 478-7836
* Re: ftp behind the firewall
2005-02-14 17:08 ftp behind the firewall Travis Crook
@ 2005-02-14 17:14 ` Michael Gale
0 siblings, 0 replies; 5+ messages in thread
From: Michael Gale @ 2005-02-14 17:14 UTC (permalink / raw)
To: Travis Crook, netfilter
Hello,
Well to start you should find out the difference between the
connections. For example the standard "ftp" command in Linux will use
ACTIVE mode by default, whereas in windows Internet Explorer (if that is
what you are using) may be using PASSIVE mode.
Or if you are using LFTP in Linux, it usually uses PASSIVE mode by
default, and the command line FTP client in Windows would most likely
use ACTIVE mode by default.
You need to narrow down the problem, try issuing the command "passive"
to the Linux "ftp" command and see if that solves the problem. If so,
then your active mode connections are not working.
Michael.
Travis Crook wrote:
> Hi all,
> I would like to ask a question just for clarification. I have a
> firewall up and running just fine. My problem is that I cannot ftp
> through the firewall on a linux machine. My windows machines don't seem
> to have this problem. Am I missing something? Or is it a local linux
> computer configuration issue. I'll gladly provide any necessary
> information.
>
> Thanks!
>
>
--
Michael Gale
Lan Administrator
Utilitran Corp.
Hey, let me file that under important .... > /dev/null
...
"Hey did you read my e-mail"
"Let me check"
^From:.* > /dev/null
"Nope, I missed it, send it again"
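The active/passive distinction Michael describes comes down to who opens the FTP data connection, which the control channel announces in a "h1,h2,h3,h4,p1,p2" endpoint. The script below is an added example (not code from the thread) that decodes that endpoint from a client's PORT command and from a server's "227 Entering Passive Mode" reply and reports which direction the data connection goes. The sample lines are constructed; 203.0.113.5 is a documentation address standing in for an external server.

```shell
#!/bin/sh
# Added example (not code from the thread): decode the "h1,h2,h3,h4,p1,p2"
# endpoint that FTP carries in a client's PORT command (active mode) and in
# the server's "227 Entering Passive Mode" reply (passive mode), and say which
# side opens the data connection. That direction is exactly what decides
# whether a stateful firewall needs the ip_conntrack_ftp/ip_nat_ftp helper.
# All sample lines below are constructed; 203.0.113.5 is a documentation address.

# "h1,h2,h3,h4,p1,p2" -> "h1.h2.h3.h4:port" with port = p1*256 + p2.
# Prints nothing and returns 1 on a malformed endpoint.
ftp_data_endpoint() {
    printf '%s\n' "$1" | {
        IFS=',' read -r h1 h2 h3 h4 p1 p2 extra
        if [ -z "$p2" ] || [ -n "$extra" ]; then
            echo "bad endpoint: $1" >&2
            exit 1
        fi
        case "$h1$h2$h3$h4$p1$p2" in
            *[!0-9]*) echo "non-numeric endpoint: $1" >&2; exit 1 ;;
        esac
        if [ "$p1" -gt 255 ] || [ "$p2" -gt 255 ]; then
            echo "port byte out of range: $1" >&2
            exit 1
        fi
        echo "$h1.$h2.$h3.$h4:$(( p1 * 256 + p2 ))"
    }
}

# Classify one control-channel line by who must open the data connection.
ftp_data_direction() {
    line=$1
    case "$line" in
        "PORT "*)
            # Active mode: the client names a port on itself and the server
            # connects back to it. Through NAT that inbound connection is only
            # allowed when the conntrack FTP helper has marked it RELATED.
            ep=$(ftp_data_endpoint "${line#PORT }") || return 1
            echo "active: server connects to client at $ep (needs RELATED via ftp helper)"
            ;;
        227*)
            # Passive mode: the server names a port on itself and the client
            # opens a second outbound connection, which plain outbound rules cover.
            inner=${line#*"("}
            inner=${inner%%")"*}
            ep=$(ftp_data_endpoint "$inner") || return 1
            echo "passive: client connects to server at $ep (ordinary outbound)"
            ;;
        *)
            echo "no data-channel information"
            ;;
    esac
}

# Constructed control-channel lines: a client on the thread's 192.168.2.0/24
# network in active mode, then a server reply in passive mode.
ftp_data_direction "PORT 192,168,2,20,4,1"
ftp_data_direction "227 Entering Passive Mode (203,0,113,5,195,80)"
```

Running it shows why a masquerading firewall breaks active mode unless the helper is loaded: the PORT line names a private 192.168.2.x address that the outside server cannot reach, so ip_nat_ftp must rewrite it and expect the return connection.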
* RE: ftp behind the firewall
[not found] <186AC876521E0F46BDE77079A6567FD0F0DDC3@la-ncc-ms1nsabb.losangeles.afspc.ds.af.mil>
@ 2005-02-14 22:54 ` Travis Crook
2005-02-15 1:37 ` Alistair Tonner
0 siblings, 1 reply; 5+ messages in thread
From: Travis Crook @ 2005-02-14 22:54 UTC (permalink / raw)
To: Hudson Delbert J Contr 61 CS/SCBN; +Cc: netfilter
On Mon, 2005-02-14 at 09:25 -0800, Hudson Delbert J Contr 61 CS/SCBN
wrote:
> travis,
>
> re-state your scenario. it's incomplete.
>
> how do you know its running fine?
Normal Web traffic, ftp users outside the firewall coming in, windows
boxes behind the firewall, etc. are all running and accessing
information as expected.
>
> what distro and version of linux are you running?
Mandrake 8.1, kernel 2.4.8-26mdk
>
> what does the config for ftp look like?
Rules for ftp:
# Network information you will need to adjust
INTERNALIF="eth1"
INTERNALNET="192.168.2.0/24"
INTERNALBCAST="192.168.2.255"
EXTERNALIF="eth0"
MYADDR="12.42.147.158" # Only needed for DNAT, leave out otherwise
#Insert modules- should be done automatically if needed
/sbin/modprobe ip_conntrack_ftp
/sbin/modprobe ip_nat_ftp
#Allow replies coming in
$IPTABLES -A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT
#Send ftp to an internal machine
$IPTABLES -A PREROUTING -t nat -i $EXTERNALIF -p tcp -d $MYADDR --dport 20 -j DNAT --to 192.168.2.5:20
$IPTABLES -A FORWARD -i $EXTERNALIF -p tcp -d 192.168.2.5 --dport 20 -j ACCEPT
$IPTABLES -t nat -A PREROUTING -i $EXTERNALIF -p tcp -d $MYADDR --dport 21 -j DNAT --to-destination 192.168.2.5
$IPTABLES -A FORWARD -i $EXTERNALIF -p tcp -d 192.168.2.5 --dport 21 -j ACCEPT
$IPTABLES -A FORWARD -i $EXTERNALIF -o $INTERNALIF -p tcp --syn -d 192.168.2.5 --dport 21 -j ACCEPT
#Masquerade internal connections going out.
$IPTABLES -A POSTROUTING -t nat -o $EXTERNALIF -j MASQUERADE
>
> is the blocked by default.
>
> when you say my windows machines don't seem to have this problem..
> where do these windoze boxen sit?
All computers (linux and windows) are on an internal network connected
via a switch to the firewall.
>
> anything anybody on this list offers up as a solution will not
> be thought out well and will basically be a guess.
>
> i'm a visual person - draw me pix of your networks and
> sanitize the ip with rfc1918 addresses and bitmasks as it
Not quite sure I understand this...
> makes no difference as its all cidr.....
>
Network picture
Internet --> firewall --> internal network (linux and windows)
firewall --> incoming ports: 80, 8080, 110, 25, 443, 143, 20, 21, all
get routed to internal servers. The rest are dropped/denied.
internal network: should be completely masqueraded by the firewall
#Masquerade internal connections going out.
$IPTABLES -A POSTROUTING -t nat -o $EXTERNALIF -j MASQUERADE
> guessing is a bad idea....
>
Agreed.
>
> need waaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaay more info.
>
Anything else? Will gladly provide it.
Thanks!
--
Travis Crook
Visions Beyond
www.VisionsBeyond.com
(208) 478-7836
> ~piranha
>
* RE: ftp behind the firewall
@ 2005-02-14 23:27 Hudson Delbert J Contr 61 CS/SCBN
0 siblings, 0 replies; 5+ messages in thread
From: Hudson Delbert J Contr 61 CS/SCBN @ 2005-02-14 23:27 UTC (permalink / raw)
To: Travis Crook; +Cc: netfilter
is the ftp daemon set to handle passive?
* Re: ftp behind the firewall
2005-02-14 22:54 ` Travis Crook
@ 2005-02-15 1:37 ` Alistair Tonner
0 siblings, 0 replies; 5+ messages in thread
From: Alistair Tonner @ 2005-02-15 1:37 UTC (permalink / raw)
To: netfilter
On February 14, 2005 05:54 pm, Travis Crook wrote:
> On Mon, 2005-02-14 at 09:25 -0800, Hudson Delbert J Contr 61 CS/SCBN
>
> wrote:
> > travis,
> >
> > re-state your scenario. it's incomplete.
> >
> > how do you know its running fine?
>
> Normal Web traffic, ftp users outside the firewall coming in, windows
> boxes behind the firewall, etc. are all running and accessing
> information as expected.
I believe the list will take this to mean that a windows box on the internal
network can connect to a specific ftp server on the other side of the
firewall and transfer data without issue, whereas a linux box on the internal
network cannot connect to the same specific ftp server on the other side of
the firewall.
( Let's make the issue clear here -- if I've got the above wrong in any way
please feel free to correct as necessary)
I'm gonna drop the internal client to internal ftp server for a different
question below.
>
> > what distro and version of linux are you running?
>
> Mandrake 8.1, kernel 2.4.8-26mdk
>
> > what does the config for ftp look like?
>
> Rules for ftp:
>
> # Network information you will need to adjust
> INTERNALIF="eth1"
> INTERNALNET="192.168.2.0/24"
> INTERNALBCAST="192.168.2.255"
> EXTERNALIF="eth0"
> MYADDR="12.42.147.158" # Only needed for DNAT, leave out otherwise
>
> #Insert modules- should be done automatically if needed
> /sbin/modprobe ip_conntrack_ftp
> /sbin/modprobe ip_nat_ftp
>
> #Allow replies coming in
> $IPTABLES -A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT
>
> #Send ftp to an internal machine
> $IPTABLES -A PREROUTING -t nat -i $EXTERNALIF -p tcp -d $MYADDR --dport 20 -j DNAT --to 192.168.2.5:20
> $IPTABLES -A FORWARD -i $EXTERNALIF -p tcp -d 192.168.2.5 --dport 20 -j ACCEPT
>
> $IPTABLES -t nat -A PREROUTING -i $EXTERNALIF -p tcp -d $MYADDR --dport 21 -j DNAT --to-destination 192.168.2.5
> $IPTABLES -A FORWARD -i $EXTERNALIF -p tcp -d 192.168.2.5 --dport 21 -j ACCEPT
> $IPTABLES -A FORWARD -i $EXTERNALIF -o $INTERNALIF -p tcp --syn -d 192.168.2.5 --dport 21 -j ACCEPT
> #Masquerade internal connections going out.
> $IPTABLES -A POSTROUTING -t nat -o $EXTERNALIF -j MASQUERADE
>
> > is the blocked by default.
> >
> > when you say my windows machines don't seem to have this problem..
> > where do these windoze boxen sit?
>
> All computers (linux and windows) are on an internal network connected
> via a switch to the firewall.
I see something coming here.... but I'll wait for further detail....
The above rules are set up to forward external ftp connections to an internal
network based ftp server. They will *NOT* suffice to handle connections from
internal clients to the external ip address of the firewall with intent to
get to the internal ftp server. You have no rules here that indicate that
the clients can get out at all ....
Please PLEASE tell me that the firewall does NOT have both internal and
external nics plugged into the same switch.
>
> > anything anybody on this list offers up as a solution will not
> > be thought out well and will basically be a guess.
> >
> > i'm a visual person - draw me pix of your networks and
> > sanitize the ip with rfc1918 addresses and bitmasks as it
>
> Not quite sure I understand this...
>
> > makes no difference as its all cidr.....
>
> Network picture
>
> Internet --> firewall --> internal network (linux and windows)
>
> firewall --> incoming ports: 80, 8080, 110, 25, 443, 143, 20, 21, all
> get routed to internal servers. The rest are dropped/denied.
>
> internal network: should be completely masqueraded by the firewall
> #Masquerade internal connections going out.
> $IPTABLES -A POSTROUTING -t nat -o $EXTERNALIF -j MASQUERADE
>
> > guessing is a bad idea....
>
> Agreed.
>
> > need waaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaay more info.
>
> Anything else? Will gladly provide it.
>
> Thanks!
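Alistair's observation is that the posted rule set only handles inbound DNAT to the internal server and contains nothing that lets internal clients open connections outward. The script below is an added example (not the thread's rules) showing the minimal forwarding rules an internal client needs to reach an outside FTP server in either mode: the conntrack FTP helpers, a RELATED/ESTABLISHED pass, one NEW rule from the internal to the external interface, and masquerading. Interface names and the 192.168.2.0/24 network are taken from the thread and are assumptions for any other site; the script prints the commands unless DRY_RUN=0 is set.

```shell
#!/bin/sh
# Added example, not the rules posted in the thread: the minimal forwarding
# rules that let clients on the internal interface reach FTP servers outside
# in either mode, which the thread's inbound-only rule set lacks. It prints
# the commands by default (DRY_RUN=1); run with DRY_RUN=0 as root to apply.
# Interface names and the 192.168.2.0/24 network are taken from the thread and
# are assumptions for any other site.

INTERNALIF=${INTERNALIF:-eth1}
EXTERNALIF=${EXTERNALIF:-eth0}
INTERNALNET=${INTERNALNET:-192.168.2.0/24}
DRY_RUN=${DRY_RUN:-1}

# Echo the command in dry-run mode, otherwise execute it.
run() {
    if [ "$DRY_RUN" = 1 ]; then
        echo "$*"
        return 0
    fi
    "$@"
}

ftp_client_rules() {
    # Connection-tracking helpers (2.4-era module names, as in the thread;
    # 2.6 and later kernels name them nf_conntrack_ftp and nf_nat_ftp).
    # They read PORT/227 on the control channel, so the data connection that
    # follows is classified RELATED and, for active mode, NAT-rewritten.
    run modprobe ip_conntrack_ftp
    run modprobe ip_nat_ftp

    # Tracked traffic, including helper-marked data channels, passes both ways.
    run iptables -A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT

    # The rule the thread's set is missing: internal clients may open NEW
    # connections to port 21 outside. Nothing else from inside is allowed out
    # by this rule, so the FORWARD policy can stay DROP.
    run iptables -A FORWARD -i "$INTERNALIF" -o "$EXTERNALIF" -s "$INTERNALNET" \
        -p tcp --dport 21 -m state --state NEW -j ACCEPT

    # Hide the internal network behind the external address on the way out.
    run iptables -t nat -A POSTROUTING -o "$EXTERNALIF" -s "$INTERNALNET" -j MASQUERADE
}

ftp_client_rules
```

Without the NEW rule, a passive-mode client never gets its control connection through, and without the helper an active-mode client gets the control connection but the server's data connection back to a private address is dropped; Michael's "passive" test distinguishes the two cases.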