* ftp access problem
From: Askar Ali Khan @ 2004-07-24 10:05 UTC (permalink / raw)
To: netfilter
Hi
On my router/firewall I am getting a problem while anyone tries to connect to the FTP server: he connects successfully, however when he types any command, for example "ls", the FTP server returns the error "500 Illegal PORT range rejected".
Everything else is working fine.
Default policies are DROP:
iptables --policy INPUT DROP
iptables --policy FORWARD DROP
iptables --policy OUTPUT DROP
.
.
.
iptables -t nat -A POSTROUTING -o ppp0 -s 192.168.0.0/24 -d 0/0 -j MASQUERADE
#iptables -t nat -A PREROUTING -i eth0 -p tcp --dport 80 -j REDIRECT --to-port 3128
iptables -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
iptables -A OUTPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
iptables -A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT
For FTP access:
iptables -A FORWARD -o ppp0 -p tcp -m multiport --dport 20,21 -m state --state NEW -j ACCEPT
I understand that the FTP server will also in return open a port on my side and this is what is causing the problem. However, I don't know which chain and what rule to make to solve this problem. :)
Any quick help in this regard will be greatly appreciated :D
Regards
Askar
* Re: ftp access problem
From: Antony Stone @ 2004-07-24 10:22 UTC (permalink / raw)
To: netfilter
On Saturday 24 July 2004 11:05 am, Askar Ali Khan wrote:
> Hi
>
> On my router/firewall I am getting a problem while anyone tries to connect to the FTP server: he connects successfully, however when he types any command, for example "ls", the FTP server returns the error "500 Illegal PORT range rejected".
> Everything else is working fine.
I see you are doing NAT on this firewall. Do you have the nat_ftp support module loaded or compiled into your kernel?
Without that module, netfilter will not see the PORT commands in the FTP packets, and will not know what to do with the data connection on port 20 associated with the control connection on port 21.
Regards,
Antony.
--
"The joy of X!!?? I've always hated compiling graphical shite. You have a 10
line program, and it ends up depending on the entire known universe."
- Philip Hands
Please reply to the list;
please don't CC me.
* Re: ftp access problem
From: Askar Ali Khan @ 2004-07-24 11:45 UTC (permalink / raw)
To: netfilter
Hi Antony,
On Sat, 24 Jul 2004 11:22:16 +0100, Antony Stone
<antony@soft-solutions.co.uk> wrote:
> On Saturday 24 July 2004 11:05 am, Askar Ali Khan wrote:
>
> > Hi
> >
> > On my router/firewall I am getting a problem while anyone tries to connect to the FTP server: he connects successfully, however when he types any command, for example "ls", the FTP server returns the error "500 Illegal PORT range rejected".
> > Everything else is working fine.
>
> I see you are doing NAT on this firewall. Do you have the nat_ftp support module loaded or compiled into your kernel?
>
> Without that module, netfilter will not see the PORT commands in the FTP packets, and will not know what to do with the data connection on port 20 associated with the control connection on port 21.
# modprobe nat_ftp
modprobe: Can't locate module nat_ftp
I ran modprobe for nat_ftp on my router/firewall ("slackware 2.4.26") and also on another machine (FC1), and both return the same thing.
What do I do now?
Do I have to go for a kernel compilation? :(
Also, please check these echos; I would greatly appreciate it if you explain the usage of these echos, because I copied them from somewhere else :D
echo 1 > /proc/sys/net/ipv4/ip_dynaddr
echo 1 > /proc/sys/net/ipv4/ip_forward
echo 1 > /proc/sys/net/ipv4/conf/all/proxy_arp
echo 1 > /proc/sys/net/ipv4/conf/all/rp_filter
echo 1 > /proc/sys/net/ipv4/icmp_echo_ignore_broadcasts
echo 0 > /proc/sys/net/ipv4/conf/all/accept_source_route
echo 0 > /proc/sys/net/ipv4/conf/all/accept_redirects
>
> Regards,
>
> Antony.
>
> --
> "The joy of X!!?? I've always hated compiling graphical shite. You have a 10
> line program, and it ends up depending on the entire known universe."
>
> - Philip Hands
>
> Please reply to the list;
> please don't CC me.
>
>
* Re: ftp access problem
From: Martijn Lievaart @ 2004-07-24 12:01 UTC (permalink / raw)
To: Askar Ali Khan; +Cc: netfilter
Askar Ali Khan wrote:
>Hi Antony,
>
>On Sat, 24 Jul 2004 11:22:16 +0100, Antony Stone
><antony@soft-solutions.co.uk> wrote:
>
>
>>On Saturday 24 July 2004 11:05 am, Askar Ali Khan wrote:
>>
>>
>>
>>>Hi
>>>
>>>On my router/firewall I am getting a problem while anyone tries to connect to the FTP server: he connects successfully, however when he types any command, for example "ls", the FTP server returns the error "500 Illegal PORT range rejected".
>>>Everything else is working fine.
>>>
>>>
>>I see you are doing NAT on this firewall. Do you have the nat_ftp support module loaded or compiled into your kernel?
>>
>>Without that module, netfilter will not see the PORT commands in the FTP packets, and will not know what to do with the data connection on port 20 associated with the control connection on port 21.
>>
>>
># modprobe nat_ftp
>modprobe: Can't locate module nat_ftp
>
>
Try ip_nat_ftp instead. Also, don't bother with port 20. Use a RELATED rule to let in the data connections. All this is documented in lots of HOWTOs; www.netfilter.org is a good place to start.
HTH,
M4
* Re: ftp access problem
From: ro0ot @ 2004-07-24 13:00 UTC (permalink / raw)
To: netfilter
You should load the following modules:
ip_conntrack_ftp
ip_nat_ftp
Regards,
ro0ot
Askar Ali Khan wrote:
>Hi Antony,
>
>On Sat, 24 Jul 2004 11:22:16 +0100, Antony Stone
><antony@soft-solutions.co.uk> wrote:
>
>
>>On Saturday 24 July 2004 11:05 am, Askar Ali Khan wrote:
>>
>>
>>
>>>Hi
>>>
>>>On my router/firewall I am getting a problem while anyone tries to connect to the FTP server: he connects successfully, however when he types any command, for example "ls", the FTP server returns the error "500 Illegal PORT range rejected".
>>>Everything else is working fine.
>>>
>>>
>>I see you are doing NAT on this firewall. Do you have the nat_ftp support module loaded or compiled into your kernel?
>>
>>Without that module, netfilter will not see the PORT commands in the FTP packets, and will not know what to do with the data connection on port 20 associated with the control connection on port 21.
>>
>>
># modprobe nat_ftp
>modprobe: Can't locate module nat_ftp
>
>I ran modprobe for nat_ftp on my router/firewall ("slackware 2.4.26") and also on another machine (FC1), and both return the same thing.
>What do I do now?
>Do I have to go for a kernel compilation? :(
>
>Also, please check these echos; I would greatly appreciate it if you explain the usage of these echos, because I copied them from somewhere else :D
>
>echo 1 > /proc/sys/net/ipv4/ip_dynaddr
>echo 1 > /proc/sys/net/ipv4/ip_forward
>echo 1 > /proc/sys/net/ipv4/conf/all/proxy_arp
>echo 1 > /proc/sys/net/ipv4/conf/all/rp_filter
>echo 1 > /proc/sys/net/ipv4/icmp_echo_ignore_broadcasts
>echo 0 > /proc/sys/net/ipv4/conf/all/accept_source_route
>echo 0 > /proc/sys/net/ipv4/conf/all/accept_redirects
>
>
>
>
>>Regards,
>>
>>Antony.
>>
>>--
>>"The joy of X!!?? I've always hated compiling graphical shite. You have a 10
>>line program, and it ends up depending on the entire known universe."
>>
>>- Philip Hands
>>
>> Please reply to the list;
>> please don't CC me.
>>
>>
>>
>>
>
>
>
>
* Re: ftp access problem
From: Antony Stone @ 2004-07-24 13:13 UTC (permalink / raw)
To: netfilter
On Saturday 24 July 2004 12:45 pm, Askar Ali Khan wrote:
> Hi Antony,
>
> On Sat, 24 Jul 2004 11:22:16 +0100, Antony Stone wrote:
> >
> > I see you are doing NAT on this firewall. Do you have the nat_ftp
> > support module loaded or compiled in to your kernel?
>
> # modprobe nat_ftp
> modprobe: Can't locate module nat_ftp
Okay, that may not be the exact name of it - I don't use modules, so perhaps someone else here can tell you the definitive name for the module?
Try lsmod to see what you already do have loaded - if you find something which looks like NAT and FTP, then you've got it already.
> I ran modprobe for nat_ftp on my router/firewall ("slackware 2.4.26") and also on another machine (FC1), and both return the same thing.
> What do I do now?
> Do I have to go for a kernel compilation? :(
I always build a monolithic (non-modular) kernel for firewalls; the options for the FTP tracking which you need are "CONFIG_IP_NF_FTP" and "CONFIG_IP_NF_NAT_FTP".
> Also, please check these echos; I would greatly appreciate it if you explain the usage of these echos, because I copied them from somewhere else :D
>
> echo 1 > /proc/sys/net/ipv4/ip_dynaddr
> echo 1 > /proc/sys/net/ipv4/ip_forward
> echo 1 > /proc/sys/net/ipv4/conf/all/proxy_arp
> echo 1 > /proc/sys/net/ipv4/conf/all/rp_filter
> echo 1 > /proc/sys/net/ipv4/icmp_echo_ignore_broadcasts
> echo 0 > /proc/sys/net/ipv4/conf/all/accept_source_route
> echo 0 > /proc/sys/net/ipv4/conf/all/accept_redirects
Try:
http://www.linuxsecurity.com/articles/network_security_article-4528.html
http://www.tldp.org/HOWTO/Adv-Routing-HOWTO/lartc.kernel.obscure.html
and on your own machine:
/usr/src/linux/Documentation/networking/ip-sysctl.txt
Regards,
Antony.
--
Behind the counter a boy with a shaven head stared vacantly into space,
a dozen spikes of microsoft protruding from the socket behind his ear.
- William Gibson, Neuromancer (1984)
Please reply to the list;
please don't CC me.
* Re: ftp access problem
From: Jeffrey Laramie @ 2004-07-24 13:28 UTC (permalink / raw)
To: netfilter
On Saturday 24 July 2004 09:13, Antony Stone wrote:
> On Saturday 24 July 2004 12:45 pm, Askar Ali Khan wrote:
> > Hi Antony,
> >
> > On Sat, 24 Jul 2004 11:22:16 +0100, Antony Stone wrote:
> > > I see you are doing NAT on this firewall. Do you have the nat_ftp
> > > support module loaded or compiled in to your kernel?
> >
> > # modprobe nat_ftp
> > modprobe: Can't locate module nat_ftp
>
> Okay, that may not be the exact name of it - I don't use modules, so
> perhaps someone else here can tell you the definitive name for the module?
Try using:
ip_tables
iptable_nat
ip_nat_ftp
Jeff
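A dry-run rule generator, added here as an example and not code from the thread, that puts together the advice in the replies above: load the conntrack/NAT FTP helper modules, open only port 21 as NEW, and let RELATED state admit the data connection instead of a port 20 rule. ppp0 and 192.168.0.0/24 are taken from the original post; the nf_* module names and the raw-table CT rule for kernels from 4.7 on are assumptions about later kernels, not something the thread states.

```shell
#!/bin/sh
# Added example, not from the thread. Prints the iptables commands so they can
# be reviewed; nothing is applied unless run with --apply (as root).
WAN_IF="${WAN_IF:-ppp0}"              # from the original post
LAN_NET="${LAN_NET:-192.168.0.0/24}"  # from the original post

# 2.4 kernels (the thread's slackware 2.4.26) name the helpers ip_*;
# 2.6 and later renamed them nf_* (assumption about later kernels).
ftp_helper_modules() {
    case "${1:-$(uname -r)}" in
        2.[0-5].*) echo "ip_conntrack_ftp ip_nat_ftp" ;;
        *)         echo "nf_conntrack_ftp nf_nat_ftp" ;;
    esac
}

# Emit the full set of commands for the given (or running) kernel version.
ftp_rules() {
    kver="${1:-$(uname -r)}"
    for m in $(ftp_helper_modules "$kver"); do
        echo "modprobe $m"
    done
    case "$kver" in
        2.*|3.*|4.[0-6].*) ;;
        # From 4.7 on the helper is no longer attached automatically
        # (net.netfilter.nf_conntrack_helper=0), so bind it explicitly.
        *) echo "iptables -t raw -A PREROUTING -p tcp --dport 21 -j CT --helper ftp" ;;
    esac
    # Control channel only: port 20 is never opened as NEW, so a data
    # connection is accepted only when the helper has tied it to a session.
    echo "iptables -A FORWARD -o $WAN_IF -s $LAN_NET -p tcp --dport 21 -m state --state NEW -j ACCEPT"
    # Active (PORT) and passive (PASV) data connections both become RELATED
    # to the parsed control connection; one rule covers both directions.
    echo "iptables -A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT"
}

# True when an FTP conntrack helper module is present in the running kernel
# (what Antony's lsmod suggestion checks for).
ftp_helper_loaded() {
    grep -Eq '^(ip|nf)_conntrack_ftp ' /proc/modules 2>/dev/null
}

apply_ftp_rules() {
    ftp_rules | sh -e
}

case "${1:-}" in
    --apply) apply_ftp_rules ;;
    *)       ftp_rules ;;
esac
```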