Firewall Wizards mailing list archives

Re: ipchains * static nat * FTP


From: Wes Chalfant <wes () peabody com>
Date: Thu, 14 Jun 2001 21:05:57 -0700

"Keith.Morgan" wrote:

I have a customer running an ipchains based firewall.  Using ipmasqadm
portfw we're doing static NAT to a webserver behind the firewall with
private address space.  I've been searching around the net for some time
trying to figure out how to open up FTP to a translated host behind the
firewall.  And before you ask, yes the ip_masq_ftp.o module is loaded on the
firewall, but this seems to only work for masqueraded hosts behind the fw
making ftp connections out to the internet.  Reversing the process (without
masq) doesn't seem to work.  The ftp server behind the firewall does *NOT*
support passive mode file transfer.

Is ipmasqadm portfw the wrong way to go with this?  Is ipmasqadm autofw the
way to go?  I could use references to good documentation on the use of both
portfw and autofw regardless of a solution to this problem.

Anyone have a pointer or reference?  Or just example command syntax that
would allow this?  Is it possible at all?

        You do not need ip_masq_ftp for what you are trying to do (port
forwarding to an "active only" FTP server).

        The port forwarding module correctly allows the primary connection to
the FTP server through your firewall.  When the FTP server later tries
to send data (whether a file or a directory listing), it opens a
secondary connection from the server to the client.  It is probably
this secondary connection that is not getting through your firewall. 
If so, clients would be able to log in to the FTP server and copy
files *to* the FTP server, but wouldn't be able to get a directory
listing or copy files from the server.

        The standard IP masquerading feature of ipchains/Linux can be used to
allow the secondary data connections to go through.  You have to
configure the firewall to masquerade ftp data connections from the FTP
server.  Assuming that your FTP server opens data connections from the
ftp-data TCP port (20), you could allow masquerading on just that
connection with
   ipchains -A forward -p tcp -s <int-IP-addr> ftp-data -j MASQ
where <int-IP-addr> is the internal IP address of the FTP server.  If
the FTP server uses other source ports for opening data connections,
you would need to use
   ipchains -A forward -p tcp -s <int-IP-addr> -j MASQ

        Note that for masquerading to work, you have to allow the receipt of
packets from remote servers to the remapped TCP port range used by
masquerading.  For TCP, the masqueraded port range is 61000-65095.  At
a minimum, you'd have to allow established TCP connections on these
destination ports to enter the firewall so that the masquerading code
can then forward/rewrite them appropriately.  This can be done with
something like:
  ipchains -A input -p tcp -d <ext-IP-addr> 61000:65095 ! -y -j ACCEPT
where <ext-IP-addr> is the external IP address being used for the FTP
connections (often the firewall external IP address, but not always). 
Note that this is the most restrictive rule that will work; ipchains
firewalls are often set up to allow TCP traffic to all non protected
ports (1024 and above) rather than just the IP masquerade range.

        Although you said you didn't need it, it is possible to support
passive FTP on a port forwarded FTP server.  In that case, you *do*
need ip_masq_ftp.  You have to tell ip_masq_ftp which ports will be
used for incoming FTP connections so that the ip_masq_ftp code can
recognize and handle PASV commands.  For example, if you set up port
forwarding to your FTP server with
  ipmasqadm portfw -a -P tcp -L <ext-IP-addr> <portnum> -R <int-IP-addr> ftp
you'd need to tell ip_masq_ftp to monitor <portnum>.  You do this with
the "in_ports" parameter to ip_masq_ftp.  If you're using modprobe
to load ip_masq_ftp, the easiest way to do this is to add the line
  options ip_masq_ftp in_ports=<portnum>
to /etc/modules.conf.  Note that this is necessary even if you're
using the standard FTP port number (21).  Finally, you have to allow
external systems to establish TCP connections to the masqueraded
passive data ports; instead of the ipchains input rule above, you'd
use
  ipchains -A input -p tcp -d <ext-IP-addr> 61000:65095 -j ACCEPT

-- 
Wes Chalfant              Peabody Systems             wes () peabody com
                          (714) 639-8643              FAX (714) 639-2817
_______________________________________________
firewall-wizards mailing list
firewall-wizards () nfr com
http://www.nfr.com/mailman/listinfo/firewall-wizards
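The rule set from the reply above, assembled into one script that prints the commands for review instead of running them. This is an added example, not code from the original post; the external address, internal address, port number, mode and source-port arguments are placeholders the caller supplies.

```shell
#!/bin/sh
# Added example (not from the original post): emit the ipmasqadm/ipchains
# rules for a port-forwarded FTP server behind an ipchains firewall.
# Commands are printed, not executed, so they can be checked before being
# piped to sh on the firewall.
#
# usage: ftp_portfw_rules <ext-IP-addr> <int-IP-addr> <portnum> active|passive [any]
#   active  - server only supports active (PORT) transfers
#   passive - server also supports passive (PASV) transfers
#   any     - server opens data connections from arbitrary source ports
ftp_portfw_rules() {
    ext="$1"; int="$2"; portnum="$3"; mode="$4"
    srcport="${5:-ftp-data}"   # default: data connections come from TCP port 20
    case "$mode" in
        active|passive) ;;
        *) echo "mode must be 'active' or 'passive'" >&2; return 1 ;;
    esac

    # 1. Primary (control) connection: static forward of <ext>:<portnum>
    #    to the server's ftp port. No FTP helper module is needed for this.
    echo "ipmasqadm portfw -a -P tcp -L $ext $portnum -R $int ftp"

    # 2. Active-mode data connections are opened *by the server*; masquerade
    #    them so they leave with the external address. Kept in both modes on
    #    the assumption that a server offering PASV also accepts PORT.
    if [ "$srcport" = any ]; then
        echo "ipchains -A forward -p tcp -s $int -j MASQ"
    else
        echo "ipchains -A forward -p tcp -s $int $srcport -j MASQ"
    fi

    # 3. Replies to masqueraded connections arrive on the remapped range
    #    61000-65095 and must be let in for the masq code to rewrite them.
    if [ "$mode" = active ]; then
        # Most restrictive form: only non-SYN packets (established connections).
        echo "ipchains -A input -p tcp -d $ext 61000:65095 ! -y -j ACCEPT"
    else
        # Passive clients open *new* connections to the masqueraded data
        # ports, so SYNs must be accepted too, and ip_masq_ftp has to be told
        # which control port to watch for PASV (needed even for port 21).
        echo "ipchains -A input -p tcp -d $ext 61000:65095 -j ACCEPT"
        echo "# add to /etc/modules.conf: options ip_masq_ftp in_ports=$portnum"
    fi
}
```

Run it as `ftp_portfw_rules 203.0.113.1 192.168.1.10 21 active` and review the three printed commands before applying them.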

