MASQUERADE problems with non standard FTP ports

Oskar Andreasson blueflux@koffein.net
Mon, 20 Aug 2001 13:21:44 +0200


You need to tell us what port the FTP server runs on. 

You allow incoming ESTABLISHED and RELATED packets on ports 21 and 20, as 
well as outgoing. You also allow non-privileged ports in and out if they are 
ESTABLISHED or RELATED.

However, you insmod the ip_nat_ftp and ip_conntrack_ftp modules with ports 
654 and 8654. In other words, if you're trying to connect to an external FTP 
server on port 21, the conntracking helpers won't have any effect on your DATA 
ports (port 20). I think this is the case at least (the default port for the 
conntrack module is port 21, but if you specify the ports parameter it erases 
the default port). 

Hope this helps somewhat,

-- 
Oskar Andreasson
Multisoft Education AB
Cell: +46-736-524228

On Saturday 18 August 2001 08:13 pm, iptables@barak.net.il wrote:
> $IPTABLES -t nat -A POSTROUTING -s $LAN_IP_RANGE -o $INET_IFACE -j MASQUERADE
> $IPTABLES -A FORWARD -i $LAN_IFACE -j ACCEPT
> $IPTABLES -A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT
> $IPTABLES -A FORWARD -m limit --limit 3/minute --limit-burst 3 -j LOG --log-level DEBUG --log-prefix "IPT FORWARD packet died: "
> $IPTABLES -P INPUT DROP
> $IPTABLES -P OUTPUT DROP
> $IPTABLES -P FORWARD DROP
> $IPTABLES -N icmp_packets
> $IPTABLES -N tcp_packets
> $IPTABLES -N udpincoming_packets
> $IPTABLES -N allowed
> $IPTABLES -A allowed -p TCP --syn -j ACCEPT
> $IPTABLES -A allowed -p TCP -m state --state ESTABLISHED,RELATED -j ACCEPT
> $IPTABLES -A allowed -p TCP -j DROP
> $IPTABLES -A tcp_packets -p TCP -s 0/0 --dport 113 -j allowed
> $IPTABLES -A tcp_packets -p TCP -s 199.103.11.12 --dport 1024:65535 -j allowed
> $IPTABLES -A tcp_packets -p TCP -s 199.103.11.12 --dport 21 -j allowed
> $IPTABLES -A tcp_packets -p TCP -s 199.103.11.12 --dport 22 -j allowed
> $IPTABLES -A udpincoming_packets -p UDP -s 199.103.11.12 --source-port 53 -j ACCEPT
> $IPTABLES -t nat -A PREROUTING -i $INET_IFACE -s 192.168.0.0/16 -j DROP
> $IPTABLES -t nat -A PREROUTING -i $INET_IFACE -s 172.16.0.0/12 -j DROP
> $IPTABLES -A INPUT -p ICMP -i $INET_IFACE -j icmp_packets
> $IPTABLES -A INPUT -p TCP -i $INET_IFACE -j tcp_packets
> $IPTABLES -A INPUT -p UDP -i $INET_IFACE -j udpincoming_packets
> $IPTABLES -A INPUT -p ALL -i $LAN_IFACE -d $LAN_BCAST_ADRESS -j ACCEPT
> $IPTABLES -A INPUT -p ALL -d $LOCALHOST_IP -j ACCEPT
> $IPTABLES -A INPUT -p ALL -d $LAN_IP -j ACCEPT
> $IPTABLES -A INPUT -p ALL -d $STATIC_IP -m state --state ESTABLISHED,RELATED -j ACCEPT
> $IPTABLES -A INPUT -m limit --limit 3/minute --limit-burst 3 -j LOG --log-level DEBUG --log-prefix "IPT INPUT packet died: "
> $IPTABLES -A INPUT -p tcp --sport 21 -m state --state ESTABLISHED -j ACCEPT
> $IPTABLES -A INPUT -p tcp --sport 20 -m state --state ESTABLISHED,RELATED -j ACCEPT
> $IPTABLES -A INPUT -p tcp --sport 1024:65535 --dport 1024:65535 -m state --state ESTABLISHED,RELATED -j ACCEPT
> $IPTABLES -A OUTPUT -p ALL -s $LOCALHOST_IP -j ACCEPT
> $IPTABLES -A OUTPUT -p ALL -s $LAN_IP -j ACCEPT
> $IPTABLES -A OUTPUT -p ALL -s $STATIC_IP -j ACCEPT
> $IPTABLES -A OUTPUT -m limit --limit 3/minute --limit-burst 3 -j LOG --log-level DEBUG --log-prefix "IPT OUTPUT packet died: "
> $IPTABLES -A OUTPUT -p tcp --dport 21 -m state --state NEW,ESTABLISHED -j ACCEPT
> $IPTABLES -A OUTPUT -p tcp --dport 20 -m state --state ESTABLISHED -j ACCEPT
> $IPTABLES -A OUTPUT -p tcp --sport 1024:65535 --dport 1024:65535 -m state --state ESTABLISHED,RELATED -j ACCEPT
>
> > From: Brad Chapman <kakadu_croc@yahoo.com>
> > Date: 2001/08/18 Sat PM 03:02:58 GMT+03:00
> > To: iptables@barak.net.il
> > CC: netfilter@lists.samba.org
> > Subject: Re: Re: MASQUERADE problems with non standard FTP ports
> >
> > --- iptables@barak.net.il wrote:
> > > Thanks for your reply,
> > >
> > > I checked my rc.firewall
> > > and I already have the line
> > > IPTABLES -A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT
> > >
> > > I added those lines too
> > > /sbin/insmod ip_nat_ftp ports=654,8654
> > > /sbin/modprobe ip_conntrack_ftp ports=654,8654
> > >
> > > Now I can connect to the FTP servers, but it freezes in both
> > > PASSIVE and ACTIVE modes.
> > >
> > > PASV - gives "ERROR [DATA]: Connection timed out"
> > > ACTV - freezes after the LIST command, right after the PORT command.
> > >
> > > What should I do now?
> >
> > Sir,
> >
> > 	Hmmm. Make sure that you don't have your default policy set to DROP
> > somewhere in the nat table, otherwise if you forget to NAT FTP traffic it
> > will get dropped. Could we see your ruleset?
> >
> > Thanks,
> >
> > Brad
> >
> >
> > =====
> > Brad Chapman
> >
> > Permanent e-mail: kakadu_croc@yahoo.com
> > Current e-mail: kakadu@adelphia.net
> >
> > Reply to the address I used in the message to you,
> > please!

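Added example, not from this thread or from the netfilter project: a small POSIX shell script that builds the FTP-helper port list so the default control port 21 is kept alongside the non-standard ports (giving `ports=` to ip_conntrack_ftp replaces the default rather than extending it, which is the problem Oskar's reply describes), then prints the matching module-load and iptables lines for review. The module names are the 2.4-era ones used in the thread; the rule skeleton, function names and the nf_* equivalents named in the comments are assumptions, and nothing is applied to the running kernel.

```shell
# Added example, not part of the original thread. When ip_conntrack_ftp is
# loaded with "ports=...", the given list replaces the default port 21, so an
# FTP session to a normal port-21 server gets no helper and its data
# connections are never marked RELATED. helper_ports() makes sure 21 stays in
# the list; emit_ftp_rules() only prints commands, it does not run them.

# helper_ports "654,8654" -> "21,654,8654"; the list is left alone if 21 is
# already in it.
helper_ports() {
    case ",$1," in
        *,21,*) printf '%s\n' "$1" ;;
        *)      printf '21,%s\n' "$1" ;;
    esac
}

# emit_ftp_rules "654,8654" prints the module loads plus one OUTPUT rule per
# control port. Data connections in both PASV and active mode are then matched
# by the RELATED state once the helper has parsed the PORT/PASV exchange.
# Module names are the 2.4-era ones from the thread; on later kernels the
# equivalents are nf_conntrack_ftp and nf_nat_ftp (assumption, not verified here).
emit_ftp_rules() {
    ports=$(helper_ports "$1")
    printf 'modprobe ip_conntrack_ftp ports=%s\n' "$ports"
    printf 'modprobe ip_nat_ftp ports=%s\n' "$ports"
    old_ifs=$IFS
    IFS=,
    for p in $ports; do
        printf 'iptables -A OUTPUT -p tcp --dport %s -m state --state NEW,ESTABLISHED -j ACCEPT\n' "$p"
    done
    IFS=$old_ifs
    printf 'iptables -A INPUT -p tcp -m state --state ESTABLISHED,RELATED -j ACCEPT\n'
    printf 'iptables -A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT\n'
}

# Usage: emit_ftp_rules 654,8654
```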