If it helps, I had a similar problem. I'm using a Bastille firewall script that came with my distro of Mandrake 8.0. I couldn't figure out how to get active FTP to work... However, I enabled passive mode on the client FTP proggie itself. This worked for the Mac client I was using (Fetch).

thx

----Original Message Follows----

I recently upgraded a RH61 firewall to RH71 and preferred to use iptables since the portforwarding modules in ipchains/ipmasqadm are not available with kernel 2.4.

Here is my setup (question to follow):

eth0 = "inside" NIC
eth1 = "outside" NIC

Simple arrangement for masquerading:

    iptables -t nat -I POSTROUTING -j MASQUERADE -i eth0

** I have portforwarding working fine on the system, but it's not relevant to my problem. **

** There is another firewall between this box and the internet that is doing the actual blocking of most ports (this is for the benefit of those of you wanting to send an "open firewall is a bad idea" email--I am double-perimetered--the external does the hard work... The network is properly configured at the exterior firewall just fine and is "mostly closed". The box in question is merely a MASQ and proxy (squid)). **

-------------------

Moving right along... With the lack of simple and coherent iptables documentation (I found several HOWTOs, including a good page at princeton.edu discussing passive FTP), I was able to finally make "active" FTP work (the flavor of FTP using only ports 20:21). I accomplished this by insmoding ip_nat_ftp and ip_conntrack_ftp.

-------------------

My problem: In passive mode, my FTP clients are able to obtain a control connection and log in, but are unable to receive data (even a "dir" or "ls" fails). I know this is because the passive port (arbitrary) is being denied, but I am unable to make the ip_nat_ftp and ip_conntrack_ftp modules "see" the passive action. Active FTP (ports 20:21 only) works just fine.
The princeton.edu page shows iptables command samples for utilizing the same box (it assumes a single-homed box; this is a dual-homed box forwarding packets between eth0 and eth1), but does not show a real firewall box situation.

What iptables commands do I need to use to make passive FTP work?

Regards,
Jim Roland, RHCE
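Added example (not from either message in this thread, and not a reply that appeared on the list): the usual shape of a FORWARD/NAT ruleset on a dual-homed masquerading box that lets the FTP connection-tracking helper admit passive data connections. The helper reads the PASV reply on the port 21 control connection and registers an expectation for the data connection; packets matching that expectation are classified RELATED, so the FORWARD chain needs a rule accepting ESTABLISHED,RELATED traffic for the data channel to pass. Interface names eth0 (inside) and eth1 (outside) follow the quoted message; the inside network 192.168.1.0/24 is a constructed placeholder. The script prints the commands by default (IPT and MODPROBE default to echo) so it can be reviewed without root; set IPT=iptables MODPROBE=modprobe to apply it. Note that the helper only parses plain-text control channels on port 21 (other ports need the module's ports= parameter, and FTP over TLS cannot be tracked at all), which is the usual reason passive mode still fails after the modules are loaded.

```shell
#!/bin/sh
# Added example: minimal masquerading ruleset that lets the kernel FTP
# conntrack helper handle passive-mode data connections. Not code from the
# thread. eth0/eth1 roles follow the original message; INSIDE_NET is a
# constructed placeholder.
IPT="${IPT:-echo iptables}"
MODPROBE="${MODPROBE:-echo modprobe}"
INSIDE_IF=eth0
OUTSIDE_IF=eth1
INSIDE_NET=192.168.1.0/24

load_ftp_helpers() {
    # Module names as used on 2.4 kernels in the thread; on 2.6 and later
    # kernels they are nf_conntrack_ftp and nf_nat_ftp.
    $MODPROBE ip_conntrack_ftp
    $MODPROBE ip_nat_ftp
}

ftp_forward_rules() {
    # Masquerade on the outgoing interface: POSTROUTING can only match -o,
    # not -i, so the outside NIC is named here.
    $IPT -t nat -A POSTROUTING -o "$OUTSIDE_IF" -s "$INSIDE_NET" -j MASQUERADE

    # Default-deny forwarding; only explicitly allowed flows pass.
    $IPT -P FORWARD DROP

    # New FTP control connections from the inside network to any server.
    $IPT -A FORWARD -i "$INSIDE_IF" -o "$OUTSIDE_IF" -s "$INSIDE_NET" \
        -p tcp --dport 21 -m state --state NEW -j ACCEPT

    # The helper marks the PASV data connection RELATED to its control
    # connection; this rule admits it, plus the ESTABLISHED reply traffic,
    # in both directions without opening the arbitrary passive port range.
    $IPT -A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT
}

load_ftp_helpers
ftp_forward_rules
```

In the printed output, check that the ESTABLISHED,RELATED rule comes after the NEW rule for port 21 and that no rule opens a high port range: the helper's expectation, not a static port allowance, is what carries the data channel through.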