Thanks, but that is not the cause of my problem. Enabling PASV commands at my
ftp client on the inside of the firewall results in blocked connections to the
outside world. Iptables of course is very manual in nature.

----- Original Message -----
From: "grottoBoy rant" <stylerzz@hotmail.com>
To: <jroland@roland.net>; <linux-net@vger.kernel.org>; <linux-admin@vger.kernel.org>
Sent: Sunday, August 12, 2001 8:33 PM
Subject: Re: Passive FTP and iptables

>
> If it helps, I had a similar problem. I'm using a Bastille firewall script
> that came with my distro of Mandrake 8.0. I couldn't figure out how to get
> Active FTP to work... However, I enabled passive mode on the client ftp
> proggie itself. This worked for the Mac client I was using. (Fetch)
>
> thx
>
>
> ----Original Message Follows----
>
>
> I recently upgraded a RH61 firewall to RH71 and preferred to use iptables
> since the portforwarding modules in ipchains/ipmasqadm are not available
> with kernel 2.4.
>
> Here is my setup (question to follow):
> eth0 = "inside" NIC
> eth1 = "outside" NIC
> Simple arrangement for Masquerading:
> iptables -t nat -I POSTROUTING -j MASQUERADE -i eth0
> ** I have portforwarding working fine on the system, but it's not relevant
> to my problem.
> ** There is another firewall between this box and the internet that is doing
> the actual blocking of most ports (this is for the benefit of those of you
> wanting to send an "open firewall is a bad idea" email--I am
> double-perimetered--the external does the hard work... The network is
> properly configured at the exterior firewall just fine and is "mostly
> closed". The box in question is merely a MASQ and Proxy (squid)).
>
> -------------------
>
> Moving right along...
>
> With the lack of simple and coherent iptables documentation (I found several
> HOWTOs, including a good page at princeton.edu discussing passive ftp), I
> was able to finally make "active" FTP work (the flavor of FTP using only
> ports 20:21). I accomplished this by insmoding ip_nat_ftp and
> ip_conntrack_ftp.
>
> -------------------
>
> My problem:
> In passive mode, my FTP clients are able to obtain a control connection and
> login, but are unable to receive data (even a "dir" or "ls" fails). I know
> this is because the passive port (arbitrary) is being denied, but I am
> unable to make the ip_nat_ftp and ip_conntrack_ftp modules "see" the passive
> action. Active FTP (port 20:21 only) works just fine.
>
> The Princeton.edu page shows iptables command samples for utilizing the same
> box (assumed single-homed box--this is a dual-homed box and forwarding
> packets between eth0 and eth1), but does not show a real firewall box
> situation.
>
> What iptables commands do I need to use to make passive FTP work?
>
> Regards,
> Jim Roland, RHCE
>
> -
> : send the line "unsubscribe linux-admin" in
> the body of a message to majordomo@vger.kernel.org
> More majordomo info at http://vger.kernel.org/majordomo-info.html
-
: send the line "unsubscribe linux-net" in
the body of a message to majordomo@vger.kernel.org
More majordomo info at http://vger.kernel.org/majordomo-info.html
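The question at the bottom of the quoted message ("What iptables commands do I need to use to make passive FTP work?") is answered by a rule set rather than by the two modules alone, so here is a worked example. It is added here as an illustration and is not code from anyone in the thread. Loading ip_conntrack_ftp and ip_nat_ftp only makes the kernel *recognise* the data connection that a PASV reply (or a PORT command) announces on the port-21 control channel; the helper tags that flow as RELATED, and the FORWARD chain still has to accept RELATED traffic or the packets are dropped exactly as described. The interface names eth0 (inside) and eth1 (outside) come from the post; the `run`/`ipt` wrappers, the function name `ftp_nat_rules`, the outbound port list and the dry-run convention are assumptions of this example. One correction relative to the rule quoted in the post: the nat POSTROUTING chain only sees the outgoing interface, so the masquerade rule is written with `-o eth1` (iptables rejects `-i` in POSTROUTING).

```shell
#!/bin/sh
# Added example (not from the mailing-list thread): iptables rules for a
# dual-homed kernel 2.4 masquerading box so that clients on the inside NIC
# can use both passive and active FTP through the box.
# Interface names are taken from the post; the run/ipt wrappers, the
# function name and the outbound port list are this example's own assumptions.
set -eu

INSIDE=eth0              # "inside" NIC (from the post)
OUTSIDE=eth1             # "outside" NIC (from the post)
OUTBOUND_TCP="21 80 443" # assumed list of services inside clients may open
DRY_RUN=${DRY_RUN:-1}    # default: print the commands instead of running them

# Print or execute a command depending on DRY_RUN, so the rule set can be
# reviewed first and then applied as root with:  DRY_RUN=0 sh ftp-nat.sh
run() {
    if [ "$DRY_RUN" = 1 ]; then
        echo "$*"
    else
        "$@"
    fi
}

ipt() { run iptables "$@"; }

ftp_nat_rules() {
    # 1. FTP helpers. ip_conntrack_ftp watches the port-21 control connection,
    #    parses PORT commands and PASV replies, and registers an expectation for
    #    the data connection; ip_nat_ftp rewrites the addresses inside those
    #    commands when the control connection is masqueraded.
    run modprobe ip_conntrack_ftp
    run modprobe ip_nat_ftp

    # 2. Forwarding policy for a "mostly closed" box: new flows from the inside
    #    are allowed only to the listed ports; everything else is dropped.
    ipt -F FORWARD
    ipt -P FORWARD DROP

    # This single rule is what passive (and active) FTP data channels need.
    # A passive data connection is a NEW flow from the client to an arbitrary
    # high port on the server, so the port list below would drop it; the FTP
    # helper has marked it RELATED to the control connection, and this rule
    # accepts it in either direction (active mode: server:20 -> client is
    # RELATED too, after ip_nat_ftp has translated the PORT command).
    ipt -A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT

    for port in $OUTBOUND_TCP; do
        ipt -A FORWARD -i "$INSIDE" -o "$OUTSIDE" -p tcp --dport "$port" \
            -m state --state NEW -j ACCEPT
    done

    # 3. Masquerading. POSTROUTING matches on the outgoing interface, so the
    #    rule uses -o on the outside NIC (iptables rejects -i in this chain).
    ipt -t nat -F POSTROUTING
    ipt -t nat -A POSTROUTING -o "$OUTSIDE" -j MASQUERADE
}

ftp_nat_rules
```

Two caveats a practitioner would want alongside this. First, the helper only works when it can read the control channel: FTP over TLS (AUTH TLS) or a server on a non-standard control port leaves it blind, and the data connection is then just an unexpected NEW flow that the port list drops. Second, the RELATED rule is a hole that the firewall opens on the say-so of the control-channel contents, so keep it paired only with the helpers you actually load and do not widen it into a general accept for the outside interface.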