iptables, masquerading ftp from private lan

capitano (Programmer, US), Jul 30, 2001
I have a Windows machine on a private LAN, blocked by a Linux firewall running iptables:

win<-----(eth1)--Linux--(eth0)----->the great beyond

I've set up iptables masquerading and port forwarding for web service. I've gotten this working. Win can see the outside internet, get mail, serve web pages, and all is good.

However, I have not gotten ws_ftp to work from Windows. I cannot FTP to a server outside my network. It looks like the FTP authentication process is successful, but at the very last step, LIST, it does not complete and says it has been blocked.

Anybody know how to work this? I'm assuming it's an iptables problem.

Thanks a bunch!!
 
Hi,

It could be a problem with 'normal' FTP. After the client connects from port x to server port 21, the server attempts to initiate a connection from its port 20 back to the client. Because that's initiated on the server side, if you have anything that blocks such previously unestablished connections then it could be a problem. Not too sure how ws_ftp works, but have you tried passive FTP? That still involves two connections, but they are both initiated by the client: one to port 21 and the data one to an unprivileged port specified by the server. There should be an option somewhere to use passive FTP; try that out.

Hope this helps
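The reply above describes the two FTP data-connection modes in words. The following script is an added example, not code from the thread or from ws_ftp: it decodes the "h1,h2,h3,h4,p1,p2" endpoint carried by a client's PORT command (active mode) and by the server's 227 reply (passive mode), and classifies what each means for a client behind a masquerading firewall. The point it makes visible is that in active mode the Windows client advertises its own private address inside the PORT command, which the remote server cannot reach unless the firewall's FTP NAT helper rewrites it; that is the LIST step stalling in the question. All addresses are constructed samples (RFC 1918 and RFC 5737 ranges), and the function names are this example's own.

```shell
#!/bin/sh
# Added example (not from the original thread): decode the endpoint an FTP
# client or server advertises for the data connection and classify what it
# means for a client sitting behind a masquerading firewall.
# The addresses used are constructed samples (RFC 1918 and RFC 5737 ranges).

# "h1,h2,h3,h4,p1,p2" (the tuple used by PORT and by the 227 PASV reply)
# -> "h1.h2.h3.h4 port", where port = p1*256 + p2.
decode_hostport() {
    set -- $(printf '%s\n' "$1" | tr ',' ' ')
    [ $# -eq 6 ] || return 1
    printf '%s.%s.%s.%s %d\n' "$1" "$2" "$3" "$4" $(( $5 * 256 + $6 ))
}

# Pull the tuple out of either "PORT h1,h2,h3,h4,p1,p2" (client, active mode)
# or "227 Entering Passive Mode (h1,h2,h3,h4,p1,p2)." (server, passive mode).
ftp_data_endpoint() {
    tuple=$(printf '%s\n' "$1" | sed -n 's/.*[ (]\([0-9][0-9]*\(,[0-9][0-9]*\)\{5\}\).*/\1/p')
    [ -n "$tuple" ] || return 1
    decode_hostport "$tuple"
}

# RFC 1918 space: a remote server has no route to such an address, so a PORT
# command carrying it only works if the firewall's FTP NAT helper rewrites it.
is_private_ipv4() {
    case "$1" in
        10.*|192.168.*|172.1[6-9].*|172.2[0-9].*|172.3[01].*) return 0 ;;
        *) return 1 ;;
    esac
}

# active-broken: client advertised a private address (the LIST hang in the question)
# active-ok:     client advertised a routable address
# passive:       client opens the data connection itself, which NAT handles fine
data_mode_behind_nat() {
    case "$1" in
        PORT*)
            endpoint=$(ftp_data_endpoint "$1") || return 1
            set -- $endpoint
            if is_private_ipv4 "$1"; then echo active-broken; else echo active-ok; fi
            ;;
        227*) echo passive ;;
        *)    return 1 ;;
    esac
}

# Constructed exchange: Windows client 192.168.1.10 behind the Linux box,
# talking to a public server 203.0.113.5.
for line in "PORT 192,168,1,10,4,1" "227 Entering Passive Mode (203,0,113,5,195,80)."; do
    printf '%-48s -> %s\n' "$line" "$(data_mode_behind_nat "$line")"
done
```

Run it as `sh ftp_modes.sh`; the first constructed line decodes to 192.168.1.10:1025 and is reported as active-broken, the second to 203.0.113.5:50000 and is reported as passive. The same decoding is what a conntrack FTP helper performs on the control channel in order to expect the data connection and, when NAT is involved, rewrite the private address.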
 
AWESOME, AWESOME, AWESOME!!!!!!!!
Thank you sooo much! I've fiddled with this for several days now and your suggestion worked. I changed the Advanced configuration on my FTP software to do passive FTP and the whole process completed without any problems.

One thing I'm curious about, however, is how FTP ports 20 and 21 can get through my Linux firewall. I've tried allowing/denying them. (Actually, I DO want to be able to FTP out from my internal LAN. I'm just confused why I can with my existing configuration the way it is.)

In the case above, where I tried passive FTP, my Linux firewall is set to deny everything incoming from eth1 on port 20/21:

iptables -A INPUT -p tcp -i eth1 --dport 20 -j DROP
iptables -A INPUT -p tcp -i eth1 --dport 21 -j DROP
...and the same for -p udp...

And for extra security, don't allow it out of the firewall either:

iptables -A OUTPUT -p tcp -o eth0 --dport 20 -j DROP
iptables -A OUTPUT -p tcp -o eth0 --dport 21 -j DROP
...and the same for -p udp...

However, this obviously didn't work, because I can FTP out to the internet from both my win and linux boxes now, even after restarting iptables, rebooting, etc.

Thanks again for any help.
 
Hi,

With iptables there are three main chains:

input - packets arriving from outside destined for the firewall itself.
output - packets originating at the firewall for a destination outside.
forward - packets from outside the firewall arriving with an onward destination also outside.

This is different from ipchains, where a forwarded packet goes from input -> forward -> output. Masquerading is essentially forwarding, so it does not go through the input / output chains.

So, your first rules would block inbound ftp to the server (port 21) on interface eth1 (internet?) plus inbound port 20. The second set should block outbound access to ftp servers from the firewall itself, but only to the lan (presuming eth0 is a lan interface).

If you wanted to prevent ftp access from lan machines you'd have to put restrictions in the 'nat' chains.

Regards
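The reply above explains why the INPUT and OUTPUT rules in the question never touched the LAN's FTP sessions: masqueraded traffic transits the FORWARD chain of the filter table. One correction a practitioner would want: policy for LAN-originated traffic belongs in FORWARD, not in the nat table, because nat chains are consulted only for the first packet of a connection and exist to rewrite addresses, not to filter. The script below is an added example, not the thread's or any distribution's code. It builds a minimal ruleset for the topology in the question (LAN on eth1, Internet on eth0, a Windows host serving web pages), loads the FTP connection-tracking helper so active-mode FTP also works through NAT, and shows where a LAN FTP block would go. The interface names, the LAN prefix 192.168.1.0/24 and the web host 192.168.1.10 are assumptions. Module names (nf_conntrack_ftp, nf_nat_ftp) and the CT target are the current ones; the 2.4 kernels of the thread's era used ip_conntrack_ftp and ip_nat_ftp, and did not need the CT target because helpers were assigned automatically.

```shell
#!/bin/sh
# Added example, not from the original thread: a minimal masquerading ruleset
# for the topology in the question (LAN on eth1, Internet on eth0) that puts
# LAN policy where transit traffic actually goes, the FORWARD chain, and loads
# the FTP connection-tracking helper so active-mode FTP works through NAT.
# Interface names, the LAN prefix and the web server address are assumptions.
# Module names (nf_conntrack_ftp, nf_nat_ftp) and the CT target are the
# current ones; a 2001-era 2.4 kernel used ip_conntrack_ftp / ip_nat_ftp.

WAN_IF=${WAN_IF:-eth0}
LAN_IF=${LAN_IF:-eth1}
LAN_NET=${LAN_NET:-192.168.1.0/24}      # assumed LAN prefix
WEB_HOST=${WEB_HOST:-192.168.1.10}      # assumed Windows box serving web pages

# Emit the commands instead of running them, so they can be reviewed (or
# tested) without root. Usage: gen_firewall_rules WAN LAN LAN_NET WEB_HOST
gen_firewall_rules() {
    wan=$1; lan=$2; lan_net=$3; web=$4
    cat <<EOF
sysctl -w net.ipv4.ip_forward=1
# Helper that follows the PORT/PASV exchange on the control channel and
# (with nf_nat_ftp) rewrites the private address a LAN client puts in PORT.
modprobe nf_conntrack_ftp
modprobe nf_nat_ftp
# Default deny for the firewall host (INPUT) and for transit (FORWARD).
iptables -P INPUT DROP
iptables -P FORWARD DROP
iptables -P OUTPUT ACCEPT
iptables -A INPUT -i lo -j ACCEPT
iptables -A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
# The LAN is trusted to talk to the firewall host itself; tighten if needed.
iptables -A INPUT -i $lan -s $lan_net -j ACCEPT
# NAT: LAN sources leaving via WAN get the firewall's address.
iptables -t nat -A POSTROUTING -s $lan_net -o $wan -j MASQUERADE
# Transit: replies, and the data connections the FTP helper expects, are RELATED.
iptables -A FORWARD -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
# Bind the ftp helper to LAN->21 only (automatic helper assignment is off on
# current kernels), then allow the control connection itself.
iptables -t raw -A PREROUTING -i $lan -s $lan_net -p tcp --dport 21 -j CT --helper ftp
iptables -A FORWARD -i $lan -o $wan -s $lan_net -p tcp --dport 21 -j ACCEPT
# Other LAN egress: DNS, mail, web. To block LAN FTP, change the port-21
# FORWARD rule above to DROP; INPUT and OUTPUT rules never see this traffic.
iptables -A FORWARD -i $lan -o $wan -s $lan_net -p udp --dport 53 -j ACCEPT
iptables -A FORWARD -i $lan -o $wan -s $lan_net -p tcp -m multiport --dports 25,80,110,443 -j ACCEPT
# Port-forward inbound web to the Windows host. DNAT alone is not enough:
# the rewritten packets still have to pass FORWARD.
iptables -t nat -A PREROUTING -i $wan -p tcp --dport 80 -j DNAT --to-destination $web:80
iptables -A FORWARD -i $wan -o $lan -d $web -p tcp --dport 80 -m conntrack --ctstate NEW -j ACCEPT
EOF
}

# Number of iptables commands the generated set contains (sanity check).
count_rules() {
    gen_firewall_rules "$@" | grep -c '^iptables '
}

# Load the rules for real only when asked (APPLY=1) and running as root;
# otherwise just print them for review.
apply_firewall_rules() {
    if [ "${APPLY:-0}" != 1 ]; then
        gen_firewall_rules "$WAN_IF" "$LAN_IF" "$LAN_NET" "$WEB_HOST"
        return 0
    fi
    [ "$(id -u)" -eq 0 ] || { echo "APPLY=1 needs root" >&2; return 1; }
    gen_firewall_rules "$WAN_IF" "$LAN_IF" "$LAN_NET" "$WEB_HOST" | sh -e
}

apply_firewall_rules
```

Running `sh nat_fw.sh` prints the ruleset; `APPLY=1 sh nat_fw.sh` as root loads it. With this in place the rules from the question (`-A INPUT -i eth1 --dport 21 -j DROP`, `-A OUTPUT -o eth0 --dport 21 -j DROP`) would still leave LAN FTP working, exactly as observed, because neither chain is on the path of a forwarded packet; only the FORWARD rule for port 21 decides that.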
 
Thank you, that does make sense. I'm still trying to understand how the iptables chains and tables are divided according to functionality. The more I learn, the more intuitive iptables seems. But I am really just beginning. Thanks much for your help.

 