TCLUG Archive

Re: [TCLUG:6207] ipchains and RH 6.0
Bob Tanner wrote:

> Quoting Bob Tanner (tanner@real-time.com):
> > Well, I thought I should make the move to ipchains, since I am now running RH
> > 6.0. But I have run into a snag.
> >
> > With ipchains I am unable to figure how to do ftp.
> >
> > I am not masquerading, just blocking. My workstation has a valid IP address, I
> > am just working on the input chain.
> >
> > After I make an outgoing ftp connection, the ftp server is going to respond
> > back to me with the ftp-data part, but when I hit my favorite ftp sites,
> > ipchains is reporting:
> >
> > May 29 05:04:41 mordent kernel: Packet log: lockdown DENY eth0 PROTO=6
> > 206.10.252.12:4697 206.145.104.172:3248 L=44 S=0x00 I=61415 F=0x0000 T=61
> >
> > This is me typing dir after I have successfully logged into the ftp server. It
> > looks like the server is sending back the ftp-data connection on some
> > random(?) port.
> >
> > How do I associate this connection with my initial ftp request?
>
> It is just ncftp which does not work. I believe this is because ncftp used
> passive ftp.
>
> Under a typical ftp session, the client connects to the server on port 21 and
> the server turns around and opens port 20 back to the client. I believe
> passive ftp is where the client does all the work. So, how does one ipchain
> passive ftp?
>

modprobe ip_masq_ftp

I believe you need to use this module even if you are not actively masq'ing.  I
think that there is also a patch to the module that looks for the port command and
temporarily opens the passive port, whatever it happens to be.

There is an ipchains mailing list and this was recently discussed there so it's
probably in the archives.

Eric
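To make sense of the "Packet log:" line quoted in the thread, here is an added example (not from any poster, and not part of ipchains itself) that parses such lines and labels each logged DENY by how it could relate to an FTP session: source port 20 is the server-initiated active-mode data connection, while a high-port-to-high-port packet without the SYN marker is what a reply on a client-initiated passive data connection looks like. The sample log lines other than the quoted one, the optional trailing "SYN" and "(#rule)" tokens, and the port thresholds are assumptions.

```python
import re
from collections import namedtuple

# Field layout of a 2.2-kernel ipchains "Packet log:" line, as in the message above.
# The optional trailing "SYN" marker and "(#rule)" number are assumed from later 2.2 kernels.
LOG_RE = re.compile(
    r"Packet log: (?P<chain>\S+) (?P<target>\S+) (?P<iface>\S+) PROTO=(?P<proto>\d+) "
    r"(?P<src>[\d.]+):(?P<sport>\d+) (?P<dst>[\d.]+):(?P<dport>\d+) "
    r"L=\d+ S=0x[0-9A-Fa-f]+ I=\d+ F=0x[0-9A-Fa-f]+ T=\d+"
    r"(?P<syn> SYN)?(?: \(#(?P<rule>\d+)\))?"
)

# syn is True only when the kernel appended "SYN" (SYN flag set, ACK clear).
Logged = namedtuple("Logged", "chain target iface proto src sport dst dport syn")

def parse_line(line):
    """Return a Logged record for an ipchains log line, or None for other kernel messages."""
    m = LOG_RE.search(line)
    if not m:
        return None
    return Logged(m["chain"], m["target"], m["iface"], int(m["proto"]), m["src"],
                  int(m["sport"]), m["dst"], int(m["dport"]), m["syn"] is not None)

def classify_ftp(p):
    """Label a logged packet by how it could relate to an FTP session (thresholds assumed)."""
    if p.proto != 6:
        return "not tcp"
    if p.sport == 20:
        return "active ftp-data: server port 20 opening a connection to the client"
    if p.sport > 1023 and p.dport > 1023 and not p.syn:
        return "high-port reply without SYN: consistent with passive ftp-data"
    return "unrelated to ftp"

def triage(lines):
    """Parse a batch of kernel log lines and label every DENY the firewall reported."""
    return [(p.src, p.sport, p.dport, classify_ftp(p))
            for p in map(parse_line, lines) if p and p.target == "DENY"]

# Constructed sample: the first line is the one quoted in the thread, the rest are made up.
SAMPLE = [
    "May 29 05:04:41 mordent kernel: Packet log: lockdown DENY eth0 PROTO=6 206.10.252.12:4697 206.145.104.172:3248 L=44 S=0x00 I=61415 F=0x0000 T=61",
    "May 29 05:05:10 mordent kernel: Packet log: lockdown DENY eth0 PROTO=6 206.10.252.12:20 206.145.104.172:1041 L=44 S=0x00 I=61420 F=0x0000 T=61 SYN",
    "May 29 05:06:00 mordent kernel: Packet log: lockdown DENY eth0 PROTO=17 206.10.252.12:53 206.145.104.172:1025 L=84 S=0x00 I=61500 F=0x0000 T=61",
    "May 29 05:06:30 mordent kernel: eth0: link up",
]
```

Running `triage(SAMPLE)` labels the quoted packet as a high-port reply without SYN, which matches the second message's conclusion that the failing client was using passive ftp.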