ipchains & ftp

Mike Starke mgcon@neta.com
Sat, 30 Sep 2000 12:19:21 -0700 (MST)


I'm having some problems getting ftp to work with
my ipchains. In fact, 'some problems' is a bit inaccurate; it
doesn't work.

Here is what I am doing:
eth0 is an internet IP
eth1 is my internal (192.168.2.1)
All output chains are set to ACCEPT
All input on eth1 is set to ACCEPT
Forward chain jumps to a chain called good_bad, and
lines for each protocol are masqueraded; for instance:

$IPCHAINS -A good_bad -p tcp -d 0/0 80 -j MASQ
$IPCHAINS -A good_bad -p tcp -d $MAILSERVER 25 -j MASQ
etc, etc

The corresponding input rules (on eth0) are like:
$IPCHAINS -A input -i eth0 -p tcp -s 0/0 80 -j ACCEPT
$IPCHAINS -A input -i eth0 -p tcp -s $MAILSERVER -j ACCEPT
etc, etc

And so on and so on for everything else (pop3, dns, etc).
At the end of each chain (input & good_bad), I deny everything
and log it.

The problem resides in ftp. The same logic that works above
does not apply here as the port numbers shift on me.

Anyone care to help me out with this?

P.S. I have also made sure I have ip_masq_ftp.o loaded.

Mike
mgcon@getnet.com
http://www.getnet.com/~mgcon
Phoenix, AZ
USA
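The port shifting in the question is the FTP data connection: in active mode the server opens a new connection from its port 20 back to a port the masquerading code allocated, and in passive mode the client opens a second outbound connection to an arbitrary high port on the server. The rules below are an added example written for this thread, not the poster's script and not part of any ipchains documentation. They keep the same `$IPCHAINS`, `good_bad` and `eth0` conventions as the post and assume a 2.2 kernel whose masquerading code uses the default local port range 61000:65096 for rewritten connections; `EXT_IP` is a constructed placeholder for the firewall's external address, and `IPCHAINS` defaults to `echo ipchains` so the script prints the rules instead of applying them.

```shell
#!/bin/sh
# Added example (not from the original post): ipchains rules for FTP from a
# masqueraded LAN. Assumptions: kernel masq port range 61000:65096 (2.2
# default), a user chain called good_bad, external interface eth0.
IPCHAINS="${IPCHAINS:-echo ipchains}"   # dry run by default; set IPCHAINS=ipchains to apply
EXT_IP="${EXT_IP:-203.0.113.10}"        # constructed placeholder for the eth0 address
MASQ_PORTS="61000:65096"                # ports the masq code uses for rewritten sessions

ftp_forward_rules() {
    # Control connection: masqueraded like any other outbound protocol.
    # ip_masq_ftp inspects this session, rewrites PORT commands and creates
    # the masq entry that the active-mode data connection will match.
    $IPCHAINS -A good_bad -p tcp -d 0/0 21 -j MASQ
    # Passive mode is a plain second outbound TCP connection to a high port on
    # the server; it only works if the forward chain masquerades it. This is
    # broader than the per-port rules in the post, so keep it deliberate.
    $IPCHAINS -A good_bad -p tcp -d 0/0 1024: -j MASQ
}

ftp_input_rules() {
    # Replies on the control connection: established traffic only (! -y means
    # packets that are not a bare SYN), addressed to the masq port range.
    $IPCHAINS -A input -i eth0 -p tcp ! -y -s 0/0 21 -d "$EXT_IP" $MASQ_PORTS -j ACCEPT
    # Active-mode data: the server initiates from port 20 to the masq port that
    # ip_masq_ftp allocated. This is the one inbound SYN the policy must allow,
    # and it is the rule most often missing when "the port numbers shift".
    $IPCHAINS -A input -i eth0 -p tcp -s 0/0 20 -d "$EXT_IP" $MASQ_PORTS -j ACCEPT
    # Passive-mode data replies: non-SYN packets from an unprivileged server
    # port back to the masq port range.
    $IPCHAINS -A input -i eth0 -p tcp ! -y -s 0/0 1024: -d "$EXT_IP" $MASQ_PORTS -j ACCEPT
}

ftp_all_rules() {
    ftp_forward_rules
    ftp_input_rules
}

ftp_all_rules
```

Because the post ends each chain with a deny-and-log rule, the quickest check after loading these is to attempt an active-mode transfer from the LAN and look in the kernel log for denied packets from a remote port 20 to the masq port range: if they still appear, the active-mode input rule is not being reached before the final deny. Leave the passive forward rule out if only active mode is needed; it is the one rule here that widens the outbound policy beyond the specific ports the post lists.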