How to get FTP through a firewall [ipchains]?
Alexander Holst
yellowdog-general@lists.terrasoftsolutions.com
Thu May 16 11:48:01 2002
Hi YDLers,
How does one get ftp services through an ipchains firewall? Somehow, I
am missing something here:
ipchains -L
Chain input (policy DENY):
target prot opt     source    destination     ports
ACCEPT all  ------  anywhere  anywhere        n/a                  # my lo0
ACCEPT all  ------  anywhere  anywhere        n/a                  # my eth1, trusted, eth0 is world
ACCEPT icmp ------  anywhere  anywhere        !5 -> any
...
ACCEPT tcp  ------  anywhere  My_WebServer    any -> ftp           # these work from outside
ACCEPT tcp  ------  anywhere  My_WebServer    any -> ftp-data      # these work from outside
ACCEPT tcp  -y----  anywhere  My_WebServer    ftp-data -> any      # these work from outside
ACCEPT tcp  -y----  anywhere  My_WebServer    ftp -> any           # these work from outside
ACCEPT tcp  ------  anywhere  My_WebServer    any -> http          # these work from outside
...
ACCEPT tcp  ------  anywhere  My_NetRange/24  ftp -> any           # to get ftp from in- to outside
ACCEPT tcp  ------  anywhere  My_NetRange/24  ftp-data -> any      # to get ftp from in- to outside
...
ACCEPT tcp  !y----  anywhere  My_NetRange/24  any -> any           # this bothers me, I had to put it in
                                                                   # to get ftp to work correctly!
...
REJECT tcp  -y----  anywhere  anywhere        any -> any
REJECT udp  ------  anywhere  anywhere        any -> any
Chain forward (policy ACCEPT):
Chain output (policy ACCEPT):
I know, this is not a very pretty setup as I am doing everything through
the input chain, but I had to do a quick and dirty setup, as one of my
boxes was cracked through an ssh exploit.
Now my question: Is it safe to put the line in question,
ACCEPT tcp !y---- anywhere My_NetRange/24 any -> any
in there? Or is there a more elegant way? I do no masquerading, all are
real IP#s, inside as well as outside.
Without the line, I was only able to connect, but couldn't get any
directory listings, nor was I able to establish any down- or upload. How
could I replace the line so just ftp works from clients inside to
servers outside without opening another hole?
Any help appreciated.
Regards,
Alex
Alexander Holst
Pforzheim University of Applied Sciences
<holst@fh-pforzheim.de>
ph: +49 [0]7231 28-6837
fx: +49 [0]7231 28-6040
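Added example, not part of the post above and not the poster's configuration: a small first-match, stateless matcher in the style of the ipchains input chain quoted in the post, used to replay the inbound half of an FTP session (client inside, server outside) once with the questioned "!y any -> any" rule and once without it. It shows why a stateless filter needs that rule for passive-mode data connections (the server's SYN/ACK comes from an ephemeral port, so neither the "ftp ->" nor the "ftp-data ->" rule can match it), that active-mode data connections are already covered by the "ftp-data -> any" rule, and what the rule additionally lets through (any non-SYN TCP packet from anywhere to the whole net range, which the host, not the firewall, then has to deal with). The addresses, port numbers and the rule encoding are constructed assumptions; the interface-based lo/eth1 rules are not modelled, so only packets arriving from the outside are replayed.

```python
# Added example (not from the original post): a stateless, first-match
# ipchains-style matcher that replays inbound FTP packets against the input
# chain from the post.  Addresses, ports and the Rule encoding are constructed
# assumptions; lo/eth1 interface rules are not modelled, so only packets that
# arrive from the outside are replayed here.
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import Optional

FTP, FTP_DATA, HTTP, SSH = 21, 20, 80, 22
WEBSERVER = "192.0.2.10"        # stands in for My_WebServer (constructed)
NETRANGE = "192.0.2.0/24"       # stands in for My_NetRange/24 (constructed)
INSIDE_CLIENT = "192.0.2.20"    # constructed inside FTP client
OUTSIDE_FTP = "198.51.100.5"    # constructed outside FTP server
OUTSIDE_HOST = "203.0.113.7"    # constructed arbitrary outside host


@dataclass
class Rule:
    target: str               # ACCEPT / REJECT
    proto: str                # tcp / udp / all
    syn: Optional[bool]       # True = "-y", False = "!y", None = no SYN test
    dst: str                  # "anywhere" or a host / CIDR
    sport: Optional[int]      # None = any source port
    dport: Optional[int]      # None = any destination port
    note: str = ""


@dataclass
class Packet:
    proto: str
    src: str
    dst: str
    sport: int
    dport: int
    syn_only: bool            # SYN set with ACK and FIN clear: what ipchains -y tests


def matches(rule: Rule, pkt: Packet) -> bool:
    """ipchains semantics: every field given in the rule must match the packet."""
    if rule.proto not in ("all", pkt.proto):
        return False
    if rule.syn is not None and rule.syn != pkt.syn_only:
        return False
    if rule.dst != "anywhere" and ip_address(pkt.dst) not in ip_network(rule.dst):
        return False
    if rule.sport is not None and rule.sport != pkt.sport:
        return False
    if rule.dport is not None and rule.dport != pkt.dport:
        return False
    return True


def verdict(chain, pkt: Packet, policy: str = "DENY"):
    """First matching rule wins; the chain policy applies when nothing matches."""
    for rule in chain:
        if matches(rule, pkt):
            return rule.target, rule.note
    return policy, "input policy"


NON_SYN_RULE = Rule("ACCEPT", "tcp", False, NETRANGE, None, None,
                    "!y any -> any (the rule the post asks about)")

# The post's input chain, TCP/UDP rules only, in the order listed.
CHAIN = [
    Rule("ACCEPT", "tcp", None, WEBSERVER, None, FTP, "any -> ftp to webserver"),
    Rule("ACCEPT", "tcp", None, WEBSERVER, None, FTP_DATA, "any -> ftp-data to webserver"),
    Rule("ACCEPT", "tcp", True, WEBSERVER, FTP_DATA, None, "-y ftp-data -> any to webserver"),
    Rule("ACCEPT", "tcp", True, WEBSERVER, FTP, None, "-y ftp -> any to webserver"),
    Rule("ACCEPT", "tcp", None, WEBSERVER, None, HTTP, "any -> http to webserver"),
    Rule("ACCEPT", "tcp", None, NETRANGE, FTP, None, "ftp -> any to net range"),
    Rule("ACCEPT", "tcp", None, NETRANGE, FTP_DATA, None, "ftp-data -> any to net range"),
    NON_SYN_RULE,
    Rule("REJECT", "tcp", True, "anywhere", None, None, "-y any -> any"),
    Rule("REJECT", "udp", None, "anywhere", None, None, "udp any -> any"),
]
CHAIN_WITHOUT_NON_SYN = [r for r in CHAIN if r is not NON_SYN_RULE]

# Inbound packets of an inside-client -> outside-server FTP session (constructed).
# Outbound packets arrive on the trusted eth1 and are accepted there, so only
# replies and server-initiated connections from outside need a rule here.
INBOUND = {
    "control SYN/ACK from server:21":
        Packet("tcp", OUTSIDE_FTP, INSIDE_CLIENT, FTP, 34567, syn_only=False),
    "passive data SYN/ACK from server:51000":
        Packet("tcp", OUTSIDE_FTP, INSIDE_CLIENT, 51000, 34568, syn_only=False),
    "active data SYN from server:20":
        Packet("tcp", OUTSIDE_FTP, INSIDE_CLIENT, FTP_DATA, 34569, syn_only=True),
    "unsolicited SYN to client:22":
        Packet("tcp", OUTSIDE_HOST, INSIDE_CLIENT, 40000, SSH, syn_only=True),
    "unsolicited bare ACK to client:22":
        Packet("tcp", OUTSIDE_HOST, INSIDE_CLIENT, 40000, SSH, syn_only=False),
}


def replay(chain) -> dict:
    """Return {packet description: target} for every inbound packet."""
    return {name: verdict(chain, pkt)[0] for name, pkt in INBOUND.items()}


if __name__ == "__main__":
    for label, chain in (("with !y rule", CHAIN), ("without !y rule", CHAIN_WITHOUT_NON_SYN)):
        print(f"--- {label} ---")
        for name, pkt in INBOUND.items():
            target, note = verdict(chain, pkt)
            print(f"{target:7} {name:42} <- {note}")
```

Running it prints the same session twice: with the rule, every FTP packet is accepted but so is the stray ACK to port 22; without it, the passive data SYN/ACK and the stray ACK both fall through to the DENY policy while the control connection and the active-mode data SYN still get through, which is exactly the "can connect but get no listing" symptom for passive-mode clients. The SYN to port 22 is rejected either way, so the "!y" rule does not open new connections, only the packets a stateless filter cannot distinguish from replies.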