How to get FTP through a firewall [ipchains]?

Alexander Holst yellowdog-general@lists.terrasoftsolutions.com
Thu May 16 11:48:01 2002


Hi YDLers,

How does one get ftp services through an ipchains firewall? Somehow, I am missing something here:

ipchains -L
Chain input (policy DENY):
target  prot opt     source    destination     ports
ACCEPT  all  ------  anywhere  anywhere        n/a                # my lo0
ACCEPT  all  ------  anywhere  anywhere        n/a                # my eth1, trusted, eth0 is world
ACCEPT  icmp ------  anywhere  anywhere        !5 ->   any
...
ACCEPT  tcp  ------  anywhere  My_WebServer    any ->   ftp       # these work from outside
ACCEPT  tcp  ------  anywhere  My_WebServer    any ->   ftp-data  # these work from outside
ACCEPT  tcp  -y----  anywhere  My_WebServer    ftp-data ->   any  # these work from outside
ACCEPT  tcp  -y----  anywhere  My_WebServer    ftp ->   any       # these work from outside
ACCEPT  tcp  ------  anywhere  My_WebServer    any ->   http      # these work from outside
...
ACCEPT  tcp  ------  anywhere  My_NetRange/24  ftp ->   any       # to get ftp from in- to outside
ACCEPT  tcp  ------  anywhere  My_NetRange/24  ftp-data ->   any  # to get ftp from in- to outside
...
ACCEPT  tcp  !y----  anywhere  My_NetRange/24  any ->   any       # this bothers me, I had to put it in
                                                                   # to get ftp to work correctly!
...
REJECT  tcp  -y----  anywhere  anywhere        any ->   any
REJECT  udp  ------  anywhere  anywhere        any ->   any
Chain forward (policy ACCEPT):
Chain output (policy ACCEPT):

I know, this is not a very pretty setup as I am doing everything through 
the input chain, but I had to do a quick and dirty setup, as one of my 
boxes was cracked through an ssh exploit.

Now my question: is it safe to put the line in question,
ACCEPT  tcp  !y----  anywhere  My_NetRange/24  any ->   any
in there? Or is there a more elegant way? I do no masquerading, all are real IP#s, inside as well as outside.

Without the line, I was only able to connect, but couldn't get any directory listings, nor was I able to establish any down- or upload. How could I replace the line so just ftp works from clients inside to servers outside without opening another hole?

Any help appreciated.
Regards,
Alex

Alexander Holst
Pforzheim University of Applied Sciences
<holst@fh-pforzheim.de>
ph: +49 [0]7231 28-6837
fx: +49 [0]7231 28-6040
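The following is an added illustration, not part of the post or its replies: a small model of the inbound rules above (ipchains is stateless, so each rule sees one packet at a time) applied to the inbound packets of one FTP transfer. Hosts and ephemeral ports are constructed; it shows that active-mode (PORT) data connections from the server's port 20 already match the "ftp-data -> any" rule, while passive-mode (PASV) replies from a high server port to a high client port carry no SYN and match nothing except the "!y any -> any" rule.

```python
# Added example (not from the original post): model the inbound-to-
# My_NetRange/24 rules of the poster's ipchains input chain and check
# which FTP packets each rule catches.  All addresses/ports constructed.
from dataclasses import dataclass

FTP, FTP_DATA = 21, 20
CLIENT, SERVER = "10.0.0.5", "192.0.2.10"   # inside client, outside FTP server


@dataclass(frozen=True)
class Pkt:
    src: str
    sport: int
    dst: str
    dport: int
    syn: bool


def rules(allow_non_syn):
    """(name, src port, dst port, SYN flag); None means wildcard."""
    r = [("ftp -> any", FTP, None, None),
         ("ftp-data -> any", FTP_DATA, None, None)]
    if allow_non_syn:                       # the "!y" rule the poster added
        r.append(("!y any -> any", None, None, False))
    return r


def filter_inbound(pkt, allow_non_syn):
    """Verdict for one inbound TCP packet: ACCEPT by a rule, REJECT by the
    'tcp -y any -> any' rule for leftover SYNs, else the chain policy DENY."""
    for name, sport, dport, syn in rules(allow_non_syn):
        if (sport in (None, pkt.sport) and dport in (None, pkt.dport)
                and syn in (None, pkt.syn)):
            return "ACCEPT", name
    return ("REJECT", "tcp -y any -> any") if pkt.syn else ("DENY", "policy")


def ftp_session(passive):
    """Inbound packets the inside client receives during one transfer."""
    hi_c, hi_s = 40001, 50001               # constructed ephemeral ports
    pkts = [Pkt(SERVER, FTP, CLIENT, hi_c, False)]          # control replies
    if passive:   # PASV: client connected out to a high port; replies lack SYN
        pkts.append(Pkt(SERVER, hi_s, CLIENT, hi_c + 1, False))
    else:         # PORT: server opens the data connection from port 20
        pkts.append(Pkt(SERVER, FTP_DATA, CLIENT, hi_c + 1, True))
        pkts.append(Pkt(SERVER, FTP_DATA, CLIENT, hi_c + 1, False))
    return pkts


def verdicts(passive, allow_non_syn):
    return [filter_inbound(p, allow_non_syn)[0] for p in ftp_session(passive)]
```

The "!y" rule is the usual stateless stand-in for "established connections"; it still admits any non-SYN segment to any inside port, which a connection-tracking filter (iptables with the FTP conntrack helper) avoids by admitting only replies to connections it has seen.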