Re: [suse-security] probs with ftp-masquerading
Hi,

does someone know how this redirecting is done? I tried it with

iptables -t nat -A PREROUTING -i eth0 -p tcp --dport 20:21 -j REDIRECT --to-ports 3128

but this doesn't work. Since then I can't even connect to an ftp server anymore :-(

How exactly must this be done?

Thanks in advance
Stephan
-----Original Message-----
From: Alberto Tarantino [mailto:alberto.tarantino@archidata.it]
Sent: Tuesday, 22 January 2002 09:18
To: OKDesign oHG Security Administrator
Subject: Re: [suse-security] probs with ftp-masquerading
Hi there,
I know it might sound like a "dirty trick".. but.. why don't you use port
redirection and Squid as FTP proxy? That might improve security as well as
be a very easy to implement solution.
Bye
A.T.
----- Original Message -----
From: "OKDesign oHG Security Administrator"
Okay,
I've now learned a lot of security wisdom and that the SuSE-firewall 2 is a damned good tool (something I already knew). But my problem is still unsolved. For whatever reason ftp-masquerading doesn't work. I tried what Ralf recommended, but the two iptables commands didn't have any result (okay, maybe they had, but they didn't enable ftp-masquerading). I also looked for the modules ip_conntrack_ftp and ip_nat_ftp as GertJan told me. I had no luck finding the first one anywhere on my system although the FW package is installed. The second one is there and I did an insmod, but this also didn't solve the problem.

Ah yes, Lars pointed me to an error I made. Of course I didn't install my system from the crab, but from scratch. Funny to imagine a crab with SuSE-Linux tied on its back :-)

To Roman: Of course you are right, but as I already mentioned, I have to live with DAUs (clueless users) in my LAN, and it's hard enough to have my phone actually ringing like hell because this damn ftp doesn't work. By now I only answer "I'm working on it and I'll send a message to all users when it's working again..."; but to imagine having to explain to all users what FTP passive mode is and how and why it must be used is as hard as imagining that my mother-in-law is going to stay for more than one week (one week is bad enough, but more will ruin my nerves *sigh*). I really don't know which one I would prefer if I had only these two choices...

Anyway, could someone help me in solving my problem? I'm sure there are lots of iptables freaks out there on this list who know nearly all the tricks one can do with it, and it should be no big problem for them to find out how to enable this ftp-masquerading.
Thanks in advance
Stephan
-- To unsubscribe, e-mail: suse-security-unsubscribe@suse.com For additional commands, e-mail: suse-security-help@suse.com
On Wednesday, 23 January 2002 18:47, Stephan wrote:
Von: Alberto Tarantino [mailto:alberto.tarantino@archidata.it]
I know it might sound like a "dirty trick".. but.. why don't you use port redirection and Squid as FTP proxy? That might improve security as well as be a very easy to implement solution.
How exactly must this be done ?
I think it won't work.

ftp is a protocol which is a bit harder to manage in a firewall.

I wouldn't try to use port redirection but install an ftp proxy and configure my client programs to use this proxy.

The firewall rule I would choose would be:

iptables -A FORWARD -p tcp -s ! ftpproxy/32 -d 0/0 --dport 21 -j REJECT

and this would only apply to traffic from internal to external networks.

Peter
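The thread so far leaves the two workable approaches scattered across several mails: load the ip_conntrack_ftp and ip_nat_ftp helper modules that Stephan was pointed to (REDIRECTing raw FTP control connections into Squid on 3128, as tried at the top of the thread, cannot work, because that port speaks HTTP and only fetches ftp:// URLs on behalf of a browser), or, as Peter suggests, refuse direct FTP from everything except a proxy host. The script below is an added example and was not posted by anyone in the thread; it puts both together for a Linux 2.4 / iptables router. The interface names eth0 (external) and eth1 (internal), the LAN range 192.168.1.0/24 and the proxy address 192.168.1.2 are assumptions, and DRYRUN=1 prints the commands instead of running them so the rule set can be inspected without root.

```shell
#!/bin/sh
# Added example (not from the thread): FTP masquerading with iptables on a
# Linux 2.4 router, plus the "proxy only" REJECT rule from Peter's mail.
# Assumed (not taken from the thread): external interface eth0, internal
# interface eth1, LAN 192.168.1.0/24, FTP proxy host 192.168.1.2.
EXT_IF=${EXT_IF:-eth0}
INT_IF=${INT_IF:-eth1}
LAN=${LAN:-192.168.1.0/24}
FTP_PROXY=${FTP_PROXY:-192.168.1.2}

# DRYRUN=1 prints each command instead of executing it, so the rule set can
# be checked without being root and without touching the running firewall.
run() {
    if [ "${DRYRUN:-0}" = "1" ]; then
        printf '%s\n' "$*"
    else
        "$@"
    fi
}

# Both helper modules are needed.  ip_conntrack_ftp parses PORT/PASV on the
# control connection and registers the expected data connection so that it
# is matched as RELATED; ip_nat_ftp additionally rewrites the address and
# port inside PORT commands and 227 replies so the data connection reaches
# the masqueraded client.  Without them an active-mode "ls" hangs: the
# server's connection from port 20 arrives at the router unexpected.
ftp_helpers() {
    run modprobe ip_conntrack_ftp
    run modprobe ip_nat_ftp
}

# Masquerade the LAN and allow FTP control and data connections through the
# FORWARD chain.  The default FORWARD policy is set to DROP here, so the
# ACCEPT rules below are what lets FTP through.
ftp_masq_rules() {
    ext="$1"; int="$2"; lan="$3"
    run iptables -P FORWARD DROP
    run iptables -t nat -A POSTROUTING -o "$ext" -s "$lan" -j MASQUERADE
    # New control connections from the LAN to any FTP server.
    run iptables -A FORWARD -i "$int" -o "$ext" -s "$lan" -p tcp --dport 21 \
        -m state --state NEW -j ACCEPT
    # Replies on the control connection and, once the helper has seen PORT
    # or PASV, the data connection in either direction (active: server:20 ->
    # client; passive: client -> server high port).
    run iptables -A FORWARD -m state --state RELATED,ESTABLISHED -j ACCEPT
}

# Peter's alternative: force all FTP through one proxy host by rejecting new
# control connections from every other internal source.  Inserted at the top
# of FORWARD so it is evaluated before the ACCEPT rules above.  iptables
# 1.2.x wrote the negation as "-s ! host"; newer versions want "! -s host".
ftp_proxy_only() {
    int="$1"; ext="$2"; proxy="$3"
    run iptables -I FORWARD 1 -i "$int" -o "$ext" -p tcp ! -s "$proxy/32" \
        --dport 21 -m state --state NEW -j REJECT
}

# Usage:  DRYRUN=1 sh ftp-masq.sh apply   (print the rules)
#                  sh ftp-masq.sh apply   (install them, as root)
if [ "${1:-}" = "apply" ]; then
    ftp_helpers
    ftp_masq_rules "$EXT_IF" "$INT_IF" "$LAN"
    # ftp_proxy_only "$INT_IF" "$EXT_IF" "$FTP_PROXY"   # if FTP must go via the proxy
fi
```

Two caveats a practitioner would add. On 2.6 and later kernels the modules are called nf_conntrack_ftp and nf_nat_ftp, and from Linux 4.7 on the helper is no longer attached to connections automatically, so a rule such as `iptables -t raw -A PREROUTING -p tcp --dport 21 -j CT --helper ftp` is needed as well. And the helper parses untrusted data from the FTP server and the client to decide which data connection to let in, which is exactly why Peter prefers a proxy: keep the helper bound to port 21 only, never to a port range.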
Right, ftp-redirecting doesn't work, because you obviously don't have the http-header to analyze for your proxy. Either use squid and set ftp-proxy or use SuSE-Proxy-Suite, I've never tried the latter but I had no troubles with squid up to now.

Ralf

Peter Wiersig wrote:
On Wednesday, 23 January 2002 18:47, Stephan wrote:
Von: Alberto Tarantino [mailto:alberto.tarantino@archidata.it]
I know it might sound like a "dirty trick".. but.. why don't you use port redirection and Squid as FTP proxy? That might improve security as well as be a very easy to implement solution.
How exactly must this be done ?
I think it won't work.
ftp is a protocol which is a bit harder to manage in a firewall.
I wouldn't try to use port redirection but install a ftp-proxy and configure my client programs to use this proxy.
The firewall rule I would choose would be:
iptables -A FORWARD -p tcp -s ! ftpproxy/32 -d 0/0 --dport 21 -j REJECT
and this would only apply to traffic from internal to external networks.
Peter
-- 
------------------------------------------------------------
Ralf Ronneburger ralf@ronneburger.de
Prefers to receive encrypted Mail, download public-key from
http://www.ronneburger.net/gpg/ralf_ronneburger.asc
------------------------------------------------------------
Hi Ralf,

thanks for your mails. In your first answer to my problem you posted two iptables rules, which you said were working on your system. Well, I implemented them on my system, they are accepted, but it doesn't work. I still get no dir listing. Did you do anything else besides these two rules?

About SuSE-Proxy-Suite: Can someone please give me a URL with info about this? I've heard of it, but never had the need to get any deeper into it. Now it seems as if this is necessary (something I absolutely cannot understand, because with ipchains it was absolutely no problem to get ftp-connect working without any error. So why shouldn't it also be possible with iptables? Sorry, I can't get the point here...). What exactly is this suite and what exactly is it able to provide?

Thanks in advance
Stephan

-----Original Message-----
From: Ralf Ronneburger [mailto:ralf@ronneburger.de]
Sent: Wednesday, 23 January 2002 19:34
To: suse-security
Subject: Re: [suse-security] probs with ftp-masquerading

Right, ftp-redirecting doesn't work, because you obviously don't have the http-header to analyze for your proxy. Either use squid and set ftp-proxy or use SuSE-Proxy-Suite, I've never tried the latter but I had no troubles with squid up to now.

Ralf

Peter Wiersig wrote:
[...]
Hi Stephan,

I have no SuSE-Firewall or Personal-firewall or whatever running! When you adapt these scripts to your setup (external interface, internal interface) they'll work! I use them on two completely different networks (with slight adaptation).

Best regards,
Ralf

P.S.: As we're living in the same country - if you still don't get it working - how about "Telefonseelsorge" (telephone counselling)? :-)

OKDesign oHG Security Administrator wrote:
Hi Ralf,
thanks for your mails. In your first answer to my problem you posted two iptables rules, which you said were working on your system. Well, I implemented them on my system, they are accepted, but it doesn't work. I still get no dir listing. Did you do anything else besides these two rules?
About SuSE-Proxy-Suite: Can someone please give me a URL with info about this? I've heard of it, but never had the need to get any deeper into it. Now it seems as if this is necessary (something I absolutely cannot understand, because with ipchains it was absolutely no problem to get ftp-connect working without any error. So why shouldn't it also be possible with iptables? Sorry, I can't get the point here...). What exactly is this suite and what exactly is it able to provide?
Thanks in advance
Stephan
-- 
------------------------------------------------------------
Ralf Ronneburger ralf@ronneburger.de
Prefers to receive encrypted Mail, download public-key from
http://www.ronneburger.net/gpg/ralf_ronneburger.asc
------------------------------------------------------------
participants (3)
- OKDesign oHG Security Administrator
- Peter Wiersig
- Ralf Ronneburger