probs with ftp-masquerading
Hi folks,

this question is not really directly security-related, but I'm gonna post it here, because I got the problem due to my intention to be as secure as possible :)

As I read that the "older" kernel 2.2 is not as secure as the newer one, 2.4, is, I installed my Linux machine completely from scratch with SuSE 7.3. This box acts as a router/gateway for the LAN. At first sight everything works fine, but I found that it's not possible to connect to FTP servers from the clients. Well, the connection itself works, but I can't get the dir list. I tried out several servers, all with the same result: the connection works, but when the client wants to get the dir, the connection hangs. I know I had the same problem with 2.2 and could solve it with "insmod ftp_masq" (or similar), but now this module can't be found on the whole HDD. Maybe there is a special iptables command necessary? Can someone please point me in the right direction and/or tell me how to get this to work?

Routing/masquerading is actually done with:

    iptables -t nat -A POSTROUTING -o ppp0 -j MASQUERADE
    echo 1 > /proc/sys/net/ipv4/ip_forward

Is something missing?

Thanks in advance for your help.

Stephan
Hi Stephan,

try something like this (adapt $p_high, $EXT and $IPTABLES to your needs!):

    <SNIP>
    # shell variable assignments (no "set", no spaces around "=")
    p_high=1024:65535
    EXT=ippp0
    IPTABLES=/usr/sbin/iptables
    <SNIP>
    #------------------------------------------------------------------------------
    # ftp
    # (OUTPUT chain: these rules cover traffic that originates on the router itself)
    #
    # control connection
    #
    $IPTABLES -A OUTPUT -o $EXT -m state --state NEW -p TCP --sport $p_high --dport ftp -j ACCEPT
    #
    # passive data connection
    #
    $IPTABLES -A OUTPUT -o $EXT -m state --state NEW -p TCP --sport $p_high --dport $p_high -j ACCEPT
    <SNIP>

Works fine for me!

Best regards,
Ralf

OKDesign oHG Security Administrator wrote:
> Hi folks,
>
> this question is not really directly security-related, but I'm gonna post it here, because I got the problem due to my intention to be as secure as possible :)
>
> As I read that the "older" kernel 2.2 is not as secure as the newer one, 2.4, is, I installed my Linux machine completely from scratch with SuSE 7.3. This box acts as a router/gateway for the LAN. At first sight everything works fine, but I found that it's not possible to connect to FTP servers from the clients. Well, the connection itself works, but I can't get the dir list. I tried out several servers, all with the same result: the connection works, but when the client wants to get the dir, the connection hangs. I know I had the same problem with 2.2 and could solve it with "insmod ftp_masq" (or similar), but now this module can't be found on the whole HDD. Maybe there is a special iptables command necessary? Can someone please point me in the right direction and/or tell me how to get this to work?
>
> Routing/masquerading is actually done with:
>
>     iptables -t nat -A POSTROUTING -o ppp0 -j MASQUERADE
>     echo 1 > /proc/sys/net/ipv4/ip_forward
>
> Is something missing?
>
> Thanks in advance for your help.
>
> Stephan
--
------------------------------------------------------------
Ralf Ronneburger                         ralf@ronneburger.de
Prefers to receive encrypted Mail, download public-key from
http://www.ronneburger.net/gpg/ralf_ronneburger.asc
------------------------------------------------------------
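The ruleset Ralf posted lives in the OUTPUT chain and opens the whole 1024:65535 range; for clients behind the router, the 2.4 way to get the data connection through is the netfilter FTP helper, which watches the PORT/PASV exchange on the control connection and marks the data connection RELATED. The script below is an added example, not code from Ralf's or Stephan's posts. Its assumptions are ours, not the thread's: the external interface is ppp0 as in Stephan's rule, the LAN hangs off eth0 as 192.168.1.0/24, and the kernel ships the ip_conntrack_ftp and ip_nat_ftp modules (the 2.4 replacements for 2.2's ip_masq_ftp). It prints the commands by default so they can be reviewed first; `--apply` pipes them into a root shell.

```shell
#!/bin/sh
# Added example (not from the thread): stateful FTP masquerading on a
# 2.4 netfilter router. Assumed layout: ppp0 outside, eth0 inside.
EXT=${EXT:-ppp0}
INT=${INT:-eth0}
LAN=${LAN:-192.168.1.0/24}
IPTABLES=${IPTABLES:-/usr/sbin/iptables}

# Emit the commands rather than run them, so the ruleset can be read
# (or diffed against the running one) before it touches a live router.
#
# Line by line:
#  - the two modprobes load the conntrack helper and its NAT companion;
#    without them a PORT/PASV data connection has no RELATED entry and
#    the directory listing hangs exactly as Stephan describes.
#  - the ESTABLISHED,RELATED rule is what admits the data connection,
#    active (server connects back from port 20) and passive alike, so
#    no blanket 1024:65535 hole is needed in either direction.
#  - only NEW control connections (port 21) from the LAN are allowed
#    out; add one such line per service you want clients to reach.
ftp_nat_rules() {
    cat <<EOF
modprobe ip_conntrack_ftp
modprobe ip_nat_ftp
echo 1 > /proc/sys/net/ipv4/ip_forward
$IPTABLES -P FORWARD DROP
$IPTABLES -t nat -A POSTROUTING -o $EXT -s $LAN -j MASQUERADE
$IPTABLES -A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT
$IPTABLES -A FORWARD -i $INT -o $EXT -s $LAN -p tcp --dport 21 -m state --state NEW -j ACCEPT
EOF
}

case "${1:-}" in
    --apply) ftp_nat_rules | sh -e ;;   # must run as root
    *)       ftp_nat_rules ;;           # dry run: just print the commands
esac
```

Check that the helper really is present with `lsmod | grep ftp` after applying; if the modules are missing from the kernel package, the listing will still hang no matter what the FORWARD chain says.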
Hi,

what about using passive mode FTP? If you can live with the 'restriction' that some (only very few) ftpds don't support passive mode FTP yet.

Just my (now) 2 euro cents,
tim

OKDesign oHG Security Administrator wrote:
> Hi folks,
>
> this question is not really directly security-related, but I'm gonna post it here, because I got the problem due to my intention to be as secure as possible :)
>
> <snip> </snip>
>
> Routing/masquerading is actually done with:
>
>     iptables -t nat -A POSTROUTING -o ppp0 -j MASQUERADE
>     echo 1 > /proc/sys/net/ipv4/ip_forward
>
> Is something missing?
>
> Thanks in advance for your help.
>
> Stephan
--
The question is what is a manamanahhhh?
The question is who cares?
"The Universe is a pretty big place, it's bigger than anything anyone has ever dreamed of before. So if it's just us, seems like an awful waste of space, right?"
Well, of course this is a possibility. But I'm not looking forward to explaining to all the users that they HAVE to use passive mode. I don't know where you work, but normally you have a few absolute idiots in front of the PCs. And, what's more, I'd like to repair the cause, not do workarounds at the symptoms :-)

Stephan

-----Original Message-----
From: Tim Head [mailto:mailbox@houbits.com]
Sent: Monday, January 21, 2002 11:14 PM
To: OKDesign oHG Security Administrator; suse-security@suse.com
Subject: Re: [suse-security] probs with ftp-masquerading

Hi,

what about using passive mode FTP? If you can live with the 'restriction' that some (only very few) ftpds don't support passive mode FTP yet.

Just my (now) 2 euro cents,
tim
Well, from the security standpoint, passive mode is always preferable to PORT mode. The reason is very simple: you don't really want some entity outside to be able to open TCP connections to the inside. If you carefully send FTP protocol data through an FTP masquerading router, you can shoot open as many ports as you like. With some restrictions of course, but still.

Roman.
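Roman's point, as an added example that is not part of his post: on a masquerading router every PORT command the helper believes becomes an inbound hole, so whatever sits in front of the data connection (the conntrack helper, an application proxy, a wrapper script) has to check the command before honouring it. The script below shows the two checks that matter, written as a plain POSIX function: the address inside the PORT command must be the address of the client that sent it (otherwise the router becomes a bounce point onto some other inside host), and the port must be unprivileged (otherwise a crafted PORT requests a path to port 22, 25, and so on). The client address and the PORT commands are constructed sample input, not captured traffic, and `port_ok` and `port_number` are names we chose for the example.

```shell
#!/bin/sh
# Added example (not from Roman's post): sanity checks for an FTP PORT
# command before an inbound data connection is allowed through NAT.

# port_number P1 P2 -> the TCP port encoded in PORT's last two fields
port_number() {
    echo $(( $1 * 256 + $2 ))
}

# port_ok CLIENT_IP "PORT h1,h2,h3,h4,p1,p2"
# returns 0 if the requested data socket may be opened, 1 otherwise
port_ok() {
    client=$1
    cmd=$2
    case "$cmd" in
        PORT\ *) ;;
        *) return 1 ;;            # not a PORT command at all (PASV needs no hole)
    esac
    args=${cmd#PORT }
    oldifs=$IFS; IFS=,; set -- $args; IFS=$oldifs
    [ $# -eq 6 ] || return 1      # exactly six decimal fields
    for f in "$@"; do
        case "$f" in ''|*[!0-9]*) return 1 ;; esac
        [ "$f" -le 255 ] || return 1
    done
    addr="$1.$2.$3.$4"
    port=$(port_number "$5" "$6")
    # The data socket must belong to the host that issued the command;
    # a PORT naming another inside host turns the router into a door
    # onto that host.
    [ "$addr" = "$client" ] || return 1
    # Privileged ports are never legitimate data ports; accepting one is
    # how a crafted PORT opens a path to ssh, smtp, ... behind the firewall.
    [ "$port" -gt 1023 ] || return 1
    return 0
}

# Constructed sample session: client 192.168.1.10 sits behind the router.
for sample in "PORT 192,168,1,10,4,1"  \
              "PORT 192,168,1,10,0,22" \
              "PORT 192,168,1,20,4,1"  \
              "PORT 192,168,1,10,4"; do
    if port_ok 192.168.1.10 "$sample"; then
        echo "allow   $sample"
    else
        echo "reject  $sample"
    fi
done
```

Only the first sample passes (port 4*256+1 = 1025 on the client's own address). Passive mode sidesteps the whole question, because the client initiates the data connection outward and the router never has to open anything inbound, which is exactly why Roman prefers it.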
participants (4)
- OKDesign oHG Security Administrator
- Ralf Ronneburger
- Roman Drahtmueller
- Tim Head