Mailinglist Archive: opensuse-security (757 mails)

< Previous Next >
Re: [suse-security] probs with ftp-masquerading
  • From: Ralf Ronneburger <ralf@xxxxxxxxxxxxxx>
  • Date: Mon, 21 Jan 2002 21:25:41 +0100
  • Message-id: <3C4C7945.3030402@xxxxxxxxxxxxxx>
Hi Stephan,

try something like this (adapt $p_high, $EXT and $IPTABLES to your needs!):

set $p_high = 1024:65535
set $EXT = ippp0
set $IPTABLES = /usr/sbin/iptables
# ftp
# control connection
$IPTABLES -A OUTPUT -o $EXT -m state --state NEW -p TCP --sport $p_high --dport ftp -j ACCEPT
# passive data connection
$IPTABLES -A OUTPUT -o $EXT -m state --state NEW -p TCP --sport $p_high --dport $p_high -j ACCEPT

Works fine for me!

Best regards,


OKDesign oHG Security Administrator wrote:

Hi folks,

this question is not really directly security-related, but I'm gonna post it
here, because I got the problem due to my intention to be as secure as
possible :)

As I read that the "older" kernel 2.2 is not as secure as the newer one 2.4
is, I installed my linux-machine complete from the crab with SuSE 7.3. This
box acts as a Router/Gateway for the LAN. On the first sight everything
works fine, but I found that its not possible to connect to ftp-servers from
the clients. Well, the connection itself works, but I can't get the dirlist.
I tried out several servers, all with the same effort: Connection works, but
when the client wants to get the dir, connection hangs.
I know I had the same problem with 2.2 and could solve it with "insmod
ftp_masq" (or similar) but now this module can't be found on the whole HDD.
Maybe there is a special iptables-command necessary ?
Can someone please point me to the right direction and/or tell me how to get
this to work ?

Routing/MAsquerading is actually done with:
iptables -t nat -A POSTROUTING -o ppp0 -j MASQUERADE
echo 1 > /proc/sys/net/ipv4/ip_forward

Is something missing ?

Thanks in advance for your help.


Ralf Ronneburger

Prefers to receive encrypted Mail, download public-key from

< Previous Next >