SLUG Mailing List Archives

[SLUG] ftp through ipchains not working


Hi all,

I got all keen a little while back and put in some basic ipchains
rules (which I ripped off from somewhere and modified a little bit).
Problem is now ftp doesn't work through it and I can't see why.  I
opened incoming ftp and ftp-data (ports 20 and 21 - tcp and udp,
although it should only be tcp, I thought?) and all outgoing is
allowed (and the ip_masq_ftp module is loaded - not that that
should matter).  In this case I'm only trying to ftp from my
gateway box - i.e. the one with the modem and the ipchains rules.

The error when I connect to places is:
230 Anonymous access granted, restrictions apply.
Remote system type is UNIX.
Using binary mode to transfer files.
ftp> ls
200 PORT command successful.
425 Can't build data connection: Connection refused
ftp> ls

So what's going wrong?

Here's the rules:

	# Path to the ipchains binary (the script assumes it is set before use)
	IPCHAINS=/sbin/ipchains
	echo "Setting firewalling/forwarding rules"
	#
	# First, clear out all rulesets (flush built-in chains, delete user chains).
	$IPCHAINS -F
	$IPCHAINS -X
	# Add default policies: drop-with-ICMP-error anything not explicitly
	# accepted on input/forward; let everything leave the box.
	$IPCHAINS -P input   REJECT
	$IPCHAINS -P forward REJECT
	$IPCHAINS -P output  ACCEPT
	# Turn on routing between interfaces (needed for masquerading).
	echo 1 > /proc/sys/net/ipv4/ip_forward
	# Accept packets on any interface other than ppp (i.e. trust the LAN side)
	$IPCHAINS -A input --interface ! ppp+ -j ACCEPT
	# DNS replies (UDP from a source port of 53).
	$IPCHAINS -A input --interface ppp+ --protocol udp --source-port domain -j ACCEPT
	# Allow reply packets (no SYN set) on PPP interface.
	# -y matches only SYN-without-ACK/FIN, so SYN/ACK replies fall under ! -y.
	$IPCHAINS -A input ! -y --protocol tcp --interface ppp+ -j ACCEPT
	# Deny NETBIOS packets from ever seeing light of day (anal; no forwarding).
	$IPCHAINS -A input --interface eth0 --destination 0/0 137:139 --protocol TCP -j DENY --log
	$IPCHAINS -A input --interface eth0 --destination 0/0 137:139 --protocol UDP -j DENY --log
	# Masq Internal Network Out To Internet
	$IPCHAINS -A input --interface ppp+ --protocol udp --source-port 4000 -j ACCEPT
	$IPCHAINS -A forward -j MASQ -s 192.168.1.0/24 --destination 0.0.0.0/0
	# Allow Incoming SMTP Requests
	$IPCHAINS -A input --interface ppp+ --protocol tcp --destination-port 25 -j ACCEPT --log
	# Allow incoming ftp (connections whose destination port is 20 or 21)
	$IPCHAINS -A input --interface ppp+ --protocol tcp --destination-port 20 -j ACCEPT --log
	$IPCHAINS -A input --interface ppp+ --protocol udp --destination-port 20 -j ACCEPT --log
	$IPCHAINS -A input --interface ppp+ --protocol tcp --destination-port 21 -j ACCEPT --log
	$IPCHAINS -A input --interface ppp+ --protocol udp --destination-port 21 -j ACCEPT --log
	# Allow Incoming HTTPD Requests
	$IPCHAINS -A input --interface ppp+ --protocol tcp --destination-port 80 -j ACCEPT --log
	# Allow Incoming SSH Requests
	$IPCHAINS -A input --interface ppp+ --protocol tcp --destination-port 22 -j ACCEPT --log
	$IPCHAINS -A input --interface ppp+ --protocol udp --destination-port 22 -j ACCEPT --log
	# Allow all ICMP on ppp (echo reply, unreachables, etc.) otherwise ping,
	# traceroute and mru/mtu discovery won't work
	$IPCHAINS -A input --interface ppp+ --protocol icmp -j ACCEPT --log
	# Allow Ident
	$IPCHAINS -A input --interface ppp+ --protocol udp --destination-port 113 -j ACCEPT --log
	#end

Thanks,
Dave.
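An added example, not part of Dave's post: a small first-match evaluator that models the posted ipchains "input" chain and replays two constructed FTP data-connection packets through it. In active mode (the default after "PORT command successful") the server opens the data connection itself, sending a SYN from its port 20 to the high port the client advertised; in passive mode the client opens it and the first inbound packet is the server's SYN/ACK. The rule language, packet fields, port numbers and the tiny `Packet`/`Rule` classes below are assumptions made for the model; only the rule ordering and matches come from the posted script.

```python
# Added example: toy first-match model of Dave's ipchains "input" chain.
# Everything here (Packet, Rule, port numbers) is constructed for illustration.
from dataclasses import dataclass
from typing import List, Optional, Tuple


@dataclass
class Packet:
    iface: str              # interface the packet arrives on, e.g. "ppp0"
    proto: str              # "tcp", "udp" or "icmp"
    sport: int = 0
    dport: int = 0
    syn: bool = False
    ack: bool = False
    fin: bool = False

    def is_syn_only(self) -> bool:
        # ipchains -y: SYN set, ACK and FIN clear (a connection-opening packet).
        return self.syn and not self.ack and not self.fin


@dataclass
class Rule:
    text: str                               # the ipchains line being modelled
    target: str                             # ACCEPT / DENY / REJECT
    iface: Optional[str] = None             # "ppp+" matches ppp0, ppp1, ...
    iface_negate: bool = False              # "--interface ! ppp+"
    proto: Optional[str] = None
    sport: Optional[Tuple[int, int]] = None  # inclusive port range
    dport: Optional[Tuple[int, int]] = None
    syn: Optional[bool] = None              # True == "-y", False == "! -y"

    def matches(self, p: Packet) -> bool:
        if self.iface is not None:
            if self.iface.endswith("+"):
                hit = p.iface.startswith(self.iface[:-1])
            else:
                hit = p.iface == self.iface
            if hit == self.iface_negate:
                return False
        if self.proto is not None and p.proto != self.proto:
            return False
        if self.sport is not None and not (self.sport[0] <= p.sport <= self.sport[1]):
            return False
        if self.dport is not None and not (self.dport[0] <= p.dport <= self.dport[1]):
            return False
        if self.syn is not None and p.is_syn_only() != self.syn:
            return False
        return True


def ppp(text, target="ACCEPT", **kw):
    return Rule(text, target, iface="ppp+", **kw)


# The posted "input" chain, in order; policy is REJECT.
INPUT_POLICY = "REJECT"
INPUT_CHAIN: List[Rule] = [
    Rule("--interface ! ppp+ -j ACCEPT", "ACCEPT", iface="ppp+", iface_negate=True),
    ppp("ppp+ udp --source-port domain", proto="udp", sport=(53, 53)),
    ppp("! -y tcp ppp+ -j ACCEPT", proto="tcp", syn=False),
    Rule("eth0 137:139 TCP -j DENY", "DENY", iface="eth0", proto="tcp", dport=(137, 139)),
    Rule("eth0 137:139 UDP -j DENY", "DENY", iface="eth0", proto="udp", dport=(137, 139)),
    ppp("ppp+ udp --source-port 4000", proto="udp", sport=(4000, 4000)),
    ppp("ppp+ tcp --destination-port 25", proto="tcp", dport=(25, 25)),
    ppp("ppp+ tcp --destination-port 20", proto="tcp", dport=(20, 20)),
    ppp("ppp+ udp --destination-port 20", proto="udp", dport=(20, 20)),
    ppp("ppp+ tcp --destination-port 21", proto="tcp", dport=(21, 21)),
    ppp("ppp+ udp --destination-port 21", proto="udp", dport=(21, 21)),
    ppp("ppp+ tcp --destination-port 80", proto="tcp", dport=(80, 80)),
    ppp("ppp+ tcp --destination-port 22", proto="tcp", dport=(22, 22)),
    ppp("ppp+ udp --destination-port 22", proto="udp", dport=(22, 22)),
    ppp("ppp+ icmp", proto="icmp"),
    ppp("ppp+ udp --destination-port 113", proto="udp", dport=(113, 113)),
]


def evaluate(p: Packet, chain=INPUT_CHAIN, policy=INPUT_POLICY) -> Tuple[str, str]:
    """Return (target, matching rule text); falls through to the chain policy."""
    for rule in chain:
        if rule.matches(p):
            return rule.target, rule.text
    return policy, "chain policy"


def active_mode_data_syn(client_port: int) -> Packet:
    # After "PORT ...,<client_port>" the server connects to the client:
    # SYN from source port 20 to the client's advertised high port.
    return Packet("ppp0", "tcp", sport=20, dport=client_port, syn=True)


def passive_mode_data_reply(server_port: int, client_port: int) -> Packet:
    # In passive mode the client connects out; the first inbound packet on ppp0
    # is the server's SYN/ACK, which "-y" does not match because ACK is set.
    return Packet("ppp0", "tcp", sport=server_port, dport=client_port, syn=True, ack=True)


if __name__ == "__main__":
    for label, pkt in [("active-mode data SYN", active_mode_data_syn(1234)),
                       ("passive-mode data SYN/ACK", passive_mode_data_reply(40000, 1235)),
                       ("LAN NetBIOS on eth0", Packet("eth0", "tcp", 1025, 139, syn=True))]:
        print(f"{label:28s} -> {evaluate(pkt)}")
```

Running it shows that the active-mode data SYN (source port 20, high destination port) matches none of the accept rules, because the "--destination-port 20" rule only admits connections *to* port 20, and so hits the REJECT policy; the passive-mode SYN/ACK is accepted by the "! -y" rule; and a NetBIOS packet on eth0 is accepted by the first "! ppp+" rule before the DENY rules for ports 137:139 are ever consulted.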