Morten Steinvik <[EMAIL PROTECTED]> wrote:
>
> -F -f
> -F -p deny
> -F -a accept -S $NET10 -D $NET100
> -F -a m -S $NET10 -D any/0
> -F -a m -S $NET100 -D any/0

This looks good, although the masq box is only forwarding packets from
NET10 to NET100; it won't forward the other direction.  Whether this is
a problem is up to you.  :)

> The log of the ftp site (which I have not available right now, sorry)
> said that it got a connection from the 193.90-address that the linux
> has; it got masqued correctly.  Next it says it cannot open
> connection to a port on the 192.168-address that the PC has.

An FTP connection is actually two connections.  One is opened out-bound
from the client, and is called the "control" connection, on destination
port 21.  The only commands that are sent over the control connection
are login commands, and file retrieval commands, and the responses to
those commands.  Any time an actual transfer will take place, an
additional connection is created between the two machines.  In order to
create this connection, a PORT command is sent which gives the IP
address and port number for the remote ftp daemon to connect back to.

Your machine is giving the remote ftp daemon its own IP address, which
is unreachable, and that's why your ftp fails.

The ip_masq_ftp module is intended to fix exactly this scenario.  Simply
"insmod" that module (yes, you do have it), and the module will now go
to work on future ftp sessions.  If the session is being masqueraded, it
will watch for the PORT command being sent, and whenever it is seen, it
will change the IP address inserted into the command stream, and send
the correct masq IP/port instead.  It works quite well.

An alternative to the above is to configure your ftp clients behind the
firewall to use the PASV command instead of PORT.  This is referred to
as "passive mode", and it allows the machine behind the firewall to open
the secondary connection outbound (which is masqueraded as normal),
rather than the default direction from daemon to client.  This also
works quite well, but not all ftp clients support it.  The ip_masq_ftp
module will not interfere with such connections, however, so simply
loading that module will give you the best of both worlds.
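To make the two cases above concrete, here is a small user-space model of what the masquerading FTP helper has to do: decode a client's PORT command, swap the private address for the masq box's public address plus a port it has set aside, and record the mapping it needs so the daemon's inbound data connection reaches the client; a PASV reply is only parsed, because that data connection goes outbound and is masqueraded like any other TCP session.  This is added example code, not the ip_masq_ftp module and not anything from the thread; the addresses, the 61000-range port allocation and the function names are assumptions made up for the demonstration.

```python
"""User-space model of FTP control-stream rewriting for masquerading.

Constructed example: addresses, ports and the allocate_port() policy are
assumptions for the demonstration, not values from the thread or from the
ip_masq_ftp kernel module.
"""
import re

# Both forms carry an address and port as six comma-separated decimal bytes:
# h1,h2,h3,h4 is the IPv4 address, p1,p2 the port (port = p1*256 + p2).
_PORT_CMD = re.compile(r"^PORT\s+(\d+),(\d+),(\d+),(\d+),(\d+),(\d+)\s*$")
_PASV_REPLY = re.compile(r"^227\s.*\((\d+),(\d+),(\d+),(\d+),(\d+),(\d+)\)")


def _decode(groups):
    """Turn the six captured numbers into (dotted_ip, port), validating ranges."""
    nums = [int(g) for g in groups]
    if any(n > 255 for n in nums):
        raise ValueError("byte out of range in FTP address")
    ip = ".".join(str(n) for n in nums[:4])
    port = nums[4] * 256 + nums[5]
    if port == 0:
        raise ValueError("port 0 is not usable")
    return ip, port


def _encode(ip, port):
    """Inverse of _decode: dotted ip + port -> 'h1,h2,h3,h4,p1,p2'."""
    octets = ip.split(".")
    if len(octets) != 4 or not 0 < port < 65536:
        raise ValueError("bad address or port")
    return ",".join(octets + [str(port // 256), str(port % 256)])


def parse_port_command(line):
    """(ip, port) the client asks the daemon to connect back to, or None."""
    m = _PORT_CMD.match(line)
    return _decode(m.groups()) if m else None


def parse_pasv_reply(line):
    """(ip, port) the daemon tells the client to connect to, or None."""
    m = _PASV_REPLY.match(line)
    return _decode(m.groups()) if m else None


def rewrite_port_command(line, private_ip, public_ip, allocate_port):
    """What the helper does to one line of an outbound control stream.

    If the line is a PORT command naming the private client address, replace
    it with the masq box's public address and a port obtained from
    allocate_port(), and return the new line together with the mapping
    {public_port: (private_ip, private_port)} the masq box must install so
    the daemon's inbound data connection is forwarded to the client.
    Every other line passes through unchanged with no mapping.
    """
    parsed = parse_port_command(line)
    if parsed is None or parsed[0] != private_ip:
        return line, None
    _, private_port = parsed
    public_port = allocate_port()
    new_line = "PORT " + _encode(public_ip, public_port) + "\r\n"
    return new_line, {public_port: (private_ip, private_port)}


def data_connection_direction(line):
    """Which side will open the data connection after this control line."""
    if parse_port_command(line) is not None:
        return "server-to-client"   # active mode: needs the helper
    if parse_pasv_reply(line) is not None:
        return "client-to-server"   # passive mode: plain outbound masquerade
    return None


if __name__ == "__main__":
    PRIVATE_CLIENT = "192.168.1.10"   # assumed client behind the masq box
    MASQ_PUBLIC = "193.90.0.1"        # assumed placeholder public address
    alloc = iter(range(61000, 61010))  # assumed port-allocation policy

    original = "PORT 192,168,1,10,4,1\r\n"   # client listening on 192.168.1.10:1025
    rewritten, mapping = rewrite_port_command(
        original, PRIVATE_CLIENT, MASQ_PUBLIC, lambda: next(alloc))
    print(original.strip(), "->", rewritten.strip(), mapping)
    print(data_connection_direction("227 Entering Passive Mode (10,0,0,5,195,80)\r\n"))
```

Run as a script it prints the rewritten PORT line and the mapping the masq box would have to keep; the real module does the same substitution inside the kernel on the masqueraded TCP stream, and the mapping is why only PORT needs help while PASV works with plain masquerading.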

-- 
   [EMAIL PROTECTED] (Fuzzy Fox)      ||   "Her lips said 'No,' but her
sometimes known as David DeSimone  ||    eyes said 'Read my lips!'"
  http://www.dallas.net/~fox/      ||