ftp and firewall
I have a Red Hat AS4 server on testing, and I am running FC4.

My problem: I have a server on the Internet running Windows 2003 Enterprise with FTP enabled. I can access it from FC4 or AS4, but I am unable to access it from the clients. I am using Squid and iptables, and there isn't any blocking in Squid or iptables for that. Since it is running in active mode (Win 2003 FTP server) the clients have a problem, but all other servers running in passive mode on the LAN/Internet are accessible. I used these rules:

Code:
# "-m state" needs "--state"; a bare 172.16.0.0 or 0.0.0.0 matches only that
# single host, so masks are added (the /16 LAN mask is assumed)
iptables -A FORWARD -p tcp -s 172.16.0.0/16 --sport 1024:65535 -d 0.0.0.0/0 --dport 21 -m state --state NEW,ESTABLISHED -j ACCEPT
iptables -A FORWARD -p tcp -s 0.0.0.0/0 --sport 20 --dport 1024:65535 -m state --state ESTABLISHED,RELATED -j ACCEPT
iptables -A INPUT -p tcp -s 172.16.0.0/16 --sport 1024:65535 -d 0.0.0.0/0 --dport 21 -m state --state NEW,ESTABLISHED -j ACCEPT
iptables -A INPUT -p tcp -s 0.0.0.0/0 --sport 20 --dport 1024:65535 -m state --state ESTABLISHED,RELATED -j ACCEPT

but at the client I get: ftp: connect :unknown error number
You don't need to make rules with all those port ranges. That's how it used to be with ipchains, but netfilter/iptables' connection tracking eliminates the need for that kind of rule... like this example (for the router/firewall):

Code:
iptables -A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT
/sbin/modprobe ip_nat_ftp
iptables -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
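As an added example (this is not code from the thread or from any of the posters), here is what a stateful ruleset on the Linux router looks like once the FTP helper is loaded, together with a small function that shows what ip_conntrack_ftp extracts from the control channel to mark the data connection RELATED. The reply above only accepts ESTABLISHED,RELATED traffic, so this adds the NEW rule for port 21 that clients need. The interface names eth0/eth1 and the 172.16.0.0/16 mask are assumptions; set IPT=echo (or run with the dry-run argument) to print the rules instead of applying them.

```shell
#!/bin/sh
# Added example: stateful iptables ruleset for a Linux router that lets LAN
# clients use FTP in active and passive mode, plus a function showing what the
# FTP conntrack helper parses. Interface names and the LAN mask are assumed.
LAN_NET="${LAN_NET:-172.16.0.0/16}"    # assumed: the thread only shows 172.16.0.0
LAN_IF="${LAN_IF:-eth1}"               # assumed interface names
WAN_IF="${WAN_IF:-eth0}"
IPT="${IPT:-/sbin/iptables}"           # IPT=echo prints rules instead of applying them
MODPROBE="${MODPROBE:-/sbin/modprobe}"

# ip_conntrack_ftp reads PORT/PASV on the control connection so the data
# connection is tracked as RELATED; ip_nat_ftp rewrites the address in a
# client's PORT command when the LAN is masqueraded.
# (Kernels 2.6.20 and later name these nf_conntrack_ftp / nf_nat_ftp.)
load_ftp_helpers() {
    $MODPROBE ip_conntrack_ftp
    $MODPROBE ip_nat_ftp
}

ftp_forward_rules() {
    $IPT -P FORWARD DROP
    # Packets of tracked connections, and of connections RELATED to one
    # (the FTP data channel in either mode), pass without any port-range rules.
    $IPT -A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT
    # New FTP control connections from the LAN out to the Internet.
    $IPT -A FORWARD -i "$LAN_IF" -o "$WAN_IF" -s "$LAN_NET" \
        -p tcp --dport 21 -m state --state NEW -j ACCEPT
    # Replies to the router's own connections (Squid, ssh, ...).
    $IPT -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
    # Private LAN addresses must be masqueraded: without NAT an active-mode
    # server would try to connect back to 172.16.x.x, which is not routable.
    $IPT -t nat -A POSTROUTING -o "$WAN_IF" -s "$LAN_NET" -j MASQUERADE
}

# What the helper parses: turn "PORT h1,h2,h3,h4,p1,p2" (active mode) or a
# "227 Entering Passive Mode (h1,h2,h3,h4,p1,p2)" reply (passive mode) into the
# host:port of the data connection the firewall must expect.
ftp_data_endpoint() {
    tuple=$(printf '%s\n' "$1" |
        sed -n 's/.*[ (]\([0-9]*,[0-9]*,[0-9]*,[0-9]*,[0-9]*,[0-9]*\).*/\1/p')
    [ -n "$tuple" ] || return 1          # no address tuple in this line
    oldifs=$IFS; IFS=,; set -- $tuple; IFS=$oldifs
    printf '%s.%s.%s.%s:%d\n' "$1" "$2" "$3" "$4" $(( $5 * 256 + $6 ))
}

case "${1:-}" in
    apply)   load_ftp_helpers; ftp_forward_rules ;;
    dry-run) IPT=echo; MODPROBE=echo; load_ftp_helpers; ftp_forward_rules ;;
esac
```

Run it as `sh ftp-fw.sh dry-run` to see the rules, or `sh ftp-fw.sh apply` as root. Note the split the thread keeps blurring: if the clients talk to Squid, Squid on the router is the FTP client and no FORWARD rules are involved at all; if they run a standalone FTP client, the session is routed, and then private client addresses need MASQUERADE and the helper modules regardless of Squid.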
I have a problem and am getting this; maybe it is a bug.

I am using a Linux box as firewall, forwarding the clients' requests to the Internet. My problem is that there is a Windows 2003 FTP server, and the clients are unable to browse the FTP site, while they are able to connect to any Linux-based FTP server on the net. I am also using Squid. On top of all that, there isn't any restriction in Squid or iptables. I can connect from the Linux box to the Windows 2003 FTP server. I flushed all rules, deleted all chains, and set the default policy to ACCEPT, and at least used this rule, but I am still getting an error on the client side. When I check on the client:

Code:
c:\> netstat -a
  TCP    172.16.0.22:1044    202.145.23.3:ftp    SYN_SENT

and eventually the connection times out. I am using these two rules only (two):

Code:
iptables -A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT
iptables -A FORWARD -p tcp --dport 21 -j ACCEPT
Have you tried both active and passive modes?
1st, I am unable to connect to that server, so how can I define active or passive mode?

2nd, proxy servers are used for the HTTP and FTP protocols. If this is a 100% correct statement, then why are my clients unable to connect, even though I am using Squid with a minimal ACL like below?

Code:
acl home1 src 172.16.0.0
http_access allow home1

Third, in iptables I am not using NAT for the FTP protocol because of Squid, to cache contents and make them available to other users as well, and I also allowed the above rules.
I'd love to help you, but I can't seem to understand your setup or your exact problem very well... Perhaps you could sketch a diagram here using text, or maybe explain your problem a little better?
I am having very similar issues, and have found tons of posts on here regarding this but no fixes so far. Here is my environment:
IPCop v1.4.10 running Squid proxy (squid/2.5.STABLE12). Here is a copy of my squid.conf:

Code:
shutdown_lifetime 5 seconds
icp_port 0
http_port 127.0.0.1:800
acl QUERY urlpath_regex cgi-bin \?
no_cache deny QUERY
cache_effective_user squid
cache_effective_group squid
pid_filename /var/run/squid.pid
cache_access_log /var/log/squid/access.log
cache_log /var/log/squid/cache.log
cache_store_log none
log_mime_hdrs off
forwarded_for off
# Uncomment the following line to enable logging of User-Agent header:
#useragent_log /var/log/squid/user_agent.log
# Uncomment the following line to enable logging of Referer header:
#referer_log /var/log/squid/referer.log
acl all src 0.0.0.0/0.0.0.0
acl localhost src 127.0.0.1/255.255.255.255
acl SSL_ports port 443 563
acl Safe_ports port 80          # http
acl Safe_ports port 21          # ftp
acl Safe_ports port 443 563     # https, snews
acl Safe_ports port 70          # gopher
acl Safe_ports port 210         # wais
acl Safe_ports port 1025-65535  # unregistered ports
acl Safe_ports port 280         # http-mgmt
acl Safe_ports port 488         # gss-http
acl Safe_ports port 591         # filemaker
acl Safe_ports port 777         # multiling http
acl Safe_ports port 800         # Squids port (for icons)
acl IPCop_http port 81
acl IPCop_https port 445
acl IPCop_ips dst 10.0.0.2
acl IPCop_networks src 10.0.0.0/255.255.255.0
acl CONNECT method CONNECT
##Access to squid:
#local machine, no restriction
#http_access allow localhost
#GUI admin if local machine connects
#http_access allow IPCop_ips IPCop_networks IPCop_http
#http_access allow CONNECT IPCop_ips IPCop_networks IPCop_https
#Deny not web services
#http_access deny !Safe_ports
#http_access deny CONNECT !SSL_ports
#Finally allow IPCop_networks clients
#http_access allow IPCop_networks
#http_access deny all
# Cop+ acl rules follow, above rules should remain commented out
http_access allow localhost IPCop_http
http_access allow CONNECT localhost IPCop_https
http_access deny !Safe_ports
http_access deny CONNECT !SSL_ports
http_access allow localhost
http_access deny all
maximum_object_size 4096 KB
minimum_object_size 0 KB
cache_mem 2000 KB
cache_dir aufs /var/log/cache 50 16 256
request_body_max_size 0 KB
reply_body_max_size 0 allow all
visible_hostname fake.hostname
httpd_accel_host virtual
httpd_accel_port 80
httpd_accel_with_proxy on
httpd_accel_uses_host_header on

As you can see from the acl allows, port 21/FTP is allowed access. Yet any time I attempt to hit an FTP site through Squid from a Windows client, using either IE 6.0+ or SmartFTP, I get the following error message:

Code:
ERROR
The requested URL could not be retrieved

The FTP server was too busy while trying to retrieve the URL: ftp://ftp.conleyservices.com/

Squid sent the following FTP command:
    USER anonymous
and then received this reply
    Unable to set up secure anonymous FTP

Your cache administrator is webmaster.

Generated Sat, 10 Jun 2006 03:18:06 GMT by fake.hostname (squid/2.5.STABLE12)

Help?! Someone?! Also, if I go to a Linux FTP server that requires a login other than anonymous, it seems to work (except I don't have a password, so I am not sure if it really works, but at least I get prompted to put one in).