LinuxQuestions.org
Linux - Networking: This forum is for any issue related to networks or networking.
Routing, network cards, OSI, etc. Anything is fair game.
Old 10-21-2004, 08:00 AM   #1
RetroJohn
LQ Newbie
 
Registered: Oct 2004
Location: Cape Town, South Africa
Distribution: LFS
Posts: 4

Rep: Reputation: 0
FTP using TLS via masq / iptables


Hi all

I have a Linux box between 192.168.x.x and the big world
out there. For each user, I have a line,

iptables -A FORWARD -i eth0 -s 192.168.x.y -o eth1 -j ACCEPT

and then of course also the blanket

iptables -t nat -A POSTROUTING -o eth1 -j SNAT --to $EXTIP

This works fine, does what it needs to do, and so forth.

But now, one user wants to access an FTP site that uses TLS.
And I don't know how to tell ip_nat_ftp / iptable rules about
this.

Log:
...
Status: Connected
Status: Retrieving directory listing...
Command: PWD
Response: 256 "/" is your current location
Command: PORT 192,168,x,y,4,41
Response: 500 I won't open a connection to 192.168.x.y (only to $EXTIP)
Error: Could not retrieve directory listing
...

What arcane string do I have to incant in the direction of
iptables? Or is this impossible because ip_nat_ftp can't see
inside the encrypted packets?

Thanks

W
 
Old 10-21-2004, 09:03 AM   #2
Demonbane
LQ Guru
 
Registered: Aug 2003
Location: Sydney, Australia
Distribution: Gentoo
Posts: 1,796

Rep: Reputation: 47
Try passive mode
 
Old 10-22-2004, 06:05 AM   #3
RetroJohn
LQ Newbie
 
Registered: Oct 2004
Location: Cape Town, South Africa
Distribution: LFS
Posts: 4

Original Poster
Rep: Reputation: 0
The web server he needs to upload to doesn't allow passive...
 
Old 10-22-2004, 06:23 AM   #4
Demonbane
LQ Guru
 
Registered: Aug 2003
Location: Sydney, Australia
Distribution: Gentoo
Posts: 1,796

Rep: Reputation: 47
In that case you have to get him to use a few specific ports for active mode, then do port forwarding on the firewall.
Because you're right that ip_nat_ftp cannot see inside the packet, therefore it will not be able to track the connection.
If you have control over the FTP server then try SFTP instead. Otherwise I suppose you can only do a workaround using my first method.
 
Old 10-22-2004, 06:29 AM   #5
RetroJohn
LQ Newbie
 
Registered: Oct 2004
Location: Cape Town, South Africa
Distribution: LFS
Posts: 4

Original Poster
Rep: Reputation: 0
Quote:
Originally posted by Demonbane
In that case you have to get him to use few specific ports for active mode, then do port forwarding on the firewall.
OK... and how do I do that?

Thanks!

W
 
Old 10-22-2004, 06:52 AM   #6
Demonbane
LQ Guru
 
Registered: Aug 2003
Location: Sydney, Australia
Distribution: Gentoo
Posts: 1,796

Rep: Reputation: 47
Depends on the FTP client.
For lftp there's a setting called "ftp:port-range" and "ftp:port-ipv4".
For example you tell the client to set the port range to 65000-65005, and port-ipv4 to your external IP.
Then on the Linux router, you do:
Code:
iptables -t nat -A PREROUTING -p tcp --dport 65000:65005 -j DNAT --to 192.168.x.x
where 192.168.x.x is the client's ip address

Last edited by Demonbane; 10-22-2004 at 06:53 AM.
 
Old 10-29-2004, 05:50 AM   #7
RetroJohn
LQ Newbie
 
Registered: Oct 2004
Location: Cape Town, South Africa
Distribution: LFS
Posts: 4

Original Poster
Rep: Reputation: 0
Quote:
Originally posted by Demonbane
Depends on the FTP client.
For lftp there's a setting called "ftp:port-range" and "ftp:port-ipv4".
For example you tell the client to set the port range to 65000-65005, and port-ipv4 to your external IP.
Then on the Linux router, you do:
Code:
iptables -t nat -A PREROUTING -p tcp --dport 65000:65005 -j DNAT --to 192.168.x.x
where 192.168.x.x is the client's ip address
# iptables -t nat -A PREROUTING -p tcp --dport 65000:65005 -j NAT --to 192.168.1.44 -v
iptables v1.2.9: Unknown arg `--to'

I sort of understand what I'm supposed to be trying to do, but how to incant
the right command string at iptables?
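The thread ends without the working command, so here is an added example (editorial, not code from either poster) that puts Demonbane's suggestion from #6 together with the syntax the command in #7 got wrong: the target is DNAT (there is no NAT target, which is why iptables 1.2.9 rejected the line), and the option is `--to-destination` (`--to` is only its abbreviation). The script prints the two lftp settings for the LAN user and the two router rules. It assumes eth1 is the external interface and eth0 the LAN side, as in the original poster's rules; the addresses 203.0.113.1 and 192.168.1.44 are constructed sample values. The second rule is the part a firewall with per-host FORWARD rules tends to miss: in active mode the FTP server opens the data connection, so it arrives as a new flow in the eth1 to eth0 direction that the existing eth0 to eth1 ACCEPT rule never matches.

```shell
#!/bin/sh
# Added example, not code from the thread. Generates (a) the lftp settings the
# LAN user needs so PORT advertises the router's public IP and a fixed port
# range, and (b) the router-side iptables rules that bring those inbound data
# connections back to the LAN host. Interface names eth1 (external) and eth0
# (LAN) follow the thread's rules; every address below is a constructed sample.

# lftp settings for the LAN user's ~/.lftprc. ftp:port-ipv4 and ftp:port-range
# are the two settings named in the thread.
lftp_settings() {
    extip=$1; lo=$2; hi=$3
    printf 'set ftp:port-ipv4 %s\n' "$extip"        # address placed in PORT
    printf 'set ftp:port-range %s-%s\n' "$lo" "$hi"  # local ports lftp listens on
}

# Router rules. The DNAT is restricted to packets arriving on the external
# interface, addressed to the public IP, and only for the advertised port
# range, so nothing else on the router is exposed by it.
nat_rules() {
    extip=$1; clientip=$2; lo=$3; hi=$4; extif=${5:-eth1}; lanif=${6:-eth0}
    printf 'iptables -t nat -A PREROUTING -i %s -d %s -p tcp --dport %s:%s -j DNAT --to-destination %s\n' \
        "$extif" "$extip" "$lo" "$hi" "$clientip"
    # The FTP server initiates the data connection, so it enters as a NEW flow
    # in the eth1->eth0 direction; the per-user eth0->eth1 ACCEPT rule from the
    # thread does not match it. Admit exactly this host and port range.
    printf 'iptables -A FORWARD -i %s -o %s -d %s -p tcp --dport %s:%s -j ACCEPT\n' \
        "$extif" "$lanif" "$clientip" "$lo" "$hi"
}

# Print both halves for the constructed example: public IP 203.0.113.1
# (documentation range), LAN host 192.168.1.44, ports 65000-65005.
demo() {
    echo '# ~/.lftprc on 192.168.1.44'
    lftp_settings 203.0.113.1 65000 65005
    echo '# on the router (run the lines as root, e.g. nat_rules ... | sh)'
    nat_rules 203.0.113.1 192.168.1.44 65000 65005
}

demo
```

Running the script prints the settings and rules; piping the output of `nat_rules` into `sh` as root applies them. If the FTP server's address is fixed, adding `-s <server ip>` to both rules narrows the hole further, since only that host should ever be connecting to the forwarded range.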
 