Linux - Networking: this forum is for any issue related to networks or networking. Routing, network cards, OSI, etc. Anything is fair game.
01-26-2004, 10:16 AM | #1 | supreme2k (LQ Newbie) | Registered: Jan 2004 | Posts: 7
Glftpd + Iptables + Passive Mode
Hi,
I installed glftpd on my Red Hat 9 machine, which has 2 NICs (eth0 is 10.0.0.1 and makes the internet connection; the other NIC is 192.168.0.100, which makes my LAN connection to the rest of the network).
On the same server, which is directly connected to the internet, I installed Arno's iptables, which works just great.
Now the problem:
If somebody connects to my glftpd server on port 9000 he gets no dir listing because of passive mode errors. I added a passive mode port range in glftpd.conf and I NAT/IP-forwarded the same range in the iptables script.
Does it make any difference if I forward it to 192.168.0.100 or 10.0.0.1? Both are connected to the Linux PC.
Who can help!!! Need fast help!

01-26-2004, 10:41 AM | #2 | peter_robb (Senior Member) | Registered: Feb 2002 | Location: Szczecin, Poland | Distribution: Gentoo, Debian | Posts: 2,458
There are 2 IP netfilter modules which must be loaded manually,
insmod ip_conntrack_ftp
insmod ip_nat_ftp
to catch the passive port connection properly.
Add these to the script.
If glftpd is on the server, the NAT rule is -j REDIRECT to send it to localhost.
Check the tutorial.
Last edited by peter_robb; 01-26-2004 at 10:43 AM.

01-26-2004, 11:29 AM | #3 | supreme2k (LQ Newbie, Original Poster) | Registered: Jan 2004 | Posts: 7
Quote:
    Originally posted by peter_robb
    There are 2 IP netfilter modules which must be loaded manually,
    insmod ip_conntrack_ftp
    insmod ip_nat_ftp
    to catch the passive port connection properly.
    Add these to the script.
    If glftpd is on the server, the NAT rule is -j REDIRECT to send it to localhost.
    Check the tutorial.
glftpd is on the same PC where iptables is running. In this machine there are 2 NICs: one is 192.168.0.100, which makes my LAN connection, and one NIC which makes my internet connection via ppp0 (10.0.0.1).
To which address should I forward the ports? To 192.168.0.100 or 10.0.0.1?
Can you please tell me the full command I should add to my script? BTW, if I add this command, it will be lost the next time I restart my PC, won't it?

01-26-2004, 11:52 AM | #4 | peter_robb (Senior Member) | Registered: Feb 2002 | Location: Szczecin, Poland | Distribution: Gentoo, Debian | Posts: 2,458
Whatever rule you are using to DNAT, change it to just -j REDIRECT.

01-26-2004, 12:18 PM | #5 | supreme2k (LQ Newbie, Original Poster) | Registered: Jan 2004 | Posts: 7
If I think about this forwarding:
Does it make sense to forward ports at all? It makes no sense to me to forward the port to the server it's installed ON. I think I should just open up the ports for passive mode and be done, or?
(Can't do it right now, because I'm at work.)

01-26-2004, 12:24 PM | #6 | peter_robb (Senior Member) | Registered: Feb 2002 | Location: Szczecin, Poland | Distribution: Gentoo, Debian | Posts: 2,458
Quite true...
Try first with the 2 modules loaded and the firewall off;
if it's OK, then start the firewall.

01-26-2004, 12:49 PM | #7 | supreme2k (LQ Newbie, Original Poster) | Registered: Jan 2004 | Posts: 7
Quote:
    Originally posted by peter_robb
    Quite true...
    Try first with the 2 modules loaded and the firewall off;
    if it's OK, then start the firewall.
Do I have to download these modules first or can I just do insmod?
Are they permanently or temporarily installed then?!
Last edited by supreme2k; 01-26-2004 at 12:52 PM.

01-26-2004, 01:02 PM | #8 | peter_robb (Senior Member) | Registered: Feb 2002 | Location: Szczecin, Poland | Distribution: Gentoo, Debian | Posts: 2,458
They are already there to use; just insmod them, and you need to add them to your start script, usually before any rules.

01-26-2004, 01:12 PM | #9 | supreme2k (LQ Newbie, Original Poster) | Registered: Jan 2004 | Posts: 7
Quote:
    Originally posted by supreme2k
    Do I have to download these modules first or can I just do insmod?
    Are they permanently or temporarily installed then?!
So they aren't permanent; I have to put them in rc5 or so to load at boot...
Is it OK to just add insmod <name> or the full path?

01-26-2004, 01:23 PM | #10 | peter_robb (Senior Member) | Registered: Feb 2002 | Location: Szczecin, Poland | Distribution: Gentoo, Debian | Posts: 2,458
Put them into the beginning of your iptables script...
Mine are in /etc/init.d/iptables...

]# cat /etc/init.d/iptables
#!/bin/sh
#
# iptables      Start iptables firewall
#
# chkconfig: 2345 08 92
# description: Starts, stops and saves iptables firewall
#
# config: /etc/sysconfig/iptables
# config: /etc/sysconfig/iptables-config

# Source function library.
. /etc/init.d/functions

IPTABLES=iptables
IPTABLES_DATA=/etc/sysconfig/$IPTABLES
IPTABLES_CONFIG=/etc/sysconfig/${IPTABLES}-config
IPV=${IPTABLES%tables}   # ip for ipv4 | ip6 for ipv6
PROC_IPTABLES_NAMES=/proc/net/${IPV}_tables_names
VAR_SUBSYS_IPTABLES=/var/lock/subsys/$IPTABLES

# Refuse to run without the iptables binary.
if [ ! -x /sbin/$IPTABLES ]; then
    echo -n $"/sbin/$IPTABLES does not exist."; warning; echo
    exit 0
fi

# ipchains and iptables cannot be loaded at the same time.
if lsmod 2>/dev/null | grep -q ipchains ; then
    echo -n $"ipchains and $IPTABLES can not be used together."; warning; echo
    exit 0
fi

# Default firewall configuration:
# Kernel modules (here the FTP conntrack and NAT helpers) loaded when the firewall starts.
IPTABLES_MODULES="ip_conntrack_ftp ip_nat_ftp"
IPTABLES_SAVE_ON_STOP="no"
IPTABLES_SAVE_ON_RESTART="no"
IPTABLES_SAVE_COUNTER="no"
IPTABLES_STATUS_NUMERIC="no"

01-27-2004, 08:56 AM | #11 | supreme2k (LQ Newbie, Original Poster) | Registered: Jan 2004 | Posts: 7
Nope... no insmod was needed. Just open the TCP ports and it works brilliantly!
Thx dude!!
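The two approaches the thread discusses, as an added example that is not part of the original posts and not code from glftpd or from Arno's firewall script. It builds the INPUT rules for a glftpd listening locally on TCP 9000 in two variants: relying on the FTP connection-tracking helper from post #2, or statically opening the passive range as the original poster ended up doing in post #11, and it sanity-checks the passive range before writing rules for it. Assumptions not stated in the thread: the passive range 50000-50100 (it must match pasv_ports in glftpd.conf), ppp0 as the internet-facing interface, and that modprobe is available. Two caveats a practitioner would want: the ip_conntrack_ftp helper only inspects port 21 unless it is told the daemon's port with ports=9000, so loading it without that parameter does nothing for a server on 9000; and a statically opened passive range is reachable by anyone at any time, so it should be no larger than the expected number of concurrent transfers. Because the daemon runs on the firewall box itself, no nat-table REDIRECT or DNAT rule is needed, as posts #5 and #6 conclude.

```shell
#!/bin/sh
# Added example for this thread (not from the posts, glftpd or Arno's script).
# Builds INPUT rules for a glftpd listening locally on TCP 9000 with passive mode.
# Assumed values (not given in the thread): passive range 50000-50100,
# internet-facing interface ppp0, modprobe available.
# Nothing is applied unless APPLY=1 is set; by default the rules are printed.

FTP_PORT=${FTP_PORT:-9000}
PASV_RANGE=${PASV_RANGE:-50000-50100}   # assumed; keep in sync with pasv_ports in glftpd.conf
WAN_IF=${WAN_IF:-ppp0}                   # assumed internet-side interface
IPT=${IPT:-iptables}

# Number of ports in a lo-hi range, e.g. 50000-50100 -> 101.
pasv_range_size() {
    lo=${1%-*}; hi=${1#*-}
    echo $((hi - lo + 1))
}

# Sanity-check a passive range before writing rules for it: both ends numeric,
# lo <= hi, unprivileged (> 1023), <= 65535, and not containing the control
# port (otherwise the static rule would also admit arbitrary connections to
# the control port's neighbours). Returns 0 if acceptable, 1 otherwise.
check_range() {
    range=$1; ctl=$2
    lo=${range%-*}; hi=${range#*-}
    case "$lo" in ''|*[!0-9]*) return 1 ;; esac
    case "$hi" in ''|*[!0-9]*) return 1 ;; esac
    [ "$lo" -le "$hi" ] || return 1
    [ "$lo" -gt 1023 ] || return 1
    [ "$hi" -le 65535 ] || return 1
    [ "$ctl" -lt "$lo" ] || [ "$ctl" -gt "$hi" ] || return 1
    return 0
}

# Load the FTP conntrack helper. By default it only watches port 21, so a
# daemon on another port must be named with ports=; without that the helper
# never parses the PASV reply and the data connection is never RELATED.
# Tries the 2.4 module names from the thread first, then the 2.6+ nf_ names.
load_ftp_helper() {
    port=$1
    modprobe ip_conntrack_ftp ports="$port" 2>/dev/null \
        || modprobe nf_conntrack_ftp ports="$port" 2>/dev/null || return 1
    # The NAT helper only matters when the control connection itself is NATed;
    # for a daemon on the firewall box it is harmless but unnecessary.
    modprobe ip_nat_ftp 2>/dev/null || modprobe nf_nat_ftp 2>/dev/null || true
}

# Rules shared by both variants: let tracked traffic through and accept new
# control connections on the glftpd port. They are meant to be added to an
# existing policy (loopback, output etc. are not handled here).
base_rules() {
    cat <<EOF
$IPT -A INPUT -i $WAN_IF -m state --state ESTABLISHED,RELATED -j ACCEPT
$IPT -A INPUT -i $WAN_IF -p tcp --dport $FTP_PORT -m state --state NEW -j ACCEPT
EOF
}

# Variant A (post #2): helper based. No passive port is open by itself; each
# data connection is admitted as RELATED only after the helper has seen the
# matching PASV reply on an established control session.
helper_rules() {
    base_rules
    # Recent kernels no longer attach helpers automatically; this raw-table
    # rule binds the ftp helper to the control port explicitly. The CT target
    # does not exist on the 2.4 kernels of the thread, so it is opt-in here.
    if [ "${EXPLICIT_HELPER:-0}" = 1 ]; then
        echo "$IPT -t raw -A PREROUTING -i $WAN_IF -p tcp --dport $FTP_PORT -j CT --helper ftp"
    fi
}

# Variant B (post #11): open the passive range statically. Every port in the
# range is reachable by anyone at any time, so keep the range small and make
# sure nothing else listens inside it.
static_rules() {
    base_rules
    echo "$IPT -A INPUT -i $WAN_IF -p tcp --dport ${PASV_RANGE%-*}:${PASV_RANGE#*-} -m state --state NEW -j ACCEPT"
}

# Usage: sh glftpd-fw.sh                  print the static-range rules (dry run)
#        STYLE=helper sh glftpd-fw.sh     print the helper-based rules
#        APPLY=1 sh glftpd-fw.sh          load the helper and apply the rules (root)
main() {
    check_range "$PASV_RANGE" "$FTP_PORT" || { echo "bad passive range: $PASV_RANGE" >&2; return 1; }
    if [ "${STYLE:-static}" = helper ]; then rules=helper_rules; else rules=static_rules; fi
    if [ "${APPLY:-0}" = 1 ]; then
        load_ftp_helper "$FTP_PORT" || echo "warning: ftp conntrack helper not loaded" >&2
        $rules | sh -e
    else
        $rules
    fi
}
main
```

Run it as-is to print the rules; STYLE=helper prints the helper variant; APPLY=1 loads the helper module and applies the rules, which needs root. The rules use `-m state`, which matches the iptables of the era; on current systems `-m conntrack --ctstate` is the equivalent, and since recent kernels no longer attach conntrack helpers automatically, the EXPLICIT_HELPER=1 raw-table CT rule is required there for variant A to work.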

All times are GMT -5.