shorewall iptables, ftp
Here is what shorewall set up for iptables on my squid server. Even though it looks like FTP should be going through, it doesn't. When I connect to an FTP server where you have to log in, it lets me log in, and then when it tries to read the directory it hangs and finally just times out. Any ideas?
Keep in mind I'm new to iptables and don't have a clue what most of those switches are doing.
Code:
# Generated by iptables-save v1.2.11 on Fri Oct 29 09:21:44 2004
Try modprobing these modules:
ip_nat_ftp
ip_conntrack_ftp
You can also try using passive mode for the FTP transfers.
This is how my modules look:
Code:
loadmodule ip_tables
OK, the modules are there; the order shouldn't matter (though you might want to check that they actually got loaded, e.g. that they appear in the "lsmod" listing).
Also, is there the same problem when you try to use FTP directly from the server? Does passive mode work?
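As an added check for the two replies above (this is not code from the thread; the function names are mine and the lsmod listings embedded in it are constructed samples, not the poster's real output), here is a small POSIX shell script that reads an lsmod listing and tells you whether both FTP helper modules are actually loaded. It understands the 2.4-era names used in this thread (ip_conntrack_ftp, ip_nat_ftp) as well as the current ones (nf_conntrack_ftp, nf_nat_ftp).

```shell
#!/bin/sh
# Added example, not from the thread: verify the FTP connection-tracking helpers
# are loaded. Active-mode FTP through NAT needs *both* modules: ip_conntrack_ftp
# parses the PORT/PASV commands, ip_nat_ftp rewrites the private address in the
# client's PORT command and expects the server's data connection. Without the
# NAT half, login works but the directory listing hangs and times out, which is
# the symptom described in the original post.

# Constructed lsmod-style listings used for the demo (assumed sizes, not real).
LSMOD_WITH_HELPERS='Module                  Size  Used by
ip_nat_ftp              4624  0
ip_conntrack_ftp        7376  1 ip_nat_ftp
iptable_nat            23869  2 ip_nat_ftp
ip_conntrack           48092  3 ip_nat_ftp,ip_conntrack_ftp,iptable_nat
ip_tables              22016  2 iptable_nat'

LSMOD_WITHOUT_HELPERS='Module                  Size  Used by
iptable_nat            23869  1
ip_conntrack           48092  2 iptable_nat
ip_tables              22016  1 iptable_nat'

# has_ftp_helpers: read an lsmod listing on stdin; succeed (exit 0) only when a
# complete conntrack+NAT helper pair is loaded under either naming scheme.
has_ftp_helpers() {
    loaded=$(awk 'NR > 1 { print $1 }')      # first column, header skipped
    for pair in "ip_conntrack_ftp ip_nat_ftp" "nf_conntrack_ftp nf_nat_ftp"; do
        ok=1
        for m in $pair; do
            printf '%s\n' "$loaded" | grep -qx "$m" || ok=0
        done
        [ "$ok" -eq 1 ] && return 0
    done
    return 1
}

# ftp_helper_status: same check, printed as a word for use in scripts/logs.
ftp_helper_status() {
    if has_ftp_helpers; then echo loaded; else echo missing; fi
}

# Demo against the constructed samples.
printf '%s\n' "$LSMOD_WITH_HELPERS"    | ftp_helper_status   # loaded
printf '%s\n' "$LSMOD_WITHOUT_HELPERS" | ftp_helper_status   # missing

# On the firewall itself:
#   lsmod | ftp_helper_status
# and if it says "missing":
#   modprobe ip_conntrack_ftp ip_nat_ftp      # 2.4 / early 2.6 kernels
#   modprobe nf_conntrack_ftp nf_nat_ftp      # current kernels
```

Two caveats worth knowing before trusting a "loaded" result: passive mode only needs the conntrack half (the client opens the data connection outbound, which a loc-to-net ACCEPT policy already allows), so "passive works, active hangs" points squarely at the NAT helper. On kernels from 4.7 onward, loading the module is not enough on its own, because automatic helper assignment is off by default (the net.netfilter.nf_conntrack_helper sysctl); there you also need an explicit `iptables -t raw -A PREROUTING -p tcp --dport 21 -j CT --helper ftp` rule or the Shorewall helpers file to attach the helper to port 21 traffic.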
Code:
Module Size Used by
Still nothing. I can connect and log in, but I am not able to retrieve the content listing.
Here is what my files all look like. /etc/shorewall/rules
Code:
ACCEPT loc net tcp - - -
Code:
all all ACCEPT
Code:
loc eth1 detect routeback,dhcp
Code:
iptables -t nat -A POSTROUTING -o eth0 -j MASQUERADE
Code:
if [ -z "`ip rule list | grep www.out`" ] ; then
Code:
[root@squid shorewall]# service shorewall restart
Anybody got any ideas? I'm still lost on this.
*bump*
Still need some help =/
Shorewall
Hi.
It appears from your command-line output that you have got things a bit messed up. If you read it closely you will see that you have zones defined that do not have a NIC or IP range, and you are allowing scary things in the policy file, for example:
Policy ACCEPT for net to fw using chain all2all
Policy ACCEPT for net to loc using chain all2all
These lines are like blowing a hole in the wall with a shotgun. What is said is that "everyone is welcome in". You need to DROP packets from net to $fw and from net to loc. Then in /etc/shorewall/rules you need to DNAT incoming connections from net to "ip-addr-given" on loc (or preferably a DMZ zone, if you can spare a NIC) for the FTP connection, and also ALLOW with the same specs. Sample from my own firewall:
Code:
DNAT net dmz:x.x.x.x:21 tcp 21
FTP/ACCEPT:info net dmz:x.x.x.x
The documentation section at www.shorewall.net has several excellent howtos for many applications.