Simple masq firewall to allow FTP

Hi,

I've set up a simple masq firewall to share a ppp dialup connection to
other machines on a LAN. It has worked well so far, but now I need to
use FTP and am having problems.

The symptoms are that I can connect to a FTP server and issue
commands, e.g. 'pwd', but 'ls' just hangs (presumably the return
connection blocked by my local firewall).

It's possible that switching to passive mode would be the usual
workaround, but due to my ISP's own filter rules I need to use FTP in
active mode (the default).

The following rules were constructed from the Masquerading-made-simple
HOWTO, and others. Maybe enabling FTP is as simple as opening another
port to the outside world... Can anyone suggest a simple way to fixup
this script to enable active FTP?

Cheers,
-bernie.



#! /bin/sh

## Load the NAT module (this pulls in all the others).
## (seems to work fine without this though)
#modprobe iptable_nat

## Flush iptables to get a known starting point.
iptables -F
iptables -t nat -F
iptables -t mangle -F

## In the NAT table (-t nat), Append a rule (-A) after routing
## (POSTROUTING) for all packets going out ppp0 (-o ppp0) which
## says to MASQUERADE the connection (-j MASQUERADE).
iptables -t nat -A POSTROUTING -o ppp0 -j MASQUERADE

## Disallow NEW and INVALID incoming or forwarded packets from ppp0.
## (this is how the firewall used to work, but after reading the
## HOWTO I replaced this with the 3 INPUT rules later on.)
#iptables -A INPUT -i ppp0 -m state --state NEW,INVALID -j DROP
#iptables -A FORWARD -i ppp0 -m state --state NEW,INVALID -j DROP

## Allow any existing connections, or anything related
## (e.g. ftp server connecting back to us).
iptables -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT

## Allow new connections only from the local network.
iptables -A INPUT -m state --state NEW -i ! ppp0 -j ACCEPT

## And now deny everything else coming in.
iptables -P INPUT DROP

## Turn on IP forwarding.
echo 1 > /proc/sys/net/ipv4/ip_forward



In case it matters, here is the output of lsmod (you can see I
recently modprobe ip_nat_ftp, but it still not work:

Module Size Used by Tainted: P
ip_nat_ftp 2944 0 (unused)
ipt_state 608 2 (autoclean)
ipt_MASQUERADE 1216 1 (autoclean)
iptable_mangle 1728 0 (autoclean) (unused)
iptable_nat 12788 1 (autoclean) [ip_nat_ftp
ipt_MASQUERADE]
ip_conntrack 12940 2 (autoclean) [ip_nat_ftp ipt_state
ipt_MASQUERADE iptable_nat]
iptable_filter 1728 0 (autoclean) (unused)
ip_tables 10432 7 [ipt_state ipt_MASQUERADE
iptable_mangle iptable_nat iptable_filter]
ppp_deflate 39488 0 (autoclean)
bsd_comp 4032 0 (autoclean)
ppp_async 6080 1 (autoclean)
pcmcia_core 38720 0
ppp_generic 17928 3 (autoclean) [ppp_deflate bsd_comp
ppp_async]
slhc 4480 1 (autoclean) [ppp_generic]
via82cxxx_audio 17824 1 (autoclean)
uart401 6080 0 (autoclean) [via82cxxx_audio]
ac97_codec 9376 0 (autoclean) [via82cxxx_audio]
sound 52716 0 (autoclean) [via82cxxx_audio
uart401]
soundcore 3556 4 (autoclean) [via82cxxx_audio sound]
via-rhine 10340 1 (autoclean)
af_packet 11560 0
rtc 5528 0 (autoclean)
ext2 30528 6 (autoclean)
ide-disk 6624 7 (autoclean)
ide-probe-mod 8064 0 (autoclean)
ide-mod 130892 7 (autoclean) [ide-disk ide-probe-mod]
ext3 55296 0 (autoclean)
jbd 34440 0 (autoclean) [ext3]
unix 13700 12 (autoclean)

B Boudet <news-(E-Mail Removed)> wrote:

> I've set up a simple masq firewall to share a ppp dialup connection to
> other machines on a LAN. It has worked well so far, but now I need to
> use FTP and am having problems.

....


> In case it matters, here is the output of lsmod (you can see I
> recently modprobe ip_nat_ftp, but it still not work:

> Module Size Used by Tainted: P
> ip_nat_ftp 2944 0 (unused)
> ipt_state 608 2 (autoclean)
> ipt_MASQUERADE 1216 1 (autoclean)
> iptable_mangle 1728 0 (autoclean) (unused)
> iptable_nat 12788 1 (autoclean) [ip_nat_ftp
> ipt_MASQUERADE]
> ip_conntrack 12940 2 (autoclean) [ip_nat_ftp ipt_state
> ipt_MASQUERADE iptable_nat]
> iptable_filter 1728 0 (autoclean) (unused)
> ip_tables 10432 7 [ipt_state ipt_MASQUERADE
> iptable_mangle iptable_nat iptable_filter]

Try adding the module ip_conntrack_ftp. Or ftp -p might work without that.
That's the obvious difference between your modules and mine. I'd rather
not try to analyze the rules.

--
Clifford Kite Email: "echo xvgr_yvahk-(E-Mail Removed)|rot13"
PPP-Q&A links, downloads: http://ckite.no-ip.net/
/* In my book, the first poster to resort to personal abuse in a Usenet
debate loses by default. - Rod Smith */

Clifford Kite <(E-Mail Removed)> wrote:

> Try adding the module ip_conntrack_ftp.

Thanks, that fixed it. ip_nat_ftp is also required so that other
machines on the LAN can use FTP through this gateway.

> Or ftp -p might work without that.

Passive FTP is blocked by my ISPs own filter rules, I specifically
needed a solution to use FTP in its default mode.

Cheers,
-bernie.