----- Original Message -----
From: "Bob Nielsen" <[EMAIL PROTECTED]>
To: "debian users" <[EMAIL PROTECTED]>
Sent: Monday, October 28, 2002 9:57 PM
Subject: Re: ipmasq and ftp

> I had this problem with a 2.4 kernel and iptables. Normal FTP uses a
> separate connection for data, although if you use passive mode, it will
> work over the main connection. If I use a 2.2 kernel with ipchains,
> the ip_masq_ftp module, which takes care of the data connection, will
> be installed and there are no problems.
>
> I find the documentation on setting up iptables to be somewhat
> confusing, but I figure I just haven't spent enough time on it yet.
>
> I have a different problem now however. I configured port forwarding,
> but if a client outside my lan tries to ftp from my server, it only
> works if passive mode is NOT used.
>
> Bob

Hi,

I'm pretty new to iptables too. The problem with Linux is that there is so much stuff to learn, and when you want to get a system up and running, it's not always clear what one has to do.

I finally got it to work by removing the ipmasq package and installing shorewall instead. My server used to be a SuSE 7?2 system with the SuSEfirewall2 script on it. Quite easy to install, but no match for the Debian apt-get and shorewall combo. Try it. It took me 30 minutes to install, going through a sample config. My FTP connection worked immediately, as did the rest. SSH didn't work, but a simple "ACCEPT loc fw tcp ssh" entry in the /etc/shorewall/rules file solved that. Wow, very impressive.

The only problem I still have is that when I log on to the system, say on ttys1 for instance, I get log messages of unauthorized access. The shorewall FAQ says this on it:

"16. Shorewall is writing log messages all over my console making it unusable!

Answer: "man dmesg" -- add a suitable 'dmesg' command to your startup scripts or place it in /etc/shorewall/start. Under RedHat, the max log level that is sent to the console is specified in /etc/sysconfig/init in the LOGLEVEL variable."

But I don't know how to do this. I think adding dmesg -n 1 to the /etc/init.d/shorewall script would solve that, but I'm not sure.

Another thing I noticed is that there is a K99shorewall and an S99shorewall link in /etc/rc2.d. No other program seems to have both a kill and a start service link in here.
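Both failures in this thread (an active-mode transfer from a masqueraded LAN client, and a passive-mode transfer to a port-forwarded LAN server) come down to an address announced on the FTP control channel. As an added illustration, not code from the thread or from shorewall, this Python snippet decodes the PORT command and the 227 reply and works out, for each setup, whether the data connection gets through a NAT box that only handles port 21. The control-channel lines are constructed samples, and the 2.4 helper module name ip_conntrack_ftp is stated from general knowledge, not from the thread.

```python
import ipaddress
import re

# Constructed control-channel lines for the two cases discussed in the thread.
PORT_FROM_LAN_CLIENT = "PORT 192,168,1,10,4,1"                   # 192.168.1.10:1025
PASV_FROM_LAN_SERVER = "227 Entering Passive Mode (192,168,1,2,195,80)"  # :50000

_TUPLE = re.compile(r"(\d+),(\d+),(\d+),(\d+),(\d+),(\d+)")


def parse_ftp_endpoint(line):
    """Decode the h1,h2,h3,h4,p1,p2 tuple used by PORT and by the 227 reply.
    Returns (ip, port) with port = p1*256 + p2."""
    m = _TUPLE.search(line)
    if m is None:
        raise ValueError("no address tuple in %r" % line)
    h1, h2, h3, h4, p1, p2 = (int(x) for x in m.groups())
    if max(h1, h2, h3, h4, p1, p2) > 255:
        raise ValueError("tuple element out of range in %r" % line)
    return "%d.%d.%d.%d" % (h1, h2, h3, h4), p1 * 256 + p2


def data_connection(line, nat_side, forwarded_ports=(21,)):
    """Who opens the FTP data connection, and does it get through a NAT box
    that only masquerades the LAN and forwards `forwarded_ports` inward?
    nat_side is "client" (masqueraded LAN client) or "server" (LAN server
    reached through a port forward), i.e. which FTP side sits behind NAT."""
    ip, port = parse_ftp_endpoint(line)
    if line.upper().startswith("PORT"):
        # Active mode: the client announces; the server connects back to it.
        mode, announcer, initiator = "active", "client", "server"
    elif line.startswith("227"):
        # Passive mode: the server announces; the client connects to it.
        mode, announcer, initiator = "passive", "server", "client"
    else:
        raise ValueError("not a PORT command or 227 reply: %r" % line)
    # Announcer outside the NAT: the LAN side opens an ordinary outbound
    # connection, which masquerading handles by itself.
    # Announcer behind the NAT: it announces a private IP and an ephemeral
    # port nothing forwards, so the peer cannot reach it. Only an FTP helper
    # (ip_masq_ftp on 2.2, ip_conntrack_ftp on 2.4) that reads the control
    # channel, rewrites the address and expects the data connection fixes it.
    reachable = announcer != nat_side or (
        not ipaddress.ip_address(ip).is_private and port in forwarded_ports)
    return {"mode": mode, "initiator": initiator, "target": (ip, port),
            "works_without_helper": reachable}
```

Running the two constructed lines through data_connection with nat_side set to "client" and "server" respectively reproduces the thread: active mode fails for the masqueraded client, passive mode fails for the port-forwarded server, and the opposite mode works in each case.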