Return-Path: Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id ; Wed, 20 Dec 2000 14:09:34 -0500 Received: (majordomo@vger.kernel.org) by vger.kernel.org id ; Wed, 20 Dec 2000 14:09:25 -0500 Received: from alcove.wittsend.com ([130.205.0.20]:23056 "EHLO alcove.wittsend.com") by vger.kernel.org with ESMTP id ; Wed, 20 Dec 2000 14:09:19 -0500 Date: Wed, 20 Dec 2000 13:38:45 -0500 From: "Michael H. Warfield" To: Michael Rothwell , David Lang , linux-kernel@vger.kernel.org Subject: Re: iptables: "stateful inspection?" Message-ID: <20001220133845.H10408@alcove.wittsend.com> Mail-Followup-To: Michael Rothwell , David Lang , linux-kernel@vger.kernel.org In-Reply-To: <3A40DE97.96228B5E@holly-springs.nc.us> <20001220121351.D10408@alcove.wittsend.com> <3A40F1DB.84D53F7F@holly-springs.nc.us> <20001220130807.F10408@alcove.wittsend.com> Mime-Version: 1.0 Content-Type: text/plain; charset=us-ascii Content-Disposition: inline User-Agent: Mutt/1.3.2i In-Reply-To: <20001220130807.F10408@alcove.wittsend.com>; from mhw@wittsend.com on Wed, Dec 20, 2000 at 01:08:07PM -0500 Sender: linux-kernel-owner@vger.kernel.org X-Mailing-List: linux-kernel@vger.kernel.org Hello all! On Wed, Dec 20, 2000 at 01:08:07PM -0500, Michael H. Warfield wrote: > On Wed, Dec 20, 2000 at 12:52:27PM -0500, Michael Rothwell wrote: > > "Michael H. Warfield" wrote: > > > You can use spf to add some stateful inspection for PORT mode > > > ftp. Personally, I like the masquerading option better, though. > > Can you give an example of using MASQ selectively? I have real addresses > > on both sides of the firewall, but want things like FTP to work > > correctly. I think the IPChains HOWTOs are just a little terse. :) Michael Rothwell kindly pointed out to me in private mail that I SCREWED UP (he didn't say that, I did) the copy-and-past on one of the command lines and left out a "little detail"... > modprobe ip_masq_ftp > ipchains -A forward -p tcp -s {Source Addresses} -d 0/0 21 This should have been: modprobe ip_masq_ftp ipchains -A forward -p tcp -s {Source Addresses} -d 0/0 21 -j MASQ DOH! Sorry! > Seems to work for me (mine includes a "tag" and a policy route > rule to send it out my cable modem that I've left off here)... > If you don't load the ip_masq_ftp module, you WILL get illegal > port errors on the PORT commands. > > Thanks! Mike -- Michael H. Warfield | (770) 985-6132 | mhw@WittsEnd.com (The Mad Wizard) | (678) 463-0932 | http://www.wittsend.com/mhw/ NIC whois: MHW9 | An optimist believes we live in the best of all PGP Key: 0xDF1DD471 | possible worlds. A pessimist is sure of it! - To unsubscribe from this list: send the line "unsubscribe linux-kernel" in the body of a message to majordomo@vger.kernel.org Please read the FAQ at http://www.tux.org/lkml/