[oclug] Got the linux proxy to work...but still would like help
Strosberg, Bill
bill.strosberg at rcpsc.edu
Tue Apr 17 08:49:00 EDT 2001
Tom:
Michael's right on the money, your firewall rules would really help diagnose
your problems. As far as the ssh problem, it is usually an ipchains rule
issue that prevents connections. Most ipchains default rules prevent
connections to/from privileged ports on the firewall/proxy by default, and
many ssh servers will try to connect to ports 1023 and down a few (depending
on number of simultaneous connections required). 1024 and below are
privileged ports, and must be explicitly opened for traffic.
The following ADDITIONAL ssh rules should help:
SSH_PORTS="1020:1023"        # four concurrent outbound ssh sessions allowed
ANYWHERE="any/0"             # 0.0.0.0/0
EXTIF="eth0"                 # modify as needed
IPADDR="your.ext.ip.addr"    # available via ifconfig / sed / awk
# ssh privileged port response packets
# ("! -y" matches only non-SYN packets, so this does not open the
# privileged ports to new inbound connections)
/sbin/ipchains -A input -i $EXTIF -p tcp ! -y \
    -s $ANYWHERE 22 \
    -d $IPADDR $SSH_PORTS -j ACCEPT
# ssh privileged port request packets
/sbin/ipchains -A output -i $EXTIF -p tcp \
    -s $IPADDR $SSH_PORTS \
    -d $ANYWHERE 22 -j ACCEPT
Since typical firewall ipchains rules do not prevent privileged port
connections to internal machines by default, ssh works on internal machines.
As far as the FTP issues go, with effort you can configure the firewall to
allow active mode FTP - but you may not want to for security reasons.
Michael's right about the passive mode setting - it will work fine. You DO
have the ip_masq_ftp.o module enabled, don't you? Passive mode is more secure
and simpler to configure.
--
Bill Strosberg
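The following is an added example, not part of Bill's post, that models how the two ipchains rules above decide on a packet. It is a small first-match-wins evaluator written for illustration; the Rule and Packet classes are assumptions of this example, not ipchains' own interface, and the addresses 192.0.2.10 (the firewall's external address) and 198.51.100.7 (a remote ssh server) are constructed. The point it shows is why the "! -y" on the input rule matters: reply segments from a remote sshd to the privileged client ports 1020:1023 are accepted, while a fresh SYN aimed at those same ports falls through to the chain policy and is denied.

```python
"""Model of the ssh privileged-port rule pair from the post (added example).

The Rule/Packet representation is an assumption made for illustration; it
is not ipchains' API. Addresses used below are constructed sample values.
"""
import ipaddress
from dataclasses import dataclass
from typing import List, Optional


@dataclass
class Rule:
    chain: str              # "input" or "output"
    iface: str              # -i
    proto: str              # -p
    src: str                # -s network ("any/0" allowed, as in ipchains)
    sports: range           # source port range (inclusive bounds via ports())
    dst: str                # -d network
    dports: range           # destination port range
    target: str             # -j
    syn: Optional[bool] = None  # None: any; True: "-y"; False: "! -y"


@dataclass
class Packet:
    chain: str
    iface: str
    proto: str
    src: str
    sport: int
    dst: str
    dport: int
    syn: bool               # True for a SYN-only segment (new connection)


def _net(spec: str) -> ipaddress.IPv4Network:
    """ipchains accepts "any/0" as shorthand for 0.0.0.0/0; a bare host
    address is treated as a /32."""
    if spec == "any/0":
        spec = "0.0.0.0/0"
    return ipaddress.ip_network(spec, strict=False)


def ports(spec: str) -> range:
    """Parse an ipchains port spec: "22" or an inclusive range "1020:1023"."""
    if ":" in spec:
        lo, hi = spec.split(":")
        return range(int(lo), int(hi) + 1)
    return range(int(spec), int(spec) + 1)


def matches(rule: Rule, pkt: Packet) -> bool:
    """True if every field of the rule matches the packet."""
    if (rule.chain, rule.iface, rule.proto) != (pkt.chain, pkt.iface, pkt.proto):
        return False
    if rule.syn is not None and rule.syn != pkt.syn:
        return False
    return (ipaddress.ip_address(pkt.src) in _net(rule.src)
            and pkt.sport in rule.sports
            and ipaddress.ip_address(pkt.dst) in _net(rule.dst)
            and pkt.dport in rule.dports)


def verdict(pkt: Packet, rules: List[Rule], policy: str = "DENY") -> str:
    """First matching rule decides, as in ipchains; otherwise the chain policy."""
    for rule in rules:
        if matches(rule, pkt):
            return rule.target
    return policy


EXTIF = "eth0"
IPADDR = "192.0.2.10"          # constructed external address of the firewall
SSH_PORTS = ports("1020:1023")

# The two rules from the post, in the same order they would be appended.
RULES = [
    # -A input -i eth0 -p tcp ! -y -s any/0 22 -d $IPADDR 1020:1023 -j ACCEPT
    Rule("input", EXTIF, "tcp", "any/0", ports("22"), IPADDR, SSH_PORTS,
         "ACCEPT", syn=False),
    # -A output -i eth0 -p tcp -s $IPADDR 1020:1023 -d any/0 22 -j ACCEPT
    Rule("output", EXTIF, "tcp", IPADDR, SSH_PORTS, "any/0", ports("22"),
         "ACCEPT"),
]

REMOTE = "198.51.100.7"        # constructed remote ssh server


def sample_verdicts() -> dict:
    """Constructed packets illustrating what the rule pair does and does not allow."""
    return {
        # our outbound request from a privileged client port to sshd
        "request_out": verdict(Packet("output", EXTIF, "tcp", IPADDR, 1021, REMOTE, 22, True), RULES),
        # sshd's reply (not a SYN) back to that privileged port
        "reply_in": verdict(Packet("input", EXTIF, "tcp", REMOTE, 22, IPADDR, 1021, False), RULES),
        # a new inbound connection attempt at the same port range is not opened
        "new_syn_in": verdict(Packet("input", EXTIF, "tcp", REMOTE, 22, IPADDR, 1021, True), RULES),
        # a fifth concurrent session would fall outside 1020:1023
        "fifth_session_out": verdict(Packet("output", EXTIF, "tcp", IPADDR, 1019, REMOTE, 22, True), RULES),
    }


if __name__ == "__main__":
    for name, result in sample_verdicts().items():
        print(f"{name:18s} -> {result}")
```

Running the block prints the four verdicts; the "fifth_session_out" case is the practical reason the post ties the width of SSH_PORTS to the number of simultaneous sessions.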