×

Loading...
Ad by
  • 推荐 OXIO 加拿大高速网络,最低月费仅$40. 使用推荐码 RCR37MB 可获得一个月的免费服务
Ad by
  • 推荐 OXIO 加拿大高速网络,最低月费仅$40. 使用推荐码 RCR37MB 可获得一个月的免费服务

Use ftp proxy module like this (no need to open up 1024-65535):

# insmod ip_masq_ftp

Your Linux machine maybe uses passive mode by default, but in windows it is default to active. Even though you set INPUT, OUTPUT and FORWORD to accept by default, the gateway still have no idea what the connection from the server is for. So you still need ftp proxy. Or, use passive ftp. To change the mode to passive in windows' ftp client, type the following at the ftp prompt:

literal PASV

Note that if you use passive mode, there's no need for ftp proxy, that is for active ftp only. Also, set the policy to accept by default is not a good security measure, unless you are just playing with it.

Like the previous poster said, you need to take a good look at Linux Document Project (http://www.linuxdoc.org).

RTFM!
Report

Replies, comments and Discussions:

  • 工作学习 / IT技术讨论 / 用LINUX网关,打开单向NAT之后发现无法建立WINDOWS客户端FTP连接的数据传输通道,哪位大侠能帮我,谢谢。
    • Depends on passive or active mode you are using, you have to open unprivileged port (1024-65535) and load ftp module for ipchains. URL: http://www.linuxdoc.org/HOWTO/IPCHAINS-HOWTO.html
      • 但是将IPCHAINS 的 INPUT, OUTPUT, FORWARD 规则均设成 ACCEPT之后, LINUX的客户端可以建立FTP连接并传数据, 就WINDOWS的客户端能建立连接,但传不了数据.
        • Use ftp proxy module like this (no need to open up 1024-65535):
          # insmod ip_masq_ftp

          Your Linux machine maybe uses passive mode by default, but in windows it is default to active. Even though you set INPUT, OUTPUT and FORWORD to accept by default, the gateway still have no idea what the connection from the server is for. So you still need ftp proxy. Or, use passive ftp. To change the mode to passive in windows' ftp client, type the following at the ftp prompt:

          literal PASV

          Note that if you use passive mode, there's no need for ftp proxy, that is for active ftp only. Also, set the policy to accept by default is not a good security measure, unless you are just playing with it.

          Like the previous poster said, you need to take a good look at Linux Document Project (http://www.linuxdoc.org).

          RTFM!
          • literal PASV or quote "PASV" won't do the job, because the ftp client has to be able to realize it's in the passive mode and initiate connection.
            the PASV command only makes the server jump into passive mode. Solaris and Windows built in command line ftp clients are not capable of doing passive transfer, there is nothing you can do about it. As for Linux, the built in command "passive" can do the trick. In any case, an application level gateway(you can call it a ftp proxy) is the best choice in terms of compatibility and security.
            • You are right. I can't remember where I got the impression that by issuing "literal PASV" can put a client into passive mode (which is very wrong).
              Oh wait, I vaguely remember it was from a support document of a software package I used to support that made use of command line ftp client on windows.

              So their concept is so screwed up and I didn't pay much attention to it. Me bad!

              Anyway, like you said, ALG is more appropriate. Quite a few packet filtering firewalls (fw-1, pix, linux iptables) were having problems with port command when protecting ftp servers in DMZ. I'd blame the protocol -- it's just so hard to get it right.