

(?) The Answer Gang (!)


By Jim Dennis, Ben Okopnik, Dan Wilder, Breen, Chris, and... (meet the Gang) ... the Editors of Linux Gazette... and You!
Send questions (or interesting answers) to The Answer Gang for possible publication (but read the guidelines first)


(?) Setup of ipchains when using ftp

From Chris Gianakopolous

Answered By Jim Dennis, John Karns, Heather Stern, Ben Okopnik, Mike Orr

(?) Hello Gang,

I have a network of machines which use Linux and Windows95. This is not a Windows95 question!

Here's what I have.

1. The network address, of the ethernet LAN, is 192.93.16.0 (a Motorola block).

2. I use a dialup connection, using a modem, to access my ISP, and I use wvdial to dial things up. The Linux machine is the one connected to the Internet. It is my router.

3. I use the SuSE 6.4 Linux distribution (with the 2.2.14 kernel).

4. I use ipchains to set up my rules. The commands are listed below. It's in a shell script.

See attached ipchains-masq.sh.txt

I can browse the Web (from my Windows machine) with no problem. When I use the ftp client, on the Windows machine, I can log in to the ftp site (ftp.cdrom.com, for example), and I can get the prompt. When I type "ls" or "dir", I get the indication that the PORT command is successful, and nothing else happens. Things appear to stall.

(!) [Mike] There's a special kernel module (ip_masq_ftp) to allow FTP to pass through an IP-masqueraded gateway. See the Networking section in the kernel configuration.

(?) I have seen a posting on the SuSE site about this very problem, but, I have not yet found an answer.

I will continue troubleshooting this problem on my own, but if anybody else (probably everybody) has seen the behavior of ipchains and ftp clients on other machines, it would be cool if you let me know.

I suspect that this is a simple configuration problem. I looked at the IP-CHAINS HOWTO, and I looked at the IP-MASQUERADING HOWTO, but, I have not found anything yet. I will look at them again, just to see if I missed anything. I will also search the Linux Gazette site again. I may just have a mental block.

(!) [Mike] RealAudio, Quake, IRC, CUSeeMe and VDO-Live also require their own separate modules, at least on kernel 2.2. On kernel 2.4, those modules don't seem to exist, although ip_nat_ftp does exist.

(?) Thanks Mike. I wound up figuring that out, ultimately...

Why my ftp client, on my Windows95 machine, did not appear to work using my Linux machine with IP masquerading was --

I had to type the following command on my Linux machine that was doing the masquerading:

insmod ip_masq_ftp

I found this information at the URL,

http://netfilter.samba.org/ipchains/HOWTO-7.html

(!) [Ben] Yep; there's an entire kit of various ip_masq_* modules, including IRC, RealAudio, VDOLive, CuSeeme, and so on. You can usually find these under "/lib/modules/<kernelversion>/ipv4/".

(?) Yea, Ben. I saw all of the various ip_masq_* modules at some other URL. Thanks for the reply.

(!) [JimD]
The broader issue is that the normal automatic kernel loading mechanism (kmod) wasn't working. You probably want to run depmod (build your kernel module dependency tree file) and try running modprobe (which attempts to find and load modules including their dependents). If the modprobe command doesn't work by hand, then the kmod (kernel module loader) won't either --- since kmod spawns off kernel threads to execute modprobe commands.

(!) [Ben] Actually, "depmod -a" runs every time you boot - at least on my Debian box; that's what prints the "Calculating module dependencies..." line. It's in "/etc/init.d/modutils". I'm not sure how it works on SuSE.

(!) [John K] I believe it's the same on SuSE.

(!) [Heather] The depmod call is in /etc/init.d/boot (on SuSE 7.1). There is no "modutils" here...

(?) I think that I did that depmod stuff when I rebuilt the kernel (to add enhanced support for my hard disk controller), but I will take this advice into account. Maybe I THINK that I did the required stuff. It was more than 8 months ago (an eternity in my world).


(!) [JimD]
It's also possible that something might be wrong with your /etc/modules.conf file which aliases certain kernel symbols (drivers, protocol families, filesystem types, etc) with the modules specific to your system.

(!) [Ben] As well, it's worth checking "/etc/modutils/aliases" and "/etc/modutils/arch/i386" files; if they don't have the correct lines in them, "update-modules" will not have what it needs to build "/etc/modules.conf" correctly.

(!) [John K] This is different on SuSE, however. I'm running SuSE 7.1 and these dirs don't exist.
I'm also running masquerading with a 2.2.x (2.2.20), and I just put the modules in the ipchain script to have them loaded. I don't see that SuSE had set up modutils for the masq modules.

(?) Hey John,

Which script are you talking about? I just put everything in a bash script. Is that what you are talking about? I would look at the man page for ipchains, but I am on a system that I am just installing Linux, thus, ipchains (and its man page) are not installed. I just got the ppp link, sendmail, and mutt configured on this machine.

(!) [Heather] On my SuSE 7.1 /etc/modules.conf gets used to declare the modules, and looks like the file which Debian's modutils normally composes out of loose parts. (for Debian fans, I'll note that it'll do that whenever you run 'update-modules' as root.)
While it can be argued that the loose parts make it easier to keep things organized, I'll note that with or without, it's a mess pretty quickly when you like to toggle amid a handful of kernel versions. Luckily modules that don't exist merely issue a harmless warning.

(?) I will double check that. Okay, I just double checked my /etc/modules.conf file. It has all of the cool stuff for setting up sound....., but nothing is mentioned (in the file) for my ftp masquerading module. This is the file that I manually have to set up with the SuSE 6.4 distribution. Oh well, I'll read more about this stuff.

(!) [JimD]
kmod works by intercepting attempts to use device drivers, networking protocols, filesystem types and other resources that might be provided through kernel modules, suspending the process that requested those resources, mapping the requested resource to some provider module and attempting to modprobe that provider. As I've said, modprobe attempts to recursively load each of the modules on which its target depends.

(?) I see.

(!) [JimD]
So, your use of ftp should, normally, have automatically loaded the ip_masq_ftp.o for you.

(?) At least my original surprise is sort of justified. Of course, knowledge reduces stress and surprise. Thanks for the info, Jim. I will do some more reading (heeding your advice, of course), and start my experiments.
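
Added example, not part of the original thread or of any kernel code: in active-mode FTP the client's PORT command carries its own address and data port in the form h1,h2,h3,h4,p1,p2 (RFC 959), so a masquerading gateway that only rewrites packet headers leaves the LAN address inside the command. The sketch below decodes such a command, shows the kind of rewrite an FTP masquerading helper has to perform, and checks a /proc/modules-style listing for a helper. The client address 192.93.16.5, the public address 203.0.113.7, the port 61000 and all function names are constructed for illustration.

```shell
#!/bin/sh
# Added illustration. All addresses, ports and function names are constructed.

# port_decode "PORT h1,h2,h3,h4,p1,p2" -> prints "ip port", returns 1 if malformed
port_decode() {
    args=${1#PORT }
    old_ifs=$IFS; IFS=,
    set -- $args                 # split the six comma-separated fields
    IFS=$old_ifs
    [ $# -eq 6 ] || return 1
    for n in "$@"; do
        case $n in ''|*[!0-9]*) return 1 ;; esac   # digits only
        [ "$n" -le 255 ] || return 1               # each field is one byte
    done
    echo "$1.$2.$3.$4 $(( $5 * 256 + $6 ))"
}

# port_rewrite CMD PUBLIC_IP MASQ_PORT -> the PORT line carrying the gateway's
# public address and the port it reserved for the incoming data connection
port_rewrite() {
    port_decode "$1" >/dev/null || return 1
    ip=$(echo "$2" | tr . ,)
    echo "PORT $ip,$(( $3 / 256 )),$(( $3 % 256 ))"
}

# helper_loaded MODULE [FILE] -> 0 if MODULE appears in a /proc/modules-style file
helper_loaded() {
    awk -v m="$1" '$1 == m { found = 1 } END { exit !found }' "${2:-/proc/modules}"
}

# Constructed sample: what a LAN client sends, and what the server needs to see.
sample='PORT 192,93,16,5,4,12'
echo "client sent:   $sample  ($(port_decode "$sample"))"
echo "server needs:  $(port_rewrite "$sample" 203.0.113.7 61000)"
```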


This page edited and maintained by the Editors of Linux Gazette Copyright © 2002
Published in issue 76 of Linux Gazette March 2002
HTML script maintained by Heather Stern of Starshine Technical Services, http://www.starshine.org/

