[brlug-general] IIS 6.0 PASV ftp through NAT
Tim Fournet
tfournet at tfour.net
Wed Jun 21 11:16:00 CDT 2006
There's a kernel module that should take care of this for you. modprobe iptable_nat_ftp (if I remember right) on the Smoothwall box and your connections should be fine.
-----------------------
Sent with ChatterEmail+
True push email for the Treo Smartphone
http://get.chatteremail.com
-----Original Message-----
From: "James Kuhns" <james at kuhns-la.com>
Date: Wednesday, Jun 21, 2006 11:03 am
Subject: [brlug-general] IIS 6.0 PASV ftp through NAT
Ok, I may be dreaming but this is what I'm wanting to do...
I have a problem here where I have an IIS 6.0 ftp server sitting in my local network (192.168.xxx.xxx address). I have a firewall/router NATTing for machines in the local network (Smoothwall Express 2.0, red/green). I have the ftp command channel port and the PASV ports that MS will return forwarded to the IIS box.

The problem is that MS' IIS 6.0 ftp server refuses to work in anything except for PASV mode - not a bad thing by itself - but since PASV mode returns the address of the interface it received the connection on, the NATTing gets in the way. I.e. if an outside client connects to the external address on port zzz for ftp and issues a PASV command, the server responds with '227 Entering Passive Mode (192, 168, xxx, xxx, yyy, yyy)', and since 192.168.xxx.xxx is not accessible from outside, the connection fails.

What I'm considering doing is to use the Smoothwall box to rewrite the '227 Entering Passive Mode (192, 168, xxx, xxx, yyy, yyy)' reply to '227 Entering Passive Mode (<external address here>, yyy, yyy)'. Since snort is already on the Smoothwall box I can use a rule to detect the string, but I'm not sure how I would go about doing the rewrite, as the only action I can find that snort will take is to drop/send the packet and then log the fact that it detected it. Does anyone know of any add-ons to snort that will do a rewrite like this? Or did I miss something and snort can handle this natively? I've found a few things that are external to snort that will do this rewrite (tripp is one), but I can't find any way to make snort call them via a rule.
Any other work-around suggestions would be greatly appreciated.
Thanks,
James
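The 227 rewrite James describes, as an added example that is not part of the thread: a small Python helper that parses a PASV reply and substitutes the firewall's public address for the server's internal one, which is the job the FTP NAT helper Tim points to performs in the kernel. The internal address 192.168.1.10, the public address 203.0.113.7 and the sample replies are constructed for the example.

```python
import ipaddress
import re

# Constructed sample addresses (assumptions, not from the thread): the IIS
# box's internal address and the Smoothwall's public (red) address.
INTERNAL_ADDR = "192.168.1.10"
EXTERNAL_ADDR = "203.0.113.7"

# RFC 959 PASV reply: 227 Entering Passive Mode (h1,h2,h3,h4,p1,p2).
# The pattern tolerates the spaces some servers put after the commas.
PASV_RE = re.compile(
    r"^(?P<code>227)(?P<text>[^(]*)\(\s*"
    r"(?P<h>\d{1,3}\s*,\s*\d{1,3}\s*,\s*\d{1,3}\s*,\s*\d{1,3})\s*,\s*"
    r"(?P<p1>\d{1,3})\s*,\s*(?P<p2>\d{1,3})\s*\)(?P<tail>.*)$"
)


def parse_pasv(line):
    """Return (host, port) from a 227 reply, or None if it is not well formed."""
    m = PASV_RE.match(line.strip())
    if not m:
        return None
    host = ".".join(o.strip() for o in m.group("h").split(","))
    p1, p2 = int(m.group("p1")), int(m.group("p2"))
    if p1 > 255 or p2 > 255:
        return None
    try:
        ipaddress.IPv4Address(host)  # rejects octets above 255
    except ValueError:
        return None
    return host, p1 * 256 + p2  # the data port is p1*256 + p2


def rewrite_pasv(line, internal=INTERNAL_ADDR, external=EXTERNAL_ADDR):
    """Substitute the public address for the internal one in a 227 reply.

    Anything that is not a well-formed 227 reply, or that advertises some
    other address, passes through untouched. The data port is kept as-is,
    so the firewall must still forward the PASV port range to the server.
    """
    parsed = parse_pasv(line)
    if parsed is None or parsed[0] != internal:
        return line
    ending = line[len(line.rstrip("\r\n")):]  # preserve the CRLF, if any
    m = PASV_RE.match(line.strip())
    port = parsed[1]
    octets = ",".join(external.split("."))
    return "227%s(%s,%d,%d)%s%s" % (
        m.group("text"), octets, port // 256, port % 256, m.group("tail"), ending)
```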
_______________________________________________
General mailing list
General at brlug.net
http://brlug.net/mailman/listinfo/general_brlug.net