Linux Archive

Source: http://www.linux-archive.org/centos/707760-vsftp-shorewall.html

muiz 09-27-2012 08:58 AM

vsFTP and shorewall
 
Dear all,

Dear support and users:
Sorry to trouble you! I configured the shorewall firewall to forward the ftp and ssh ports to another server, but it failed. Can you help me check?
I cannot log in to either SSH on 2222 or ftp!
Below is my environment (the attachment is the shorewall dump):

1. Gateway (FC6)
1.1) eth0: lan static IP: 192.168.1.20
1.2) eth1: external public static IP: 113.89.142.80
1.3) Shorewall-3.2.8 is running

2. FTP Server: (CentOS 6.3, iptables and selinux are off)
2.1) eth0: lan static IP: 192.168.1.231
2.2) SSH port 22 and FTP ports 20, 21 are already open (tested)
2.3) vsftpd.conf: default settings; it works for internal users

3. I want to forward Internet access for FTP and SSH to the FTP server:
3.1) 113.89.142.80:20 -> 192.168.1.231:20 udp (FTP)
3.2) 113.89.142.80:21 -> 192.168.1.231:21 tcp (FTP)
3.3) 113.89.142.80:2222 -> 192.168.1.231:22 tcp (SSH)

4. Shorewall settings:
4.1 interfaces
#ZONE   INTERFACE   BROADCAST        OPTIONS
net     eth1        113.89.142.255   norfc1918,arp_filter
lan     eth0        detect           arp_filter
ovpn    tun0        -
#LAST LINE -- ADD YOUR ENTRIES BEFORE THIS ONE -- DO NOT REMOVE
4.2 zones
#ZONE   TYPE        OPTIONS    IN         OUT
#                              OPTIONS    OPTIONS
fw      firewall
net     ipv4
lan     ipv4
ovpn    ipv4
#LAST LINE - ADD YOUR ENTRIES ABOVE THIS ONE - DO NOT REMOVE
4.3 policy
#SOURCE DEST    POLICY   LOG     LIMIT:BURST
#                        LEVEL
fw      all     ACCEPT
lan     net     ACCEPT
lan     fw      ACCEPT
lan     ovpn    ACCEPT
ovpn    lan     ACCEPT
net     all     DROP
all     all     REJECT
#LAST LINE -- DO NOT REMOVE
4.4 rules
#SECTION RELATED
SECTION NEW
ACCEPT      all   fw                    tcp   ftp          <<< it works for local FTP service (tested)
ACCEPT      all   fw                    udp   ftp          <<< it works for local FTP service
ACCEPT      all   fw                    tcp   2222
ACCEPT      all   fw                    tcp   ssh,domain
Ping/ACCEPT net   fw
ACCEPT      all   fw                    tcp   5222
ACCEPT      all   fw                    udp   5222
ACCEPT:info all   $FW                   tcp   22
DNAT        net   lan:192.168.1.231     tcp   21
DNAT        net   lan:192.168.1.231     udp   20
DNAT        net   lan:192.168.1.231:22  tcp   2222
#LAST LINE -- ADD YOUR ENTRIES BEFORE THIS ONE -- DO NOT REMOVE


5. # cat /proc/sys/net/ipv4/ip_forward
1

6. more /etc/sysconfig/iptables-config
IPTABLES_MODULES="ip_conntrack_netbios_ns ip_nat_ftp ip_conntrack_ftp"

Chain net_dnat (1 references)
 pkts bytes target  prot opt in  out  source     destination
    3   156 DNAT    tcp  --  *   *    0.0.0.0/0  0.0.0.0/0    tcp dpt:21 to:192.168.1.231
    0     0 DNAT    udp  --  *   *    0.0.0.0/0  0.0.0.0/0    udp dpt:20 to:192.168.1.231
    5   260 DNAT    tcp  --  *   *    0.0.0.0/0  0.0.0.0/0    tcp dpt:2222 to:192.168.1.231:22

Do you know what's wrong?


Thanks and best regards!
Muiz

_______________________________________________
CentOS mailing list
CentOS@centos.org
http://lists.centos.org/mailman/listinfo/centos
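The nat counters in the post above already say something: 3 and 5 packets hit the DNAT rules for 21 and 2222, so the translation itself happens and the flow dies later, either in the gateway's FORWARD path or on the server. The following is an added example, not code from the thread or from Shorewall: it parses `iptables -nvL`-style chain dumps and, for each DNAT rule, compares the nat hit count with the ACCEPT count in the filter chain that carries net->lan traffic (Shorewall names it net2lan). The net_dnat rows reuse the counters from the post; the net2lan rows are constructed here to show the three possible outcomes and are not from the original dump.

```python
"""Triage a Shorewall/iptables port forward from counters alone.

Added example, not from the mailing-list thread.  Reads the kind of output
shown above (`iptables -t nat -nvL net_dnat`) plus the filter chain for
net->lan traffic and reports, per DNAT rule, where the flow stops.
"""
import re

# net_dnat rows: counters copied from the post.
NAT_DUMP = """\
Chain net_dnat (1 references)
 pkts bytes target     prot opt in     out     source               destination
    3   156 DNAT       tcp  --  *      *       0.0.0.0/0            0.0.0.0/0            tcp dpt:21 to:192.168.1.231
    0     0 DNAT       udp  --  *      *       0.0.0.0/0            0.0.0.0/0            udp dpt:20 to:192.168.1.231
    5   260 DNAT       tcp  --  *      *       0.0.0.0/0            0.0.0.0/0            tcp dpt:2222 to:192.168.1.231:22
"""

# net2lan rows: CONSTRUCTED for this example (a DROP placed above the ACCEPT
# for port 21 illustrates a rule-ordering problem; not from the original dump).
FORWARD_DUMP = """\
Chain net2lan (1 references)
 pkts bytes target     prot opt in     out     source               destination
    3   156 DROP       tcp  --  *      *       0.0.0.0/0            192.168.1.231        tcp dpt:21
    0     0 ACCEPT     tcp  --  *      *       0.0.0.0/0            192.168.1.231        tcp dpt:21
    5   260 ACCEPT     tcp  --  *      *       0.0.0.0/0            192.168.1.231        tcp dpt:22
"""

# pkts bytes target prot opt in out source destination [extra match text]
ROW_RE = re.compile(r"^\s*(\d+)\s+(\d+)\s+(\S+)\s+(\S+)\s+\S+\s+\S+\s+\S+\s+(\S+)\s+(\S+)\s*(.*)$")
DPT_RE = re.compile(r"\bdpt:(\d+)")
TO_RE = re.compile(r"\bto:([\d.]+)(?::(\d+))?")


def parse_chain(dump):
    """Return one dict per counted rule in an `iptables -nvL` chain dump."""
    rules = []
    for line in dump.splitlines():
        m = ROW_RE.match(line)
        if not m:
            continue  # chain header, column header or blank line
        pkts, _bytes, target, proto, _src, dst, extra = m.groups()
        dpt = DPT_RE.search(extra)
        to = TO_RE.search(extra)
        rules.append({
            "pkts": int(pkts), "target": target, "proto": proto, "dst": dst,
            "dpt": int(dpt.group(1)) if dpt else None,
            "to_ip": to.group(1) if to else None,
            "to_port": int(to.group(2)) if to and to.group(2) else None,
        })
    return rules


def triage(nat_dump, fwd_dump):
    """For each DNAT rule, say whether the flow was unreached, blocked or forwarded."""
    fwd = parse_chain(fwd_dump)
    report = []
    for r in parse_chain(nat_dump):
        if r["target"] != "DNAT":
            continue
        # A DNAT target without an explicit :port keeps the original destination
        # port; the FORWARD chain sees the translated address and port.
        new_port = r["to_port"] if r["to_port"] is not None else r["dpt"]
        forwarded = sum(f["pkts"] for f in fwd
                        if f["target"] == "ACCEPT" and f["proto"] == r["proto"]
                        and f["dpt"] == new_port and f["dst"] == r["to_ip"])
        if r["pkts"] == 0:
            verdict = "unreached"          # nothing hit the nat rule: client side, upstream filter, wrong port
        elif forwarded == 0:
            verdict = "blocked_on_gateway" # translated, then dropped before/in FORWARD (policy, rule order, ip_forward=0)
        else:
            verdict = "forwarded"          # gateway did its job: check the server's route back and its listener
        report.append({"proto": r["proto"], "orig_port": r["dpt"], "to_ip": r["to_ip"],
                       "new_port": new_port, "nat_pkts": r["pkts"],
                       "forward_pkts": forwarded, "verdict": verdict})
    return report


if __name__ == "__main__":
    for row in triage(NAT_DUMP, FORWARD_DUMP):
        print("%s/%s -> %s:%s: nat=%d forward=%d => %s" % (
            row["proto"], row["orig_port"], row["to_ip"], row["new_port"],
            row["nat_pkts"], row["forward_pkts"], row["verdict"]))
```

On a real gateway, feed it the output of `iptables -t nat -nvL net_dnat` and `iptables -nvL net2lan` (the latter chain name is what Shorewall generates for the net->lan pair; use `iptables -nvL` without a chain if yours differs). A "forwarded" verdict with the connection still failing points at the server: its default route must go back through 192.168.1.20, or the reply leaves by another path and the handshake never completes.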

Leon Fauster 09-27-2012 09:37 AM

vsFTP and shorewall
 
Am 27.09.2012 um 10:58 schrieb muiz:

> Dear support and users:
> Sorry to trouble you! I configure the shorewall firewall to forward ftp and ssh port to another server, but failed. Can you help me check?
> I cannot login both SSH 2222 and ftp!
> Below is my environment: (attachment is shorewall dump)



What about the shorewall mailing list?

--
LF




John Doe 09-27-2012 01:51 PM

vsFTP and shorewall
 
From: muiz <muiz@163.com>

> * Sorry to trouble you! I configure the shorewall firewall to forward ftp and
> ssh port to another server, but failed. Can you help me check?
> * I cannot login both SSH 2222 and ftp!

http://www.shorewall.net/FAQ.htm#faq1a

JD

09-28-2012 05:51 AM

vsFTP and shorewall
 
Thanks very much, JD.
I studied this FAQ (1a/1b) before, but it still failed :(




Gordon Messmer 09-29-2012 09:18 PM

vsFTP and shorewall
 
On 09/27/2012 01:58 AM, muiz wrote:
> 1. Gateway (FC6)
> 1.1) eth0: lan static IP: 192.168.1.20
> 1.2) eth1: external public static IP: 113.89.142.80
> 2.3) Shorewall-3.2.8 is running

This is extremely old, and you are allowing access to SSH and DNS
services on the firewall itself. ISC Bind, at least, has security
problems that should be patched. I strongly recommend that you upgrade
this system.

> 3. I want to forward internet access FTP and SSH to FTP Server:
> 3.1) 113.89.142.80: 20 -> 192.168.1.231:20 udp (FTP)
> 3.2) 113.89.142.80: 21 -> 192.168.1.231:21 tcp (FTP)
> 3.3) 113.89.142.80: 2222 -> 192.168.1.231:22 tcp (SSH)

One: FTP doesn't use UDP, regardless of what you see in the services
file. You don't need to forward UDP.

Two: Port 20 is used for outbound connections from an active mode FTP
server. You don't need to forward port 20 in to your server, ever.

> 4. Shorewall settings:
> 4.1 interfaces
> #ZONE INTERFACE BROADCAST OPTIONS
> net eth1 113.89.142.255 norfc1918,arp_filter
> lan eth0 detect arp_filter
> ovpn tun0 -
> #LAST LINE -- ADD YOUR ENTRIES BEFORE THIS ONE -- DO NOT REMOVE

Although it doesn't make much difference, you typically don't need to
specify your broadcast address.

> 4.4 rules
> #SECTION RELATED
> SECTION NEW
> ACCEPT all fw tcp ftp <<< it works for local FTP service (tested)
> ACCEPT all fw udp ftp <<< it works for local FTP service
> ACCEPT all fw tcp 2222
> ACCEPT all fw tcp ssh,domain
> Ping/ACCEPT net fw
> ACCEPT all fw tcp 5222
> ACCEPT all fw udp 5222
> ACCEPT:info all $FW tcp 22
> DNAT net lan:192.168.1.231 tcp 21
> DNAT net lan:192.168.1.231 udp 20
> DNAT net lan:192.168.1.231:22 tcp 2222
> #LAST LINE -- ADD YOUR ENTRIES BEFORE THIS ONE -- DO NOT REMOVE

Your ACCEPT rules are blocking your DNAT rules. They're not needed.

I've never actually seen the Ping/ACCEPT syntax before, so I'm going to
assume that entry is correct. It doesn't exist in Shorewall 4+.

Your rules should contain only this (assuming you're actually running an
XMPP server on your firewall):

Ping/ACCEPT net fw
ACCEPT:info all fw tcp 22
ACCEPT all fw tcp domain
ACCEPT all fw udp domain
ACCEPT all fw tcp 5222
DNAT net lan:192.168.1.231 tcp 21
DNAT net lan:192.168.1.231:22 tcp 2222


muiz 09-30-2012 02:26 PM

vsFTP and shorewall
 
Thanks very much!
I modified the shorewall settings, but it still cannot forward those ports.

Now I have opened ports 2121 and 2222 on shorewall and use "rinetd" to forward the TCP requests:
Gateway 2222 -> 192.168.1.231:22
Gateway 2121 -> 192.168.1.231:21
Gateway 6000-6010 -> 192.168.1.231:6000-6010
Both SSH and FTP work.

I will upgrade the system to CentOS 6.3 next month.

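Gordon's point that port 20 never needs an inbound forward, and the 6000-6010 range muiz ends up relaying with rinetd, both come down to one question: which side opens the FTP data connection. The block below is an added example, not code from the thread, from vsftpd or from Shorewall. It parses the two control-channel messages that set up a data connection, the client's PORT command (active mode) and the server's 227 reply to PASV (passive mode), decodes the RFC 959 h1,h2,h3,h4,p1,p2 host-port string, and reports who connects where and what that means for the gateway. The sample lines are constructed; the addresses reuse the ones in the thread, and the client address 203.0.113.10 is a documentation address chosen here.

```python
"""Who opens the FTP data connection, and what the NAT gateway must allow.

Added example, not code from the thread.  Parses the client's PORT command
and the server's 227 reply and classifies the resulting data connection
from the point of view of a firewall in front of the server.
"""
import re
from dataclasses import dataclass
from ipaddress import ip_address

PUBLIC_IP = "113.89.142.80"      # gateway's external address (from the thread)
SERVER_LAN_IP = "192.168.1.231"  # FTP server behind it (from the thread)

PORT_RE = re.compile(r"^PORT (\d+),(\d+),(\d+),(\d+),(\d+),(\d+)\s*$")
PASV_RE = re.compile(r"^227 .*?\((\d+),(\d+),(\d+),(\d+),(\d+),(\d+)\)")


def decode_hostport(fields):
    """RFC 959 h1,h2,h3,h4,p1,p2 -> (ip, port) with port = p1*256 + p2."""
    nums = [int(x) for x in fields]
    if len(nums) != 6 or any(not 0 <= n <= 255 for n in nums):
        raise ValueError("bad host-port string: %r" % (fields,))
    return ".".join(str(n) for n in nums[:4]), nums[4] * 256 + nums[5]


def encode_hostport(ip, port):
    """Inverse of decode_hostport, for building a PORT command or a 227 reply."""
    if not 0 < port <= 65535:
        raise ValueError("port out of range")
    return "%s,%d,%d" % (ip.replace(".", ","), port // 256, port % 256)


@dataclass(frozen=True)
class DataConn:
    mode: str          # "active" or "passive"
    opener: str        # side that initiates the data TCP connection
    dst_ip: str        # endpoint the opener connects to
    dst_port: int
    gateway_note: str  # what this means for the firewall in front of the server


def analyze(line, public_ip=PUBLIC_IP, lan_ip=SERVER_LAN_IP):
    """Classify one control-channel line as seen from the server's side."""
    m = PORT_RE.match(line)
    if m:
        ip, port = decode_hostport(m.groups())
        # Active mode: the SERVER connects out from its port 20 to the client.
        # From behind NAT that is an ordinary lan->net connection, so nothing
        # has to be forwarded inbound on port 20.
        return DataConn("active", "server", ip, port,
                        "outbound from server port 20; needs lan->net ACCEPT, "
                        "not an inbound DNAT of port 20")
    m = PASV_RE.match(line)
    if m:
        ip, port = decode_hostport(m.groups())
        # Passive mode: the CLIENT connects in to the address and port the
        # server advertises, so the gateway must DNAT that port range and the
        # advertised address must be the public one.
        if ip_address(ip).is_private:
            note = ("227 advertises LAN address %s, unreachable from the Internet; "
                    "set vsftpd pasv_address=%s and DNAT the passive port range"
                    % (ip, public_ip))
        else:
            note = "inbound to %s:%d; gateway must DNAT it to %s:%d" % (ip, port, lan_ip, port)
        return DataConn("passive", "client", ip, port, note)
    raise ValueError("not a PORT command or a 227 reply: %r" % line)


# Constructed sample exchange (client on the Internet at 203.0.113.10).
SAMPLE_LINES = [
    "PORT 203,0,113,10,200,57",                           # client wants data on 203.0.113.10:51257
    "227 Entering Passive Mode (192,168,1,231,23,112).",  # vsftpd default: LAN address, port 6000
    "227 Entering Passive Mode (113,89,142,80,23,112).",  # same server with pasv_address set
]

if __name__ == "__main__":
    for line in SAMPLE_LINES:
        c = analyze(line)
        print("%-52s %s, opened by %s -> %s:%d; %s"
              % (line, c.mode, c.opener, c.dst_ip, c.dst_port, c.gateway_note))
```

The second sample line is what a default vsftpd behind NAT sends: the 227 reply carries the server's own LAN address, so it only works if the client ignores that address and reuses the control connection's peer; clients differ on this. Pinning the range with vsftpd's pasv_min_port/pasv_max_port (6000-6010 in muiz's case) and setting pasv_address to 113.89.142.80, together with a DNAT of that range, removes the dependence on client behaviour. A userspace relay such as rinetd adds one more wrinkle: the server sees every connection coming from the gateway's LAN address, not from the real client.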

