iptables, ftp and dnat?
Help... I have the following in my firewall startup script:

/sbin/modprobe nf_conntrack_ftp
$IPTABLES -A INPUT -p tcp --dport 21 -m state --state NEW,ESTABLISHED -j ACCEPT
$IPTABLES -A PREROUTING -t nat -p tcp -i $IFACE --dport 21 -j DNAT --to 10.1.1.32:21
$IPTABLES -A OUTPUT -p tcp --dport 21 -m state --state NEW,ESTABLISHED -j ACCEPT
# Active
$IPTABLES -A INPUT -p tcp --sport 20 -m state --state ESTABLISHED,RELATED -j ACCEPT
$IPTABLES -A PREROUTING -t nat -p tcp -i $IFACE --sport 20 -j DNAT --to 10.1.1.32:20
$IPTABLES -A OUTPUT -p tcp --dport 20 -m state --state ESTABLISHED -j ACCEPT
# Passive
$IPTABLES -A INPUT -p tcp --sport 1024: --dport 1024: -m state --state ESTABLISHED -j ACCEPT
$IPTABLES -A PREROUTING -t nat -p tcp -i $IFACE --dport 1024: -j DNAT --to 10.1.1.32
$IPTABLES -A OUTPUT -p tcp --sport 1024: --dport 1024: -m state --state ESTABLISHED,RELATED -j ACCEPT

I am trying to forward public internet ftp traffic to a machine behind my firewall. Anyone have this working? Mine is failing and I have no real debug info to explain why....

Robert

-- 
:wq!
Robert L. Harris | GPG Key ID: E344DA3B @ x-hkp://pgp.mit.edu
DISCLAIMER: These are MY OPINIONS ALONE. I speak for no-one else.
With Dreams To Be A King, First One Should Be A Man - Manowar
iptables, ftp and dnat?
On Fri, Dec 5, 2008 at 12:35 PM, Robert L. Harris <robert.l.harris@gmail.com> wrote:
> Help... I have the following in my firewall startup script:
> ...
> I am trying to forward public internet ftp traffic to a machine behind my firewall.
> Anyone have this working? Mine is failing and I have no real debug info to explain why....
>
> Robert

Before accusing the firewall, is ip forwarding turned on in /etc/sysctl.con ?

Stuart
iptables, ftp and dnat?
On Fri, Dec 5, 2008 at 12:52 PM, S Scharf <ss11223@gmail.com> wrote:
> On Fri, Dec 5, 2008 at 12:35 PM, Robert L. Harris <robert.l.harris@gmail.com> wrote:
>> I am trying to forward public internet ftp traffic to a machine behind my firewall.
>> Anyone have this working? Mine is failing and I have no real debug info to explain why....
>
> Before accusing the firewall, is ip forwarding turned on in /etc/sysctl.con ?
>
> Stuart

Oops, that should be /etc/sysctl.conf

Stuart
iptables, ftp and dnat?
Yes it is, and I am successfully routing port 80/http to a different server behind the firewall just fine.

S Scharf wrote:
> On Fri, Dec 5, 2008 at 12:52 PM, S Scharf <ss11223@gmail.com> wrote:
>> Before accusing the firewall, is ip forwarding turned on in
>> /etc/sysctl.con ?
>>
>> Stuart
>
> Oops, that should be /etc/sysctl.conf
>
> Stuart

Robert

-- 
:wq!
iptables, ftp and dnat?
On Fri, Dec 05, 2008 at 10:35:47AM -0700, Robert L. Harris wrote:
> Help... I have the following in my firewall startup script:
>
> /sbin/modprobe nf_conntrack_ftp
> $IPTABLES -A INPUT -p tcp --dport 21 -m state --state NEW,ESTABLISHED -j ACCEPT
> $IPTABLES -A PREROUTING -t nat -p tcp -i $IFACE --dport 21 -j DNAT --to 10.1.1.32:21
> $IPTABLES -A OUTPUT -p tcp --dport 21 -m state --state NEW,ESTABLISHED -j ACCEPT
> # Active
> $IPTABLES -A INPUT -p tcp --sport 20 -m state --state ESTABLISHED,RELATED -j ACCEPT
> $IPTABLES -A PREROUTING -t nat -p tcp -i $IFACE --sport 20 -j DNAT --to 10.1.1.32:20
> $IPTABLES -A OUTPUT -p tcp --dport 20 -m state --state ESTABLISHED -j ACCEPT
> # Passive
> $IPTABLES -A INPUT -p tcp --sport 1024: --dport 1024: -m state --state ESTABLISHED -j ACCEPT
> $IPTABLES -A PREROUTING -t nat -p tcp -i $IFACE --dport 1024: -j DNAT --to 10.1.1.32
> $IPTABLES -A OUTPUT -p tcp --sport 1024: --dport 1024: -m state --state ESTABLISHED,RELATED -j ACCEPT

Can I suggest something like this:

# one catch-all for all related and established connections,
# as defined by connection tracking
iptables -I INPUT RELATED,ESTABLISHED -j ACCEPT

iptables -A INPUT -p tcp --dport 21 -m state --state NEW -j ACCEPT
iptables -A FORWARD -p tcp --dport 21 -m state --state NEW -j ACCEPT

iptables -t nat -A PREROUTING -p tcp --dport 21 -j DNAT --to 10.1.1.32:21

I am not sure if you need the other ports for active, as the conntrack module should handle that for you (works on outgoing; not 100% sure on incoming).

You need the FORWARD statement (you could add a -d 10.1.1.32), because the DNAT makes it a routed packet.

You can test this with:

tcpdump -pni <interface> port 21 or host <host ip>

alex

> I am trying to forward public internet ftp traffic to a machine behind
> my firewall. Anyone have this working? Mine is failing and I have no
> real debug info to explain why....
>
> Robert
iptables, ftp and dnat?
On Fri, 2008-12-05 at 18:35 +0100, Robert L. Harris wrote:
> From: Robert L. Harris <robert.l.harris@gmail.com>
> To: debian-user@lists.debian.org
> Subject: iptables, ftp and dnat?
> Date: Fri, 5 Dec 2008 18:35:47 +0100 (19:35 EET)
>
> Help... I have the following in my firewall startup script:
> I am trying to forward public internet ftp traffic to a machine behind
> my firewall. Anyone have this working? Mine is failing and I have no
> real debug info to explain why....
>
> Robert

Did you consider that FTP re-connects back? Hence, use passive FTP:

$ ftp -p some.domain

Best,
Rob
iptables, ftp and dnat?
Alex Samad wrote:
> On Fri, Dec 05, 2008 at 10:35:47AM -0700, Robert L. Harris wrote:
>> Help... I have the following in my firewall startup script:
>> ...
>
> Can I suggest something like this
>
> # one catch all for all related and established connection
> # as defined by connection tracking
> iptables -I INPUT RELATED,ESTABLISHED -j ACCEPT
>
> iptables -A INPUT -p tcp --dport 21 -m state --state NEW -j ACCEPT
> iptables -A FORWARD -p tcp --dport 21 -m state --state NEW -j ACCEPT
>
> iptables -t nat -A PREROUTING -p tcp --dport 21 -j DNAT --to 10.1.1.32:21
>
> I am not sure if you need the other ports for active as the conn
> track module should handle that for you (works on out going not
> 100% sure on incoming).
>
> You need the forward statement you could add a -d 10.1.1.32, because the
> DNAT makes it a routed packet.
>
> you can test this with tcpdump -pni <interface> port 21 or host <host ip>
>
> alex

Using your rule I get this:

iptables v1.4.1.1: Invalid rule number `RELATED,ESTABLISHED'
Try `iptables -h' or 'iptables --help' for more information.

Commenting it out, everything looks good until after I log in and try to do an "ls", when it returns:

ftp> ls
227 Entering Passive Mode (10,1,1,32,205,208).

Then nothing.

Robert

-- 
:wq!
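The 227 reply quoted above encodes the data-channel endpoint as (h1,h2,h3,h4,p1,p2), with the port being p1*256 + p2 (RFC 959). What follows is an added example, not code from the thread or from any of the posters: a small POSIX sh decoder for such replies plus a check that compares the advertised host with the host the client actually connected to. A server behind a DNAT firewall that advertises an RFC 1918 address is the classic sign that the control channel was forwarded but nothing rewrote the PASV payload. The public firewall address 203.0.113.5 (documentation range) and the helper names in the diagnosis text are assumptions; the 227 line is the one Robert posted.

```sh
#!/bin/sh
# Added example, not from the thread: decode an FTP 227 (PASV) reply and
# check whether the advertised address is the one the client connected to.

# pasv_decode REPLY -> prints "host port"; returns 1 if REPLY is not a 227 line.
pasv_decode() {
    tuple=$(printf '%s\n' "$1" |
        sed -n 's/^227 .*(\([0-9]*,[0-9]*,[0-9]*,[0-9]*,[0-9]*,[0-9]*\)).*/\1/p')
    [ -n "$tuple" ] || return 1
    old_ifs=$IFS
    IFS=,
    set -- $tuple                      # h1 h2 h3 h4 p1 p2
    IFS=$old_ifs
    # RFC 959: the data port is p1*256 + p2
    printf '%s.%s.%s.%s %d\n' "$1" "$2" "$3" "$4" $(( $5 * 256 + $6 ))
}

# is_private_ipv4 ADDR -> 0 for RFC 1918 space, 1 otherwise.
is_private_ipv4() {
    case "$1" in
        10.*|192.168.*|172.1[6-9].*|172.2[0-9].*|172.3[01].*) return 0 ;;
        *) return 1 ;;
    esac
}

# pasv_check CONTROL_HOST REPLY
#   0: advertised host matches the control connection; data port is usable
#   1: advertised host differs but is public (multi-homed or misconfigured server)
#   2: advertised host differs and is private: the NAT helper is not rewriting PASV
#   3: REPLY is not a 227 line
pasv_check() {
    control=$1
    decoded=$(pasv_decode "$2") || { echo "not a 227 reply: $2"; return 3; }
    host=${decoded% *}
    port=${decoded#* }
    if [ "$host" = "$control" ]; then
        echo "ok: data channel $host:$port"
        return 0
    fi
    if is_private_ipv4 "$host"; then
        echo "leaked private address $host:$port (control host $control):" \
             "nf_nat_ftp / the ftp helper is not rewriting the PASV reply"
        return 2
    fi
    echo "PASV points to $host:$port, not $control"
    return 1
}

# Constructed sample: the 227 line from the thread as seen by a client that
# connected to an assumed public firewall address (203.0.113.5, TEST-NET-3).
CONTROL_HOST=203.0.113.5
SAMPLE_227='227 Entering Passive Mode (10,1,1,32,205,208).'
pasv_check "$CONTROL_HOST" "$SAMPLE_227" || echo "diagnosis exit status: $?"
```

Run against the sample it reports the leaked 10.1.1.32:52688 and exits 2; a client would try to connect to that private address, which is why "ls" hangs after the 227 line. Feed it the 227 lines from an `ftp -v` session or a tcpdump of port 21 to tell a NAT-helper problem apart from a plain filter drop.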
iptables, ftp and dnat?
On Fri, Dec 05, 2008 at 01:35:25PM -0700, Robert L. Harris wrote:
> Alex Samad wrote:
>> Can I suggest something like this
>>
>> # one catch all for all related and established connection
>> # as defined by connection tracking
>> iptables -I INPUT RELATED,ESTABLISHED -j ACCEPT
>> ...
>
> Using your rule I get this:
>
> iptables v1.4.1.1: Invalid rule number `RELATED,ESTABLISHED'
> Try `iptables -h' or 'iptables --help' for more information.

Oops, early-morning emailing; I forgot the -m state --state:

iptables -I INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT

> Commenting it out, everything looks good until after I log in and try
> to do an "ls" when it returns:
> ftp> ls
> 227 Entering Passive Mode (10,1,1,32,205,208).
>
> Then nothing.

You can use two methods to track it down: tcpdump on the outside and the inside interface, or -j LOG statements to see what is getting dropped/rejected (maybe first try again with the related/established line working).

alex
iptables, ftp and dnat?
>> iptables -I INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
>
> Commenting it out, everything looks good until after I log in and try
> to do an "ls" when it returns:
> ftp> ls
> 227 Entering Passive Mode (10,1,1,32,205,208).
>
> Then nothing.

I've configured my ftp server to use a specific, small range of ports for passive mode data, then poked a hole in the iptables filter for them. What you're describing sounds like the reason I did that...

-- 
Glenn English
ghe@slsware.com
iptables, ftp and dnat?
Hi

You should try and keep this on list.

Alex

On Fri, Dec 05, 2008 at 02:17:42PM -0700, Robert L. Harris wrote:
> [snip]
>
> I've updated my rules to this:
>
> # allow ftpd
> HARVARD="10.1.1.32"
> /sbin/modprobe nf_conntrack_ftp
> # General
> iptables -I INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
> iptables -A INPUT -p tcp --dport 21 -m state --state NEW -j ACCEPT
> iptables -A FORWARD -p tcp --dport 21 -m state --state NEW -j ACCEPT
> iptables -t nat -A PREROUTING -p tcp --dport 21 -j DNAT --to 10.1.1.32:21
>
> I think I confused myself though: do I need the other rules I had for
> port 20, or will the first INPUT rule above cover that?

Have a look here: http://slacksite.com/other/ftp.html (quick google on ftp & ports). It shows you how the ports are used for ftp. The ftp conntrack module that you were loading previously should handle the "related" ports and allow them through; what I am not sure about is whether it will handle the dnat'ing of those ports. But then again you could specify passive ftp only; here is another link: http://www.cyberciti.biz/faq/iptables-open-ftp-port-21/ (again google). My strength is in iptables, not ftp (which is the reason for googling :) ).

Also, for anything to do with iptables and firewalls, you should probably read a tutorial on iptables.

> Thank you for your help, I've not done anything this complex with
> iptables before.
>
> Robert

-- 
alex
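The thread's scripts load nf_conntrack_ftp, filter in INPUT, and wonder whether the helper will also take care of the DNAT side. As an added example, not the script of any poster, here is the complete ruleset that the discussion converges on, with the two pieces the posted versions lack: the nf_nat_ftp module that rewrites the PORT/PASV payloads (without it the server's 227 reply keeps advertising 10.1.1.32), and FORWARD rules instead of INPUT rules, because a DNATed packet is routed, not delivered locally. The interface eth0, the public address 203.0.113.5, the choice of `-m conntrack` over the older `-m state`, and the assumption that the firewall is 10.1.1.32's default gateway (so no SNAT is needed on the return path) are all assumptions; 10.1.1.32 itself is from the thread. The explicit helper binding in the raw table is required on kernels from 4.7 on, where helpers are no longer attached automatically. By default the script only prints the commands; run it as root with APPLY=1 to load them.

```sh
#!/bin/sh
# Added example, not the thread's own script: DNAT a public FTP service to an
# internal server, with the FTP NAT helper and FORWARD-chain filtering.
IFACE=${IFACE:-eth0}                   # assumed public-facing interface
PUBLIC_IP=${PUBLIC_IP:-203.0.113.5}    # assumed firewall address (documentation range)
FTP_SERVER=${FTP_SERVER:-10.1.1.32}    # internal FTP server from the thread
APPLY=${APPLY:-0}                      # APPLY=1 executes; default prints only

# run CMD...: execute when APPLY=1, otherwise print the command line.
run() {
    if [ "$APPLY" = 1 ]; then "$@"; else printf '%s\n' "$*"; fi
}

ftp_dnat_rules() {
    # Both halves of the helper. nf_conntrack_ftp only tracks the control
    # channel and marks data connections RELATED; nf_nat_ftp rewrites the
    # address in PORT/PASV payloads so the 227 reply carries the public IP.
    run modprobe nf_conntrack_ftp
    run modprobe nf_nat_ftp

    # DNAT turns the packet into a routed one, so forwarding must be on.
    run sysctl -w net.ipv4.ip_forward=1

    # Kernels since 4.7 do not attach helpers automatically. Bind the ftp
    # helper in the raw table; raw PREROUTING runs before nat, so match the
    # pre-DNAT (public) destination.
    run iptables -t raw -A PREROUTING -i "$IFACE" -d "$PUBLIC_IP" \
        -p tcp --dport 21 -j CT --helper ftp

    # Control channel: rewrite the destination to the internal server.
    run iptables -t nat -A PREROUTING -i "$IFACE" -d "$PUBLIC_IP" \
        -p tcp --dport 21 -j DNAT --to-destination "$FTP_SERVER:21"

    # The DNATed packet never reaches a local socket, so filter in FORWARD,
    # not INPUT. Assumes this box is the server's default gateway, so replies
    # come back through it and conntrack reverses the translation.
    run iptables -A FORWARD -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
    run iptables -A FORWARD -i "$IFACE" -d "$FTP_SERVER" \
        -p tcp --dport 21 -m conntrack --ctstate NEW -j ACCEPT

    # Data channels, active (server port 20 outbound) or passive (client to
    # the port in the rewritten 227 reply), are RELATED to the tracked control
    # connection and are accepted by the first FORWARD rule; no holes for
    # port 20 or for 1024: are needed, and none should be opened.
}

ftp_dnat_rules
```

If the helper cannot be used, the fallback is the one Glenn describes: pin the server to a small passive port range, DNAT that range to 10.1.1.32 as well, and accept NEW connections to it in FORWARD. Either way, run `tcpdump -pni` on the outside and the inside interface, as Alex suggests, and confirm that the 227 reply leaving the public interface names the public address, not 10.1.1.32.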