Linux Archive > Debian > Debian User
Old 12-05-2008, 04:35 PM
"Robert L. Harris"
 
Default iptables, ftp and dnat?

Help... I have the following in my firewall startup script:

/sbin/modprobe nf_conntrack_ftp
$IPTABLES -A INPUT -p tcp --dport 21 -m state --state NEW,ESTABLISHED -j ACCEPT
$IPTABLES -A PREROUTING -t nat -p tcp -i $IFACE --dport 21 -j DNAT --to 10.1.1.32:21
$IPTABLES -A OUTPUT -p tcp --dport 21 -m state --state NEW,ESTABLISHED -j ACCEPT
# Active
$IPTABLES -A INPUT -p tcp --sport 20 -m state --state ESTABLISHED,RELATED -j ACCEPT
$IPTABLES -A PREROUTING -t nat -p tcp -i $IFACE --sport 20 -j DNAT --to 10.1.1.32:20
$IPTABLES -A OUTPUT -p tcp --dport 20 -m state --state ESTABLISHED -j ACCEPT
# Passive
$IPTABLES -A INPUT -p tcp --sport 1024: --dport 1024: -m state --state ESTABLISHED -j ACCEPT
$IPTABLES -A PREROUTING -t nat -p tcp -i $IFACE --dport 1024: -j DNAT --to 10.1.1.32
$IPTABLES -A OUTPUT -p tcp --sport 1024: --dport 1024: -m state --state ESTABLISHED,RELATED -j ACCEPT

I am trying to forward public internet ftp traffic to a machine behind
my firewall. Anyone have this working? Mine is failing and I have no
real debug info to explain why....

Robert

--

:wq!
====================================================================
Robert L. Harris | GPG Key ID: E344DA3B @ x-hkp://pgp.mit.edu
DISCLAIMER: These are MY OPINIONS ALONE. I speak for no-one else.

"With Dreams To Be A King, First One Should Be A Man" - Manowar



--
To UNSUBSCRIBE, email to debian-user-REQUEST@lists.debian.org
with a subject of "unsubscribe". Trouble? Contact listmaster@lists.debian.org
 
Old 12-05-2008, 04:52 PM
"S Scharf"
 
Default iptables, ftp and dnat?

On Fri, Dec 5, 2008 at 12:35 PM, Robert L. Harris <robert.l.harris@gmail.com> wrote:

> Help... I have the following in my firewall startup script:
> ...
> I am trying to forward public internet ftp traffic to a machine behind
> my firewall. Anyone have this working? Mine is failing and I have no
> real debug info to explain why....
>
> Robert


Before accusing the firewall, is ip forwarding turned on in /etc/sysctl.con ?

Stuart
 
Old 12-05-2008, 04:54 PM
"S Scharf"
 
Default iptables, ftp and dnat?

On Fri, Dec 5, 2008 at 12:52 PM, S Scharf <ss11223@gmail.com> wrote:

> On Fri, Dec 5, 2008 at 12:35 PM, Robert L. Harris <robert.l.harris@gmail.com> wrote:
>
>> Help... I have the following in my firewall startup script:
>> ...
>> I am trying to forward public internet ftp traffic to a machine behind
>> my firewall. Anyone have this working? Mine is failing and I have no
>> real debug info to explain why....
>>
>> Robert
>
> Before accusing the firewall, is ip forwarding turned on in /etc/sysctl.con ?
>
> Stuart


Oops, that should be /etc/sysctl.conf

Stuart
 
Old 12-05-2008, 05:28 PM
"Robert L. Harris"
 
Default iptables, ftp and dnat?

Yes it is, and I am successfully routing port 80/http to a different
server behind the firewall just fine.



S Scharf wrote:
>
>
> On Fri, Dec 5, 2008 at 12:52 PM, S Scharf <ss11223@gmail.com
> <mailto:ss11223@gmail.com>> wrote:
>
>
>
> On Fri, Dec 5, 2008 at 12:35 PM, Robert L. Harris
> <robert.l.harris@gmail.com <mailto:robert.l.harris@gmail.com>>
> wrote:
>
> -----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1
>
>
> Help... I have the following in my firewall startup script:
>
>
>
> ...
>
>
> I am trying to forward public internet ftp traffic to a machine
> behind my firewall. Anyone have this working? Mine is failing
> and I have no real debug info to explain why....
>
> Robert
>
> - --
>
> :wq!
>
>
> Before accusing the firewall, is ip forwarding turned on in
> /etc/sysctl.con ?
>
> Stuart
>
>
> Oops, that should be /etc/sysctl.conf
>
> Stuart



 
Old 12-05-2008, 05:53 PM
Alex Samad
 
Default iptables, ftp and dnat?

On Fri, Dec 05, 2008 at 10:35:47AM -0700, Robert L. Harris wrote:
> Help... I have the following in my firewall startup script:
>
> /sbin/modprobe nf_conntrack_ftp
> $IPTABLES -A INPUT -p tcp --dport 21 -m state --state NEW,ESTABLISHED -j ACCEPT
> $IPTABLES -A PREROUTING -t nat -p tcp -i $IFACE --dport 21 -j DNAT --to 10.1.1.32:21
> $IPTABLES -A OUTPUT -p tcp --dport 21 -m state --state NEW,ESTABLISHED -j ACCEPT
> # Active
> $IPTABLES -A INPUT -p tcp --sport 20 -m state --state ESTABLISHED,RELATED -j ACCEPT
> $IPTABLES -A PREROUTING -t nat -p tcp -i $IFACE --sport 20 -j DNAT --to 10.1.1.32:20
> $IPTABLES -A OUTPUT -p tcp --dport 20 -m state --state ESTABLISHED -j ACCEPT
> # Passive
> $IPTABLES -A INPUT -p tcp --sport 1024: --dport 1024: -m state --state ESTABLISHED -j ACCEPT
> $IPTABLES -A PREROUTING -t nat -p tcp -i $IFACE --dport 1024: -j DNAT --to 10.1.1.32
> $IPTABLES -A OUTPUT -p tcp --sport 1024: --dport 1024: -m state --state ESTABLISHED,RELATED -j ACCEPT

Can I suggest something like this:

# one catch-all for all related and established connections
# as defined by connection tracking
iptables -I INPUT RELATED,ESTABLISHED -j ACCEPT

iptables -A INPUT -p tcp --dport 21 -m state --state NEW -j ACCEPT
iptables -A FORWARD -p tcp --dport 21 -m state --state NEW -j ACCEPT

iptables -t nat -A PREROUTING -p tcp --dport 21 -j DNAT --to 10.1.1.32:21

I am not sure if you need the other ports for active, as the conntrack
module should handle that for you (works on outgoing; not 100% sure on
incoming).

You need the FORWARD statement (you could add a -d 10.1.1.32), because the
DNAT makes it a routed packet.

You can test this with tcpdump -pni <interface> port 21 or host <host ip>.

alex

>
> I am trying to forward public internet ftp traffic to a machine behind
> my firewall. Anyone have
> this working? Mine is failing and I have no real debug info to
> explain why....
>
> Robert
>

--
Darth Vader sleeps with a Teddywookie.
 
Old 12-05-2008, 06:19 PM
Rob de Graaf
 
Default iptables, ftp and dnat?

On Fri, 2008-12-05 at 18:35 +0100, Robert L. Harris wrote:

> Help... I have the following in my firewall startup script:

> I am trying to forward public internet ftp traffic to a machine behind
> my firewall. Anyone have
> this working? Mine is failing and I have no real debug info to
> explain why....
>
> Robert

Did you consider that FTP connects back to the client?

Hence, use passive FTP:
$ ftp -p some.domain

Best,

Rob


 
Old 12-05-2008, 07:35 PM
"Robert L. Harris"
 
Default iptables, ftp and dnat?

Alex Samad wrote:
> On Fri, Dec 05, 2008 at 10:35:47AM -0700, Robert L. Harris wrote:
>> Help... I have the following in my firewall startup script:
>> [snip]
>
> Can I suggest something like this
>
> # one catch all for all related and established connection
> # as defined by connection tracking
> iptables -I INPUT RELATED,ESTABLISHED -j ACCEPT
>
> iptables -A INPUT -p tcp --dport 21 -m state --state NEW -j ACCEPT
> iptables -A FORWARD -p tcp --dport 21 -m state --state NEW -j ACCEPT
>
> iptables -t nat -A PREROUTING -p tcp --dport 21 -j DNAT --to 10.1.1.32:21
>
> I am not sure if you need the other ports for active as the conn track
> module should handle that for you (works on out going not 100% sure on
> incoming).
>
> You need the forward statement you could add a -d 10.1.1.32, because the
> DNAT makes it a routed packet.
>
> you can test this with tcpdump -pni <interface> -port 21 or host <host ip>
>
> alex


Using your rule I get this:

iptables v1.4.1.1: Invalid rule number `RELATED,ESTABLISHED'
Try `iptables -h' or 'iptables --help' for more information.

Commenting it out, everything looks good until after I log in and try
to do an "ls" when it returns:
ftp> ls
227 Entering Passive Mode (10,1,1,32,205,208).

Then nothing.





 
Old 12-05-2008, 07:45 PM
Alex Samad
 
Default iptables, ftp and dnat?

On Fri, Dec 05, 2008 at 01:35:25PM -0700, Robert L. Harris wrote:
> Alex Samad wrote:
>> Can I suggest something like this
>>
>> # one catch all for all related and established connection
>> # as defined by connection tracking
>> iptables -I INPUT RELATED,ESTABLISHED -j ACCEPT
>
> [snip]
>
> Using your rule I get this:
>
> iptables v1.4.1.1: Invalid rule number `RELATED,ESTABLISHED'
> Try `iptables -h' or 'iptables --help' for more information.

Oops, early-morning emailing; I forgot the

-m state --state

iptables -I INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT

>
> Commenting it out, everything looks good until after I log in and try
> to do an "ls" when it returns:
> ftp> ls
> 227 Entering Passive Mode (10,1,1,32,205,208).
>
> Then nothing.

You can use two methods to track it down: tcpdump on the outside and the
inside interface, or -j LOG statements to see what is getting
dropped/rejected (maybe first try again with the related/established line
working).


--
"After all, a week ago, there were -- Yasser Arafat was boarded up in his building in Ramallah, a building full of, evidently, German peace protestors and all kinds of people. They're now out. He's now free to show leadership, to lead the world."

- George W. Bush
05/02/2002
Washington, DC
 
Old 12-05-2008, 07:57 PM
Glenn English
 
Default iptables, ftp and dnat?

>> iptables -I INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
>
> Commenting it out, everything looks good until after I log in and try
> to do an "ls" when it returns:
> ftp> ls
> 227 Entering Passive Mode (10,1,1,32,205,208).
>
> Then nothing.

I've configured my ftp server to use a specific, small range of ports
for passive mode data, then poked a hole in the iptables filter for
them. What you're describing sounds like the reason I did that...

--
Glenn English
ghe@slsware.com



 
Old 12-05-2008, 09:11 PM
Alex Samad
 
Default iptables, ftp and dnat?

Hi

You should try and keep this on list


Alex


On Fri, Dec 05, 2008 at 02:17:42PM -0700, Robert L. Harris wrote:
[snip]

>
> I've updated my rules to this:
> # allow ftpd
> HARVARD="10.1.1.32"
> /sbin/modprobe nf_conntrack_ftp
> # General
> iptables -I INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
> iptables -A INPUT -p tcp --dport 21 -m state --state NEW -j ACCEPT
> iptables -A FORWARD -p tcp --dport 21 -m state --state NEW -j ACCEPT
> iptables -t nat -A PREROUTING -p tcp --dport 21 -j DNAT --to 10.1.1.32:21
>
> I think I confused myself though, do I need the other rules I had for
> port 20 or will the first INPUT rule above cover that?

Have a look here: http://slacksite.com/other/ftp.html (quick Google on
ftp & ports).

It shows you how the ports are used for ftp.

The ftp conntrack module that you were loading previously should handle
the "related" ports and allow them through; what I am not sure about is
whether it will handle the DNATing of those ports. But then again you
could specify passive ftp only.

Here is another link:
http://www.cyberciti.biz/faq/iptables-open-ftp-port-21/ (again Google).


My strength is in iptables, not ftp (which is the reason for googling).

Also, for anything to do with iptables and firewalls you should probably
read a tutorial on iptables.


>
> Thank you for your help, I've not done anything this complex with
> iptables before.
>
> Robert
>

--
"Obviously, I pray every day there's less casualty."

- George W. Bush
04/11/2004
Fort Hood, TX
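Pulling the thread together (Alex's catch-all/FORWARD/DNAT rule set, the "227 Entering Passive Mode" reply Robert pasted, Glenn's pinned passive range, and Alex's open question about whether the helper also DNATs the data ports), as an added example that is none of the posters' code: by default it prints the rules instead of applying them, and it assumes the kernel module name nf_nat_ftp, a constructed passive range of 50000-50100 on the ftpd, and the public interface in $IFACE.

```shell
#!/bin/sh
# Added example, not code from the thread. Assumptions: the FTP server sits
# at 10.1.1.32 (from the thread), the public interface is in $IFACE, and the
# ftpd has been pinned to passive ports 50000-50100 (a constructed range;
# set it to whatever your server is actually configured for).
IFACE="${IFACE:-eth0}"
FTP_HOST="10.1.1.32"
PASV_RANGE="50000:50100"
RUN="${RUN:-echo}"   # dry-run by default; RUN="" applies the rules for real

ftp_dnat_rules() {
    # nf_conntrack_ftp marks the data connection RELATED; nf_nat_ftp also
    # rewrites the address inside PORT / "227 Entering Passive Mode" so the
    # client is not handed the private 10.1.1.32 (the "then nothing" symptom).
    $RUN modprobe nf_conntrack_ftp
    $RUN modprobe nf_nat_ftp
    # Catch-all first, in INPUT and FORWARD: DNATed packets are routed, not
    # delivered locally, so FORWARD is the chain that matters here.
    $RUN iptables -I INPUT   -m state --state RELATED,ESTABLISHED -j ACCEPT
    $RUN iptables -I FORWARD -m state --state RELATED,ESTABLISHED -j ACCEPT
    # Control channel: rewrite the destination, then admit the NEW packet.
    $RUN iptables -t nat -A PREROUTING -i "$IFACE" -p tcp --dport 21 \
        -j DNAT --to "$FTP_HOST:21"
    $RUN iptables -A FORWARD -i "$IFACE" -p tcp -d "$FTP_HOST" --dport 21 \
        -m state --state NEW -j ACCEPT
    # Pinned passive range (Glenn's approach) so data connections still get
    # through even when the helper does not see the 227 reply.
    $RUN iptables -t nat -A PREROUTING -i "$IFACE" -p tcp --dport "$PASV_RANGE" \
        -j DNAT --to "$FTP_HOST"
    $RUN iptables -A FORWARD -i "$IFACE" -p tcp -d "$FTP_HOST" \
        --dport "$PASV_RANGE" -m state --state NEW -j ACCEPT
}

# Decode "227 Entering Passive Mode (h1,h2,h3,h4,p1,p2)" into "host port".
# The data port is p1*256+p2. If the host is a private address, the client
# was told to connect somewhere it cannot reach: exactly the "ls ... then
# nothing" that Robert saw. Returns 1 if the line is not a 227 reply.
parse_pasv() {
    fields=$(printf '%s\n' "$1" | sed -n 's/.*(\([0-9,]*\)).*/\1/p')
    [ -n "$fields" ] || return 1
    set -- $(printf '%s\n' "$fields" | tr ',' ' ')
    [ $# -eq 6 ] || return 1
    echo "$1.$2.$3.$4 $(( $5 * 256 + $6 ))"
}

ftp_dnat_rules
# Constructed sample: the reply quoted in the thread. Prints "10.1.1.32 52688".
parse_pasv "227 Entering Passive Mode (10,1,1,32,205,208)."
```

Run it as RUN="" sh script.sh on the firewall to apply the rules; with conntrack helpers loaded, `cat /proc/net/nf_conntrack | grep ftp` (or `iptables -t nat -L -n -v`) is the quickest way to confirm the data connection is being tracked and translated.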
 
