LinuxQuestions.org
Welcome to the most active Linux Forum on the web.
Go Back   LinuxQuestions.org > Forums > Linux Forums > Linux - Networking
User Name
Password
Linux - Networking This forum is for any issue related to networks or networking.
Routing, network cards, OSI, etc. Anything is fair game.

Notices

Reply
 
Search this Thread
Old 09-11-2007, 10:53 PM   #1
boToo
Member
 
Registered: Aug 2003
Distribution: Kubuntu
Posts: 49

Rep: Reputation: 15
DNATing ftp server with iptables


Hi all,
My apologies if that has been answered. It has been more than long half day to get my ftp server working. But no luck yet. here what my setup is,

internet--->linux router--->ftpserver(FileZilla on Windows XP) and someother PCs.

if you asked why dont i run ftp server on linux, I have ispconfig with http,email and other services running on linux box. the ftp server on windoes is just general purposes, not critical one.
the below command was done for ftp DNAT with no luck.
$IPT -t nat -A PREROUTING -i $INET_IFACE -p tcp --dport 20:21 -j DNAT --to 192.168.1.3
I can access ftp server on XP in LAN, but not from outside world. Below is my iptables .
########################iptables config########################
#!/bin/bash

IPT="/sbin/iptables"
LOADMOD="/sbin/modprobe"
###########################################################################
#
# Internet Configuration.
#
INET_IFACE="ppp0"
INET_IP="X.X.X.X"
NAMESERVER_1="203.X.X.X"
NAMESERVER_2="203.X.X.1"

###########################################################################
#
# Local Area Network configuration.
#
LAN_IFACE="eth0"
LAN_IP="192.168.1.1"
LAN_BCAST_ADD="192.168.1.255"
LAN_IPRANGE="192.168.1.0/24"

###########################################################################
#
# Localhost Configuration.
#
LO_IFACE="lo"
LO_IP="127.0.0.1"

############ Begin the NAT table operations #####################

#Flash all rules in the NAT table
$IPT -F
$IPT -t nat -F
$IPT -t mangle -F
$IPT -X #deletes every non-builtin chain in the table

#load modules for ftp
$LOADMOD ip_nat_ftp

#enable ip_forward
echo 1 >> /proc/sys/net/ipv4/ip_forward
#echo 1 >> /proc/sys/net/ipv4/icmp_echo_ignore_broadcasts
#echo 1 >> /proc/sys/net/ipv4/icmp_echo_ignore_all

###########################################################################
#
# 4. IPTables rules set up.
#
# Set default policies for the INPUT, FORWARD and OUTPUT chains.
#
$IPT -P INPUT ACCEPT #DROP
$IPT -P OUTPUT ACCEPT
$IPT -P FORWARD ACCEPT

#
# Do some checks for obviously spoofed IP's
#
$IPT -A INPUT -i $INET_IFACE -s 192.168.0.0/16 -j DROP
$IPT -A INPUT -i $INET_IFACE -s 10.0.0.0/8 -j DROP
$IPT -A INPUT -i $INET_IFACE -s 172.16.0.0/12 -j DROP

#blocking Yan Naung computer mac address
#iptables -A FORWARD -i eth0 -m mac --mac-source 00:16:e6:d7:04:92 -j LOG --log-prefix xxxxx
#iptables -A FORWARD -i eth0 -m mac --mac-source 00:16:e6:d7:04:92 -j DROP

##############################################################################
#
#ALLOWING PARTS
#

#
# Rules for special networks not part of the Internet
#
$IPT -A INPUT -p ALL -i $LAN_IFACE -d $LAN_BCAST_ADD -j ACCEPT
$IPT -A INPUT -p ALL -i $LO_IFACE -s $LO_IP -j ACCEPT
$IPT -A INPUT -p ALL -i $LO_IFACE -s $LAN_IP -j ACCEPT
$IPT -A INPUT -p ALL -i $LO_IFACE -s $INET_IP -j ACCEPT
$IPT -A INPUT -p ALL -i $LAN_IFACE -s $LAN_IPRANGE -j ACCEPT

#allow DNS request
$IPT -t nat -A POSTROUTING -o $INET_IFACE -d $NAMESERVER_1 -p UDP --dport 53 -j SNAT --to X.X.X.X
$IPT -t nat -A POSTROUTING -o $INET_IFACE -d $NAMESERVER_2 -p UDP --dport 53 -j SNAT --to X.X.X.X

#allow ping
$IPT -A INPUT -p ICMP -j ACCEPT

#allow SSH
$IPT -A INPUT -p tcp --dport 22 -j ACCEPT

#allow WEB server, Email server, ISPCONFIG
#iptables -t nat -A PREROUTING -i $IFACE -p tcp --dport 80 -j DNAT --to-destination 192.168.1.1
$IPT -A INPUT -p tcp --dport 80:81 -j ACCEPT
$IPT -A INPUT -p tcp --dport 110 -j ACCEPT
$IPT -A INPUT -p tcp --dport 25 -j ACCEPT
$IPT -A INPUT -p tcp --dport 443 -j ACCEPT

#allow ASTERISK VOIP Server
$IPT -A INPUT -p tcp --dport 5060:5061 -j ACCEPT
$IPT -A INPUT -p udp --dport 5060:5061 -j ACCEPT
$IPT -A INPUT -p udp --dport 10000:20000 -j ACCEPT
$IPT -A FORWARD -o $INET_IFACE -p udp --dport 5060:5061 -j ACCEPT
$IPT -A FORWARD -o $INET_IFACE -p tcp --dport 5060:5061 -j ACCEPT
$IPT -A FORWARD -o $INET_IFACE -p udp --dport 10000:20000 -j ACCEPT

#allow ftp server at 192.168.1.3**************************************
$IPT -t nat -A PREROUTING -i $INET_IFACE -p tcp --dport 20:21 -j DNAT --to 192.168.1.3

#allow already establashed connections
$IPT -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
#allow forward any related/establashed packets from $INET_IFACE to LAN
$IPT -A FORWARD -i $INET_IFACE -o $LAN_IFACE -m state --state ESTABLISHED,RELATED -j ACCEPT

#allow any outputs from LAN
$IPT -A INPUT -m state --state NEW -i ! $INET_IFACE -j ACCEPT
#allow forward anything from LAN to INTERNET
$IPT -A FORWARD -i $LAN_IFACE -o $INET_IFACE -j ACCEPT

#################avoid looping############################
$IPT -A FORWARD -i $INET_IFACE -o $INET_IFACE -j REJECT

#SNAT/MASQUEADE to INTERNET
$IPT -t nat -A POSTROUTING -o $INET_IFACE -j SNAT --to X.X.X.X
 
Old 09-11-2007, 11:36 PM   #2
soroccoheaven
Member
 
Registered: Jul 2007
Distribution: mandrake Mandriva Redhat CentOS Slackware
Posts: 221

Rep: Reputation: 30
disable/flush you firewall and see the port status 21 you can use nmap from linux box and try again ...
 
Old 09-12-2007, 12:10 AM   #3
boToo
Member
 
Registered: Aug 2003
Distribution: Kubuntu
Posts: 49

Original Poster
Rep: Reputation: 15
Hummm,
strange, when i nmap, I dont even see port 21 there, that's what i got, when nmaped, nmap is done from another computer.any ideas??

PORT STATE SERVICE
22/tcp open ssh
25/tcp open smtp
80/tcp open http
81/tcp open hosts2-ns
110/tcp open pop3
111/tcp open rpcbind
139/tcp open netbios-ssn
143/tcp open imap
443/tcp open https
445/tcp open microsoft-ds
833/tcp open unknown
901/tcp open samba-swat
993/tcp open imaps
995/tcp open pop3s
2000/tcp open callbook
3306/tcp open mysql
 
Old 09-12-2007, 11:13 PM   #4
soroccoheaven
Member
 
Registered: Jul 2007
Distribution: mandrake Mandriva Redhat CentOS Slackware
Posts: 221

Rep: Reputation: 30
Is you ftp running ?..check/recheck and restart see the /var/log/messages after restarting it.
 
Old 09-13-2007, 01:23 AM   #5
chlee97
Member
 
Registered: Sep 2007
Posts: 30

Rep: Reputation: 15
you better try to nmap your windows based server first, it is to know that the FTP service is available in that server.


$IPT -t nat -A PREROUTING -i $INET_IFACE -p tcp --dport 20:21 -j DNAT --to 192.168.1.3

normally i just only allow port 21 to be forwarded into internal server and it works for my network, try remove port 20.


then try below command at your firewall ...

modprobe ip_conntrack
modprobe ip_conntrack_ftp
modprobe ip_nat_ftp
 
Old 09-13-2007, 06:42 AM   #6
boToo
Member
 
Registered: Aug 2003
Distribution: Kubuntu
Posts: 49

Original Poster
Rep: Reputation: 15
Hi
thanks for replies, the ftp server can be connected inside LAN, it just seems iptables is not DNATing it. I need to fiddle around a bit more, I guess.
 
  


Reply


Thread Tools Search this Thread
Search this Thread:

Advanced Search

Posting Rules
You may not post new threads
You may not post replies
You may not post attachments
You may not edit your posts

BB code is On
Smilies are On
[IMG] code is Off
HTML code is Off


Similar Threads
Thread Thread Starter Forum Replies Last Post
ftp server + iptables ddaas Linux - Security 14 03-27-2006 09:46 AM
dnating irc server jelgavchik Linux - Networking 1 01-19-2005 11:11 AM
IpTables DNating LostAgain Linux - Networking 27 09-29-2004 10:25 AM
FTP server w/ IPTables clergykid Linux - Security 2 02-09-2003 02:49 PM
iptables router with ftp server bbenz3 Linux - Networking 6 02-26-2002 11:45 AM


All times are GMT -5. The time now is 01:20 AM.

Main Menu
My LQ
Write for LQ
LinuxQuestions.org is looking for people interested in writing Editorials, Articles, Reviews, and more. If you'd like to contribute content, let us know.
Main Menu
Syndicate
RSS1  Latest Threads
RSS1  LQ News
Twitter: @linuxquestions
identi.ca: @linuxquestions
Facebook: linuxquestions Google+: linuxquestions
Open Source Consulting | Domain Registration