LinuxQuestions.org
Old 10-15-2004, 03:37 AM   #1
tomammon
LQ Newbie
 
Registered: Jun 2004
Posts: 6

Rep: Reputation: 0
FTP port forwarding


Hello,

I have a Slack 9.1 webserver sitting behind a Slack 9.1 firewall. The firewall is running iptables with a pretty sophisticated set of chains (I didn't design them). I recently modified the firewall rules to forward all port 80 traffic from the outside through the firewall and to the router. It works great.

Now, I would like to do the same thing with FTP, but it is not working. Below are my iptables rules. Is it possible to forward both port 21 and 22, or could it work in passive mode? Any help is appreciated.


IPTABLES rules

# Generated by iptables-save v1.2.8 on Tue Sep 21 05:32:59 2004
*nat
:PREROUTING ACCEPT [71:36452]
:POSTROUTING ACCEPT [4:300]
:OUTPUT ACCEPT [4:326]
-A PREROUTING -d 192.168.0.7 -i eth0 -p tcp -m tcp --dport 80 -j DNAT --to-destination 192.168.1.20:80
-A POSTROUTING -o eth0 -j MASQUERADE
COMMIT
# Completed on Tue Sep 21 05:32:59 2004
# Generated by iptables-save v1.2.8 on Tue Sep 21 05:32:59 2004
*filter
:INPUT DROP [22:1584]
:FORWARD DROP [0:0]
:OUTPUT DROP [0:0]
:allowed - [0:0]
:bad_tcp_packets - [0:0]
:icmp_packets - [0:0]
:tcp_packets - [0:0]
:udp_packets - [0:0]
-A INPUT -p tcp -j bad_tcp_packets
-A INPUT -s 192.168.1.0/255.255.255.0 -i eth1 -j ACCEPT
-A INPUT -i lo -j ACCEPT
-A INPUT -i eth0 -m state --state RELATED,ESTABLISHED -j ACCEPT
-A INPUT -i eth0 -p tcp -j tcp_packets
-A INPUT -i eth0 -p udp -j udp_packets
-A INPUT -i eth0 -p icmp -j icmp_packets
-A INPUT -i eth1 -p udp -m udp --sport 68 --dport 67 -j ACCEPT
-A FORWARD -p tcp -j bad_tcp_packets
-A FORWARD -i eth1 -j ACCEPT
-A FORWARD -m state --state RELATED,ESTABLISHED -j ACCEPT
-A FORWARD -d 192.168.1.20 -i eth0 -o eth1 -p tcp -m tcp --dport 80 -j ACCEPT
-A OUTPUT -p tcp -j bad_tcp_packets
-A OUTPUT -s 192.168.1.0/255.255.255.0 -j ACCEPT
-A OUTPUT -o eth0 -j ACCEPT
-A allowed -p tcp -m tcp --tcp-flags SYN,RST,ACK SYN -j ACCEPT
-A allowed -p tcp -m state --state RELATED,ESTABLISHED -j ACCEPT
-A allowed -p tcp -j DROP
-A bad_tcp_packets -p tcp -m state --state NEW -m tcp --tcp-flags SYN,ACK SYN,ACK -j REJECT --reject-with tcp-reset
-A bad_tcp_packets -p tcp -m state --state NEW -m tcp ! --tcp-flags SYN,RST,ACK SYN -j DROP
-A icmp_packets -p icmp -m icmp --icmp-type 8 -j ACCEPT
-A icmp_packets -p icmp -m icmp --icmp-type 11 -j ACCEPT
-A tcp_packets -p tcp -m tcp --dport 22 -j allowed
-A tcp_packets -p tcp -m tcp --dport 80 -j allowed
-A tcp_packets -p tcp -m tcp --dport 20:21 -j allowed
-A udp_packets -s 192.168.0.0/255.255.255.0 -p udp -m udp --sport 67 --dport 68 -j ACCEPT
-A udp_packets -i eth0 -p udp -m udp --dport 135:139 -j DROP
-A udp_packets -d 255.255.255.255 -i eth0 -p udp -m udp --dport 67:68 -j DROP
COMMIT
# Completed on Tue Sep 21 05:32:59 2004


Thanks,

Tom
 
Old 10-15-2004, 07:49 AM   #2
Demonbane
Guru
 
Registered: Aug 2003
Location: Sydney, Australia
Distribution: Gentoo
Posts: 1,796

Rep: Reputation: 47
In most cases you want the clients to use Passive mode, because you have no control over the client's firewall, which may or may not properly allow Active mode.
In order for Passive mode to work, you need to map port 21 as well as the passive ports you specify in your FTP daemon, which by default uses random ports above 1024.

In ProFTPD, for example, you can use:
PassivePorts 40000 40100

The equivalent in vsftpd:
pasv_min_port=40000
pasv_max_port=40100

Then you map port 21 as well as ports 40000-40100, assuming 192.168.1.20 is the FTP server:
iptables -t nat -A PREROUTING -i eth0 -p tcp --dport 40000:40100 -j DNAT --to-destination 192.168.1.20

iptables -t nat -A PREROUTING -i eth0 -p tcp --dport 21 -j DNAT --to-destination 192.168.1.20

As for active mode, you only need to load the "ip_nat_ftp" module and allow outgoing traffic from your port 20, but as mentioned previously it may or may not work (should work in most cases, though) depending on the client firewall.

Last edited by Demonbane; 10-15-2004 at 07:52 AM.
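The passive-mode setup from the reply above, written out as an added example (not code from the thread): a script that generates, or with --apply installs, the two DNAT rules plus the FORWARD accepts that the poster's default-DROP FORWARD chain also needs (the posted rule set only lets port 80 through). It assumes eth0/eth1, the public address 192.168.0.7 and server 192.168.1.20 from the original rule set, the 40000-40100 passive range from the reply, and the 2.4-era module names ip_nat_ftp (named in the reply) and its companion ip_conntrack_ftp.

```shell
#!/bin/sh
# Added example; values below are assumptions taken from the thread.
WAN_IF=eth0            # outside interface of the firewall
LAN_IF=eth1            # inside interface
WAN_IP=192.168.0.7     # public address the port-80 DNAT already uses
FTP_SERVER=192.168.1.20
PASV_RANGE=40000:40100 # must match PassivePorts / pasv_min_port,pasv_max_port

# Emit the rules instead of applying them, so they can be reviewed first.
# The DNAT alone is not enough: the FORWARD chain is DROP by default and the
# posted rule set only accepts forwarded traffic to port 80, so the control
# connection (21) and the passive data range need explicit ACCEPTs as well.
ftp_forward_rules() {
    cat <<EOF
iptables -t nat -A PREROUTING -d $WAN_IP -i $WAN_IF -p tcp --dport 21 -j DNAT --to-destination $FTP_SERVER:21
iptables -t nat -A PREROUTING -d $WAN_IP -i $WAN_IF -p tcp --dport $PASV_RANGE -j DNAT --to-destination $FTP_SERVER
iptables -A FORWARD -d $FTP_SERVER -i $WAN_IF -o $LAN_IF -p tcp --dport 21 -j ACCEPT
iptables -A FORWARD -d $FTP_SERVER -i $WAN_IF -o $LAN_IF -p tcp --dport $PASV_RANGE -j ACCEPT
EOF
}

# Number of rules that will be installed; handy as a sanity check.
ftp_forward_rule_count() {
    ftp_forward_rules | wc -l | tr -d ' '
}

if [ "$1" = "--apply" ]; then
    # Connection-tracking helper and its NAT companion: with these loaded the
    # firewall rewrites the addresses inside PORT/PASV replies and treats the
    # resulting data connections as RELATED.
    modprobe ip_conntrack_ftp
    modprobe ip_nat_ftp
    ftp_forward_rules | sh -e
else
    ftp_forward_rules   # dry run: print the commands only
fi
```

Run without arguments to review the generated rules; run as root with --apply to install them.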
All times are GMT -5. The time now is 06:34 AM.