LinuxQuestions.org


nesargha 06-08-2006 03:25 AM

iptables and ftp problem
 
Hi guys,
I have written a script for a firewall (to make Squid a transparent proxy) based on searching the web. The script is as follows:

-------------
# Interface connected to Internet
# Interface connected to LAN
# Squid port
# DO NOT MODIFY BELOW
# Clean old firewall
iptables -F
iptables -X
iptables -t nat -F
iptables -t nat -X
iptables -t mangle -F
iptables -t mangle -X
# Load IPTABLES modules for NAT and IP conntrack support
modprobe ip_conntrack
modprobe ip_conntrack_ftp
# For win xp ftp client
#modprobe ip_nat_ftp
echo 1 > /proc/sys/net/ipv4/ip_forward
# Setting default filter policy
iptables -P INPUT DROP
iptables -P OUTPUT ACCEPT
# Unlimited access to loop back
iptables -A INPUT -i lo -j ACCEPT
iptables -A OUTPUT -o lo -j ACCEPT
# Allow UDP, DNS and Passive FTP
iptables -A INPUT -i eth0 -m state --state ESTABLISHED,RELATED -j ACCEPT
# set this system as a router for Rest of LAN
iptables --table nat --append POSTROUTING --out-interface eth0 -j MASQUERADE
iptables --append FORWARD --in-interface eth1 -j ACCEPT
# unlimited access to LAN
iptables -A INPUT -i eth1 -j ACCEPT
iptables -A OUTPUT -o eth1 -j ACCEPT
# DNAT port 80 requests coming from LAN systems to squid 3128 ($SQUID_PORT) aka transparent proxy
iptables -t nat -A PREROUTING -i eth1 -p tcp --dport 80 -j DNAT --to 192.168.0.1:3128
# if it is same system
iptables -t nat -A PREROUTING -i eth0 -p tcp --dport 80 -j REDIRECT --to-port 3128
# DROP everything and Log it
iptables -A INPUT -j LOG
iptables -A INPUT -j DROP

-------------------------------------

Now Squid is working as a transparent proxy, and locally on the network people are able to browse the internet and FTP to the local site (on the server) and to other FTP sites on the internet.

But there are two problems:
1) People outside our network (we have a branch office in another city) are not able to FTP into our server.

Our server has two ethernet cards, one connected to the LAN and the other to the internet,
i.e. eth0 192.168.0.1 LAN
eth1 static IP (given by the ISP) internet

2) The second problem is that a whole lot of text like
IN=eth0 OUT= MAC=00... SRC=196.68.45.123 DST=<STATIC IP > TTL=112 etc. is printed out on the monitor screen continuously when working in text mode (non-GUI).

Can anyone please help me out in solving this problem?

Notwerk 06-08-2006 04:29 AM

Ehem...

Please make sure of the information you provided regarding which interface is connected to what network:

Quote:

# unlimited access to LAN
iptables -A INPUT -i eth1 -j ACCEPT
iptables -A OUTPUT -o eth1 -j ACCEPT
Quote:

ie. eth0 192.168.0.1 lan
eth1 static ip (given by the isp) internet
Since you say that everything is running fine on the internal network, I'll take the risk of assuming that you got the interfaces mixed up and eth0 is actually connected to the internet while eth1 is connected to your LAN.

Based on this assumption here's how to go about it:
You just need to add the proper rule to allow users OUTSIDE your network to connect to the ftp service.

If the service is running on the same machine which is acting as a firewall then something like:
Code:

#iptables -A INPUT -m state --state NEW -m tcp -p tcp --syn --dport 21 -j ACCEPT
If the service is on a different machine you'll need something closer to:
Code:

#iptables -t nat -A PREROUTING -i eth0 -p tcp --dport 21 -j DNAT --to-destination [ip-of-ftp-server]:21
#iptables -A FORWARD -i eth0 -o eth1 -p tcp --dport 21 -j ACCEPT

This will open port 21 (FTP service) to all users from the internet. So if you need a secure FTP service, try looking into vsftpd [$ man vsftpd], which can be configured for username/password or key-based authentication.
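The two cases Notwerk describes (FTP daemon on the firewall itself, or DNAT to a host behind it), as an added example that is not part of the thread: the function prints the rules rather than applying them, so they can be reviewed first. Interface names, the FTP host address and the module names are assumptions (ip_nat_ftp is the 2.6-era name; current kernels use nf_conntrack_ftp/nf_nat_ftp).

```shell
#!/bin/sh
# Added example (not from the thread): print the iptables commands that admit
# inbound FTP from the internet. Nothing is applied unless the output is
# reviewed and piped to sh as root.

# Usage: ftp_inbound_rules WAN_IF LAN_IF [FTP_HOST]
#   Without FTP_HOST the FTP daemon is assumed to run on the firewall itself.
ftp_inbound_rules() {
    wan=$1; lan=$2; ftp=$3
    # Only the control channel (TCP 21) is opened explicitly; passive data
    # connections are classified RELATED by the FTP conntrack helper, so no
    # data-port range needs to be exposed.
    echo "modprobe ip_conntrack"
    echo "modprobe ip_conntrack_ftp"
    if [ -z "$ftp" ]; then
        # Case 1: the FTP daemon (e.g. vsftpd) runs on the firewall host.
        echo "iptables -A INPUT -i $wan -p tcp --syn --dport 21 -m state --state NEW -j ACCEPT"
        echo "iptables -A INPUT -i $wan -m state --state ESTABLISHED,RELATED -j ACCEPT"
    else
        # Case 2: FTP host behind the firewall. ip_nat_ftp rewrites the
        # addresses carried inside PASV/PORT replies so the data channel
        # is translated along with the control channel.
        echo "modprobe ip_nat_ftp"
        echo "iptables -t nat -A PREROUTING -i $wan -p tcp --dport 21 -j DNAT --to-destination $ftp:21"
        echo "iptables -A FORWARD -i $wan -o $lan -d $ftp -p tcp --dport 21 -m state --state NEW -j ACCEPT"
        # Replies and the data channel, in both directions, by state only.
        echo "iptables -A FORWARD -i $wan -o $lan -m state --state ESTABLISHED,RELATED -j ACCEPT"
        echo "iptables -A FORWARD -i $lan -o $wan -m state --state ESTABLISHED,RELATED -j ACCEPT"
    fi
}

# Number of generated rules that would be handed to iptables (used for checks).
ftp_rule_count() { ftp_inbound_rules "$@" | grep -c '^iptables'; }

# Review with assumed names (eth0 = internet, eth1 = LAN, FTP host 192.168.0.10),
# then apply as root with: ftp_inbound_rules eth0 eth1 192.168.0.10 | sh
ftp_inbound_rules eth0 eth1 192.168.0.10
```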

nesargha 06-09-2006 08:43 AM

Thank you Notwerk,
your solution worked for me; people are able to FTP into our server, but the second problem still exists and it is too annoying to work in text mode.
---------------------
The second problem is that a whole lot of text like
IN=eth0 OUT= MAC=00... SRC=196.68.45.123 DST=<STATIC IP > TTL=112 etc. is printed out on the monitor screen continuously when working in text mode (non-GUI).
----------------------
Can you tell what might be the problem and where I have gone wrong?

Once again thank you for your advice, it helped me a lot.

jjluis 09-07-2006 06:16 AM

Quote:

Originally Posted by Notwerk
Code:

#iptables -A INPUT -m state --state NEW -m tcp -p tcp --syn --dport 21 -j ACCEPT
If the service is on a different machine you'll need something closer to:
Code:

iptables -t nat -A PREROUTING -i eth0 -p tcp --dport 21 -j DNAT --to-destination [ip-of-ftp-server]:21
iptables -A FORWARD -i eth0 -o eth1 -p tcp --dport 21 -j ACCEPT

This will open port 21 (FTP service) to all users from the internet. So if you need a secure FTP service, try looking into vsftpd [$ man vsftpd], which can be configured for username/password or key-based authentication.

I have the same problem, but the above code didn't work for me in Fedora Core 5.
Here is my script:
Code:

iptables --flush
iptables --table nat --flush
iptables --append FORWARD --in-interface eth0 -j ACCEPT
iptables --table nat --append POSTROUTING --out-interface eth1 -j MASQUERADE

iptables -t nat -A PREROUTING -i eth0 -p tcp --dport 21 -j DNAT --to-destination [$FTP_ADDRESS]:21
iptables -A FORWARD -i eth0 -o eth1 -p tcp --dport 21 -j ACCEPT

any ideas?

Notwerk 09-07-2006 09:13 AM

jjluis

Could you provide more details? Is that the complete script you're using or just a piece of it?

Also, is the [$FTP_ADDRESS] inside your network (reachable through eth0) or is it outside (reachable through eth1)?

jjluis 09-07-2006 10:51 AM

RE: More details
 
Hi, this was my complete script. [$FTP_ADDRESS] is reachable from eth0 (IP 192.168.x.x).

This is how I actually have it:

Code:

echo 1 > /proc/sys/net/ipv4/ip_forward
iptables --flush
iptables --table nat --flush
iptables --append FORWARD --in-interface eth0 -j ACCEPT
iptables --table nat --append POSTROUTING --out-interface eth1 -j MASQUERADE
iptables --table nat --append PREROUTING -i eth1 -p tcp --dport 21 -j DNAT --to [$FTP_ADDRESS]:21
iptables --table nat --append POSTROUTING -o eth0 -p tcp --dport 21 -j SNAT --to [$DNS_INTRANET_IP]

What I want to do is this: since I have the DNS with BIND there (the global DNS) and ftp.server.com points to the DNS server, I want it to redirect ftp.server.com to [$FTP_ADDRESS].

I have routed successfully in Red Hat 9, but here it does not seem to work. (I have a DSL modem, so the router is the Linux box.)

Any ideas?

Thanks for your help

Notwerk 09-07-2006 04:49 PM

It looks fine to me. The only thing missing is allowing FORWARDing in the other direction :)

something like this should help:
Code:

#iptables -A FORWARD -i eth1 -o eth0 -p tcp --dport 21 -j ACCEPT

jjluis 09-07-2006 06:22 PM

Quote:

Originally Posted by Notwerk
It looks fine to me. The only thing missing is allowing FORWARDing in the other direction :)

something like this should help:
Code:

#iptables -A FORWARD -i eth1 -o eth0 -p tcp --dport 21 -j ACCEPT

Good. :)

Now I can route any port I use. But ... I have a problem with the FTP ... I did not mention it before because I was not able to route anything, so I supposed it was some kind of iptables-related problem... I have Fedora Core 5 running at level 5. A uname -r command returns 2.6.17-1.2174_FC5.

Just before moving the FTP to another machine I ran it on the Linux box itself (I used vsftpd) and I could not access it from outside the network... nor can I now... even after doing a /etc/init.d/iptables stop ... Nmap returns port 21 TCP as FILTERED from outside the network. Does anyone know if some sneaky feature like the so-called "Secure Linux" prevents access to an FTP from an external source by default? I mean, I know I can route because I open services on other machines and I can connect to their sockets through Linux while their services are started. Has anyone heard of something like this?

Thanks for your help :)

PS: I'm sorry for being so long-winded.

Notwerk 09-08-2006 03:44 AM

Could you post more details about the FTP problem in the same sequence they happened, please? Also, posting the relevant configuration files would help :)

jjluis 09-08-2006 04:12 AM

Quote:

Originally Posted by Notwerk
Could you post more details about the FTP problem in the same sequence they happened, please? Also, posting the relevant configuration files would help :)

Ok. Problem Fixed. I'm sorry. :)

It had nothing to do with Linux or iptables. I have a Zyxel router, and my ISP, even with routing turned off, blocked FTP, HTTP, telnet and others by default.

Thank you very much for your help. Now it is all working fine and routing all services, including web, FTP and all the others.

Thanks for your help.

Just in case:

I keyed in my gateway IP (the public gateway IP) and entered the Zyxel web control panel (it does not work by telnet, only by web). I clicked Advanced Setup and then Security, and removed the checkboxes for "block FTP traffic from LAN to WAN" and likewise for Web.

I hope that helps if anyone encounters the same problem.

Thank you very much for your help :)

Notwerk 09-08-2006 04:52 AM

Glad to hear that things are working now :)

Perhaps this is a good time to review your iptables rules and tighten them up a little bit.
A good idea would be to specify the following conditions for EACH rule:
1) -i INCOMING_INTERFACE
2) -o OUTGOING_INTERFACE
also, if the traffic is from/to the local network you should add:
3) -s (or -d) 192.168.x.0
Specifying the protocols also helps:
4) -p tcp (or udp)
Finally, you might want to consider connection state tracking. Loading the following modules allows iptables to use this feature:
#modprobe ip_conntrack
#modprobe ip_conntrack_ftp
Now, for example, you can filter "-m state --state NEW" if it does not have the SYN bit.
Also, you can allow ONLY "-m state --state RELATED,ESTABLISHED" traffic to pass the FORWARD rules.

Hope this helps :)
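Notwerk's checklist (interface, protocol, state on every rule) applied to jjluis's layout, as an added example that is not part of the thread: a small checker that reports what a rule line is missing, plus a tightened FORWARD chain that closes forwarding by default. The interface roles (eth1 = internet, eth0 = LAN), the LAN subnet and the FTP host address are assumptions.

```shell
#!/bin/sh
# Added example (not from the thread): rate iptables rule lines against the
# checklist above and print a tightened FORWARD chain. Nothing is applied.

# check_rule RULE: print what the rule lacks; return 1 if anything is missing.
# Policy and flush lines (-P, -F, -X, --flush) carry no match and are not rated.
check_rule() {
    rule=$1; missing=""
    case " $rule " in
        *" -P "*|*" -F "*|*" -X "*|*" --flush "*) return 0 ;;
    esac
    case " $rule " in
        *" -i "*|*" --in-interface "*|*" -o "*|*" --out-interface "*) ;;
        *) missing="$missing interface" ;;
    esac
    case " $rule " in
        *" -p "*|*" --protocol "*) ;;
        *) missing="$missing protocol" ;;
    esac
    case " $rule " in
        *" --state "*) ;;
        *) missing="$missing state" ;;
    esac
    [ -z "$missing" ] && return 0
    echo "$rule  <- missing:$missing"
    return 1
}

# check_rules: rate every line on stdin; exit status 1 if any rule falls short.
check_rules() { rc=0; while read -r r; do check_rule "$r" || rc=1; done; return $rc; }

# tight_rules WAN_IF LAN_IF LAN_NET FTP_HOST: FORWARD chain with interfaces,
# protocol and state on every rule. New connections are allowed only from the
# LAN outwards and, from the internet, only to TCP 21 on the FTP host; the
# FTP conntrack helper marks the data channel RELATED, so nothing else opens.
tight_rules() {
    wan=$1; lan=$2; lannet=$3; ftp=$4
    echo "iptables -P FORWARD DROP"
    echo "iptables -A FORWARD -i $lan -o $wan -s $lannet -p tcp -m state --state NEW,ESTABLISHED,RELATED -j ACCEPT"
    echo "iptables -A FORWARD -i $lan -o $wan -s $lannet -p udp -m state --state NEW,ESTABLISHED,RELATED -j ACCEPT"
    echo "iptables -A FORWARD -i $wan -o $lan -d $ftp -p tcp --syn --dport 21 -m state --state NEW -j ACCEPT"
    echo "iptables -A FORWARD -i $wan -o $lan -p tcp -m state --state ESTABLISHED,RELATED -j ACCEPT"
    echo "iptables -A FORWARD -i $wan -o $lan -p udp -m state --state ESTABLISHED,RELATED -j ACCEPT"
}

# jjluis's original catch-all FORWARD rule fails the checklist; the tightened set passes.
check_rule "iptables --append FORWARD --in-interface eth0 -j ACCEPT"
tight_rules eth1 eth0 192.168.1.0/24 192.168.1.10 | check_rules && echo "tightened rules: all complete"
```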

jjluis 09-08-2006 05:28 AM

Thanks :)

I will do that. Now I am configuring and preparing things for the FTP. The rest of services are running ok.

Thanks :)
