LinuxQuestions.org
Old 06-08-2006, 03:25 AM   #1
nesargha
Member
 
Registered: May 2006
Distribution: rhel 4, red hat 9, fedora core 2
Posts: 51

Rep: Reputation: 15
iptables and ftp problem


hi guys,
i have written a script for a firewall (to make squid a transparent proxy) based on searching the web; the script is as follows:

-------------
# Interface connected to Internet
# Interface connected to LAN
# Squid port
# DO NOT MODIFY BELOW
# Clean old firewall
iptables -F
iptables -X
iptables -t nat -F
iptables -t nat -X
iptables -t mangle -F
iptables -t mangle -X
# Load IPTABLES modules for NAT and IP conntrack support
modprobe ip_conntrack
modprobe ip_conntrack_ftp
# For win xp ftp client
#modprobe ip_nat_ftp
echo 1 > /proc/sys/net/ipv4/ip_forward
# Setting default filter policy
iptables -P INPUT DROP
iptables -P OUTPUT ACCEPT
# Unlimited access to loop back
iptables -A INPUT -i lo -j ACCEPT
iptables -A OUTPUT -o lo -j ACCEPT
# Allow UDP, DNS and Passive FTP
iptables -A INPUT -i eth0 -m state --state ESTABLISHED,RELATED -j ACCEPT
# set this system as a router for Rest of LAN
iptables --table nat --append POSTROUTING --out-interface eth0 -j MASQUERADE
iptables --append FORWARD --in-interface eth1 -j ACCEPT
# unlimited access to LAN
iptables -A INPUT -i eth1 -j ACCEPT
iptables -A OUTPUT -o eth1 -j ACCEPT
# DNAT port 80 request comming from LAN systems to squid 3128 ($SQUID_PORT) aka transparent proxy
iptables -t nat -A PREROUTING -i eth1 -p tcp --dport 80 -j DNAT --to 192.168.0.1:3128
# if it is same system
iptables -t nat -A PREROUTING -i eth0 -p tcp --dport 80 -j REDIRECT --to-port 3128
# DROP everything and Log it
iptables -A INPUT -j LOG
iptables -A INPUT -j DROP

-------------------------------------

now squid is working as a transparent proxy, and locally on the network people are able to browse the internet and do ftp to the local site (on the server) and to other ftps on the internet.

but there are two problems
1) people outside our network (we have a branch office in another city) are not able to ftp into our server

our server has two ethernet cards, one connected to the lan and the other to the internet
ie. eth0 192.168.0.1 lan
eth1 static ip (given by the isp) internet

2) the second problem is that a whole lot of text like
IN=eth0 OUT= MAC=00... SRC=196.68.45.123 DST=<STATIC IP > TTL=112 etc is printed out on the monitor screen continuously when working in text mode (non gui).

can anyone please help me out in solving this problem.

 
Old 06-08-2006, 04:29 AM   #2
Notwerk
Member
 
Registered: Apr 2005
Location: Jordan
Distribution: Debian (Sarge), Ubuntu (6.06)
Posts: 271

Rep: Reputation: 30
Ehem...

please make sure of the information you provided regarding which interface is connected to which network:

Quote:
# unlimited access to LAN
iptables -A INPUT -i eth1 -j ACCEPT
iptables -A OUTPUT -o eth1 -j ACCEPT
Quote:
ie. eth0 192.168.0.1 lan
eth1 static ip (given by the isp) internet
Since you say that everything is running fine on the internal network, I'll take the risk of assuming that you got the interfaces mixed up and eth0 is actually connected to the internet while eth1 is connected to your LAN.

Based on this assumption here's how to go about it:
You just need to add the proper rule to allow users OUTSIDE your network to connect to the ftp service.

If the service is running on the same machine which is acting as a firewall then something like:
Code:
#iptables -A INPUT -m state --state NEW -m tcp -p tcp --syn --dport 21 -j ACCEPT
If the service is on a different machine you'll need something closer to:
Code:
#iptables -t nat -A PREROUTING -i eth0 -p tcp --dport 21 -j DNAT --to-destination [ip-of-ftp-server]:21
#iptables -A FORWARD -i eth0 -o eth1 -p tcp --dport 21 -j ACCEPT
This will open port 21 (ftp service) to all users from the internet. So if you need a secure ftp service try and look into vsftpd [$man vsftpd] which can be configured for username/password or key-based authentication.

 
Old 06-09-2006, 08:43 AM   #3
nesargha
Member
 
Registered: May 2006
Distribution: rhel 4, red hat 9, fedora core 2
Posts: 51

Original Poster
Rep: Reputation: 15
thank you Notwerk,
your solution worked for me, people are able to ftp into our server, but the second problem still exists and it's too annoying to work in text mode.
---------------------
the second problem is that a whole lot of text like
IN=eth0 OUT= MAC=00... SRC=196.68.45.123 DST=<STATIC IP > TTL=112 etc is printed out on the monitor screen continuously when working in text mode (non gui).
----------------------
can you tell me what might be the problem and where i have gone wrong.

once again thank you for your advice, it helped me a lot
 
Old 09-07-2006, 06:16 AM   #4
jjluis
LQ Newbie
 
Registered: Sep 2006
Posts: 5

Rep: Reputation: 0
Quote:
Originally Posted by Notwerk
Code:
#iptables -A INPUT -m state --state NEW -m tcp -p tcp --syn --dport 21 -j ACCEPT
If the service is on a different machine you'll need something closer to:
Code:
iptables -t nat -A PREROUTING -i eth0 -p tcp --dport 21 -j DNAT --to-destination [ip-of-ftp-server]:21
iptables -A FORWARD -i eth0 -o eth1 -p tcp --dport 21 -j ACCEPT
This will open port 21 (ftp service) to all users from the internet. So if you need a secure ftp service try and look into vsftpd [$man vsftpd] which can be configured for username/password or key-based authentication.
I have the same problem but the above code didn't work for me in fedora core 5.
Here is my script:
Code:
iptables --flush
iptables --table nat --flush
iptables --append FORWARD --in-interface eth0 -j  ACCEPT
iptables --table nat --append POSTROUTING --out-interface eth1 -j MASQUERADE

iptables -t nat -A PREROUTING -i eth0 -p tcp --dport 21 -j DNAT --to-destination [$FTP_ADDRESS]:21
iptables -A FORWARD -i eth0 -o eth1 -p tcp --dport 21 -j ACCEPT
any ideas?

 
Old 09-07-2006, 09:13 AM   #5
Notwerk
Member
 
Registered: Apr 2005
Location: Jordan
Distribution: Debian (Sarge), Ubuntu (6.06)
Posts: 271

Rep: Reputation: 30
jjluis

Could you provide more details? Is that the complete script you're using or just a piece of it?

Also, is the [$FTP_ADDRESS] inside your network (reachable through eth0) or is it outside (reachable through eth1)?
 
Old 09-07-2006, 10:51 AM   #6
jjluis
LQ Newbie
 
Registered: Sep 2006
Posts: 5

Rep: Reputation: 0
RE: More details

Hi, this was my complete script. [$FTP_ADDRESS] is reachable from eth0 (IP 192.168.x.x).

This is how actually I have got it:

Code:
echo 1 > /proc/sys/net/ipv4/ip_forward
iptables --flush
iptables --table nat --flush
iptables --append FORWARD --in-interface eth0 -j  ACCEPT
iptables --table nat --append POSTROUTING --out-interface eth1 -j MASQUERADE
iptables --table nat --append PREROUTING -i eth1 -p tcp --dport 21 -j DNAT --to [$FTP_ADDRESS]:21
iptables --table nat --append POSTROUTING -o eth0 -p tcp --dport 21 -j SNAT --to [$DNS_INTRANET_IP]
and what I want to do is this: since I have the DNS with bind there (the global DNS) and ftp.server.com points to the DNS server, I want it to redirect ftp.server.com to [$FTP_ADDRESS].

I have routed successfully in red hat 9 but here it does not seem to work. (I have a DSL modem, so the router is the Linux box.)

Any ideas?

Thanks for your help
 
Old 09-07-2006, 04:49 PM   #7
Notwerk
Member
 
Registered: Apr 2005
Location: Jordan
Distribution: Debian (Sarge), Ubuntu (6.06)
Posts: 271

Rep: Reputation: 30
It looks fine to me. The only thing missing is allowing FORWARDing in the other direction.

something like this should help:
Code:
#iptables -A FORWARD -i eth1 -o eth0 -p tcp --dport 21 -j ACCEPT
 
Old 09-07-2006, 06:22 PM   #8
jjluis
LQ Newbie
 
Registered: Sep 2006
Posts: 5

Rep: Reputation: 0
Quote:
Originally Posted by Notwerk
It looks fine to me. The only thing missing is allowing FORWARDing in the other direction

something like this should help:
Code:
#iptables -A FORWARD -i eth1 -o eth0 -p tcp --dport 21 -j ACCEPT
Good.

Now I can route any port I use. But ... I have a problem with the FTP ... I did not mention it before because I was not able to route anything, so I supposed it was some kind of iptables related problem... I have fedora core 5 running at level 5. A uname -r command returns 2.6.17-1.2174_FC5.

Just before moving the FTP to another machine I ran it on the Linux box itself (I used vsftpd) and I could not access it from outside the network... nor can I now... even doing a /etc/init.d/iptables stop ... Nmap returns port 21 TCP as FILTERED from outside the network. Does anyone know if some sneaky feature like the so called "Secure Linux" prevents access to an FTP from an external source by default? I mean, I know I can route because I open services on other machines and I can connect to their sockets through Linux while their services are started. Has anyone heard of something like this?

Thanks for your help

PS: I'm sorry for being so extended.
 
Old 09-08-2006, 03:44 AM   #9
Notwerk
Member
 
Registered: Apr 2005
Location: Jordan
Distribution: Debian (Sarge), Ubuntu (6.06)
Posts: 271

Rep: Reputation: 30
Could you post more details about the FTP problem in the same sequence they happened, please? Also, posting the relevant configuration files would help.
 
Old 09-08-2006, 04:12 AM   #10
jjluis
LQ Newbie
 
Registered: Sep 2006
Posts: 5

Rep: Reputation: 0
Quote:
Originally Posted by Notwerk
Could you post more details about the FTP problem in the same sequence they happened please. Also, posting the relevant configuration files would help
Ok. Problem fixed. I'm sorry.

It had nothing to do with Linux or iptables. I have a Zyxel router and my ISP, even with routing turned off, blocked FTP, HTTP, telnet and others by default.

Thank you very much for your help. Now all of it is working fine and routing all services including web, FTP and all others.

Thanks for your help.

Just in case:

I keyed in my gateway IP (public gateway IP) and entered the Zyxel web control panel (it does not work by telnet, just by web). I clicked advanced setup and then security and removed the checkboxes in block FTP traffic from LAN to WAN, and so on with Web.

I hope that helps if anyone encounters the same problem.

Thank you very much for your help
 
Old 09-08-2006, 04:52 AM   #11
Notwerk
Member
 
Registered: Apr 2005
Location: Jordan
Distribution: Debian (Sarge), Ubuntu (6.06)
Posts: 271

Rep: Reputation: 30
Glad to hear that things are working now.

Perhaps this is a good time to review your iptables rules and tighten them up a little bit.
A good idea would be to specify the following conditions for EACH rule:
1) -i INCOMING_INTERFACE
2) -o OUTGOING_INTERFACE
also, if the traffic is from/to the local network you should add:
3) -s (or -d) 192.168.x.0
Specifying the protocols also helps:
4) -p tcp (or udp)
Finally, you might wanna consider connection state tracking. Loading the following modules allows iptables to use this feature:
#modprobe ip_conntrack
#modprobe ip_conntrack_ftp
Now, for example, you can filter "-m state --state NEW" if it does not have the SYN bit.
Also, you can allow ONLY "-m state --state RELATED,ESTABLISHED" traffic to pass the FORWARD rules.

Hope this helps
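Putting that checklist into practice, here is an added example (not any poster's script) that rebuilds the firewall from the first post with interface, address, protocol and state conditions on every rule, and emits the commands for review before applying them. It also addresses the never-answered second problem: the unlimited `iptables -A INPUT -j LOG` rule writes every dropped packet to the kernel log at warning level, which the text console prints, so here the rule is rate-limited and the console log level is lowered with dmesg -n. Interface roles (eth0 internet, eth1 LAN), the 192.168.0.0/24 range, the squid port 3128 and the optional FTP_SERVER host are assumptions, not values from the thread beyond what the posts show.

```shell
#!/bin/sh
# Added example, not any poster's script: the first post's firewall rebuilt
# with -i/-o, -s/-d, -p and state conditions on every rule.
# Interface roles and addresses are assumed from the thread; override by env.
WAN_IF=${WAN_IF:-eth0}               # assumed: interface towards the ISP
LAN_IF=${LAN_IF:-eth1}               # assumed: interface towards the LAN
LAN_NET=${LAN_NET:-192.168.0.0/24}   # assumed LAN range
GW_IP=${GW_IP:-192.168.0.1}          # firewall's LAN address (from the thread)
SQUID_PORT=${SQUID_PORT:-3128}
FTP_SERVER=${FTP_SERVER:-}           # assumed: set to a LAN host to publish its FTP
# Emit the commands one per line without running them, so the rule set can
# be reviewed (or tested) before it touches a live box.
build_rules() {
  cat <<EOF
modprobe ip_conntrack_ftp
echo 1 > /proc/sys/net/ipv4/ip_forward
iptables -F
iptables -X
iptables -t nat -F
iptables -t nat -X
iptables -P INPUT DROP
iptables -P FORWARD DROP
iptables -P OUTPUT ACCEPT
iptables -A INPUT -i lo -j ACCEPT
iptables -A INPUT -p tcp ! --syn -m state --state NEW -j DROP
iptables -A INPUT -i $WAN_IF -m state --state ESTABLISHED,RELATED -j ACCEPT
iptables -A INPUT -i $LAN_IF -s $LAN_NET -j ACCEPT
iptables -A FORWARD -i $LAN_IF -o $WAN_IF -s $LAN_NET -j ACCEPT
iptables -A FORWARD -i $WAN_IF -o $LAN_IF -d $LAN_NET -m state --state ESTABLISHED,RELATED -j ACCEPT
iptables -t nat -A POSTROUTING -o $WAN_IF -s $LAN_NET -j MASQUERADE
iptables -t nat -A PREROUTING -i $LAN_IF -s $LAN_NET -p tcp --dport 80 -j DNAT --to-destination $GW_IP:$SQUID_PORT
EOF
  if [ -n "$FTP_SERVER" ]; then
    # FTP on a LAN host: NAT helper rewrites PASV replies; forward only the control flow
    echo "modprobe ip_nat_ftp"
    echo "iptables -t nat -A PREROUTING -i $WAN_IF -p tcp --dport 21 -j DNAT --to-destination $FTP_SERVER:21"
    echo "iptables -A FORWARD -i $WAN_IF -o $LAN_IF -d $FTP_SERVER -p tcp --syn --dport 21 -m state --state NEW -j ACCEPT"
  else
    # FTP on the firewall itself; ip_conntrack_ftp marks data connections RELATED
    echo "iptables -A INPUT -i $WAN_IF -p tcp --syn --dport 21 -m state --state NEW -j ACCEPT"
  fi
  # Rate-limited log of drops; LOG defaults to level warning (4), and
  # dmesg -n 4 keeps level 4 and below off the text console.
  cat <<EOF
iptables -A INPUT -m limit --limit 5/min --limit-burst 10 -j LOG --log-prefix "FW-DROP: "
iptables -A INPUT -j DROP
dmesg -n 4
EOF
}
# Dry run by default; APPLY=1 feeds the commands to a (root) shell.
if [ "${APPLY:-0}" = "1" ]; then build_rules | sh; else build_rules; fi
```

Run it once without APPLY to read the generated rule set, then with APPLY=1 as root; with ip_conntrack_ftp loaded, passive and active data channels arrive as RELATED and need no extra ports opened.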
 
Old 09-08-2006, 05:28 AM   #12
jjluis
LQ Newbie
 
Registered: Sep 2006
Posts: 5

Rep: Reputation: 0
Thanks

I will do that. Now I am configuring and preparing things for the FTP. The rest of services are running ok.

Thanks
 