LinuxQuestions.org
Old 04-21-2008, 05:05 PM   #1
jordib
Member
 
Registered: Apr 2008
Distribution: Debian
Posts: 35

Rep: Reputation: 15
iptables: local proFTPd server and remote FTP servers access


Hello,

I'm setting up a public services subnetwork and I need some help with iptables. This is what I manage:

Firewall (Debian 4.0r3) with 3 NICs:

eth0 NET, interface "INET", subnet 192.168.3.0/24, connected to a DSL router pointed by a public static IP address.
eth1 DMZ, interface "IDMZ", subnet 192.168.2.0/24, only one machine
eth2 LOC, interface "ILOC", subnet 192.168.1.0/24 (XLOC)

The default policy for INPUT, OUTPUT, FORWARD chains (and PRE/POST-ROUTING) is DROP.

The firewall masquerades all that comes from the LOC and DMZ subnets going to the Internet. The module ip_conntrack_ftp is loaded. Every outbound connection from LOC works well, but FTP doesn't.

I'm having problems with a FTP server (proFTPd) serving in the DMZ.

(1) I want it to be a public server, but I'm not able to access it from the Internet, ruleset

Code:
iptables -t nat -A PREROUTING -i $INET -p tcp --dport 20 -j DNAT --to-destination $DMZ:20
iptables -t nat -A PREROUTING -i $INET -p tcp --dport 21 -j DNAT --to-destination $DMZ:21

iptables -A FORWARD -i $IDMZ -o $INET -p tcp --dport 20:21 -j ACCEPT
iptables -A FORWARD -i $INET -o $IDMZ -p tcp --sport 20:21 -j ACCEPT
the server seems to respond remotely, but I cannot log in successfully. I've configured proftpd.conf like this example (HOWTO : Create a FTP server with user access (proftpd) - Ubuntu Forums) but without aliases; syslog.log says that I must check the ServerType directive (standalone) and that it cannot bind to 0.0.0.0:21 (addr already in use).

(2) I want it to be accessible from the local network, ruleset

Code:
iptables -t nat -A PREROUTING -i $ILOC -p tcp --dport 20 -j DNAT --to-destination $DMZ:20
iptables -t nat -A PREROUTING -i $ILOC -p tcp --dport 21 -j DNAT --to-destination $DMZ:21

iptables -A FORWARD -s $XLOC -d $DMZ -p tcp -m state --state NEW,ESTABLISHED -j ACCEPT
iptables -A FORWARD -s $DMZ -d $XLOC -p tcp -m state --state ESTABLISHED,RELATED -j ACCEPT
but the firewall stops the connection.

(3) Apart from my server, I want to access remote FTP servers from the LAN, ruleset

Code:
iptables -A FORWARD -i $ILOC -o $INET -p tcp --dport 20:21 -j ACCEPT
iptables -A FORWARD -i $INET -o $ILOC -m state --state ESTABLISHED,RELATED -p tcp --sport 20:21 -j ACCEPT

iptables -A FORWARD -i $ILOC -o $INET -m state --state NEW,ESTABLISHED,RELATED -p tcp --dport 1024:65535 -j ACCEPT
iptables -A FORWARD -i $INET -o $ILOC -m state --state ESTABLISHED -p tcp --sport 1024:65535 --dport 1024:65535 -j ACCEPT
but I can only do it in passive mode; how do I enable active mode?

thanks for the help...
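An added example (not the poster's ruleset) covering the three cases above: publishing the DMZ server, reaching it from the LAN, and letting LAN clients use remote FTP servers in active mode, by accepting the control port as NEW and leaving the data connections to the kernel FTP helpers (ip_conntrack_ftp together with ip_nat_ftp, the NAT half that rewrites addresses inside PORT/PASV). Interface and address defaults follow the thread (eth0/eth1/eth2, DMZ host 192.168.2.2, firewall LAN address 192.168.1.1); the FWLOC variable and the dry-run IPT default are assumptions of this example.

```shell
#!/bin/sh
# Added example, not the poster's script. Names follow the thread: INET/IDMZ/ILOC
# are the firewall interfaces, DMZ the FTP host, XLOC the LAN, FWLOC the
# firewall's LAN address (assumed). IPT defaults to a dry run (echo) so the
# rules can be reviewed; set IPT=iptables to apply them.
IPT="${IPT:-echo iptables}"
INET="${INET:-eth0}"; IDMZ="${IDMZ:-eth1}"; ILOC="${ILOC:-eth2}"
DMZ="${DMZ:-192.168.2.2}"; XLOC="${XLOC:-192.168.1.0/24}"; FWLOC="${FWLOC:-192.168.1.1}"

# Check that both FTP helpers are loaded. ip_conntrack_ftp alone only tracks the
# control channel; ip_nat_ftp also rewrites the address inside PORT/PASV so a
# masqueraded or DNATed host does not leak its private address to the peer.
# Argument: module list text (lsmod output or /proc/modules). Returns 0 if both.
has_ftp_helpers() {
    echo "$1" | grep -Eq '^(ip_conntrack_ftp|nf_conntrack_ftp)( |$)' || return 1
    echo "$1" | grep -Eq '^(ip_nat_ftp|nf_nat_ftp)( |$)' || return 1
}

# Publish the DMZ server. The LAN-side DNAT is limited to the firewall's own LAN
# address so that LAN clients talking to FTP servers on the Internet are not
# silently redirected into the DMZ. Only the control port is opened as NEW; the
# data connections (active from server port 20, passive to a high port) arrive
# as RELATED once the helpers are loaded, so no fixed --sport/--dport pairs.
ftp_dmz_rules() {
    $IPT -t nat -A PREROUTING -i "$INET" -p tcp --dport 21 -j DNAT --to-destination "$DMZ:21"
    $IPT -t nat -A PREROUTING -i "$ILOC" -d "$FWLOC" -p tcp --dport 21 -j DNAT --to-destination "$DMZ:21"
    $IPT -A FORWARD -o "$IDMZ" -d "$DMZ" -p tcp --dport 21 -m state --state NEW -j ACCEPT
    $IPT -A FORWARD -o "$IDMZ" -d "$DMZ" -m state --state RELATED,ESTABLISHED -j ACCEPT
    $IPT -A FORWARD -i "$IDMZ" -s "$DMZ" -m state --state RELATED,ESTABLISHED -j ACCEPT
}

# LAN clients to remote FTP servers: port 21 out as NEW, everything else by state.
# An active-mode data connection (remote:20 -> client) comes back as RELATED.
lan_ftp_client_rules() {
    $IPT -A FORWARD -i "$ILOC" -o "$INET" -s "$XLOC" -p tcp --dport 21 -m state --state NEW -j ACCEPT
    $IPT -A FORWARD -i "$ILOC" -o "$INET" -s "$XLOC" -m state --state RELATED,ESTABLISHED -j ACCEPT
    $IPT -A FORWARD -i "$INET" -o "$ILOC" -d "$XLOC" -m state --state RELATED,ESTABLISHED -j ACCEPT
}

# Load the helpers before the rules (nf_conntrack_ftp / nf_nat_ftp on newer kernels):
# modprobe ip_conntrack_ftp && modprobe ip_nat_ftp
```

Run it as-is to see the generated commands, then `has_ftp_helpers "$(lsmod)"` before applying them with IPT=iptables.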
 
Old 04-26-2008, 06:07 PM   #2
jordib
Member
 
Registered: Apr 2008
Distribution: Debian
Posts: 35

Original Poster
Rep: Reputation: 15
Access to the DMZ ports http & ftp from the LAN now works well; now I must forward the ports from the external router (192.168.3.1), configuring, as it states, the "virtual servers".

The firewall (NET: 192.168.3.2, LOC: 192.168.1.1, DMZ: 192.168.2.1) is configured to forward the packets that enter the NET iface:

Code:
iptables -t nat -A PREROUTING -i $INET -p tcp --dport 80 -j DNAT --to-destination $DMZ:80
(followed by the rule forwarding the ftp service)

I've tried almost every combination. Either launching the ports 80 and 21 to the DMZ (192.168.2.2) or launching them to the NET iface of the firewall does not work from the Internet. Remotely, it seems as if there were no servers (reaching timeouts). I have a static IP.

I think the problem is in the external DSL router redirection; the monitoring software running in the firewall shows no incoming packets when I try to open a remote connection. It is a Comtrend CT-5071.

The CT-5071 also allows defining the DMZ host for redirecting the packets that do not belong to any of the protocols stated in the virtual servers list, but this option makes no difference.

What am I missing?
 
Old 05-04-2008, 02:46 PM   #3
jordib
Member
 
Registered: Apr 2008
Distribution: Debian
Posts: 35

Original Poster
Rep: Reputation: 15
New discussion:

http://www.linuxquestions.org/questi...4/#post3142503
 
  

