problem: only one way (ssh/ftp) allow between two firewall server
Linux - NetworkingThis forum is for any issue related to networks or networking.
Routing, network cards, OSI, etc. Anything is fair game.
Notices
Welcome to LinuxQuestions.org, a friendly and active Linux Community.
You are currently viewing LQ as a guest. By joining our community you will have the ability to post topics, receive our newsletter, use the advanced search, subscribe to threads and access many other special features. Registration is quick, simple and absolutely free. Join our community today!
Note that registered members see fewer ads, and ContentLink is completely disabled once you log in.
If you have any problems with the registration process or your account login, please contact us. If you need to reset your password, click here.
Having a problem logging in? Please visit this page to clear all LQ-related cookies.
Get a virtual cloud desktop with the Linux distro that you want in less than five minutes with Shells! With over 10 pre-installed distros to choose from, the worry-free installation life is here! Whether you are a digital nomad or just looking for flexibility, Shells can put your Linux machine on the device that you want to use.
Exclusive for LQ members, get up to 45% off per month. Click here for more info.
problem: only one way (ssh/ftp) allow between two firewall server
machine A --> firewall1 (fw1, SuSE 10.2, upgrade from 9.1) --> fw2 --> machine B (SuSE 9.1)
problem 1.
problem is when I ftp from A to B, I can login fine, but no further action, when I do put, it will stuck. And it only create a file on machine B, and size is zero.
ftp> put zone.txt
500 Invalid PORT Command.
150 Opening BINARY mode data connection for zone.txt
problem 2.
I can ssh from A to B with no problem, but B can't ssh to A, it says
can't not connect to B port 22, no route to host.
what could be wrong. The only thing change is OS from 9.1 to 10.2, all configuration file is the same.
My guess is you are using active FTP, which generally poses a problem when the client machine has a firewall because of the way active FTP works. Unfortunately, I am not real knowledgable about FTP and you didn't tell me what you were using for a client. But you might see if you can run it in passive mode, which is more friendly for firewalls on the client side (but not for firewalls on the server side, IIRC). Since you apparently have ssh capability, you might also consider using the program sftp instead of trying to do FTP. sftp has FTP like capabilities and similar commands, but it puts the connection through an SSH tunnel, and it shouldn't have the firewall issues that FTP does. (You must still be able get a SSH connection through the firewall(s), but it sounds like you already have that taken care of.)
Problem 2:
Quote:
can't not connect to B port 22, no route to host.
My first reaction to this was you had a problem with your routing table. But if that were true I don't think you could have successfully ssh'd A -> B. You didn't tell me whether you were doing this with a host name or an IP address, but I am wondering if you really got the right IP address for A when you tried to ssh to A.
modprobe ip_conntrack_ftp and modeprobe ip_nat_ftp,
Yeah, I forgot about those modules. FWIW, I checked the man page for ftp, and it says that passive mode is now its default. You used to select passive mode on it with -p. I don't know if that is the program you are using or not.
Quote:
Is there any idea for my problem 2? I think it is a routing issue, but everything seems to be fine.
My comment about hostname vs IP address was for problem 2. I also just looked at your diagram again. Is fw2 on machine B or is it another computer/device between A and B? If A and B are directly connected or connected via a simple hub/switch, and you are sure you are using the correct IP address for A, would you post what that address is and what the routing table on machine B is?
The only change to this structure is I upgrade fw1 from SuSE linux 9.1 to SuSE 10.2, but using the same configuration file, unless there are some different firewall rule explaination in 10.2
Assuming 143.168.3.1 is the NIC in FW2 that is connected to B, it looks like B should route everything to FW2 OK. So I think the "unable to route" must be coming from something other than B. The only thing I can suggest is to use a packet sniffer such as tcpdump or wireshark on the various boxes to find out what is happening. I would start with B to see what is actually leaving and coming back into that box.
I am not familiar with SuSE, so I am not sure how the lines in that file actually translate to firewall rules. If there are not to many, perhaps you would like to post the actual firewall rules, i.e. post the output of the following two commands for FW1.
Code:
iptables -t nat -nvL
iptables -nvL
I am also wondering about the NICs on FW1 and FW2. Each box has two NICs? Are they on different subnets? I.e. what is each address and netmask?
192.192.1.16 is machine A (sorry, I pasted wrong ip info before)
If I remove all above entries, I am okay!!!
If I only leave for port 22, if I ssh to different severs from machine B(143.168.3.11), it will go to 192.192.1.16
I don't know why any of those rules should exist in the first place! (Do you have any idea how they got there?) But I also don't know how they would prevent B from sshing to A since the DNAT in the first rule sends all ssh packets to A anyway. And with the first rule in place, I don't see how the second and third rules can have any relevance (first match wins).
So it would seem that I am thoroughly confused ... Unless you have a good reason not to, and if it makes everything work, by all means, remove all 3 rules!
LinuxQuestions.org is looking for people interested in writing
Editorials, Articles, Reviews, and more. If you'd like to contribute
content, let us know.
FWIW, I checked the man page for ftp, and it says that passive mode is now its default. You used to select passive mode on it with -p. I don't know if that is the program you are using or not.
