Accessing LOCAL FTP Server from Internal fails
Guys,
After a week of twiddling with iptables I got it to do the bloody port forwarding thing. So I can basically get to my internal www, dns, smtp, and ftp servers from the external IP address. Funny thing is this, FTP is acting up. I can FTP from a remote location and connect to my internal FTP server and successfully transfer files OK.
When I try to do this from one of my internal boxes, it connects and authenticates correctly. The moment I type ls or dir or get or any command... BOOM, the connection closes as indicated by the results I have included below. Since it fails after typing a command, I know it has to do with the data port that is being used getting dropped by the firewall. But my script already has provision for this as indicated also below... but the damn thing fails each time.
230-Welcome to FTP Site.
230-Happy FTP'ing
230 User idiot logged in.
Remote system type is Windows_NT.
ftp> dir
227 Entering Passive Mode (192,168,1,50,10,242).
426 Connection closed; transfer aborted.
ftp> bye
221 Thanks for stopping by, come again! Cheers!!!
I have read a lot on passive/active mode and FTP using ports > 1024. I just don't get why it will work OK for external connections and not allow me to transfer files if I choose to come through the external interface from one of my internal machines.
Here is a snippet of my script and also one indicating where the NATing occurs.
# FTP (20, 21) - Allowing incoming access to your local FTP server
#
if [ "$FTP_SERVER" -gt 0 ]; then
    # Incoming request (control channel on port 21)
    iptables -A INPUT -i $EXTERNAL_INTERFACE -p TCP \
        --sport $UNPRIVPORTS --dport 21 -s $MY_FTP_CLIENTS -d $EXTERNAL_IP -j ACCEPT
    iptables -A OUTPUT -o $EXTERNAL_INTERFACE -p TCP -m state --state ESTABLISHED,RELATED \
        --sport 21 --dport $UNPRIVPORTS -s $EXTERNAL_IP -d $MY_FTP_CLIENTS -j ACCEPT
    # Normal Port mode FTP data channel responses (server opens the data connection from port 20)
    iptables -A OUTPUT -o $EXTERNAL_INTERFACE -p TCP \
        --sport 20 --dport $UNPRIVPORTS -s $EXTERNAL_IP -d $MY_FTP_CLIENTS -j ACCEPT
    iptables -A INPUT -i $EXTERNAL_INTERFACE -p TCP -m state --state ESTABLISHED,RELATED \
        --sport $UNPRIVPORTS --dport 20 -s $MY_FTP_CLIENTS -d $EXTERNAL_IP -j ACCEPT
    # Passive mode FTP data channel responses (client opens the data connection to an unprivileged port)
    iptables -A INPUT -i $EXTERNAL_INTERFACE -p TCP \
        --sport $UNPRIVPORTS --dport $UNPRIVPORTS -s $MY_FTP_CLIENTS -d $EXTERNAL_IP -j ACCEPT
    iptables -A OUTPUT -o $EXTERNAL_INTERFACE -p TCP -m state --state ESTABLISHED,RELATED \
        --sport $UNPRIVPORTS --dport $UNPRIVPORTS -s $EXTERNAL_IP -d $MY_FTP_CLIENTS -j ACCEPT
    if [ "$VERBOSE" -gt 0 ]; then
        echo "firewall: Remote clients may access local FTP server"
    fi
fi
___________________________________________________________
START NAT
#
# TCP Services on selected ports.
#
# DNAT/SNAT Port Forwarding
#
# Test the same path that is read below; the original checked a relative "firewall.nat"
# but read /etc/firewall/firewall.nat, so the block could be skipped depending on $PWD.
if [ -f /etc/firewall/firewall.nat ]; then
    # each line of firewall.nat: <external port> <internal ip> <internal port>
    while read -r IP_PORT; do
        # extract the ips and port
        NAT_EXT_PORT=$(echo "$IP_PORT" | awk '{print $1}')
        NAT_INT_IP=$(echo "$IP_PORT" | awk '{print $2}')
        NAT_INT_PORT=$(echo "$IP_PORT" | awk '{print $3}')
        # write the rules!
        # this is the prerouting dnat
        iptables -t nat -A PREROUTING -p TCP -d $EXTERNAL_IP --dport $NAT_EXT_PORT -j DNAT \
            --to-destination $NAT_INT_IP:$NAT_INT_PORT
        # This allows packets from external->internal
        iptables -A FORWARD -i $EXTERNAL_INTERFACE -o $INTERNAL_INTERFACE -p tcp \
            -d $NAT_INT_IP --dport $NAT_INT_PORT -m state \
            --state NEW,ESTABLISHED,RELATED -j ACCEPT
        # This allows packets from internal->external
        iptables -A FORWARD -i $INTERNAL_INTERFACE -o $EXTERNAL_INTERFACE -p tcp \
            -s $NAT_INT_IP --sport $NAT_INT_PORT -m state \
            --state NEW,ESTABLISHED,RELATED -j ACCEPT
        # This enables access to the 'public' server from the internal network
        # (hairpin NAT: source is rewritten to the firewall so the server's replies come back through it)
        iptables -t nat -A POSTROUTING -d $NAT_INT_IP -s $INTERNAL_NETWORK \
            -p tcp --dport $NAT_INT_PORT -j SNAT --to $INTERNAL_IP
        echo "firewall: dnat: $EXTERNAL_IP:$NAT_EXT_PORT - $NAT_INT_IP:$NAT_INT_PORT"
    done < /etc/firewall/firewall.nat
    # unset some variables
    unset IP_PORT
    unset NAT_EXT_PORT
    unset NAT_INT_IP
    unset NAT_INT_PORT
fi
Any ideas will be helpful.
Thanks Guys.
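Added example, not part of the original post: the 227 reply quoted above carries the server's LAN address 192.168.1.50 and data port 10*256+242. This Python snippet parses such a reply the way an FTP client does and flags the case where the advertised address differs from the one the control connection was opened to, which is what an internal client sees when it reaches a DNATed server through the external address. The control peer 203.0.113.10 is a constructed placeholder, and the fallback policy (use the control peer's address, keep the advertised port) is the one curl applies by default since 7.74.0.

```python
import ipaddress
import re

# Passive-mode reply as quoted in the post: server advertises its LAN address.
PASV_REPLY = "227 Entering Passive Mode (192,168,1,50,10,242)."

# Constructed placeholder: the address the client actually connected to for the
# control channel (here the firewall's external IP, RFC 5737 documentation range).
CONTROL_PEER = "203.0.113.10"

# RFC 959: six comma-separated numbers h1,h2,h3,h4,p1,p2 in parentheses.
_PASV_RE = re.compile(r"^227\b.*?\((\d{1,3}(?:,\d{1,3}){5})\)")


def parse_pasv(reply: str) -> tuple:
    """Return (host, port) from a '227 Entering Passive Mode' reply."""
    m = _PASV_RE.search(reply.strip())
    if not m:
        raise ValueError(f"not a PASV 227 reply: {reply!r}")
    fields = [int(x) for x in m.group(1).split(",")]
    if any(f > 255 for f in fields):
        raise ValueError(f"field out of range in PASV reply: {reply!r}")
    h1, h2, h3, h4, p1, p2 = fields
    port = p1 * 256 + p2          # e.g. 10*256 + 242 = 2802
    if port == 0:
        raise ValueError("PASV reply advertises port 0")
    return f"{h1}.{h2}.{h3}.{h4}", port


def data_endpoint(reply: str, control_peer: str) -> tuple:
    """Decide where the data connection should be opened.

    Returns (host, port, mismatch). mismatch is True when the server advertised
    an address other than the control-connection peer, as happens behind NAT
    when the server reports its internal address. In that case the control
    peer's address is used with the advertised port.
    """
    host, port = parse_pasv(reply)
    mismatch = ipaddress.ip_address(host) != ipaddress.ip_address(control_peer)
    return (control_peer if mismatch else host), port, mismatch


if __name__ == "__main__":
    host, port, mismatch = data_endpoint(PASV_REPLY, CONTROL_PEER)
    print(f"advertised {parse_pasv(PASV_REPLY)}, connecting to {host}:{port}, "
          f"address mismatch: {mismatch}")
```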