LinuxQuestions.org
Welcome to the most active Linux Forum on the web.
Linux - Security This forum is for all security related questions.
Questions, tips, system compromises, firewalls, etc. are all included here.

Old 04-22-2002, 07:24 PM   #1
FunkFlex
Member
 
Registered: Jan 2002
Location: UK
Distribution: Redhat 7.2
Posts: 35

ftp and ftp port forwarding with IPtables??


I already have an ftpd running on ports 20/21/unprivileged on linuxbox1, which is connected directly to the internet.

However, I want to forward port 1574 to another ftpd, which is serving FTP on port 1574 on box2 within an internal LAN.

If the default FTP ports are 20/21, what ports do I forward instead of 20/21? I know I have to forward 1574, but what other port do I need to forward to make up for port 20? And the unprivileged ports?

This is my attempt so far:
#$IPT -t nat -A PREROUTING -p tcp --sport $UNPRIVPORTS --dport 1574 -i $IEXT -j DNAT --to 10.0.0.2
#$IPT -A FORWARD -p tcp -i $IEXT --sport $UNPRIVPORTS -o $IINT -d 10.0.0.2 --dport 1574 -j ACCEPT
#$IPT -t nat -A PREROUTING -p tcp --sport $UNPRIVPORTS --dport 1573 -i $IEXT -j DNAT --to 10.0.0.2
#$IPT -A FORWARD -p tcp -i $IEXT --sport $UNPRIVPORTS -o $IINT -d 10.0.0.2 --dport 1573 -j ACCEPT
#$IPT -t nat -A PREROUTING -p tcp --sport $UNPRIVPORTS --dport $UNPRIVPORTS -i $IEXT -j DNAT --to 10.0.0.2
#$IPT -A FORWARD -p tcp -i $IEXT --sport $UNPRIVPORTS -o $IINT -d 10.0.0.2 --dport $UNPRIVPORTS -j ACCEPT

The problem with this is: won't this cut out the INPUT for unprivileged ports, hence rendering the ftpd on linuxbox1 inaccessible?

Please help.
 
Old 04-23-2002, 01:37 PM   #2
unSpawn
Moderator
 
Registered: May 2001
Posts: 27,561
Blog Entries: 54

IIRC the FTP data port is always one below the control connection, like you've shown in your example. This example (as far as I can see) won't cut out $UNPRIVPORTS, as it's first-match-wins in netfilter/iptables, and this one only matches $UNPRIVPORTS ACCEPTs for this address.

/* Kinda IIRC, 'cause Raz left so we can't ask him; I still need to convert to netfilter/iptables... */
 
Old 04-23-2002, 08:41 PM   #3
FunkFlex
Member
 
Registered: Jan 2002
Location: UK
Distribution: Redhat 7.2
Posts: 35

Original Poster
So if I used 800 as the control connection, then the data transfer port will be 799.

As for unprivileged ports, even if I FORWARD unprivileged ports, it won't interfere with the INPUT unprivileged ports, because it is specifically filtering packets that have 10.0.0.2 as their destination.

Am I correct?

I think I'm beginning to understand.
 
Old 04-24-2002, 04:03 AM   #4
unSpawn
Moderator
 
Registered: May 2001
Posts: 27,561
Blog Entries: 54

Quote:
Originally posted by FunkFlex
So if I used 800 as the control connection, then the data transfer port will be 799.
AFAIK, yes.

Quote:
Originally posted by FunkFlex
As for unprivileged ports, even if I FORWARD unprivileged ports, it won't interfere with the INPUT unprivileged ports, because it is specifically filtering packets that have 10.0.0.2 as their destination.
Guess so; to me it kinda reads like: "lemme FORWARD from TCP WHERE source is UNPRIVPORTS AND destination is 10.0.0.2 1574" :-]
If unsure I always tack on logging rules for *everything* dropped and accepted, so you'll see soon enough what fails where.
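A complete rule set for the setup discussed in this thread, added here as an example; it is not code from the original poster or from unSpawn. It assumes eth0 as the Internet-facing interface and eth1 as the LAN interface (the thread's $IEXT and $IINT), 10.0.0.2:1574 as the internal server, and a 2.4-series kernel with the ip_conntrack_ftp and ip_nat_ftp helper modules, as on the Red Hat 7.2 box in the question. Instead of guessing at port 1573 and forwarding the whole unprivileged range, it tells the FTP helper about the non-standard control port: the helper then classifies the data connections as RELATED and rewrites the addresses inside the PORT/PASV exchange, which covers both active mode (server connects out from control port minus one, as unSpawn says) and passive mode (server listens on an arbitrary unprivileged port, which the "one below" rule does not cover). It touches only PREROUTING and FORWARD, so the INPUT chain and the ftpd on box1 are unaffected, and it finishes with the logging rules unSpawn recommends. By default it only prints the commands it would run; set APPLY=1 to load them.

```shell
#!/bin/sh
# Added example (not from the thread): DNAT an FTP server on a non-standard
# port through a 2.4-kernel iptables box, using the FTP connection-tracking
# helper instead of forwarding port ranges by hand. Interface names, the LAN
# host and the port are assumptions taken from the thread.
IPT=${IPT:-iptables}
MODPROBE=${MODPROBE:-modprobe}
IEXT=${IEXT:-eth0}             # assumed Internet-facing interface ($IEXT in the thread)
IINT=${IINT:-eth1}             # assumed LAN interface ($IINT in the thread)
FTP_HOST=${FTP_HOST:-10.0.0.2}
FTP_PORT=${FTP_PORT:-1574}

# Dry run unless APPLY=1: prefix every command with echo, so the rules that
# would be loaded are printed for review instead of executed.
# (When applying for real, net.ipv4.ip_forward must also be set to 1.)
if [ "${APPLY:-0}" != 1 ]; then
    IPT="echo $IPT"
    MODPROBE="echo $MODPROBE"
fi

ftp_forward_rules() {
    # Teach the helpers about the extra control port. Once ports= is given the
    # default (21) is no longer implied, so list it too for box1's own ftpd.
    $MODPROBE ip_conntrack_ftp ports=21,$FTP_PORT
    $MODPROBE ip_nat_ftp ports=21,$FTP_PORT

    # DNAT only the control connection. ip_nat_ftp rewrites the address and
    # port inside PORT/PASV, so active-mode data connections (from server
    # port 1573) and passive-mode ones (any unprivileged port) are tracked as
    # RELATED to this connection; no rule for 1573 or for the whole
    # unprivileged range is needed.
    $IPT -t nat -A PREROUTING -i $IEXT -p tcp --dport $FTP_PORT \
        -j DNAT --to-destination $FTP_HOST:$FTP_PORT

    # FORWARD: established traffic and helper-recognised (RELATED) data
    # connections in either direction; new control connections only to the
    # internal server. Nothing here touches INPUT, so box1's ftpd on 21 is
    # unaffected.
    $IPT -A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT
    $IPT -A FORWARD -i $IEXT -o $IINT -p tcp -d $FTP_HOST --dport $FTP_PORT \
        -m state --state NEW -j LOG --log-prefix "FTP NEW: "
    $IPT -A FORWARD -i $IEXT -o $IINT -p tcp -d $FTP_HOST --dport $FTP_PORT \
        -m state --state NEW -j ACCEPT

    # Log, then drop, whatever else reaches the end of FORWARD. LOG is a
    # non-terminating target, so with first-match semantics it fires and the
    # packet falls through to DROP on the next rule.
    $IPT -A FORWARD -m limit --limit 10/min -j LOG --log-prefix "FWD DROP: "
    $IPT -A FORWARD -j DROP
}

ftp_forward_rules
```

On current kernels the helpers are nf_conntrack_ftp and nf_nat_ftp, and since kernel 4.7 a helper is no longer attached to a connection just because of its port: add a raw-table rule such as `iptables -t raw -A PREROUTING -p tcp --dport 1574 -j CT --helper ftp` (and one for port 21 if box1's own ftpd is filtered statefully) so the data connections still become RELATED. If the client connects with TLS (FTPS), the helper cannot read the PORT/PASV exchange at all, and the server's passive port range then has to be forwarded explicitly.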
 
  

