LinuxQuestions.org > Linux - Security
This forum is for all security related questions. Questions, tips, system compromises, firewalls, etc. are all included here.
I'm having some difficulties configuring iptables on my main server (192.168.2.121). I want it to forward port 21 (FTP) to another machine on the network (192.168.2.130), but every attempt fails. This is my current iptables config.
Code:
*filter
:INPUT ACCEPT [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [7:1244]
:fail2ban-SSH - [0:0]
-A INPUT -p udp -m udp --dport 1723 -j ACCEPT
-A INPUT -p tcp -m tcp --dport 1723 -j ACCEPT
-A INPUT -s 192.0.0.0/8 -i ppp0 -j ACCEPT
-A INPUT -p tcp -m tcp --dport 22 -j fail2ban-SSH
-A INPUT -i lo -j ACCEPT
-A INPUT -p tcp -m tcp --dport 80 -j ACCEPT
-A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
-A INPUT -p icmp -j ACCEPT
-A INPUT -i lo -j ACCEPT
-A INPUT -p tcp -m state --state NEW -m tcp --dport 8112 -j ACCEPT
-A INPUT -p tcp -m state --state NEW -m tcp --dport 1812 -j ACCEPT
-A INPUT -p udp -m state --state NEW -m udp --dport 1812 -j ACCEPT
-A INPUT -p tcp -m state --state NEW -m tcp --dport 1900 -j ACCEPT
-A INPUT -p udp -m state --state NEW -m udp --dport 1900 -j ACCEPT
-A INPUT -p tcp -m state --state NEW -m tcp --dport 8200 -j ACCEPT
-A INPUT -p udp -m state --state NEW -m udp --dport 25 -j ACCEPT
-A INPUT -p udp -m state --state NEW -m udp --dport 80 -j ACCEPT
-A INPUT -p udp -m state --state NEW -m udp --dport 110 -j ACCEPT
-A INPUT -p tcp -m tcp --dport 548 -j ACCEPT
-A INPUT -p udp -m udp --dport 5353 -j ACCEPT
-A INPUT -p udp -m state --state NEW -m udp --dport 143 -j ACCEPT
-A INPUT -p udp -m state --state NEW -m udp --dport 443 -j ACCEPT
-A INPUT -p udp -m state --state NEW -m udp --dport 587 -j ACCEPT
-A INPUT -p udp -m state --state NEW -m udp --dport 465 -j ACCEPT
-A INPUT -p udp -m state --state NEW -m udp --dport 993 -j ACCEPT
-A INPUT -p udp -m state --state NEW -m udp --dport 995 -j ACCEPT
-A INPUT -p udp -m state --state NEW -m udp --dport 3306 -j ACCEPT
-A INPUT -p udp -m state --state NEW -m udp --dport 25565 -j ACCEPT
-A INPUT -p udp -m state --state NEW -m udp --dport 30212 -j ACCEPT
-A INPUT -p tcp -m state --state NEW -m tcp --dport 22 -j ACCEPT
-A INPUT -p tcp -m state --state NEW -m tcp --dport 25 -j ACCEPT
-A INPUT -p tcp -m state --state NEW -m tcp --dport 80 -j ACCEPT
-A INPUT -p tcp -m state --state NEW -m tcp --dport 110 -j ACCEPT
-A INPUT -p tcp -m state --state NEW -m tcp --dport 137 -j ACCEPT
-A INPUT -p tcp -m state --state NEW -m tcp --dport 138 -j ACCEPT
-A INPUT -p tcp -m state --state NEW -m tcp --dport 139 -j ACCEPT
-A INPUT -p tcp -m state --state NEW -m tcp --dport 143 -j ACCEPT
-A INPUT -p tcp -m state --state NEW -m tcp --dport 443 -j ACCEPT
-A INPUT -p tcp -m state --state NEW -m tcp --dport 587 -j ACCEPT
-A INPUT -p tcp -m state --state NEW -m tcp --dport 465 -j ACCEPT
-A INPUT -p tcp -m state --state NEW -m tcp --dport 993 -j ACCEPT
-A INPUT -p tcp -m state --state NEW -m tcp --dport 995 -j ACCEPT
-A INPUT -p tcp -m state --state NEW -m tcp --dport 3306 -j ACCEPT
-A INPUT -p tcp -m state --state NEW -m tcp --dport 25565 -j ACCEPT
-A INPUT -p tcp -m state --state NEW -m tcp --dport 30212 -j ACCEPT
-A INPUT -j REJECT --reject-with icmp-host-prohibited
-A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
-A INPUT -p tcp -m tcp --dport 62000:63000 -j ACCEPT
-A INPUT -i eth0 -p tcp -m tcp --dport 3306 -j ACCEPT
-A INPUT -i bond0 -p tcp -m tcp --dport 21 -m state --state NEW,ESTABLISHED -j ACCEPT
-A FORWARD -j REJECT --reject-with icmp-host-prohibited
-A FORWARD -i bond0 -j ACCEPT
-A FORWARD -d 192.168.2.130/32 -p tcp -m tcp --dport 21 -m state --state NEW,RELATED,ESTABLISHED -j ACCEPT
-A OUTPUT -p udp -m udp --dport 5353 -j ACCEPT
-A OUTPUT -o bond0 -p tcp -m tcp --sport 21 -m state --state ESTABLISHED -j ACCEPT
-A fail2ban-SSH -s 222.161.209.92/32 -j REJECT --reject-with icmp-port-unreachable
-A fail2ban-SSH -s 94.21.192.222/32 -j REJECT --reject-with icmp-port-unreachable
-A fail2ban-SSH -j RETURN
COMMIT
*nat
:PREROUTING ACCEPT [3:5643]
:POSTROUTING ACCEPT [3:575]
:OUTPUT ACCEPT [4:897]
-A PREROUTING -p tcp -m tcp --dport 21 -j DNAT --to-destination 192.168.2.130:21
-A PREROUTING -d 192.168.2.121/32 -p tcp -m tcp --dport 21 -j DNAT --to-destination 192.168.2.130:21
-A POSTROUTING -o bond0 -j MASQUERADE
-A POSTROUTING -o ppp0 -j MASQUERADE
-A POSTROUTING -d 192.168.2.130/32 -p tcp -m tcp --dport 21 -j SNAT --to-source 192.168.2.130
COMMIT
It works when I telnet to 192.168.2.130 on port 21, but it doesn't when I telnet to 192.168.2.121 on port 21 (Connection refused).
Somewhat unrelated: I'd suggest you group your iptables rules by protocol to make them more readable. For instance, mail-related (25, 110, 143, 993, etc.):
Code:
-A INPUT -m conntrack --ctstate NEW -m tcp -p tcp -m multiport --dports 25,80,110,143 -j ACCEPT
(or just use -m state instead of conntrack and then -m multiport)
I think the second line is unnecessary, isn't it? If all packets with destination port 21, regardless of the destination IP, are going to be forwarded to .130:21, then what's the use of the second rule? It only says that packets with destination 192.168.2.121:21 will be forwarded to .130:21, but this is already covered by the first rule, isn't it?
I don't think it makes much sense (someone more knowledgeable correct me if I'm wrong). You're saying that packets that have a destination of .130:21 should have their source IP changed to the same IP as the destination.
To simply forward FTP traffic, just use DNAT (PREROUTING).
I think the main problem is that traffic going into your server is not forwarded because of this rule:
Quote:
-A FORWARD -j REJECT --reject-with icmp-host-prohibited
You should move it to the end of the FORWARD chain; otherwise all traffic that you want to forward is dropped before the other rules in the FORWARD chain are reached.
Code:
-A INPUT -m conntrack --ctstate NEW -m tcp -p tcp -m multiport --dports 25,110,etc. -j ACCEPT
OR:
Code:
-A INPUT -p tcp -m multiport --dports 25,110,etc. -m state --state NEW -j ACCEPT
You could go for the second one, to be consistent with the other rules. The thing is, -m state is becoming deprecated (it's already obsolete on kernel 3.6), but I don't think you should be worried about that.
One more thing: neither POP, nor IMAP, nor SMTP uses UDP, so I'd delete the UDP rules that accept mail traffic. At least try it that way and see if your email works (there shouldn't be any problems at all) and then save it if it's fine. Otherwise, leaving UDP ports open unnecessarily is a security vulnerability.
You should also change that POSTROUTING rule I was talking to you about. Did you do anything about it? What are you actually trying to achieve with this rule?
Code:
-A POSTROUTING -d 192.168.2.130/32 -p tcp -m tcp --dport 21 -j SNAT --to-source 192.168.2.130
As I've already said, it doesn't seem to make much sense to me, because you're sending a packet with the same source and destination IP.
So delete it and show me your NAT (POSTROUTING and PREROUTING) rules, and let's see if I'm able to offer you any more useful advice.
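The replies above point at two things by eye: the unconditional REJECT that sits first in the FORWARD chain, and the SNAT rule whose --to-source is the same address as its -d. Both are mechanical to detect. The script below is an added example, not code from anyone in this thread; it parses iptables-save text, lists every rule that is shadowed by an unconditional ACCEPT/DROP/REJECT/RETURN earlier in its chain, flags the self-referential SNAT, flags the UDP ACCEPTs on mail ports that only ever use TCP, and emits a reordered ruleset with those terminating rules moved to the end of their chains, which is the change recommended above. The function names are mine, and SAMPLE is a constructed, abridged copy of the posted ruleset. Run against the full ruleset posted above, the same logic also shows that the INPUT chain's `-A INPUT -j REJECT --reject-with icmp-host-prohibited` shadows the four INPUT rules that follow it, including the bond0 port 21 ACCEPT, and that the FORWARD REJECT shadows both FORWARD ACCEPTs.

```python
"""Lint an iptables-save dump for shadowed rules, self-referential SNAT and UDP rules on TCP-only mail ports.
Added example for this thread, not code from the posts; SAMPLE is a constructed, abridged copy of the posted ruleset."""
import shlex
from dataclasses import dataclass

TERMINATING = {"ACCEPT", "DROP", "REJECT", "RETURN"}                    # targets that end evaluation of the chain
TCP_ONLY_MAIL_PORTS = {"25", "110", "143", "465", "587", "993", "995"}  # SMTP/POP3/IMAP and their TLS ports

SAMPLE = """\
*filter
:INPUT ACCEPT [0:0]
:FORWARD ACCEPT [0:0]
-A INPUT -p udp -m state --state NEW -m udp --dport 25 -j ACCEPT
-A INPUT -p udp -m state --state NEW -m udp --dport 143 -j ACCEPT
-A INPUT -j REJECT --reject-with icmp-host-prohibited
-A INPUT -i bond0 -p tcp -m tcp --dport 21 -m state --state NEW,ESTABLISHED -j ACCEPT
-A FORWARD -j REJECT --reject-with icmp-host-prohibited
-A FORWARD -i bond0 -j ACCEPT
-A FORWARD -d 192.168.2.130/32 -p tcp -m tcp --dport 21 -m state --state NEW,RELATED,ESTABLISHED -j ACCEPT
COMMIT
*nat
:PREROUTING ACCEPT [0:0]
:POSTROUTING ACCEPT [0:0]
-A PREROUTING -p tcp -m tcp --dport 21 -j DNAT --to-destination 192.168.2.130:21
-A POSTROUTING -o bond0 -j MASQUERADE
-A POSTROUTING -d 192.168.2.130/32 -p tcp -m tcp --dport 21 -j SNAT --to-source 192.168.2.130
COMMIT
"""


@dataclass
class Rule:
    chain: str
    tokens: list   # everything after "-A CHAIN"
    line: str      # original text, re-emitted verbatim by the fixer

    def option(self, flag):  # value following a single-argument flag such as -j, -d or --to-source
        return self.tokens[self.tokens.index(flag) + 1] if flag in self.tokens else None

    def matches(self):  # tokens before -j; an empty list means the rule fires for every packet
        return self.tokens[: self.tokens.index("-j")] if "-j" in self.tokens else self.tokens

    def is_unconditional_terminator(self):
        return not self.matches() and self.option("-j") in TERMINATING


def parse(dump):
    """table -> {"chains": [":CHAIN POLICY [pkts:bytes]", ...], "rules": [Rule, ...]}; COMMIT lines are implied."""
    tables, table = {}, None
    for line in (ln.strip() for ln in dump.splitlines()):
        if line.startswith("*"):
            table = line[1:]
            tables[table] = {"chains": [], "rules": []}
        elif line.startswith(":"):
            tables[table]["chains"].append(line)
        elif line.startswith("-A "):
            toks = shlex.split(line)
            tables[table]["rules"].append(Rule(toks[1], toks[2:], line))
    return tables


def find_unreachable(tables):
    """(rule, blocker) pairs: rule comes after an unconditional terminating rule in the same chain."""
    found = []
    for t in tables.values():
        blocker = {}
        for r in t["rules"]:
            if r.chain in blocker:
                found.append((r, blocker[r.chain]))
            elif r.is_unconditional_terminator():
                blocker[r.chain] = r
    return found


def find_self_snat(tables):
    """SNAT whose --to-source equals the rule's own -d, i.e. the source is rewritten to the server being sent to."""
    return [r for r in tables.get("nat", {"rules": []})["rules"] if r.option("-j") == "SNAT"
            and r.option("-d") and r.option("-d").split("/")[0] == r.option("--to-source")]


def find_udp_mail(tables):
    """ACCEPT rules for UDP on ports that SMTP/POP3/IMAP only ever use over TCP."""
    return [r for r in tables.get("filter", {"rules": []})["rules"] if r.option("-p") == "udp"
            and r.option("-j") == "ACCEPT" and r.option("--dport") in TCP_ONLY_MAIL_PORTS]


def move_terminators_last(tables):
    """iptables-restore text with every unconditional ACCEPT/DROP/REJECT/RETURN moved to the end of its chain."""
    out = []
    for name, t in tables.items():
        out += [f"*{name}"] + t["chains"]
        chains = [c.split()[0][1:] for c in t["chains"]]
        chains += sorted({r.chain for r in t["rules"]} - set(chains))   # rules for undeclared chains, if any
        for chain in chains:
            rules = [r for r in t["rules"] if r.chain == chain]
            out += [r.line for r in rules if not r.is_unconditional_terminator()]
            out += [r.line for r in rules if r.is_unconditional_terminator()]
        out.append("COMMIT")
    return "\n".join(out) + "\n"
```

Feed it the output of `iptables-save` (`parse(open("rules.txt").read())`) and inspect the four results; `move_terminators_last` returns text that `iptables-restore` accepts, with the chain policies and packet counters preserved. Two caveats from the posted rules that the linter does not catch: the `-o bond0 -j MASQUERADE` rule precedes the SNAT rule in POSTROUTING, so the SNAT is never reached for anything leaving via bond0 anyway, and forwarding needs `net.ipv4.ip_forward=1` or DNATed packets are silently discarded regardless of the FORWARD chain. FTP also opens a separate TCP connection for each data transfer, so forwarding port 21 alone is not enough: active mode needs the nf_conntrack_ftp/nf_nat_ftp helpers loaded on the forwarding host, and passive mode needs the server's PASV port range forwarded as well.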