LinuxQuestions.org
Linux - Security: This forum is for all security related questions. Questions, tips, system compromises, firewalls, etc. are all included here.

Old 05-31-2004, 10:05 AM   #1
hendrixx
Member
 
Registered: Aug 2003
Location: Netherlands
Distribution: SuSE 10 Pro
Posts: 43

Rep: Reputation: 15
Outside FTP port 21 redirect to different port inside LAN???


Hi all,

I have a little problem with my FTP server (PureFTPD) and my firewall.
I have set up an FTP server on my RedHat 9 Linux box. I have set up PureFTPD to use port 40 instead of the standard port 21 for security reasons.
I am using a DENY ALL firewall (iptables).
What I want to do is, when someone wants to connect to my FTP server from
the internet, redirect the default port 21 to my internal LAN port 40.

My RedHat box is set up as a router/firewall and the FTP server is running on the
same RedHat box. I have tried the following rules in my firewall:

Code:
# ///// FTP ACCESS //////
$IPTABLES -t nat -A PREROUTING -i $INSIDE -d $INET_IP -p tcp --dport 21 -j DNAT --to $PRIVIP:40
$IPTABLES -A INPUT -i $OUTSIDE -p tcp --dport 21 -m limit --limit 15/minute -j LOG --log-prefix FTPflags:
$IPTABLES -A INPUT -i $OUTSIDE -s 0/0 -d $INET_IP -p tcp --dport 21 -j ACCEPT

$OUTSIDE = my NIC with ADSL connection (internet)
$INSIDE = my other NIC for the LAN
$INET_IP = my IP address for internet
$PRIVIP = my RedHat LAN address (192.168.10.2)

If I try to connect to my FTP server from within my LAN (with CuteFTP, port 21, from a WinXP Pro machine) I can connect without any problems.
But if I try to connect from my work I cannot connect. It seems to connect to
my IP address on port 21 fine but then nothing happens and I cannot get in.

Any ideas?

Last edited by hendrixx; 05-31-2004 at 10:08 AM.
 
Old 06-01-2004, 12:52 AM   #2
chrisfirestar
Member
 
Registered: Sep 2003
Location: Adelaide, Australia
Distribution: Fedora/RH
Posts: 231

Rep: Reputation: 30
Remember to allow the FTP access OUT on port 40...

Maybe that's your problem... not sure if you have set OUTPUT DROP also.
 
Old 06-01-2004, 02:50 PM   #3
hendrixx
Member
 
Registered: Aug 2003
Location: Netherlands
Distribution: SuSE 10 Pro
Posts: 43

Original Poster
Rep: Reputation: 15
That's a good one!
I hope that's it... I will try tomorrow from my work.

Thanks for the suggestion!
 
Old 06-03-2004, 07:43 PM   #4
hendrixx
Member
 
Registered: Aug 2003
Location: Netherlands
Distribution: SuSE 10 Pro
Posts: 43

Original Poster
Rep: Reputation: 15
Hi Chris,

I tried to open port 40 (OUTPUT) on both the LAN side and the internet side
but it still doesn't work.

I added the following rules in my firewall:

Code:
$IPTABLES -A OUTPUT -o $INSIDE -p tcp --dport 40 -j ACCEPT
$IPTABLES -A OUTPUT -o $OUTSIDE -p tcp --dport 40 -j ACCEPT

So my complete set of rules for FTP:

Code:
# ///// FTP ACCESS //////
$IPTABLES -t nat -A PREROUTING -i $INSIDE -d $INET_IP -p tcp --dport 21 -j DNAT --to $PRIVIP:40
$IPTABLES -A INPUT -i $OUTSIDE -p tcp --dport 21 -m limit --limit 15/minute -j LOG --log-prefix FTPflags:
$IPTABLES -A INPUT -i $OUTSIDE -s 0/0 -d $INET_IP -p tcp --dport 21 -j ACCEPT
$IPTABLES -A OUTPUT -o $INSIDE -p tcp --dport 40 -j ACCEPT
$IPTABLES -A OUTPUT -o $OUTSIDE -p tcp --dport 40 -j ACCEPT

Do you have any other suggestions?
I am a little stuck here...

Cheers!
 
Old 06-03-2004, 08:56 PM   #5
jspenguin
Member
 
Registered: Feb 2003
Location: Wichita, KS
Distribution: Heavily modified Redhat
Posts: 194

Rep: Reputation: 30
The FTP protocol is very hairy in that it requires 2 connections: the control connection and the data connection. The control connection always connects on port 21 (or whatever you set your server to listen on), while the data connection is dynamically negotiated using the control connection. The client sends the PASV command, and the server responds with something like this:

227 Entering PASV mode (10,0,0,1,4,1)

This tells the client to connect to address 10.0.0.1 on port 1025 (4 * 2^8 + 1), and your router doesn't know to forward this port.

One alternative that might work is to assign a range of ports to be forwarded to your machine, and tell your FTP server to listen on these ports when a PASV command is issued. Read the man page on your FTP server to see if you can do this.
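
A client-side view of the exchange described above, as an added example that is not part of the original reply: decode the 227 response the way an FTP client does, then check whether the advertised endpoint is one a firewall in front of the server will actually let through. RFC 959 spells the reply "227 Entering Passive Mode (h1,h2,h3,h4,p1,p2)", and the decoder below keys only on the "227" code and the parenthesised tuple, so either wording parses. The sample replies are constructed; the function names, the public address 203.0.113.5 (a documentation address) and the passive range 40000-40100 are assumptions standing in for whatever the firewall forwards.

```shell
#!/bin/sh
# Added example (not from the thread): decode an FTP 227 reply and check
# whether a client on the Internet could reach the endpoint it advertises.
# Sample replies are constructed; the "public" address and the port range
# are assumptions, not values from the original posts.

# pasv_endpoint REPLY  ->  prints "host port", returns 1 on a malformed reply
#   "227 Entering Passive Mode (10,0,0,1,4,1)"  ->  "10.0.0.1 1025"
# RFC 959 encodes the endpoint as h1,h2,h3,h4,p1,p2 with port = p1*256 + p2.
pasv_endpoint() {
    tuple=$(printf '%s\n' "$1" |
        sed -n 's/^227 .*(\([0-9,]*\)).*$/\1/p')
    [ -n "$tuple" ] || return 1
    # split the comma-separated list into positional parameters $1..$6
    set -- $(printf '%s\n' "$tuple" | tr ',' ' ')
    [ $# -eq 6 ] || return 1
    for n in "$@"; do
        # every field is one octet; anything else is a malformed reply
        [ "$n" -ge 0 ] && [ "$n" -le 255 ] || return 1
    done
    printf '%s.%s.%s.%s %d\n' "$1" "$2" "$3" "$4" $(( $5 * 256 + $6 ))
}

# pasv_reachable REPLY PUBLIC_IP FIRST_PORT LAST_PORT
# Returns 0 when a remote client can follow the reply: the host must be the
# firewall's public address (not a LAN address leaking through) and the port
# must fall inside the range the firewall forwards or accepts.
pasv_reachable() {
    ep=$(pasv_endpoint "$1") || return 1
    host=${ep% *}
    port=${ep#* }
    [ "$host" = "$2" ] || return 1
    [ "$port" -ge "$3" ] && [ "$port" -le "$4" ]
}

# Constructed replies. The first is what a correctly configured server on
# 203.0.113.5 with passive range 40000-40100 sends (156*256+64 = 40000).
pasv_reachable "227 Entering Passive Mode (203,0,113,5,156,64)" 203.0.113.5 40000 40100 \
    && echo "ok: 203.0.113.5:40000 is inside the forwarded range"
# A LAN address leaked into the reply: the remote client would try 192.168.10.2.
pasv_reachable "227 Entering Passive Mode (192,168,10,2,156,64)" 203.0.113.5 40000 40100 \
    || echo "fail: private address advertised"
# Right address, but the dynamically chosen port 1025 is not forwarded.
pasv_reachable "227 Entering Passive Mode (203,0,113,5,4,1)" 203.0.113.5 40000 40100 \
    || echo "fail: port 1025 is outside the forwarded range"
```

The second and third failures are the two ways the situation in the reply above shows up in practice: the server advertises an address the client cannot route to, or a port the firewall has no rule for. Pinning the range on the server (pure-ftpd takes `-p first:last` for this) turns the second case into something a static accept rule can cover.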
 
Old 06-05-2004, 06:42 PM   #6
hendrixx
Member
 
Registered: Aug 2003
Location: Netherlands
Distribution: SuSE 10 Pro
Posts: 43

Original Poster
Rep: Reputation: 15
Hi,

Thanks for the explanation, now I do understand a little more about the FTP protocol (I hope).
I have set the control connection back to port 21 (standard) on the FTP server and that works fine.
I asked a friend of mine to connect to my FTP server and that worked fine.
He could download and upload files without any problems.
However, I would very much like to change my control connection to a different port.
Somehow the FTP server then stops working correctly.

I haven't tried to tell my FTP server to listen on a range of ports because I could not find
out how so far. I will try to take a closer look at this.

I changed my firewall rules for the FTP protocol like this:

Code:
/sbin/modprobe ip_nat_ftp
/sbin/modprobe ip_conntrack_ftp

# ///// FTP ACCESS //////
$IPTABLES -t nat -A PREROUTING -i $INSIDE -d $INET_IP -p tcp --dport 21 -j DNAT --to $PRIVIP
$IPTABLES -A INPUT -i $OUTSIDE -p tcp --dport 21 -m limit --limit 15/minute -j LOG --log-prefix FTPflags:
$IPTABLES -A INPUT -i $OUTSIDE -s 0/0 -d $INET_IP -p tcp --dport 21 -j ACCEPT
$IPTABLES -A INPUT -i $INSIDE -s $INET_IP -d $PRIVIP -p tcp --dport 21 -j ACCEPT

$OUTSIDE = my NIC with ADSL connection (internet)
$INSIDE = my other NIC for the LAN
$INET_IP = my IP address for internet
$PRIVIP = my RedHat LAN address (192.168.10.2)

I don't understand why it works if I keep the control connection on port 21,
but as soon as I change this to another port and change my firewall rules too
it doesn't work anymore.
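
The rulesets posted in this thread (posts #1, #4 and #6) make the answer to that last question visible, so here is the FTP section of such a firewall script as I would write it. This is an added example, not code from the thread or from pure-ftpd: the interface name ppp0, the public address 203.0.113.5 (a documentation address) and the passive range 40000-40100 are assumptions; 192.168.10.2 and port 40 come from the posts. Two things in the posted rules keep the port-40 setup from working. First, the PREROUTING DNAT rule is matched with -i $INSIDE, so a packet arriving on the ADSL interface never reaches it; a LAN client connecting to $INET_IP does arrive on $INSIDE, which fits the LAN test succeeding and the test from work failing. Second, nat/PREROUTING runs before the filter table, so once a DNAT to port 40 does fire, INPUT sees destination port 40 and the INPUT ACCEPT for port 21 no longer matches. With the daemon back on port 21 nothing needs translating, which is why that configuration works. The example substitutes REDIRECT for DNAT --to $PRIVIP:40 so the control socket stays bound to the public address and pure-ftpd advertises that address in its 227 replies, and it passes ports= to ip_conntrack_ftp, which otherwise only inspects port 21.

```shell
#!/bin/sh
# Added example, not from the thread: the FTP section of a DENY-ALL iptables
# script for a box that is both the router and the pure-ftpd host, where the
# daemon listens on 40 but Internet clients still connect to 21.
# Interface name, public address (203.0.113.5, a documentation address) and
# passive range are assumptions; 192.168.10.2 and port 40 are from the thread.
# Set IPTABLES=echo MODPROBE=echo to print the commands instead of running them.

IPTABLES=${IPTABLES:-/sbin/iptables}
MODPROBE=${MODPROBE:-/sbin/modprobe}
OUTSIDE=${OUTSIDE:-ppp0}          # ADSL interface
INET_IP=${INET_IP:-203.0.113.5}   # public address on $OUTSIDE
PUBLIC_PORT=${PUBLIC_PORT:-21}    # port Internet clients connect to
LOCAL_PORT=${LOCAL_PORT:-40}      # port pure-ftpd actually listens on
PASV_FIRST=${PASV_FIRST:-40000}   # pure-ftpd -p 40000:40100
PASV_LAST=${PASV_LAST:-40100}

ftp_rules() {
    # The FTP conntrack helper watches PORT/PASV on the control channel and
    # lets the data connection in as RELATED. It only inspects port 21 unless
    # told otherwise, so list both the public and the translated port.
    $MODPROBE ip_conntrack_ftp ports="$PUBLIC_PORT,$LOCAL_PORT"
    $MODPROBE ip_nat_ftp

    # 1. Port translation, matched on the Internet interface. REDIRECT keeps
    #    the destination on this box's own address, so the control socket is
    #    bound to $INET_IP and that is what pure-ftpd puts in 227 replies.
    $IPTABLES -t nat -A PREROUTING -i "$OUTSIDE" -d "$INET_IP" -p tcp \
        --dport "$PUBLIC_PORT" -j REDIRECT --to-ports "$LOCAL_PORT"

    # 2. Control connection. The filter table runs after nat/PREROUTING, so
    #    INPUT must match the translated port, not the public one.
    $IPTABLES -A INPUT -i "$OUTSIDE" -d "$INET_IP" -p tcp --dport "$LOCAL_PORT" \
        -m state --state NEW -m limit --limit 15/minute \
        -j LOG --log-prefix "FTPflags: "
    $IPTABLES -A INPUT -i "$OUTSIDE" -d "$INET_IP" -p tcp --dport "$LOCAL_PORT" \
        -m state --state NEW -j ACCEPT

    # 3. Replies plus data connections the helper recognised (RELATED), and
    #    the fixed passive range as a fallback if the helper missed them.
    $IPTABLES -A INPUT -i "$OUTSIDE" -d "$INET_IP" -p tcp \
        -m state --state ESTABLISHED,RELATED -j ACCEPT
    $IPTABLES -A INPUT -i "$OUTSIDE" -d "$INET_IP" -p tcp \
        --dport "$PASV_FIRST:$PASV_LAST" -m state --state NEW -j ACCEPT

    # 4. Outbound side of the same connections, including active-mode data
    #    connections the server opens itself (RELATED via the helper). Needed
    #    when the OUTPUT policy is DROP.
    $IPTABLES -A OUTPUT -o "$OUTSIDE" -s "$INET_IP" -p tcp \
        -m state --state ESTABLISHED,RELATED -j ACCEPT
}

# Usage: sh ftp-rules.sh dry-run   (print the commands)
#        sh ftp-rules.sh apply     (run them, as root)
case "${1:-}" in
    apply)   ftp_rules ;;
    dry-run) IPTABLES=echo MODPROBE=echo ftp_rules ;;
esac
```

Start the daemon so it matches the rules: `pure-ftpd -S ,40 -p 40000:40100 -P 203.0.113.5` binds port 40, pins the passive range and forces the advertised passive address. One caveat on the motivation in post #1: Internet clients still connect to port 21, so moving the daemon to 40 behind a redirect changes nothing about what a scanner sees; in this layout the non-standard port buys no obscurity at all.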
 