Shorewall and Internal FTP Server Problem

jonwatson · 12-16-2006, 01:44 PM

Hello All,

I'm not too keen on posting an application question here, but I've attempted to get help via the Shorewall mailing list to no avail. Also, since Shorewall is really just a GUI for iptables, I feel kind of justified

I know that this should be a trivial issue, but I'm stuck. I'm totally new to Shorewall and although I've read all about the zones, they're still a bit confusing for me.

What I'm attempting to do is run an FTP server on an internal machine. I've read the example guide and troubleshooting guide, but I can't figure it out.

My setup:

'net' zone is on an extrenal NIC with a routable IP. I can connect to other services on the box from the inside and outside so network connectivity is good.

My FTP server is running on 10.0.50.10 inside.

LAN clients can connect to the FTP server therefore the FTP server itself is set up correctly.

When I run 'shorewall clear', I can connect to the FTP server from the outside so it seems to be a Shorewall configuration issue for sure.

My Rules:

I feel pretty confident that I fall into example #3 of the Shorewall FTP guide:

Quote:

Example 3. Server running behind a Masquerading Gateway
Suppose that you run an FTP server on 192.168.1.5 in your local zone using the standard port (21). You need this rule:
#ACTION SOURCE DESTINATION PROTO PORT(S) SOURCE ORIGINAL
# PORT(S) DESTINATION
FTP/DNAT net loc:192.168.1.5

However, after changing the IP to 10.0.50.10, no go.

A typical log entry when trying to connect looks like this:

Quote:

Dec 15 10:36:29 munged kernel: Shorewall:net2all: DROP:IN=eth0 OUT= MAC=00:11:95:c5:29:43:00:90:1a:40:df:45:08:00 SRC=209.5.161.208 DST=10.0.50.10 LEN=60 TOS=0x00 PREC=0x00 TTL=57 ID=52574 DF PROTO=TCP SPT=34883 DPT=21 WINDOW=5840 RES=0x00 SYN URGP=0

From this I can see that it is the net2all policy that's dropping the packet. That seems to indicate that my FTP/DNAT rule isn't firing when incoming TCP packets hit the external NIC on port 21. I'm pretty sure this will boil down to me not understanding the zones as well as I should, but I'm kind of confused why a very straightforward cut and paste example from the Shorewall guide doesn't work.

Links, tips, everything appreciated.

Thanks!

Jon

tellef · 12-22-2006, 01:55 PM

From your log s it appears that you have done it right when it comes to forwarding packets to the proper internal address.
However, this is not enough. You must also allow traffic from the same net to sour ftp box like this on the line following your fwd-rule:

FTP/DNAT net loc:192.168.1.5
FTP/ACCEPT net loc:192.168.1.5

Change IP`s as appropriate of course.

jonwatson · 12-22-2006, 03:33 PM

You're right. I should have come back and updated this post. I did indeed need the FTP/ACCEPT rule. I was wrong in thinking that I fell into example #3 as I do not need the DNAT rule.

Thanks!