Portforward from frontend machine to backend machine
Hi!
I have one machine with a public IP and a test server (IP 10.10.6.4) on my network. To this test server I need FTP connections from outside my LAN on port 8121 (Zope FTP instance). Both machines run Debian etch. I don't care about what software to use, as long as it is open source. My research leads to iptables, but any suggestions of others are welcome. When opening an FTP connection on the local machine everything works perfectly! I tried to configure iptables but FTP hangs after a successful connection. I used the following commands (remark: SERVER is an alias):
Code:
# iptables -A FORWARD -i eth3 -p tcp --dport 8121 -d 10.10.6.4 -j ACCEPT
Code:
# ftp SERVER 21
Does the FTP protocol use a port range or anything else than just the currently chosen 8121??? Does anyone have a suggestion for a solution? Best regards and thanks! Dacz
There are two modes of FTP connections:
active - the client opens the control connection on port 21 to the server and then (after authentication and so on) the server opens a second connection in the opposite direction on a random high port specified by the client at connection initialization time;
passive - the client opens both the control and the data connection; the control connection is on port 21 and the data connection on a random port (the server tells the client the port when the connection is initiated; port range same as above).
For FTP to work in either mode with iptables you need to load an additional module that tracks FTP connections and opens additional data forwarding channels as needed.
Code:
# loading iptables and connection tracking
Just use passive mode
Try using PASV (passive) rather than active FTP. At the ftp prompt type "passive on".
For more info see: http://www.slacksite.com/other/ftp.html
Ok, now I'm back to this subject and after reading the book
"LINUX FIREWALLS Attack Detection and Response with iptables, psad, and fwsnort" everything makes much more sense now :) I have made a script and am now running FTP in passive mode most of the time. porzech, you have a good memory because what you wrote was almost correct! The script iptables.sh:
Code:
#!/bin/sh
-== Dacz ==-
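Neither porzech's "loading iptables and connection tracking" snippet nor Dacz's iptables.sh survived on the page, so the script below is an added example and not either poster's code. It shows what a frontend-to-backend FTP forward for this thread's setup looks like: the FTP connection-tracking helper told about the non-standard port, DNAT for the control connection, and FORWARD rules that let the RELATED data connection through. It assumes the interface eth3, the backend 10.10.6.4 and port 8121 from the first post, and the module names nf_conntrack_ftp / nf_nat_ftp of current kernels (on Debian etch's 2.6.18 kernel the equivalents are ip_conntrack_ftp / ip_nat_ftp, which take the same ports= parameter). By default it only prints the commands for review; set APPLY=1 to execute them as root.

```sh
#!/bin/sh
# Added example (not from the thread): iptables rules to forward an FTP
# service listening on a non-standard port (Zope FTP on 8121 at 10.10.6.4)
# from a frontend host that owns the public address. Interface, backend
# address and port are assumptions taken from the first post.

ftp_forward_rules() {
    wan_if=$1     # interface carrying the public address, e.g. eth3
    backend=$2    # backend FTP server, e.g. 10.10.6.4
    port=$3       # control port the backend listens on, e.g. 8121

    # 1. Load the FTP conntrack and NAT helpers and tell them which control
    #    port to inspect. Without "ports=" the helper only watches port 21,
    #    so the data connection negotiated by PORT/PASV is never marked
    #    RELATED and the transfer hangs right after login, which is the
    #    symptom in the first post. nf_nat_ftp additionally rewrites the
    #    private address the backend puts in its PASV reply.
    #    (Debian etch, kernel 2.6.18: ip_conntrack_ftp / ip_nat_ftp instead.)
    echo "modprobe nf_conntrack_ftp ports=$port"
    echo "modprobe nf_nat_ftp"

    # 2. The frontend must route between its interfaces.
    echo "sysctl -w net.ipv4.ip_forward=1"

    # 3. Send inbound control connections for $port to the backend.
    echo "iptables -t nat -A PREROUTING -i $wan_if -p tcp --dport $port -j DNAT --to-destination $backend:$port"

    # 4. Accept the new control connection, then anything conntrack marks as
    #    ESTABLISHED (replies) or RELATED (the data connection the helper
    #    expected), in either direction. Only $port to $backend is opened;
    #    no other inbound traffic is forwarded.
    echo "iptables -A FORWARD -i $wan_if -p tcp -d $backend --dport $port -m state --state NEW -j ACCEPT"
    echo "iptables -A FORWARD -m state --state RELATED,ESTABLISHED -j ACCEPT"

    # 5. Connections the backend opens itself (active-mode data connections)
    #    leave with the frontend's public address.
    echo "iptables -t nat -A POSTROUTING -o $wan_if -j MASQUERADE"
}

# Print the rule set, or run it when APPLY=1 is set in the environment.
ftp_forward_rules eth3 10.10.6.4 8121 | if [ "${APPLY:-0}" = 1 ]; then sh -e; else cat; fi
```

The first FORWARD rule is deliberately narrower than the one in the first post: it is limited to NEW connections and relies on the helper to open the data channel, so no wide port range has to be forwarded for passive mode. On kernels from 4.7 onward automatic helper assignment is off by default, so one extra rule in the raw table is needed to attach the helper to the control connection; because the helper was loaded for a non-standard port it registers under a port-suffixed name, giving `iptables -t raw -A PREROUTING -p tcp --dport 8121 -j CT --helper ftp-8121`. Whether the helper is actually doing its job can be checked by watching for RELATED entries in the conntrack table while a directory listing runs.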