LinuxQuestions.org
Register a domain and help support LQ
Go Back   LinuxQuestions.org > Forums > Linux Forums > Linux - Software
User Name
Password
Linux - Software This forum is for Software issues.
Having a problem installing a new program? Want to know which application is best for the job? Post your question in this forum.

Notices

Reply
 
Search this Thread
Old 10-16-2008, 09:23 AM   #1
dacz
LQ Newbie
 
Registered: Nov 2006
Posts: 2
Blog Entries: 3

Rep: Reputation: 0
Portforward from frontend machine to backend machine


Hi!

I have one machine with an public ip and a testserver(IP 10.10.6.4) on my network. To this testserver I need ftp connections from outside my lan on port 8121 (Zope ftp instance). Both machines runs debian etch.
I don't care about what software to use, as long as it is opensource. My research leeds to Iptables, but any suggestions to others are welcome.
When opening a ftp connection on local machine everything works perfekt!
I tried to configure iptables but ftp hangs after succesfull connection. I used following commands (remark SERVER is an alias):
Code:
# iptables -A FORWARD -i eth3 -p tcp --dport 8121 -d 10.10.6.4 -j ACCEPT
# iptables -t nat -A POSTROUTING -o eth3 -j MASQUERADE
# iptables -t nat -A PREROUTING -p tcp -d SERVER --dport 21 -j DNAT --to 10.10.6.4:8121
My ftp connection:
Code:
# ftp SERVER 21
Connected to yellow.headnet.dk.
220 0.0.0.0 FTP server (Medusa Async V41297 [experimental]) ready.
Name (yellow.headnet.dk:dacz): USER
331 Password required.
Password:
230 Login successful.
Remote system type is UNIX.
Using binary mode to transfer files.
ftp> ls
200 PORT command successful.
150 Opening ASCII mode data connection for file list
And then it hangs.
Does the ftp protocol use a port range er anything else than just current choosen 8121???

Does anyone have a suggstion to a solution?

Best regards and thanks!

Dacz
 
Old 10-16-2008, 12:51 PM   #2
porzech
Member
 
Registered: Jan 2007
Distribution: Suse, Ubuntu
Posts: 31

Rep: Reputation: 15
there are two modes of ftp conections
active - client opens control connection on port 21 to server and then (after authentication and so Server opens second conection in oposite direction on random high port specified by client at connection initialization time)
passive - client opens both control and data connection control connection is on port 21 and data connection on random portserver tells client the port when connection is initiated port range same as above)

for FTP to work in either mode with iptables You need to load additional module that tracks ftp conections and opens additional data forwarding channels as needed


Code:
# loading iptables and connection tracking 
 modprobe ip_tables
# Connection-Tracking-Module
 modprobe ip_conntrack
 modprobe ip_conntrack_ftp
 modprobe ip_nat_ftp
# -------------
 iptables -t nat -A PREROUTING -i Internet_interface -p tcp --dport 21 -j DNAT --to-destination ip_of_lan_ftp_server:8121
 iptables -A FORWARD -i Internet_interface -m state --state NEW -p tcp -d ip_of_lan_ftp_server --dport 8121 -j ACCEPT
# -------------
# connection tracking rules so server responses can get to ftp client 
 iptables -A OUTPUT -m state --state NEW,ESTABLISHED,RELATED -j ACCEPT
 iptables -A FORWARD -i ! Internet_interface -m state --state NEW,ESTABLISHED,RELATED -j ACCEPT
 iptables -A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT
 iptables -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
this is very simple setup (writing from memory but it should work)
 
Old 10-16-2008, 12:55 PM   #3
h8ck3rs
LQ Newbie
 
Registered: May 2008
Posts: 3

Rep: Reputation: 0
Just use passive mode

Try using PASV (passive) rather then active ftp. At the ftp prompt type "passive on"

For more info see:

http://www.slacksite.com/other/ftp.html
 
Old 11-05-2008, 06:15 AM   #4
dacz
LQ Newbie
 
Registered: Nov 2006
Posts: 2
Blog Entries: 3

Original Poster
Rep: Reputation: 0
Ok now I'm back to this subject and after reading in the book
"LINUX FIREWALLS Attack Detection and Response with iptables, psad, and fwsnort" everything makes much more scene now

I have made a script and are now running ftp under passive-mode most of the time.
porzech you have a good memory because what you wrote was almost correct!

The script iptables.sh :
Code:
#!/bin/sh
IPTABLES=/sbin/iptables
MODPROBE=/sbin/modprobe
#INT_NET=10.10.6.0/24
### flush existing rules
echo "[+] Flushing existing iptables rules..."
$IPTABLES -F
$IPTABLES -F -t nat
$IPTABLES -X
### load connection-tracking modules
$MODPROBE iptable_nat
$MODPROBE ip_conntrack
### NOTE: If not working try with ports defined to ip_conntrack_ftp 21,8121
$MODPROBE ip_conntrack_ftp 
$MODPROBE ip_nat_ftp

######################## INPUT chain ########################
echo "[+] Setting up INPUT chain..."
$IPTABLES -A INPUT -m state --state NEW,ESTABLISHED,RELATED -j ACCEPT
######################## OUTPUT chain ######################
echo "[+] Setting up OUTPUT chain..."
$IPTABLES -A OUTPUT -m state --state NEW,ESTABLISHED,RELATED -j ACCEPT
######################## FORWARD chain #######################
echo "[+] Setting up FORWARD chain..."
$IPTABLES -A FORWARD -i ! eth3 -m state --state NEW,ESTABLISHED,RELATED -j ACCEPT
$IPTABLES -A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT 

######################## NAT rules ########################
echo "[+] Setting up NAT rules..."
$IPTABLES -t nat -A PREROUTING -i eth3 -p tcp --dport 8121 -j DNAT --to-destination 10.10.6.4:8121
$IPTABLES -t nat -A POSTROUTING -o eth3 -j MASQUERADE 
###### forwarding ######
echo "[+] Enabling IP forwarding..."
echo 1 > /proc/sys/net/ipv4/ip_forward
Thanks for the help by the way!

-== Dacz ==-
 
  


Reply


Thread Tools Search this Thread
Search this Thread:

Advanced Search

Posting Rules
You may not post new threads
You may not post replies
You may not post attachments
You may not edit your posts

BB code is On
Smilies are On
[IMG] code is Off
HTML code is Off


Similar Threads
Thread Thread Starter Forum Replies Last Post
Restarting Windows machine stops Linux machine mounting/connecting jamespetts Linux - Networking 3 05-29-2008 03:12 AM
Turn KnoppMyth backend/frontend into backend only nebbus Linux - General 0 09-09-2007 01:57 AM
Remote mythtv frontend can't connect to backend raytheyounger Linux - Software 2 05-27-2006 09:09 PM
how to shutdown,restart and log off windows machine remotely through a linux machine deepak rawat Fedora 1 05-23-2006 01:25 AM
Backend -Frontend Interaction unbeknown Linux - Software 1 07-29-2003 03:33 PM


All times are GMT -5. The time now is 01:55 PM.

Main Menu
My LQ
Write for LQ
LinuxQuestions.org is looking for people interested in writing Editorials, Articles, Reviews, and more. If you'd like to contribute content, let us know.
Main Menu
Syndicate
RSS1  Latest Threads
RSS1  LQ News
Twitter: @linuxquestions
identi.ca: @linuxquestions
Facebook: linuxquestions Google+: linuxquestions
Open Source Consulting | Domain Registration