DNATing ftp server with iptables
Hi all,

My apologies if this has been answered. It has been more than a long half day trying to get my ftp server working, but no luck yet. Here is what my setup is:

internet ---> linux router ---> ftpserver (FileZilla on Windows XP) and some other PCs.

If you ask why I don't run the ftp server on Linux: I have ISPConfig with http, email and other services running on the Linux box. The ftp server on Windows is just for general purposes, not a critical one. The command below was used for the ftp DNAT, with no luck.

$IPT -t nat -A PREROUTING -i $INET_IFACE -p tcp --dport 20:21 -j DNAT --to 192.168.1.3

I can access the ftp server on XP in the LAN, but not from the outside world. Below is my iptables.

########################iptables config########################
#!/bin/bash
IPT="/sbin/iptables"
LOADMOD="/sbin/modprobe"

###########################################################################
#
# Internet Configuration.
#
INET_IFACE="ppp0"
INET_IP="X.X.X.X"
NAMESERVER_1="203.X.X.X"
NAMESERVER_2="203.X.X.1"

###########################################################################
#
# Local Area Network configuration.
#
LAN_IFACE="eth0"
LAN_IP="192.168.1.1"
LAN_BCAST_ADD="192.168.1.255"
LAN_IPRANGE="192.168.1.0/24"

###########################################################################
#
# Localhost Configuration.
#
LO_IFACE="lo"
LO_IP="127.0.0.1"

############ Begin the NAT table operations #####################
# Flush all rules in the filter, NAT and mangle tables
$IPT -F
$IPT -t nat -F
$IPT -t mangle -F
$IPT -X            # deletes every non-builtin chain in the filter table
$IPT -t nat -X     # same for the nat and mangle tables (-X without -t only touches filter)
$IPT -t mangle -X

# load modules for ftp
$LOADMOD ip_nat_ftp

# enable ip_forward (write the sysctl with '>', not append with '>>')
echo 1 > /proc/sys/net/ipv4/ip_forward
#echo 1 > /proc/sys/net/ipv4/icmp_echo_ignore_broadcasts
#echo 1 > /proc/sys/net/ipv4/icmp_echo_ignore_all

###########################################################################
#
# 4. IPTables rules set up.
#
# Set default policies for the INPUT, FORWARD and OUTPUT chains.
#
$IPT -P INPUT ACCEPT #DROP
$IPT -P OUTPUT ACCEPT
$IPT -P FORWARD ACCEPT

#
# Do some checks for obviously spoofed IP's
#
$IPT -A INPUT -i $INET_IFACE -s 192.168.0.0/16 -j DROP
$IPT -A INPUT -i $INET_IFACE -s 10.0.0.0/8 -j DROP
$IPT -A INPUT -i $INET_IFACE -s 172.16.0.0/12 -j DROP

#blocking Yan Naung computer mac address
#iptables -A FORWARD -i eth0 -m mac --mac-source 00:16:e6:d7:04:92 -j LOG --log-prefix xxxxx
#iptables -A FORWARD -i eth0 -m mac --mac-source 00:16:e6:d7:04:92 -j DROP

##############################################################################
#
#ALLOWING PARTS
#
#
# Rules for special networks not part of the Internet
#
$IPT -A INPUT -p ALL -i $LAN_IFACE -d $LAN_BCAST_ADD -j ACCEPT
$IPT -A INPUT -p ALL -i $LO_IFACE -s $LO_IP -j ACCEPT
$IPT -A INPUT -p ALL -i $LO_IFACE -s $LAN_IP -j ACCEPT
$IPT -A INPUT -p ALL -i $LO_IFACE -s $INET_IP -j ACCEPT
$IPT -A INPUT -p ALL -i $LAN_IFACE -s $LAN_IPRANGE -j ACCEPT

#allow DNS request
$IPT -t nat -A POSTROUTING -o $INET_IFACE -d $NAMESERVER_1 -p UDP --dport 53 -j SNAT --to $INET_IP
$IPT -t nat -A POSTROUTING -o $INET_IFACE -d $NAMESERVER_2 -p UDP --dport 53 -j SNAT --to $INET_IP

#allow ping
$IPT -A INPUT -p ICMP -j ACCEPT

#allow SSH
$IPT -A INPUT -p tcp --dport 22 -j ACCEPT

#allow WEB server, Email server, ISPCONFIG
#iptables -t nat -A PREROUTING -i $IFACE -p tcp --dport 80 -j DNAT --to-destination 192.168.1.1
$IPT -A INPUT -p tcp --dport 80:81 -j ACCEPT
$IPT -A INPUT -p tcp --dport 110 -j ACCEPT
$IPT -A INPUT -p tcp --dport 25 -j ACCEPT
$IPT -A INPUT -p tcp --dport 443 -j ACCEPT

#allow ASTERISK VOIP Server
$IPT -A INPUT -p tcp --dport 5060:5061 -j ACCEPT
$IPT -A INPUT -p udp --dport 5060:5061 -j ACCEPT
$IPT -A INPUT -p udp --dport 10000:20000 -j ACCEPT
$IPT -A FORWARD -o $INET_IFACE -p udp --dport 5060:5061 -j ACCEPT
$IPT -A FORWARD -o $INET_IFACE -p tcp --dport 5060:5061 -j ACCEPT
$IPT -A FORWARD -o $INET_IFACE -p udp --dport 10000:20000 -j ACCEPT

#allow ftp server at 192.168.1.3 **************************************
$IPT -t nat -A PREROUTING -i $INET_IFACE -p tcp --dport 20:21 -j DNAT --to 192.168.1.3

#allow already established connections
$IPT -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT

#allow forward any related/established packets from $INET_IFACE to LAN
$IPT -A FORWARD -i $INET_IFACE -o $LAN_IFACE -m state --state ESTABLISHED,RELATED -j ACCEPT

#allow any outputs from LAN: new connections arriving on any interface except the Internet one
# (the negation goes before the option: "! -i", not "-i !")
$IPT -A INPUT -m state --state NEW ! -i $INET_IFACE -j ACCEPT

#allow forward anything from LAN to INTERNET
$IPT -A FORWARD -i $LAN_IFACE -o $INET_IFACE -j ACCEPT

#################avoid looping############################
$IPT -A FORWARD -i $INET_IFACE -o $INET_IFACE -j REJECT

#SNAT/MASQUERADE to INTERNET
$IPT -t nat -A POSTROUTING -o $INET_IFACE -j SNAT --to $INET_IP
Disable/flush your firewall and check the status of port 21. You can use nmap from the Linux box, then try again ...
Hmm,

Strange, when I nmap I don't even see port 21 there. This is what I got when nmapping; the nmap was done from another computer. Any ideas??

PORT     STATE SERVICE
22/tcp   open  ssh
25/tcp   open  smtp
80/tcp   open  http
81/tcp   open  hosts2-ns
110/tcp  open  pop3
111/tcp  open  rpcbind
139/tcp  open  netbios-ssn
143/tcp  open  imap
443/tcp  open  https
445/tcp  open  microsoft-ds
833/tcp  open  unknown
901/tcp  open  samba-swat
993/tcp  open  imaps
995/tcp  open  pop3s
2000/tcp open  callbook
3306/tcp open  mysql
Is your ftp server running? Check/recheck and restart it, and look at /var/log/messages after restarting.
You had better nmap your Windows-based server first, to confirm that the FTP service is actually available on that server.

$IPT -t nat -A PREROUTING -i $INET_IFACE -p tcp --dport 20:21 -j DNAT --to 192.168.1.3

Normally I only allow port 21 to be forwarded to the internal server, and that works for my network; try removing port 20. Then try the commands below on your firewall ...

modprobe ip_conntrack
modprobe ip_conntrack_ftp
modprobe ip_nat_ftp
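The rule set the reply above describes (forward port 21 only, load the conntrack and NAT helpers), applied to the poster's topology, as an added example that is not part of the thread or of the poster's script. The interface names and the server address follow the thread; the passive port range, the explicit helper binding in the raw table, and the FORWARD rules are assumptions a practitioner would add. The script only prints the rules unless invoked with "apply", so it can be read and tested without root.

```shell
#!/bin/sh
# Added example, not from the thread: generate (and optionally apply) the
# FTP-specific iptables rules for a FileZilla server behind a Linux NAT router.
# Interface names and the server address follow the thread; PASV_RANGE, the
# CT --helper rule and the FORWARD rules are assumptions, not the poster's.

INET_IFACE="${INET_IFACE:-ppp0}"         # Internet-facing interface
LAN_IFACE="${LAN_IFACE:-eth0}"           # LAN interface
FTP_SERVER="${FTP_SERVER:-192.168.1.3}"  # FileZilla Server host on the LAN
PASV_RANGE="${PASV_RANGE:-50000:50100}"  # assumed passive range configured in FileZilla
IPT="${IPT:-/sbin/iptables}"

# Print the rules, one iptables command per line, ready to paste into a script.
# Only port 21 is DNATed: active-mode data connections are opened *by* the
# server from port 20 and leave through the normal outbound SNAT rule, so
# forwarding inbound port 20 does nothing useful.
gen_ftp_dnat_rules() {
    cat <<EOF
# Kernels since 4.7 no longer attach conntrack helpers automatically (the
# nf_conntrack_helper sysctl defaults to 0 and was later removed); bind the
# ftp helper to the inbound control connection explicitly in the raw table.
$IPT -t raw -A PREROUTING -i $INET_IFACE -p tcp --dport 21 -j CT --helper ftp
# Control connection: DNAT to the internal server (port 21 only).
$IPT -t nat -A PREROUTING -i $INET_IFACE -p tcp --dport 21 -j DNAT --to-destination $FTP_SERVER:21
# The DNATed packet still has to pass the FORWARD chain.  The thread's script
# has policy ACCEPT there; with a DROP policy this rule is required.
$IPT -A FORWARD -i $INET_IFACE -o $LAN_IFACE -d $FTP_SERVER -p tcp --dport 21 -m conntrack --ctstate NEW -j ACCEPT
# Passive data connections: the ftp helper marks them RELATED and nf_nat_ftp
# rewrites the address in the PASV reply, so this one rule covers them ...
$IPT -A FORWARD -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
# ... except when the control channel is encrypted (FTPS), where the helper
# cannot read the PASV reply.  Then forward the passive range explicitly and
# configure FileZilla to advertise the public IP in its PASV replies.
$IPT -t nat -A PREROUTING -i $INET_IFACE -p tcp --dport $PASV_RANGE -j DNAT --to-destination $FTP_SERVER
$IPT -A FORWARD -i $INET_IFACE -o $LAN_IFACE -d $FTP_SERVER -p tcp --dport $PASV_RANGE -m conntrack --ctstate NEW -j ACCEPT
EOF
}

# Load the helper modules, enable forwarding and apply the rules.  Needs root
# and a netfilter kernel; only run when the script is invoked with "apply".
apply_ftp_dnat_rules() {
    for m in nf_conntrack nf_conntrack_ftp nf_nat_ftp; do
        modprobe "$m" || return 1
    done
    echo 1 > /proc/sys/net/ipv4/ip_forward
    gen_ftp_dnat_rules | grep -v '^#' | sh -e
}

# Number of DNAT rules in the generated set (control port + passive range).
count_dnat_rules() {
    gen_ftp_dnat_rules | grep -c -- '-j DNAT'
}

case "${1:-}" in
    apply) apply_ftp_dnat_rules ;;
    *)     gen_ftp_dnat_rules ;;
esac
```

Two checks worth doing after applying: the PREROUTING rule only matches packets that arrive on $INET_IFACE, so a test from a LAN host against the public address never exercises it; test from outside (nmap -p 21 against the public IP) and watch the packet counters with `iptables -t nat -L PREROUTING -v -n`. If the counter on the DNAT rule stays at zero, the packets are not reaching the router (ISP filtering, wrong interface name), not being forwarded wrongly.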
Hi,

Thanks for the replies. The ftp server can be connected to inside the LAN; it just seems iptables is not DNATing it. I need to fiddle around a bit more, I guess.