LinuxQuestions.org


Krao 07-09-2004 10:50 PM

Hosting server behind firewall
 
Hello

I have a home network set up consisting of a Linux computer as firewall, then into a switch that my other home computers are connected to.

Internet --> |Linux box| --> switch --> My other computers

What I'm trying to do is host an FTP server on one of my other computers. As I have figured, I should only need to enable port forwarding for the appropriate port?

So I've tried this:
/sbin/iptables -t nat -A PREROUTING -p tcp -i eth0 -d xxx.xxx.xxx.xxx --dport 8888 -j DNAT --to 192.168.0.2:21

/sbin/iptables -A FORWARD -p tcp -i eth0 -d 192.168.0.2 --dport 80 -j ACCEPT

It doesn't do it for me...

My firewall script looks like this:

#!/bin/sh
FWVER=0.75
#
echo -e "\n\nLoading simple rc.firewall version $FWVER..\n"
#
#
IPTABLES=/usr/sbin/iptables
DEPMOD=/sbin/depmod
MODPROBE=/sbin/modprobe
#
#
EXTIF="eth1"
INTIF="eth0"
echo " External Interface: $EXTIF"
echo " Internal Interface: $INTIF"
#
#
echo -en " loading modules: "
#
echo " - Verifying that all kernel modules are ok -"
$DEPMOD -a
#
#
echo -en "ip_tables, "
$MODPROBE ip_tables
#
#
echo -en "ip_conntrack, "
$MODPROBE ip_conntrack
#
#
echo -en "ip_conntrack_ftp, "
$MODPROBE ip_conntrack_ftp
#
#
echo -en "ip_conntrack_irc, "
$MODPROBE ip_conntrack_irc
#
#
echo -en "iptable_nat, "
$MODPROBE iptable_nat
#
#
echo -en "ip_nat_ftp, "
$MODPROBE ip_nat_ftp
#
#
echo -e " Done loading modules.\n"
#
#
echo " Enabling forwarding.."
echo "1" > /proc/sys/net/ipv4/ip_forward
#
#
echo " Enabling DynamicAddr.."
echo "1" > /proc/sys/net/ipv4/ip_dynaddr
#
#
echo " Clearing any existing rules and setting default policy.."
$IPTABLES -P INPUT ACCEPT
$IPTABLES -F INPUT
$IPTABLES -P OUTPUT ACCEPT
$IPTABLES -F OUTPUT
$IPTABLES -P FORWARD DROP
$IPTABLES -F FORWARD
$IPTABLES -t nat -F
#
#
echo " FWD: Allowing all connections OUT and only existing and related ones IN"
$IPTABLES -A FORWARD -i $EXTIF -o $INTIF -m state --state ESTABLISHED,RELATED -j ACCEPT
$IPTABLES -A FORWARD -i $INTIF -o $EXTIF -j ACCEPT
$IPTABLES -A FORWARD -j LOG
echo " Enabling SNAT (MASQUERADE) functionality on $EXTIF"
$IPTABLES -t nat -A POSTROUTING -o $EXTIF -j MASQUERADE

echo -e " \nrc.firewall-2.4 v$FWVER done.\n"

mardanian 07-10-2004 04:02 AM

try with -o eth1 in both the above rules

Krao 07-10-2004 07:45 AM

I have already tried that.
I read somewhere that the order you enter stuff into iptables matters, and maybe there is some stuff in my firewall script that needs to come after the routing?
Well, thanks for the reply. Does anyone else know something that can help me, or somewhere I can read more about it?

ppuru 07-10-2004 10:37 AM

You would also require a prerouting entry for ftp data (higher ports) to flow in addition to port 21.

Consider using -m conntrack --ctstate

If you are using vsftpd, consider using pasv_min_port and pasv_max_port so your ftp data filter won't have to open up all the higher ports.

Krao 07-11-2004 02:31 AM

Hmm, didn't quite follow that. Use -m conntrack --ctstate where?
Am I getting you correctly if you mean that the data flow is on other ports than 21 and they too need to be routed, and that's where these things come in to help me find those higher ports?

ppuru 07-11-2004 02:40 AM

-m conntrack will let you keep state for the ports that are opened up for ftp data; it makes sure the connections that claim to be for ftp data are indeed in response to the existing connection on port 21.

The man page for iptables has this ...

conntrack
This module, when combined with connection tracking, allows access to more connection tracking information than the "state" match. (This module is present only if iptables was compiled under a kernel supporting this feature.)

--ctstate state
Where state is a comma separated list of the connection states to match. Possible states are INVALID meaning that the packet is associated with no known connection, ESTABLISHED meaning that the packet is associated with a connection which has seen packets in both directions, NEW meaning that the packet has started a new connection, or otherwise associated with a connection which has not seen packets in both directions, and RELATED meaning that the packet is starting a new connection, but is associated with an existing connection, such as an FTP data transfer, or an ICMP error. SNAT: a virtual state, matching if the original source address differs from the reply destination. DNAT: a virtual state, matching if the original destination differs from the reply source.
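
Putting ppuru's suggestions together with the interface names from Krao's script, as an added example that is not code from the thread: the DNAT has to match the external interface (EXTIF is eth1 in the script, while the posted rule used eth0), and the FORWARD rule has to match the port the packet has after DNAT, 21 rather than 80. Assumed values: 192.168.0.2 as the FTP host, public port 8888, and a vsftpd pasv_min_port/pasv_max_port range of 50000-50100.

```shell
#!/bin/sh
# Added example, not code from the thread. Emits (or applies) the iptables
# rules needed to forward FTP to an internal host behind the rc.firewall
# shown above. Assumed: FTP_HOST 192.168.0.2, public port 8888, and a
# vsftpd pasv_min_port/pasv_max_port range of 50000-50100.
IPTABLES=${IPTABLES:-/usr/sbin/iptables}
EXTIF=${EXTIF:-eth1}            # external interface, as in the script
INTIF=${INTIF:-eth0}            # internal interface, as in the script
FTP_HOST=${FTP_HOST:-192.168.0.2}
PUB_PORT=${PUB_PORT:-8888}
PASV_MIN=${PASV_MIN:-50000}
PASV_MAX=${PASV_MAX:-50100}
DRY_RUN=${DRY_RUN:-1}           # 1 = print rules only; 0 = run them

# Sanity-check port values before emitting anything; returns 1 on error.
validate_ports() {
    min=${1:-$PASV_MIN}; max=${2:-$PASV_MAX}; pub=${3:-$PUB_PORT}
    [ "$min" -ge 1024 ] && [ "$max" -le 65535 ] && [ "$min" -le "$max" ] \
        && [ "$pub" -ge 1 ] && [ "$pub" -le 65535 ]
}

# One iptables command per line. The DNAT matches on EXTIF; the FORWARD
# rules match the destination as it is after DNAT (port 21 and the pasv
# range). Data connections are accepted only as RELATED/ESTABLISHED, i.e.
# only when the ip_conntrack_ftp/ip_nat_ftp helpers loaded by the script
# tie them to an existing control connection. FORWARD policy stays DROP.
ftp_forward_rules() {
    cat <<EOF
$IPTABLES -t nat -A PREROUTING -i $EXTIF -p tcp --dport $PUB_PORT -j DNAT --to-destination $FTP_HOST:21
$IPTABLES -A FORWARD -i $EXTIF -o $INTIF -p tcp -d $FTP_HOST --dport 21 -m conntrack --ctstate NEW,ESTABLISHED -j ACCEPT
$IPTABLES -t nat -A PREROUTING -i $EXTIF -p tcp --dport $PASV_MIN:$PASV_MAX -j DNAT --to-destination $FTP_HOST
$IPTABLES -A FORWARD -i $EXTIF -o $INTIF -p tcp -d $FTP_HOST --dport $PASV_MIN:$PASV_MAX -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
EOF
}

# Show or apply the rules; run this after rc.firewall, which flushes the
# FORWARD chain and the whole nat table, so appended rules would be lost.
apply_rules() {
    validate_ports || { echo "bad port configuration" >&2; return 1; }
    if [ "$DRY_RUN" -eq 1 ]; then
        ftp_forward_rules
    else
        ftp_forward_rules | sh -e
    fi
}

apply_rules
```

With DRY_RUN left at 1 the script only prints the four rules for review; set DRY_RUN=0 to hand them to iptables.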

