Hosting server behind firewall
Hello
I have a home network set up consisting of a Linux computer as firewall, then into a switch which my other home computers are connected to.

    Internet --> |Linux box| --> switch --> My other computers

What I'm trying to do is host an FTP server on one of my other computers. As I have figured, I should only need to enable port forwarding for the appropriate port? So I've tried this:

    /sbin/iptables -t nat -A PREROUTING -p tcp -i eth0 -d xxx.xxx.xxx.xxx --dport 8888 -j DNAT --to 192.168.0.2:21
    /sbin/iptables -A FORWARD -p tcp -i eth0 -d 192.168.0.2 --dport 80 -j ACCEPT

It doesn't do it for me... My firewall script looks like this:

    #!/bin/sh
    FWVER=0.75
    #
    echo -e "\n\nLoading simple rc.firewall version $FWVER..\n"
    #
    IPTABLES=/usr/sbin/iptables
    DEPMOD=/sbin/depmod
    MODPROBE=/sbin/modprobe
    #
    EXTIF="eth1"
    INTIF="eth0"
    echo "   External Interface:  $EXTIF"
    echo "   Internal Interface:  $INTIF"
    #
    echo -en "   loading modules: "
    #
    echo "  - Verifying that all kernel modules are ok -"
    $DEPMOD -a
    #
    echo -en "ip_tables, "
    $MODPROBE ip_tables
    #
    echo -en "ip_conntrack, "
    $MODPROBE ip_conntrack
    #
    echo -en "ip_conntrack_ftp, "
    $MODPROBE ip_conntrack_ftp
    #
    echo -en "ip_conntrack_irc, "
    $MODPROBE ip_conntrack_irc
    #
    echo -en "iptable_nat, "
    $MODPROBE iptable_nat
    #
    echo -en "ip_nat_ftp, "
    $MODPROBE ip_nat_ftp
    #
    echo -e "   Done loading modules.\n"
    #
    echo "   Enabling forwarding.."
    echo "1" > /proc/sys/net/ipv4/ip_forward
    #
    echo "   Enabling DynamicAddr.."
    echo "1" > /proc/sys/net/ipv4/ip_dynaddr
    #
    echo "   Clearing any existing rules and setting default policy.."
    $IPTABLES -P INPUT ACCEPT
    $IPTABLES -F INPUT
    $IPTABLES -P OUTPUT ACCEPT
    $IPTABLES -F OUTPUT
    $IPTABLES -P FORWARD DROP
    $IPTABLES -F FORWARD
    $IPTABLES -t nat -F
    #
    echo "   FWD: Allowing all connections OUT and only existing and related ones IN"
    $IPTABLES -A FORWARD -i $EXTIF -o $INTIF -m state --state ESTABLISHED,RELATED -j ACCEPT
    $IPTABLES -A FORWARD -i $INTIF -o $EXTIF -j ACCEPT
    $IPTABLES -A FORWARD -j LOG
    echo "   Enabling SNAT (MASQUERADE) functionallity on $EXTIF"
    $IPTABLES -t nat -A POSTROUTING -o $EXTIF -j MASQUERADE
    echo -e "\nrc.firewall-2.4 v$FWVER done.\n"
try with -o eth1 in both the above rules
I have already tried that.

I read somewhere that the order you enter stuff into iptables matters, and maybe there is some stuff in my firewall script that needs to come after the routing? Well, thanks for the reply. Does anyone else know something that can help me, or somewhere I can read more about it?
You would also require a PREROUTING entry for FTP data (higher ports) to flow, in addition to port 21.

Consider using -m conntrack --ctstate. If you are using vsftpd, consider using pasv_min_port and pasv_max_port so your FTP data filter won't have to open up all the higher ports.
Hmm, didn't quite follow that. Use -m conntrack --ctstate where?

If I'm getting you correctly, you mean that the data flow is on other ports than 21 and they too need to be routed, and that's where these things come in to help me find those higher ports?
-m conntrack will let you keep states for the ports that are opened up for FTP data; it makes sure the connections that claim to be for FTP data are indeed in response to the existing connection on port 21.

The man page for iptables has this:

    conntrack
        This module, when combined with connection tracking, allows access to
        more connection tracking information than the "state" match. (this
        module is present only if iptables was compiled under a kernel
        supporting this feature)

        --ctstate state
            Where state is a comma separated list of the connection states to
            match. Possible states are INVALID meaning that the packet is
            associated with no known connection, ESTABLISHED meaning that the
            packet is associated with a connection which has seen packets in
            both directions, NEW meaning that the packet has started a new
            connection, or otherwise associated with a connection which has
            not seen packets in both directions, and RELATED meaning that the
            packet is starting a new connection, but is associated with an
            existing connection, such as an FTP data transfer, or an ICMP
            error. SNAT A virtual state, matching if the original source
            address differs from the reply destination. DNAT A virtual state,
            matching if the original destination differs from the reply
            source.
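Putting the replies above together (the external-interface correction, the PREROUTING entry for the control port, and conntrack for the data ports), here is an added example script that is not code from the thread or from the poster's firewall. It takes the interface names and the FTP host from the poster's script (EXTIF=eth1, INTIF=eth0, 192.168.0.2) and uses an assumed passive port range of 50000:50100, which should be set to whatever pasv_min_port/pasv_max_port the FTP server is configured with. The current module names nf_conntrack_ftp and nf_nat_ftp and the raw-table CT helper rule are what newer kernels need; on the poster's 2.4-era kernel the ip_conntrack_ftp/ip_nat_ftp modules already loaded by the script do the same job and the CT rule can be left out. By default the script only prints the commands; run it with the argument apply (as root) to really install them.

```shell
#!/bin/sh
# Added example (not the thread's code): forward external TCP 8888 to the
# internal FTP server's port 21 and let connection tracking admit the FTP
# data connections. EXTIF/INTIF/FTP_HOST come from the poster's script;
# PASV_RANGE is a constructed assumption.

IPTABLES=${IPTABLES:-/usr/sbin/iptables}
EXTIF=${EXTIF:-eth1}                   # faces the Internet (poster's script)
INTIF=${INTIF:-eth0}                   # faces the switch (poster's script)
FTP_HOST=${FTP_HOST:-192.168.0.2}      # internal machine running the FTP server
EXT_PORT=${EXT_PORT:-8888}             # port the outside world connects to
PASV_RANGE=${PASV_RANGE:-50000:50100}  # assumed; match vsftpd pasv_min/max_port
DRY_RUN=${DRY_RUN:-1}                  # 1 = print commands, 0 = execute (needs root)

# Print or execute one command depending on DRY_RUN.
run() {
    if [ "$DRY_RUN" = "1" ]; then
        echo "$*"
    else
        "$@"
    fi
}

# The FTP helper is what turns the server's PASV/PORT announcements into
# expectations, so the data connections become RELATED instead of NEW.
load_ftp_helper() {
    run /sbin/modprobe nf_conntrack_ftp
    run /sbin/modprobe nf_nat_ftp
}

ftp_forward_rules() {
    # 0. Since kernel 4.7 helpers are no longer attached automatically
    #    (net.netfilter.nf_conntrack_helper=0), so attach the ftp helper in
    #    the raw table, where the packet still carries the external port.
    run "$IPTABLES" -t raw -A PREROUTING -i "$EXTIF" -p tcp --dport "$EXT_PORT" \
        -j CT --helper ftp

    # 1. Rewrite the destination before routing. This must match the EXTERNAL
    #    interface: the rules in the question used eth0, which the script
    #    defines as the internal side, so inbound packets never matched.
    #    Matching on -i avoids hard-coding the (possibly dynamic) public IP.
    run "$IPTABLES" -t nat -A PREROUTING -i "$EXTIF" -p tcp --dport "$EXT_PORT" \
        -j DNAT --to-destination "$FTP_HOST:21"

    # 2. Admit the forwarded control connection. FORWARD sees the packet AFTER
    #    DNAT, so match the translated port 21, not 80 and not 8888.
    run "$IPTABLES" -A FORWARD -i "$EXTIF" -o "$INTIF" -p tcp -d "$FTP_HOST" --dport 21 \
        -m conntrack --ctstate NEW -j ACCEPT

    # 3. Passive data connections arrive on a high port the server announced.
    #    The poster's blanket ESTABLISHED,RELATED rule already admits them;
    #    this stricter form is what to use instead of that blanket rule: only
    #    connections the ftp helper expected, and only within the server's
    #    configured passive range, ever get through.
    run "$IPTABLES" -A FORWARD -i "$EXTIF" -o "$INTIF" -p tcp -d "$FTP_HOST" --dport "$PASV_RANGE" \
        -m conntrack --ctstate RELATED -m helper --helper ftp -j ACCEPT
}

if [ "${1:-}" = "apply" ]; then
    DRY_RUN=0
fi
load_ftp_helper
ftp_forward_rules
```

These rules belong in the poster's script after the flush and policy lines and before the LOG rule, since iptables evaluates a chain top to bottom and the first matching terminal target wins.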