LinuxQuestions.org
Old 07-09-2004, 10:50 PM   #1
Krao
LQ Newbie
 
Registered: Jun 2004
Posts: 8

Rep: Reputation: 0
Hosting server behind firewall


Hello

I have a home network set up consisting of a Linux computer as firewall, then into a switch that my other home computers are connected to.

Internet --> |Linux box| --> switch --> My other computers

What I'm trying to do is host an FTP server on one of my other computers. As I have figured it, I should only need to enable port forwarding for the appropriate port?

So I've tried this:
/sbin/iptables -t nat -A PREROUTING -p tcp -i eth0 -d xxx.xxx.xxx.xxx --dport 8888 -j DNAT --to 192.168.0.2:21

/sbin/iptables -A FORWARD -p tcp -i eth0 -d 192.168.0.2 --dport 80 -j ACCEPT

It doesn't do it for me...

My firewall script looks like this:

#!/bin/sh
FWVER=0.75
#
echo -e "\n\nLoading simple rc.firewall version $FWVER..\n"
#
#
IPTABLES=/usr/sbin/iptables
DEPMOD=/sbin/depmod
MODPROBE=/sbin/modprobe
#
#
EXTIF="eth1"
INTIF="eth0"
echo " External Interface: $EXTIF"
echo " Internal Interface: $INTIF"
#
#
echo -en " loading modules: "
#
echo " - Verifying that all kernel modules are ok -"
$DEPMOD -a
#
#
echo -en "ip_tables, "
$MODPROBE ip_tables
#
#
echo -en "ip_conntrack, "
$MODPROBE ip_conntrack
#
#
echo -en "ip_conntrack_ftp, "
$MODPROBE ip_conntrack_ftp
#
#
echo -en "ip_conntrack_irc, "
$MODPROBE ip_conntrack_irc
#
#
echo -en "iptable_nat, "
$MODPROBE iptable_nat
#
#
echo -en "ip_nat_ftp, "
$MODPROBE ip_nat_ftp
#
#
echo -e " Done loading modules.\n"
#
#
echo " Enabling forwarding.."
echo "1" > /proc/sys/net/ipv4/ip_forward
#
#
echo " Enabling DynamicAddr.."
echo "1" > /proc/sys/net/ipv4/ip_dynaddr
#
#
echo " Clearing any existing rules and setting default policy.."
$IPTABLES -P INPUT ACCEPT
$IPTABLES -F INPUT
$IPTABLES -P OUTPUT ACCEPT
$IPTABLES -F OUTPUT
$IPTABLES -P FORWARD DROP
$IPTABLES -F FORWARD
$IPTABLES -t nat -F
#
#
echo " FWD: Allowing all connections OUT and only existing and related ones IN"
$IPTABLES -A FORWARD -i $EXTIF -o $INTIF -m state --state ESTABLISHED,RELATED -j ACCEPT
$IPTABLES -A FORWARD -i $INTIF -o $EXTIF -j ACCEPT
$IPTABLES -A FORWARD -j LOG
echo " Enabling SNAT (MASQUERADE) functionallity on $EXTIF"
$IPTABLES -t nat -A POSTROUTING -o $EXTIF -j MASQUERADE

echo -e " \nrc.firewall-2.4 v$FWVER done.\n"
 
Old 07-10-2004, 04:02 AM   #2
mardanian
Member
 
Registered: Mar 2004
Distribution: Fedora
Posts: 254

Rep: Reputation: 30
Try with -o eth1 in both the above rules.
 
Old 07-10-2004, 07:45 AM   #3
Krao
LQ Newbie
 
Registered: Jun 2004
Posts: 8

Original Poster
Rep: Reputation: 0
I have already tried that.
I read somewhere that the order you enter stuff into iptables matters, and maybe there is some stuff in my firewall script that needs to come after the routing?
Well, thanks for the reply. Does anyone else know something that can help me, or somewhere I can read more about it?
 
Old 07-10-2004, 10:37 AM   #4
ppuru
Senior Member
 
Registered: Mar 2003
Location: Beautiful BC
Distribution: RedHat & clones, Slackware, SuSE, OpenBSD
Posts: 1,791

Rep: Reputation: 50
You would also require a PREROUTING entry for FTP data (higher ports) to flow, in addition to port 21.

Consider using -m conntrack --ctstate

If you are using vsftpd, consider using pasv_min_port and pasv_max_port so your FTP data filter won't have to open up all the higher ports.
 
Old 07-11-2004, 02:31 AM   #5
Krao
LQ Newbie
 
Registered: Jun 2004
Posts: 8

Original Poster
Rep: Reputation: 0
Hmm, didn't quite follow that. Use -m conntrack --ctstate where?
Am I getting you correctly if you mean that the data flow is on other ports than 21 and they too need to be routed, and that's where these things come in to help me find those higher ports?
 
Old 07-11-2004, 02:40 AM   #6
ppuru
Senior Member
 
Registered: Mar 2003
Location: Beautiful BC
Distribution: RedHat & clones, Slackware, SuSE, OpenBSD
Posts: 1,791

Rep: Reputation: 50
-m conntrack will let you keep states for the ports that are opened up for FTP data; it makes sure the connections that claim to be for FTP data are indeed in response to the existing connection on port 21.

The man page for iptables has this ...

conntrack
This module, when combined with connection tracking, allows access to more connection tracking information than the "state" match. (This module is present only if iptables was compiled under a kernel supporting this feature.)

--ctstate state
Where state is a comma separated list of the connection states to match. Possible states are INVALID meaning that the packet is associated with no known connection, ESTABLISHED meaning that the packet is associated with a connection which has seen packets in both directions, NEW meaning that the packet has started a new connection, or otherwise associated with a connection which has not seen packets in both directions, and RELATED meaning that the packet is starting a new connection, but is associated with an existing connection, such as an FTP data transfer, or an ICMP error. SNAT A virtual state, matching if the original source address differs from the reply destination. DNAT A virtual state, matching if the original destination differs from the reply source.
 
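As an added example that is not part of the thread and not any poster's code, here is the complete forwarding set-up the replies converge on: the two control-channel rules from the first post with their two defects corrected (the PREROUTING rule matched -i eth0, which the script defines as the LAN side, and the FORWARD rule matched --dport 80 although DNAT has already rewritten the port to 21 by the time FORWARD runs), then the data channel handled either by the kernel FTP helper with -m conntrack --ctstate (posts #4 and #6) or by a pinned vsftpd passive range (post #4). It keeps the script's interface names (eth1 external, eth0 internal) and the 192.168.0.2:21 target; the public address 203.0.113.10, the 40000-40010 passive range and the DRY_RUN/APPLY switches are placeholders of this example, not values from the thread.

```shell
#!/bin/sh
# Added example, not code from the thread. Forwards an FTP server on a LAN host
# to the Internet through the NAT box from the original rc.firewall script, using
# its interface names (eth1 = Internet side, eth0 = LAN side).
# Placeholders, not values from the thread: PUBLIC_IP (a TEST-NET-3 address), the
# 40000-40010 passive range and the DRY_RUN/APPLY switches.
# DRY_RUN=1 prints the iptables commands instead of running them.

EXTIF="${EXTIF:-eth1}"                 # external (Internet) interface
INTIF="${INTIF:-eth0}"                 # internal (LAN) interface
PUBLIC_IP="${PUBLIC_IP:-203.0.113.10}" # the firewall's public address (placeholder)
FTP_HOST="${FTP_HOST:-192.168.0.2}"    # LAN host running the FTP server
EXT_PORT="${EXT_PORT:-8888}"           # port exposed on the public side
PASV_MIN="${PASV_MIN:-40000}"          # passive data port range (placeholder)
PASV_MAX="${PASV_MAX:-40010}"
IPTABLES="${IPTABLES:-/sbin/iptables}"

# ipt: run one iptables command, or print it when DRY_RUN is set.
ipt() {
    if [ -n "${DRY_RUN:-}" ]; then
        echo "$IPTABLES $*"
    else
        "$IPTABLES" "$@"
    fi
}

# Control channel: the two rules from the first post with two fixes.
# 1. The client's SYN arrives on the external interface, so PREROUTING must
#    match -i $EXTIF; the script defines eth0 as the LAN side, so "-i eth0"
#    never saw the packet.
# 2. DNAT rewrites the destination to $FTP_HOST:21 before the FORWARD chain
#    runs, so FORWARD must match --dport 21, not 80 (and not 8888).
# The --ctstate NEW rule only has to admit the first packet; the script's
# existing ESTABLISHED,RELATED rule carries the rest of the connection.
control_channel_rules() {
    ipt -t nat -A PREROUTING -i "$EXTIF" -p tcp -d "$PUBLIC_IP" --dport "$EXT_PORT" \
        -j DNAT --to-destination "$FTP_HOST:21"
    ipt -A FORWARD -i "$EXTIF" -o "$INTIF" -p tcp -d "$FTP_HOST" --dport 21 \
        -m conntrack --ctstate NEW -j ACCEPT
}

# Data channel, option A: the kernel FTP helper (ip_conntrack_ftp/ip_nat_ftp in
# the script, nf_conntrack_ftp/nf_nat_ftp today) parses PORT/PASV on the control
# connection, rewrites the LAN address in the PASV reply, and marks the one data
# connection it announced as RELATED, so no range of higher ports is opened.
# On the 2.4 kernel in the thread the helper attaches automatically once the
# connection is DNATed to port 21; since Linux 4.7 automatic assignment is off
# by default, so bind it to exactly this port with the CT target in the raw
# table (which sees the packet before DNAT, hence --dport $EXT_PORT).
# The RELATED,ESTABLISHED rule is what rc.firewall already has with -m state;
# it is repeated here, restricted to the FTP host, so the example stands alone.
data_channel_rules_helper() {
    ipt -t raw -A PREROUTING -i "$EXTIF" -p tcp -d "$PUBLIC_IP" --dport "$EXT_PORT" \
        -j CT --helper ftp
    ipt -A FORWARD -i "$EXTIF" -o "$INTIF" -p tcp -d "$FTP_HOST" \
        -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
}

# Data channel, option B (the vsftpd route from post #4): no helper, pin the
# server to a small passive range, tell it the public address to put in PASV
# replies, and forward only that range. Active mode needs nothing extra: the
# server's outbound connection from port 20 already leaves via MASQUERADE.
data_channel_rules_pasv() {
    ipt -t nat -A PREROUTING -i "$EXTIF" -p tcp -d "$PUBLIC_IP" \
        --dport "$PASV_MIN:$PASV_MAX" -j DNAT --to-destination "$FTP_HOST"
    ipt -A FORWARD -i "$EXTIF" -o "$INTIF" -p tcp -d "$FTP_HOST" \
        --dport "$PASV_MIN:$PASV_MAX" -m conntrack --ctstate NEW -j ACCEPT
}

# Matching vsftpd.conf lines for option B (option names from vsftpd.conf(5)).
vsftpd_pasv_config() {
    printf 'pasv_enable=YES\npasv_min_port=%s\npasv_max_port=%s\npasv_address=%s\n' \
        "$PASV_MIN" "$PASV_MAX" "$PUBLIC_IP"
}

# Load with APPLY=1 (or DRY_RUN=1 to preview) after rc.firewall has run, because
# that script flushes the nat and filter tables; sourced without either switch,
# the file only defines the functions.
if [ -n "${APPLY:-}" ] || [ -n "${DRY_RUN:-}" ]; then
    control_channel_rules
    data_channel_rules_helper
fi
```

Run it after rc.firewall, since the script flushes the nat and filter tables on every start. Appending after the script's final `-j LOG` is fine, because LOG is not a terminating target, which is the ordering worry raised in post #3. Two caveats a practitioner would add: the FTP helper opens expectations based on PORT/PASV text sent by the remote client, so bind it to this one port and host as above rather than letting it attach to every connection; and plain FTP carries credentials and data in the clear, so SFTP over a single forwarded port avoids both that and the whole data-channel problem.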