iptables: local proFTPd server and remote FTP servers access

jordib · 04-21-2008, 05:05 PM

Hello,

I'm setting up a public services subnetwork and I need some help with iptables. This is what I manage:

Firewall (Debian 4.0r3) with 3 NIC's:

eth0 NET, interface "INET", subnet 192.168.3.0/24, connected to a DSL router pointed by a public static IP address.
eth1 DMZ, interface "IDMZ", subnet 192.168.2.0/24, only one machine
eth2 LOC, interface "ILOC", subnet 192.168.1.0/24 (XLOC)

The default policy for INPUT, OUTPUT, FORWARD chains (and PRE/POST-ROUTING) is DROP.

The firewall masquerades all that comes from LOC and DMZ subnets going to the Internet. The module ip_conntrack_ftp is loaded. Every outbound connection from LOC works good, but FTP doesn't.

I'm having problems with a FTP server (proFTPd) serving in the DMZ.

(1) I want it to be a public server, but I'm not able to access it from the Internet, ruleset

Code:

iptables -t nat -A PREROUTING -i $INET -p tcp --dport 20 -j DNAT --to-destination $DMZ:20
iptables -t nat -A PREROUTING -i $INET -p tcp --dport 21 -j DNAT --to-destination $DMZ:21

iptables -A FORWARD -i $IDMZ -o $INET -p tcp --dport 20:21 -j ACCEPT
iptables -A FORWARD -i $INET -o $IDMZ -p tcp --sport 20:21 -j ACCEPT

the server seems to respond remotely, but cannot login succesfully. I've configured proftpd.conf like this example (HOWTO : Create a FTP server with user access (proftpd) - Ubuntu Forums) but without aliases, syslog.log says that I must check the ServerType directive (standalone) and that cannot bind to 0.0.0.0:21 (addr already in use)

(2) I want it to be accessible from the local network, ruleset

Code:

iptables -t nat -A PREROUTING -i $ILOC -p tcp --dport 20 -j DNAT --to-destination $DMZ:20
iptables -t nat -A PREROUTING -i $ILOC -p tcp --dport 21 -j DNAT --to-destination $DMZ:21

iptables -A FORWARD -s $XLOC -d $DMZ -p tcp -m state --state NEW,ESTABLISHED -j ACCEPT
iptables -A FORWARD -s $DMZ -d $XLOC -p tcp -m state --state ESTABLISHED,RELATED -j ACCEPT

but the firewall stops the connection

(3) Apart from my server, I want to access remote FTP servers from the LAN, ruleset

Code:

iptables -A FORWARD -i $ILOC -o $INET -p tcp --dport 20:21 -j ACCEPT
iptables -A FORWARD -i $INET -o $ILOC -m state --state ESTABLISHED,RELATED -p tcp --sport 20:21 -j ACCEPT

iptables -A FORWARD -i $ILOC -o $INET -m state --state NEW,ESTABLISHED,RELATED -p tcp --dport 1024:65535 -j ACCEPT
iptables -A FORWARD -i $INET -o $ILOC -m state --state ESTABLISHED -p tcp --sport 1024:65535 --dport 1024:65535 -j ACCEPT

but I can only do it in passive mode, how to enable active mode?

thanks for the help...

jordib · 04-26-2008, 06:07 PM

The access to the DMZ ports http & ftp from the LAN works now good, now I must forward the ports from the external router (192.168.3.1), configuring, as it states, the "virtual servers".

The firewall (NET: 192.168.3.2, LOC: 192.168.1.1, DMZ: 192.168.2.1) is configured to forward the packets that enter the NET iface:

Code:

iptables -t -nat -A PREROUTING -i $INET -p tcp --dport 80 -j DNAT --to-destination $DMZ:80

(followed by the rule forwarding the ftp service)

I've tried almost every combination. Either launching the ports 80 and 21 to the DMZ (192.168.2.2) or launcing them to the NET iface of the firewall does not work from the internet. Remotely, it seems as if there where no servers (reaching timeouts). I have a static IP.

I think the problem is in the external DSL router redirection, the monitoring software running in the firewall show no incoming packets when I try to open a remote connection. It is a Comtrend CT-5071.

The CT-5071 also allows defining the DMZ host for redirecting the packets that do not belong to any of the protocols stated in the virtual servers list, but this option makes no difference.

What am I missing?

jordib · 05-04-2008, 02:46 PM

New discussion:

http://www.linuxquestions.org/questi...4/#post3142503