Hello,
I'm setting up a public services subnetwork and I need some help with iptables. This is what I manage:
Firewall (Debian 4.0r3) with 3 NICs:
eth0 NET, interface "INET", subnet 192.168.3.0/24, connected to a DSL router that has a public static IP address.
eth1 DMZ, interface "IDMZ", subnet 192.168.2.0/24, only one machine
eth2 LOC, interface "ILOC", subnet 192.168.1.0/24 (XLOC)
The default policy for INPUT, OUTPUT, FORWARD chains (and PRE/POST-ROUTING) is DROP.
The firewall masquerades everything that comes from the LOC and DMZ subnets going to the Internet. The module ip_conntrack_ftp is loaded. Every outbound connection from LOC works fine, but FTP doesn't.
I'm having problems with an FTP server (proFTPd) serving in the DMZ.
(1)
I want it to be a public server, but I'm not able to access it from the Internet. Ruleset:
Code:
iptables -t nat -A PREROUTING -i $INET -p tcp --dport 20 -j DNAT --to-destination $DMZ:20
iptables -t nat -A PREROUTING -i $INET -p tcp --dport 21 -j DNAT --to-destination $DMZ:21
iptables -A FORWARD -i $IDMZ -o $INET -p tcp --dport 20:21 -j ACCEPT
iptables -A FORWARD -i $INET -o $IDMZ -p tcp --sport 20:21 -j ACCEPT
The server seems to respond remotely, but I cannot log in successfully. I've configured proftpd.conf like this example (HOWTO : Create a FTP server with user access (proftpd) - Ubuntu Forums) but without aliases; syslog.log says that I must check the ServerType directive (standalone) and that it cannot bind to 0.0.0.0:21 (addr already in use).
(2)
I want it to be accessible from the local network. Ruleset:
Code:
iptables -t nat -A PREROUTING -i $ILOC -p tcp --dport 20 -j DNAT --to-destination $DMZ:20
iptables -t nat -A PREROUTING -i $ILOC -p tcp --dport 21 -j DNAT --to-destination $DMZ:21
iptables -A FORWARD -s $XLOC -d $DMZ -p tcp -m state --state NEW,ESTABLISHED -j ACCEPT
iptables -A FORWARD -s $DMZ -d $XLOC -p tcp -m state --state ESTABLISHED,RELATED -j ACCEPT
but the firewall stops the connection.
(3)
Apart from my server, I want to access remote FTP servers from the LAN. Ruleset:
Code:
iptables -A FORWARD -i $ILOC -o $INET -p tcp --dport 20:21 -j ACCEPT
iptables -A FORWARD -i $INET -o $ILOC -m state --state ESTABLISHED,RELATED -p tcp --sport 20:21 -j ACCEPT
iptables -A FORWARD -i $ILOC -o $INET -m state --state NEW,ESTABLISHED,RELATED -p tcp --dport 1024:65535 -j ACCEPT
iptables -A FORWARD -i $INET -o $ILOC -m state --state ESTABLISHED -p tcp --sport 1024:65535 --dport 1024:65535 -j ACCEPT
but I can only do it in passive mode. How do I enable active mode?
Thanks for the help...
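Added by the editor, not part of the original post: a complete ruleset for the three-NIC topology described above, written as an iptables-restore file so the three cases (public access to the DMZ server, LAN access to it, and LAN clients using remote servers in active mode) are handled by one consistent set of rules. The security-relevant points it demonstrates are that the NAT helper ip_nat_ftp has to be loaded next to ip_conntrack_ftp (the conntrack helper only tracks the control channel; without the NAT helper the addresses inside PORT and PASV are never rewritten, so active mode through a masquerading firewall fails), that a single ESTABLISHED,RELATED rule in FORWARD then admits every helper-tracked data connection in either direction, and that only the control port and the server's passive range need to be published with DNAT. Interface names and subnets are taken from the post; the DMZ host address 192.168.2.2 and the passive range 49152-49200 (which must match a PassivePorts directive in proftpd.conf) are assumptions, as are the INPUT/OUTPUT rules for the firewall itself. The DSL router in front must forward TCP 21 and that passive range to the firewall's eth0 address; the router's own NAT is outside this example.

```shell
#!/bin/sh
# Added example, not the original poster's rules: a complete iptables-restore
# ruleset for the three-NIC firewall described in the post (Debian 4.0,
# kernel 2.6.18 module names). Assumptions: the FTP host in the DMZ is
# 192.168.2.2 and proftpd is configured with "PassivePorts 49152 49200".

INET=eth0          # towards the DSL router
IDMZ=eth1          # DMZ
ILOC=eth2          # LAN
XLOC=192.168.1.0/24
DMZ=192.168.2.2    # assumed address of the proftpd host
PASV=49152:49200   # assumed PassivePorts range from proftpd.conf

# Print the ruleset in iptables-restore format on stdout.
build_ruleset() {
cat <<EOF
*nat
:PREROUTING ACCEPT [0:0]
:POSTROUTING ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
# Publish the control port and the passive data range to the DMZ host.
# Port 20 needs no DNAT: in active mode the server opens that connection
# itself, and ip_nat_ftp marks it RELATED to the control connection.
-A PREROUTING -i $INET -p tcp --dport 21 -j DNAT --to-destination $DMZ
-A PREROUTING -i $INET -p tcp --dport $PASV -j DNAT --to-destination $DMZ
# Masquerade LAN and DMZ traffic leaving towards the Internet.
-A POSTROUTING -o $INET -j MASQUERADE
COMMIT
*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT DROP [0:0]
# Firewall itself: loopback plus replies to what it started.
-A INPUT -i lo -j ACCEPT
-A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
-A OUTPUT -o lo -j ACCEPT
-A OUTPUT -m state --state NEW,ESTABLISHED,RELATED -j ACCEPT
# Forwarded traffic: one state rule covers every reply and every FTP data
# connection (active or passive, either direction) that the ftp helper has
# tied to a tracked control connection.
-A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT
-A FORWARD -m state --state INVALID -j DROP
# (1) Internet -> DMZ FTP server: control port and passive range, after DNAT.
-A FORWARD -i $INET -o $IDMZ -d $DMZ -p tcp --dport 21 -m state --state NEW -j ACCEPT
-A FORWARD -i $INET -o $IDMZ -d $DMZ -p tcp --dport $PASV -m state --state NEW -j ACCEPT
# (2) LAN -> DMZ FTP server, addressed directly as $DMZ (the firewall routes
# between the two subnets, so no DNAT is needed on this path).
-A FORWARD -i $ILOC -o $IDMZ -s $XLOC -d $DMZ -p tcp --dport 21 -m state --state NEW -j ACCEPT
-A FORWARD -i $ILOC -o $IDMZ -s $XLOC -d $DMZ -p tcp --dport $PASV -m state --state NEW -j ACCEPT
# (3) LAN -> Internet, remote FTP servers included. Active mode works because
# ip_nat_ftp rewrites the client's PORT command to the masqueraded address
# and the server's connection from port 20 back to the client is RELATED.
-A FORWARD -i $ILOC -o $INET -s $XLOC -m state --state NEW -j ACCEPT
COMMIT
EOF
}

# The conntrack helper alone only tracks; without the NAT helper the
# addresses inside PORT/PASV are never rewritten and active mode fails.
# On kernels from 2.6.20 onwards the modules are nf_conntrack_ftp and nf_nat_ftp.
load_helpers() {
    modprobe ip_conntrack_ftp && modprobe ip_nat_ftp
}

# iptables-restore replaces the nat and filter tables atomically with the
# ruleset above, so no manual flush is needed.
apply_ruleset() {
    load_helpers && build_ruleset | iptables-restore
}

# Run as root with --apply to load it; call build_ruleset alone to review
# the generated rules first.
if [ "${1:-}" = "--apply" ]; then
    apply_ruleset
fi
```

Review the output of build_ruleset before applying; the nat-table chains keep policy ACCEPT because that table only sees the first packet of each connection and all filtering is done in the filter table. The OUTPUT chain is opened for connections the firewall itself starts (DNS, package updates); tighten it if the box should be forwarding only.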