Port forwarding

11-01-2013, 06:30 AM | #1 | LQ Newbie | Registered: Feb 2011 | Posts: 15
Hi, All!
I have a problem with forwarding IP ports on my firewall. They are an FTP server and a SharePoint server, both residing on a Windows Server on my intranet, that I need to make accessible from the internet. A little while ago I did the trick with port forwarding to a SQL server and it worked out just fine. It does not work now with the two servers. Here are the rules I use now:
It's for the FTP server:
Code:
-A PREROUTING -d xx.xx.xx.xx -p tcp -m tcp --dport 1021 -j DNAT --to-destination 192.168.2.71
-A FORWARD -d 192.168.2.71 -p tcp --dport 1021 -j ACCEPT
And it's for the SharePoint:
Code:
-A PREROUTING -d xx.xx.xx.xx -p tcp -m tcp --dport 9000 -j DNAT --to-destination 192.168.2.71:80
-A FORWARD -d 192.168.2.71 -p tcp --dport 80 -j ACCEPT
Thanks in advance
Last edited by Shakin_Aleksey; 11-01-2013 at 06:31 AM.
11-01-2013, 08:59 AM | #2 | Senior Member | Registered: Jan 2012 | Distribution: Slackware | Posts: 3,348
There's nothing obviously wrong with your iptables rules. The FTP connection probably won't be picked up by the FTP ALG module since you're using a non-standard port number. Active FTP may or may not work depending on your firewall settings, and passive FTP will most likely just hang, but you should still be able to log on.
Could you provide some detail? "It does not work" doesn't really tell us much. What kind of error messages are you getting, if any? Do the TCP ports appear to be open or closed from the outside?
(BTW, exposing an SQL server to the Internet sounds like a really dangerous idea, security-wise.)
Last edited by Ser Olmy; 11-01-2013 at 09:05 AM.
11-05-2013, 04:50 AM | #3 | LQ Newbie | Original Poster | Registered: Feb 2011 | Posts: 15
The FTP server works fine on the local network. Here is the full log of an attempted connection from the internet:
Code:
----------
Connect to: (05.11.2013 13:33:04)
hostname=xx.xx.xx.xx:1021
username=anonymous
startdir=
xx.xx.xx.xx=00.00.00.00
220 Microsoft FTP Service
USER anonymous
331 Anonymous access allowed, send identity (e-mail name) as password.
PASS ***********
230 User logged in.
SYST
215 Windows_NT
FEAT
211-Extended features supported:
LANG EN*
UTF8
AUTH TLS;TLS-C;SSL;TLS-P;
PBSZ
PROT C;P;
CCC
HOST
SIZE
MDTM
REST STREAM
211 END
HELP SITE
214 Syntax: SITE - (site-specific commands)
OPTS UTF8 ON
200 OPTS UTF8 command successful - UTF8 encoding now ON.
Connect ok!
PWD
257 "/" is current directory.
Get directory
TYPE A
200 Type set to A.
PORT 217,23,133,170,194,60
200 PORT command successful.
LIST
150 Opening ASCII mode data connection.
Download
Cancel pressed!
As I can see, it hangs on the "LIST" command. Why is that?
A port scanner can connect to the port from the internet.
Thanks
Last edited by Shakin_Aleksey; 11-05-2013 at 05:05 AM.
11-05-2013, 07:35 AM | #4 | Senior Member | Registered: Jan 2012 | Distribution: Slackware | Posts: 3,348
Quote:
Originally Posted by Shakin_Aleksey
As I can see, it hangs on the "LIST" command. Why is that?
The FTP protocol uses a separate connection for data transfers. The source port number (on the server side) is usually 20, while a random high port is used on the client side.
The FTP conntrack module (ALG) can open and close ports as needed, while the FTP NAT module can rewrite IP addresses and port numbers in the PORT commands. However, by default they only look for FTP command traffic on TCP port 21.
The client sends a PORT command to the server, telling it the IP address and port number of the data connection. Since this command is sent on a TCP connection to port 1021 rather than port 21, it isn't picked up by the FTP ALG on the firewall. My guess is that when the server then tries to open this secondary connection to send the results of the LIST command, it gets blocked by the firewall.
You have two options:
- add a "ports" parameter to the nf_conntrack_ftp module, specifying 1021 as an alternate port. Typically, you'll have to add the line `options nf_conntrack_ftp ports=21,1021` to a configuration file somewhere (typically a file in /etc/modprobe.d/, but check the documentation for your distribution)
- allow all traffic from and to the data port on the FTP server (you'll have to figure out which port the FTP server uses, and it still might not work if the server uses a dynamic port number)
I would recommend the first alternative. You can do a quick test by running the following commands as root:
Code:
rmmod nf_nat_ftp                          # the NAT helper depends on the conntrack helper, so unload it first
rmmod nf_conntrack_ftp
modprobe nf_conntrack_ftp ports=21,1021   # reload the conntrack helper watching both control ports
modprobe nf_nat_ftp                       # reload the NAT helper on top of it
1 member found this post helpful.
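The mechanism described in the post above (the helper only sees control connections on the ports it was told about, and without it the server's data connection back to the client is just an unexpected NEW connection) can be made concrete with a small model. The following is an added example written for this thread; it is not code from the original posts and not the kernel's own implementation. It parses the client's PORT command and the server's 227 passive reply the way nf_conntrack_ftp does, records an "expectation" for the data connection, and then classifies the server's dial-back as RELATED or NEW. The control port 1021, the server address 192.168.2.71 and the PORT argument are taken from the log posted above; the `loose=` behaviour and the sender-address check are simplified from the kernel helper, and the passive-mode reply used in the test is constructed.

```python
"""Toy model of the Netfilter FTP helper (nf_conntrack_ftp) and its ports=
parameter.  Added example for this thread, not the kernel's code."""
import re
from dataclasses import dataclass
from typing import Optional, Set, Tuple

# FTP carries a data-channel endpoint in two places:
#   client -> server : "PORT h1,h2,h3,h4,p1,p2"                        (active)
#   server -> client : "227 Entering Passive Mode (h1,h2,h3,h4,p1,p2)"  (passive)
_SIX = r"(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3})"
PORT_RE = re.compile(r"^PORT " + _SIX + r"\s*$")
PASV_RE = re.compile(r"^227 [^(]*\(" + _SIX + r"\)")


def _hostport(fields: Tuple[str, ...]) -> Tuple[str, int]:
    vals = [int(f) for f in fields]
    if any(v > 255 for v in vals):
        raise ValueError("FTP endpoint field out of range")
    h1, h2, h3, h4, p1, p2 = vals
    return f"{h1}.{h2}.{h3}.{h4}", p1 * 256 + p2


def parse_port_command(line: str) -> Tuple[str, int]:
    """'PORT 217,23,133,170,194,60' -> ('217.23.133.170', 49724)."""
    m = PORT_RE.match(line)
    if m is None:
        raise ValueError(f"not a PORT command: {line!r}")
    return _hostport(m.groups())


def parse_pasv_reply(line: str) -> Tuple[str, int]:
    """'227 Entering Passive Mode (192,168,2,71,195,80)' -> ('192.168.2.71', 50000)."""
    m = PASV_RE.match(line)
    if m is None:
        raise ValueError(f"not a 227 reply: {line!r}")
    return _hostport(m.groups())


@dataclass(frozen=True)
class Expectation:
    """A data connection the helper expects; src_port None = any (passive mode)."""
    src_ip: str
    src_port: Optional[int]
    dst_ip: str
    dst_port: int


class FtpHelperModel:
    def __init__(self, ports=(21,), loose=False):
        self.ports = set(ports)   # the module's ports= parameter
        self.loose = loose        # the module's loose= parameter
        self.expectations: Set[Expectation] = set()

    def observe(self, ctrl_dport: int, sender_ip: str, peer_ip: str, line: str) -> bool:
        """Feed one control-channel line.  Returns True if an expectation was set up."""
        if ctrl_dport not in self.ports:
            return False                  # helper is not attached to this connection
        if line.startswith("PORT "):
            ip, port = parse_port_command(line)
            src_port: Optional[int] = 20  # active: the server dials back from port 20
        elif line.startswith("227 "):
            ip, port = parse_pasv_reply(line)
            src_port = None               # passive: the client dials from any port
        else:
            return False
        # Like the kernel, refuse to open a hole towards an address other than
        # the sender's own (third-party hole punching) unless loose=1 was set.
        if ip != sender_ip and not self.loose:
            return False
        self.expectations.add(Expectation(peer_ip, src_port, ip, port))
        return True

    def classify(self, src_ip: str, src_port: int, dst_ip: str, dst_port: int) -> str:
        """'RELATED' (accepted by a RELATED,ESTABLISHED rule) or 'NEW'."""
        for e in self.expectations:
            if (e.src_ip, e.dst_ip, e.dst_port) == (src_ip, dst_ip, dst_port) \
                    and e.src_port in (None, src_port):
                return "RELATED"
        return "NEW"


def simulate_thread_case(helper_ports) -> str:
    """Replay the posted session: control channel to 192.168.2.71:1021,
    client 217.23.133.170 sends PORT, server dials back from port 20."""
    client, server = "217.23.133.170", "192.168.2.71"
    helper = FtpHelperModel(ports=helper_ports)
    helper.observe(1021, sender_ip=client, peer_ip=server,
                   line="PORT 217,23,133,170,194,60")
    return helper.classify(server, 20, client, 49724)


if __name__ == "__main__":
    print("ports=21      :", simulate_thread_case((21,)))       # NEW -> blocked
    print("ports=21,1021 :", simulate_thread_case((21, 1021)))  # RELATED -> allowed
```

Two checks worth doing on a real firewall once the helper is loaded with the extra port: the FORWARD chain needs a rule such as `-m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT` so the expected data connection is actually admitted (the rules in the first post only accept NEW connections to ports 1021 and 80), and on kernels from 4.7 onwards helpers are no longer attached to connections automatically (net.netfilter.nf_conntrack_helper defaults to 0), so the control port must be tied to the helper explicitly with a rule like `iptables -t raw -A PREROUTING -p tcp --dport 1021 -j CT --helper ftp`.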
11-06-2013, 05:02 AM | #5 | LQ Newbie | Original Poster | Registered: Feb 2011 | Posts: 15
Yes, the first method works!
Thank you very much!