Portforward from frontend machine to backend machine

dacz · 10-16-2008, 09:23 AM

Hi!

I have one machine with an public ip and a testserver(IP 10.10.6.4) on my network. To this testserver I need ftp connections from outside my lan on port 8121 (Zope ftp instance). Both machines runs debian etch.
I don't care about what software to use, as long as it is opensource. My research leeds to Iptables, but any suggestions to others are welcome.
When opening a ftp connection on local machine everything works perfekt!
I tried to configure iptables but ftp hangs after succesfull connection. I used following commands (remark SERVER is an alias):

Code:

# iptables -A FORWARD -i eth3 -p tcp --dport 8121 -d 10.10.6.4 -j ACCEPT
# iptables -t nat -A POSTROUTING -o eth3 -j MASQUERADE
# iptables -t nat -A PREROUTING -p tcp -d SERVER --dport 21 -j DNAT --to 10.10.6.4:8121

My ftp connection:

Code:

# ftp SERVER 21
Connected to yellow.headnet.dk.
220 0.0.0.0 FTP server (Medusa Async V41297 [experimental]) ready.
Name (yellow.headnet.dk:dacz): USER
331 Password required.
Password:
230 Login successful.
Remote system type is UNIX.
Using binary mode to transfer files.
ftp> ls
200 PORT command successful.
150 Opening ASCII mode data connection for file list

And then it hangs.
Does the ftp protocol use a port range er anything else than just current choosen 8121???

Does anyone have a suggstion to a solution?

Best regards and thanks!

Dacz

porzech · 10-16-2008, 12:51 PM

there are two modes of ftp conections
active - client opens control connection on port 21 to server and then (after authentication and so Server opens second conection in oposite direction on random high port specified by client at connection initialization time)
passive - client opens both control and data connection control connection is on port 21 and data connection on random portserver tells client the port when connection is initiated port range same as above)

for FTP to work in either mode with iptables You need to load additional module that tracks ftp conections and opens additional data forwarding channels as needed

Code:

# loading iptables and connection tracking 
 modprobe ip_tables
# Connection-Tracking-Module
 modprobe ip_conntrack
 modprobe ip_conntrack_ftp
 modprobe ip_nat_ftp
# -------------
 iptables -t nat -A PREROUTING -i Internet_interface -p tcp --dport 21 -j DNAT --to-destination ip_of_lan_ftp_server:8121
 iptables -A FORWARD -i Internet_interface -m state --state NEW -p tcp -d ip_of_lan_ftp_server --dport 8121 -j ACCEPT
# -------------
# connection tracking rules so server responses can get to ftp client 
 iptables -A OUTPUT -m state --state NEW,ESTABLISHED,RELATED -j ACCEPT
 iptables -A FORWARD -i ! Internet_interface -m state --state NEW,ESTABLISHED,RELATED -j ACCEPT
 iptables -A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT
 iptables -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT

this is very simple setup (writing from memory but it should work)

h8ck3rs · 10-16-2008, 12:55 PM

Try using PASV (passive) rather then active ftp. At the ftp prompt type "passive on"

For more info see:

http://www.slacksite.com/other/ftp.html

dacz · 11-05-2008, 06:15 AM

Ok now I'm back to this subject and after reading in the book
"LINUX FIREWALLS Attack Detection and Response with iptables, psad, and fwsnort" everything makes much more scene now

I have made a script and are now running ftp under passive-mode most of the time.
porzech you have a good memory because what you wrote was almost correct!

The script iptables.sh :

Code:

#!/bin/sh
IPTABLES=/sbin/iptables
MODPROBE=/sbin/modprobe
#INT_NET=10.10.6.0/24
### flush existing rules
echo "[+] Flushing existing iptables rules..."
$IPTABLES -F
$IPTABLES -F -t nat
$IPTABLES -X
### load connection-tracking modules
$MODPROBE iptable_nat
$MODPROBE ip_conntrack
### NOTE: If not working try with ports defined to ip_conntrack_ftp 21,8121
$MODPROBE ip_conntrack_ftp 
$MODPROBE ip_nat_ftp

######################## INPUT chain ########################
echo "[+] Setting up INPUT chain..."
$IPTABLES -A INPUT -m state --state NEW,ESTABLISHED,RELATED -j ACCEPT
######################## OUTPUT chain ######################
echo "[+] Setting up OUTPUT chain..."
$IPTABLES -A OUTPUT -m state --state NEW,ESTABLISHED,RELATED -j ACCEPT
######################## FORWARD chain #######################
echo "[+] Setting up FORWARD chain..."
$IPTABLES -A FORWARD -i ! eth3 -m state --state NEW,ESTABLISHED,RELATED -j ACCEPT
$IPTABLES -A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT 

######################## NAT rules ########################
echo "[+] Setting up NAT rules..."
$IPTABLES -t nat -A PREROUTING -i eth3 -p tcp --dport 8121 -j DNAT --to-destination 10.10.6.4:8121
$IPTABLES -t nat -A POSTROUTING -o eth3 -j MASQUERADE 
###### forwarding ######
echo "[+] Enabling IP forwarding..."
echo 1 > /proc/sys/net/ipv4/ip_forward

Thanks for the help by the way!

-== Dacz ==-