* ftp forwarding
@ 2002-11-18 9:47 Wasim Bashir
0 siblings, 0 replies; 22+ messages in thread
From: Wasim Bashir @ 2002-11-18 9:47 UTC (permalink / raw)
To: netfilter
Hi,
I've been trying to forward port 21 to an ftp server on another machine, IP
address 10.0.0.199.
eth1 - external (connected to the net)
eth0 - internal
/sbin/iptables -A FORWARD -p tcp -i eth1 --dport 21 -j ACCEPT
/sbin/iptables -A PREROUTING -t nat -p tcp -i eth1 --dport 21 -j DNAT --to \
10.0.0.199:21
but can't get it to work..
any ideas ?
^ permalink raw reply [flat|nested] 22+ messages in thread
* FTP Forwarding
@ 2002-11-22 10:08 Bantam
2002-11-22 10:24 ` Alexey Sheshka
` (4 more replies)
0 siblings, 5 replies; 22+ messages in thread
From: Bantam @ 2002-11-22 10:08 UTC (permalink / raw)
To: netfilter
Hi,
I've been trying to forward port 21 to an ftp server on another machine, IP
address 10.0.0.199.
eth1 - external (connected to the net)
eth0 - internal
/sbin/iptables -A FORWARD -p tcp -i eth1 --dport 21 -j ACCEPT
/sbin/iptables -A PREROUTING -t nat -p tcp -i eth1 --dport 21 -j DNAT --to \
10.0.0.199:21
but can't get it to work..
any ideas ?
Thanks
Wasim
* Re: FTP Forwarding
2002-11-22 10:08 Bantam
@ 2002-11-22 10:24 ` Alexey Sheshka
2002-11-22 10:26 ` Alexey Sheshka
` (3 subsequent siblings)
4 siblings, 0 replies; 22+ messages in thread
From: Alexey Sheshka @ 2002-11-22 10:24 UTC (permalink / raw)
To: netfilter
On Fri, 22 Nov 2002 10:08:16 -0000
Bantam <netfilter@end.yorks.com> wrote:
> Hi,
>
> I've been trying to forward port 21 to an ftp server on another machine, IP
> address 10.0.0.199.
>
> eth1 - external (connected to the net)
> eth0 - internal
>
> /sbin/iptables -A FORWARD -p tcp -i eth1 --dport 21 -j ACCEPT
> /sbin/iptables -A PREROUTING -t nat -p tcp -i eth1 --dport 21 -j DNAT --to \
> 10.0.0.199:21
>
> but can't get it to work..
>
> any ideas ?
>
FTP is a complex protocol.
http://www.freesoft.org/CIE/Topics/69.htm
> Thanks
>
> Wasim
>
>
>
--
Sheshka Aleksey
Senior Security Administrator
PGP key : http://pgp.dtype.org:11371/pks/lookup?op=get&search=0x0BE90515
* Re: FTP Forwarding
2002-11-22 10:08 Bantam
2002-11-22 10:24 ` Alexey Sheshka
@ 2002-11-22 10:26 ` Alexey Sheshka
2002-11-22 10:31 ` Stewart Thompson
` (2 subsequent siblings)
4 siblings, 0 replies; 22+ messages in thread
From: Alexey Sheshka @ 2002-11-22 10:26 UTC (permalink / raw)
To: netfilter
On Fri, 22 Nov 2002 10:08:16 -0000
Bantam <netfilter@end.yorks.com> wrote:
> Hi,
>
> I've been trying to forward port 21 to an ftp server on another machine, IP
> address 10.0.0.199.
>
> eth1 - external (connected to the net)
> eth0 - internal
>
> /sbin/iptables -A FORWARD -p tcp -i eth1 --dport 21 -j ACCEPT
> /sbin/iptables -A PREROUTING -t nat -p tcp -i eth1 --dport 21 -j DNAT --to \
> 10.0.0.199:21
>
> but can't get it to work..
>
> any ideas ?
>
FTP is a complex protocol.
http://www.freesoft.org/CIE/Topics/69.htm
> Thanks
>
> Wasim
>
>
>
--
Sheshka Aleksey
Senior Security Administrator
PGP key : http://pgp.dtype.org:11371/pks/lookup?op=get&search=0x0BE90515
* RE: FTP Forwarding
2002-11-22 10:08 Bantam
2002-11-22 10:24 ` Alexey Sheshka
2002-11-22 10:26 ` Alexey Sheshka
@ 2002-11-22 10:31 ` Stewart Thompson
2002-11-22 10:37 ` Wasim Bashir
2002-11-22 10:34 ` Rob Sterenborg
2002-11-22 11:53 ` Erdal Mutlu
4 siblings, 1 reply; 22+ messages in thread
From: Stewart Thompson @ 2002-11-22 10:31 UTC (permalink / raw)
To: Bantam, netfilter
Wasim:
If you do an lsmod, does it show that
ip_nat_ftp and ip_conntrack_ftp are loaded?
They are required to make ftp work through nat.
Also what Linux Distro and Iptables are you using?
Stu.........
* RE: FTP Forwarding
2002-11-22 10:08 Bantam
` (2 preceding siblings ...)
2002-11-22 10:31 ` Stewart Thompson
@ 2002-11-22 10:34 ` Rob Sterenborg
2002-11-22 11:53 ` Erdal Mutlu
4 siblings, 0 replies; 22+ messages in thread
From: Rob Sterenborg @ 2002-11-22 10:34 UTC (permalink / raw)
To: 'Bantam', netfilter
> /sbin/iptables -A FORWARD -p tcp -i eth1 --dport 21 -j ACCEPT
> /sbin/iptables -A PREROUTING -t nat -p tcp -i eth1 --dport 21 \
> -j DNAT --to 10.0.0.199:21
Do you also have something like:
/sbin/iptables -A FORWARD -m state --state RELATED,ESTABLISHED -j ACCEPT
Rob
* RE: FTP Forwarding
2002-11-22 10:31 ` Stewart Thompson
@ 2002-11-22 10:37 ` Wasim Bashir
2002-11-22 11:08 ` Stewart Thompson
0 siblings, 1 reply; 22+ messages in thread
From: Wasim Bashir @ 2002-11-22 10:37 UTC (permalink / raw)
To: stewart.thompson, 'Bantam', 'netfilter'
Hi,
Neither ip_nat_ftp nor ip_conntrack_ftp is loaded; how do I load these?
I'm using Red Hat 8.
Regards,
Wasim
* RE: FTP Forwarding
2002-11-22 10:37 ` Wasim Bashir
@ 2002-11-22 11:08 ` Stewart Thompson
2002-11-22 11:47 ` Wasim Bashir
0 siblings, 1 reply; 22+ messages in thread
From: Stewart Thompson @ 2002-11-22 11:08 UTC (permalink / raw)
To: wasim.bashir, 'Bantam', 'netfilter'
Wasim:
Put the following lines at the beginning of your script
/sbin/insmod ip_conntrack_ftp
/sbin/insmod ip_nat_ftp
That is the path on my system. Do a which insmod to
make sure that is right for your system. I am not running 8.0 on
any of the systems I look after. Theoretically, the system should
load them when they are all referenced. However, I specifically load
all the ones I need in my firewall script. Also, see Rob's rule for
related and established. Also, if you want people to be able to
initiate FTP sessions from outside your network, you will also need
to allow new connections. Hope that helps.
Stu.............
* RE: FTP Forwarding
2002-11-22 11:08 ` Stewart Thompson
@ 2002-11-22 11:47 ` Wasim Bashir
0 siblings, 0 replies; 22+ messages in thread
From: Wasim Bashir @ 2002-11-22 11:47 UTC (permalink / raw)
To: stewart.thompson, 'netfilter'
Hi,
Many thanks for your help, got it all working!!!
Thanks
Wasim
* Re: FTP Forwarding
2002-11-22 10:08 Bantam
` (3 preceding siblings ...)
2002-11-22 10:34 ` Rob Sterenborg
@ 2002-11-22 11:53 ` Erdal Mutlu
4 siblings, 0 replies; 22+ messages in thread
From: Erdal Mutlu @ 2002-11-22 11:53 UTC (permalink / raw)
To: Bantam; +Cc: netfilter
Hello,
On Fri, 22 Nov 2002, Bantam wrote:
> Hi,
>
> I've been trying to forward port 21 to an ftp server on another machine, IP
> address 10.0.0.199.
>
> eth1 - external (connected to the net)
> eth0 - internal
>
> /sbin/iptables -A FORWARD -p tcp -i eth1 --dport 21 -j ACCEPT
> /sbin/iptables -A PREROUTING -t nat -p tcp -i eth1 --dport 21 -j DNAT --to \
> 10.0.0.199:21
>
> but can't get it to work..
>
> any ideas ?
>
> Thanks
>
> Wasim
I think you need to specify -o eth0 in the FORWARD table like this:
/sbin/iptables -A FORWARD -p tcp -i eth1 -o eth0 --dport 21 -j ACCEPT
You will also need:
/sbin/iptables -A FORWARD -p tcp -i eth0 -o eth1 --sport 21 -j ACCEPT
for packets coming from your ftp server.
Generally for FTP connections you will also need to forward port 20, the
ftp data stream.
Is your 10.0.0.199 serving the Internet, or is it only for the local network?
If it is for the Internet, then you need SNAT to a real IP on the
firewall.
I would suggest you use IP connection tracking instead:
ipt=iptables
GW_IP=...   # your firewall's IP on eth1 (a real IP)
### Enable ESTABLISHED,RELATED connections
$ipt -A FORWARD -i eth1 -o eth0 --match state --state ESTABLISHED,RELATED \
--jump ACCEPT
### Enable FTP data
$ipt -A FORWARD -i eth1 -o eth0 -p tcp -d 10.0.0.199 --dport 20 -m state \
--state NEW -j ACCEPT
### Enable FTP
$ipt -A FORWARD -i eth1 -o eth0 -p tcp -d 10.0.0.199 --dport 21 -m state \
--state NEW -j ACCEPT
### DNAT FTP data
$ipt -t nat -A PREROUTING -i eth1 -p tcp -d $GW_IP --dport 20 -j DNAT \
--to-destination 10.0.0.199:20
### DNAT FTP
$ipt -t nat -A PREROUTING -i eth1 -p tcp -d $GW_IP --dport 21 -j DNAT \
--to-destination 10.0.0.199:21
### SNAT
$ipt -t nat -A POSTROUTING -o eth1 -s 10.0.0.199 -j SNAT \
--to-source $GW_IP
Hope it helps.
Erdal Mutlu
* RE: FTP Forwarding
[not found] <FD8F124A387AD6119F7900A0D218B321541403@hslex01.hslbz.local>
@ 2002-11-22 12:02 ` Rob Sterenborg
2002-11-22 13:02 ` Roy Sigurd Karlsbakk
0 siblings, 1 reply; 22+ messages in thread
From: Rob Sterenborg @ 2002-11-22 12:02 UTC (permalink / raw)
To: 'Erdal Mutlu', 'Bantam'; +Cc: 'netfilter'
> You will also need:
>
> /sbin/iptables -A FORWARD -p tcp -i eth0 -o eth1 --sport 21 -j ACCEPT
Doesn't the "-m state --state RELATED,ESTABLISHED -j ACCEPT" take care of
all this ?
Rob
* Re: FTP Forwarding
2002-11-22 12:02 ` Rob Sterenborg
@ 2002-11-22 13:02 ` Roy Sigurd Karlsbakk
0 siblings, 0 replies; 22+ messages in thread
From: Roy Sigurd Karlsbakk @ 2002-11-22 13:02 UTC (permalink / raw)
To: Rob Sterenborg, 'Erdal Mutlu', 'Bantam'
Cc: 'netfilter'
On Friday 22 November 2002 13:02, Rob Sterenborg wrote:
> > You will also need:
> >
> > /sbin/iptables -A FORWARD -p tcp -i eth0 -o eth1 --sport 21 -j ACCEPT
>
> Doesn't the "-m state --state RELATED,ESTABLISHED -j ACCEPT" take care of
> all this ?
It does on my host. I'm doing DNATing of FTP too, and it works fine.
--
Roy Sigurd Karlsbakk, Datavaktmester
ProntoTV AS - http://www.pronto.tv/
Tel: +47 9801 3356
Computers are like air conditioners.
They stop working when you open Windows.
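The rule set the replies above converge on (the two FTP helper modules Stewart asks about, Rob's single RELATED,ESTABLISHED rule in place of a --sport 20 rule, Erdal's DNAT and SNAT), written out as an added example that is not from any post in this thread. It runs in dry-run mode (IPT defaults to "echo iptables" and MODPROBE to "echo modprobe"), so the rules can be read on a machine without root; set IPT=iptables and MODPROBE=modprobe to apply them. The interface names, the 198.51.100.10 gateway address and the lsmod listing are constructed placeholders. The module names ip_conntrack_ftp and ip_nat_ftp are the 2.4-era names used in the thread; current kernels call them nf_conntrack_ftp and nf_nat_ftp.

```shell
#!/bin/sh
# Added example (not from the thread): DNAT an external FTP control port to an
# internal server and let the conntrack FTP helper handle the data channel.
# Dry-run by default: IPT="echo iptables" prints rules instead of applying them.
set -eu

IPT="${IPT:-echo iptables}"
MODPROBE="${MODPROBE:-echo modprobe}"
EXT_IF="${EXT_IF:-eth1}"                 # interface facing the Internet
INT_IF="${INT_IF:-eth0}"                 # interface facing the LAN
FTP_SERVER="${FTP_SERVER:-10.0.0.199}"   # internal server from the thread
GW_IP="${GW_IP:-198.51.100.10}"          # constructed placeholder for the firewall's public address

# Constructed lsmod output (the thread suggests checking with lsmod).
SAMPLE_LSMOD="Module                  Size  Used by
ip_nat_ftp              3456  0
ip_conntrack_ftp        5120  1 ip_nat_ftp
iptable_nat            20480  1 ip_nat_ftp"

# Returns 0 when both FTP helper modules appear in the given lsmod listing.
ftp_helpers_loaded() {
    printf '%s\n' "$1" | grep -q '^ip_conntrack_ftp ' &&
        printf '%s\n' "$1" | grep -q '^ip_nat_ftp '
}

# Loads the two helpers named in the thread (2.4-era module names).
load_ftp_helpers() {
    $MODPROBE ip_conntrack_ftp
    $MODPROBE ip_nat_ftp
}

# Emits the rule set: filtering stays in the filter table, rewriting in nat.
ftp_forward_rules() {
    # Replies and the helper-tracked data connections (active or passive mode)
    # match RELATED,ESTABLISHED, so no separate --sport 20 rule is needed.
    $IPT -A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT
    # Only NEW connections to the control port are accepted inbound.
    $IPT -A FORWARD -i "$EXT_IF" -o "$INT_IF" -p tcp -d "$FTP_SERVER" --dport 21 \
        -m state --state NEW -j ACCEPT
    # Destination rewrite for the control port (-p tcp must precede --dport).
    $IPT -t nat -A PREROUTING -i "$EXT_IF" -p tcp -d "$GW_IP" --dport 21 \
        -j DNAT --to-destination "$FTP_SERVER:21"
    # Source rewrite so the server's own outbound traffic, including any
    # active-mode data connection it opens, leaves with the public address.
    $IPT -t nat -A POSTROUTING -o "$EXT_IF" -s "$FTP_SERVER" -j SNAT --to-source "$GW_IP"
}

# Stand-alone run: check the sample listing, load helpers if missing, print rules.
if ftp_helpers_loaded "$SAMPLE_LSMOD"; then
    echo "# both FTP helpers present in sample lsmod"
else
    load_ftp_helpers
fi
ftp_forward_rules
```

The ESTABLISHED,RELATED rule goes first and carries no interface match, so it also covers the reverse direction of every tracked connection; the only rule that needs the interfaces and the server address is the one admitting NEW control-channel connections.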
* FTP Forwarding
@ 2004-12-28 17:19 umar draz
2004-12-28 17:30 ` Jason Opperisano
0 siblings, 1 reply; 22+ messages in thread
From: umar draz @ 2004-12-28 17:19 UTC (permalink / raw)
To: Mr NetFilter
Hi Dear Members!
I have a Linux machine which is configured as a router.
My Linux router has 2 NICs, one with the public IP 202.147.167.99 and the other with the local IP 192.168.0.1.
I have another Linux machine which is configured as an FTP server, and that machine's IP is 192.168.0.5. Now I want this FTP server to be accessible to the whole world. So what kind of iptables rules need to be added on the Linux router so that if someone wants to access FTP on 202.147.167.99 it is automatically forwarded or redirected to my local machine 192.168.0.5?
Please help me in this regard
Thanks
Umar
* Re: FTP Forwarding
2004-12-28 17:19 FTP Forwarding umar draz
@ 2004-12-28 17:30 ` Jason Opperisano
2005-01-14 8:57 ` Test Mail
0 siblings, 1 reply; 22+ messages in thread
From: Jason Opperisano @ 2004-12-28 17:30 UTC (permalink / raw)
To: netfilter
On Tue, 2004-12-28 at 12:19, umar draz wrote:
> Hi Dear Members!
>
> I have a Linux machine which is configured as a router.
>
> My Linux router has 2 NICs, one with the public IP 202.147.167.99 and the other with the local IP 192.168.0.1.
> I have another Linux machine which is configured as an FTP server, and that machine's IP is 192.168.0.5. Now I want this FTP server to be accessible to the whole world. So what kind of iptables rules need to be added on the Linux router so that if someone wants to access FTP on 202.147.167.99 it is automatically forwarded or redirected to my local machine 192.168.0.5?
>
> Please help me in this regard
>
> Thanks
>
> Umar
modprobe ip_conntrack_ftp
modprobe ip_nat_ftp
iptables -t nat -A PREROUTING -i $EXT_IF -p tcp -d 202.147.167.99 \
--dport 21 -j DNAT --to-destination 192.168.0.5
iptables -A FORWARD -i $EXT_IF -o $INT_IF -p tcp --syn -d 192.168.0.5 \
--dport 21 -j ACCEPT
the above assumes you have a rule in FORWARD that accepts established
packets, such as:
iptables -A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT
hth...
-j
--
"Well, I'm tired of being a wannabe league bowler. I wanna be a
league bowler!"
--The Simpsons
* Re: FTP Forwarding
2004-12-28 17:30 ` Jason Opperisano
@ 2005-01-14 8:57 ` Test Mail
2005-01-14 11:38 ` Deepak Seshadri
2005-01-14 14:23 ` Jason Opperisano
0 siblings, 2 replies; 22+ messages in thread
From: Test Mail @ 2005-01-14 8:57 UTC (permalink / raw)
To: Netfilter Mailing List
Hi! Can I have a follow-up question regarding an FTP server inside an internal LAN
which can be seen from the Internet.....
Now what if the scenario is I want to restrict a specific public IP address
in using my FTP; what will be the rules that I should apply?
I was thinking of setting up a rule that will filter incoming public IP
address requests for FTP before it forwards them into my internal FTP server.
Below are the sample entry in my iptables:
iptables -t filter -A INPUT -p tcp -s $PublicIPAdd --dport 20:21 -j ACCEPT
<--- is this correct?
iptables -t filter -A INPUT -j DROP
Below are the previous solution that you gave.
modprobe ip_conntrack_ftp
modprobe ip_nat_ftp
iptables -t nat -A PREROUTING -i $EXT_IF -p tcp -d 202.147.167.99 \
--dport 21 -j DNAT --to-destination 192.168.0.5
iptables -A FORWARD -i $EXT_IF -o $INT_IF -p tcp --syn -d 192.168.0.5 \
--dport 21 -j ACCEPT
the above assumes you have a rule in FORWARD that accepts established
packets, such as:
iptables -A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT
hth...
-j
Thanks in advance!
Milo
* Re: FTP Forwarding
2005-01-14 8:57 ` Test Mail
@ 2005-01-14 11:38 ` Deepak Seshadri
2005-01-14 14:27 ` Jason Opperisano
2005-01-14 14:23 ` Jason Opperisano
1 sibling, 1 reply; 22+ messages in thread
From: Deepak Seshadri @ 2005-01-14 11:38 UTC (permalink / raw)
To: Test Mail, Netfilter Mailing List
iptables -t nat -A PREROUTING -i $EXT_IF -p tcp -s $PublicIPAdd -d 202.147.167.99 \
--dport 21 -j DNAT --to-destination 192.168.0.5
Deepak Seshadri
* Re: FTP Forwarding
2005-01-14 8:57 ` Test Mail
2005-01-14 11:38 ` Deepak Seshadri
@ 2005-01-14 14:23 ` Jason Opperisano
2005-01-17 7:31 ` TestMail
1 sibling, 1 reply; 22+ messages in thread
From: Jason Opperisano @ 2005-01-14 14:23 UTC (permalink / raw)
To: netfilter
On Fri, 2005-01-14 at 03:57, Test Mail wrote:
> Hi! Can I have a follow-up question regarding an FTP server inside an internal LAN
> which can be seen from the Internet.....
> Now what if the scenario is I want to restrict a specific public IP address
> in using my FTP; what will be the rules that I should apply?
>
> I was thinking of setting up a rule that will filter incoming public IP
> address requests for FTP before it forwards them into my internal FTP server.
>
> Below are the sample entry in my iptables:
> iptables -t filter -A INPUT -p tcp -s $PublicIPAdd --dport 20:21 -j ACCEPT
> <--- is this correct?
> iptables -t filter -A INPUT -j DROP
>
> Below are the previous solution that you gave.
>
> modprobe ip_conntrack_ftp
> modprobe ip_nat_ftp
>
> iptables -t nat -A PREROUTING -i $EXT_IF -p tcp -d 202.147.167.99 \
> --dport 21 -j DNAT --to-destination 192.168.0.5
>
> iptables -A FORWARD -i $EXT_IF -o $INT_IF -p tcp --syn -d 192.168.0.5 \
> --dport 21 -j ACCEPT
change that rule to something like:
iptables -A FORWARD -i $EXT_IF -o $INT_IF -p tcp --syn \
-s $PublicIPAdd -d 192.168.0.5 --dport 21 -j ACCEPT
repeat for multiple instances of $PublicIPAdd.
-j
--
"It's not easy to juggle a pregnant wife and a troubled child, but
somehow I managed to fit in eight hours of TV a day."
--The Simpsons
* Re: FTP Forwarding
2005-01-14 11:38 ` Deepak Seshadri
@ 2005-01-14 14:27 ` Jason Opperisano
2005-01-14 14:43 ` Deepak Seshadri
0 siblings, 1 reply; 22+ messages in thread
From: Jason Opperisano @ 2005-01-14 14:27 UTC (permalink / raw)
To: netfilter
On Fri, 2005-01-14 at 06:38, Deepak Seshadri wrote:
> iptables -t nat -A PREROUTING -i $EXT_IF -p tcp -s $PublicIPAdd -d 202.147.167.99 \
> --dport 21 -j DNAT --to-destination 192.168.0.5
personally--i don't believe in filtering in NAT. nat in NAT, and filter
in FILTER; that's why they're there. it makes the rule set much easier
to troubleshoot, and it saves you time a year from now when you look at
your rules and can't figure out why you can't FTP to that server from
some random IP address, since the FILTER rule is wide open.
-j
--
"Let us all bask in television's warm glowing warming glow."
--The Simpsons
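Jason's two points put together (match the permitted source in the filter table with one ACCEPT per address, and leave the nat rule unconditional), as an added example that is not from any post in this thread. It emits the rules in dry-run mode (IPT defaults to "echo iptables"), validates every allow-list entry before emitting anything, and ends with an explicit DROP so the restriction is visible in the table that enforces it. The interface names and the 203.0.113.7 and 198.51.100.0/24 allow-list entries are constructed placeholders; 202.147.167.99 and 192.168.0.5 are the addresses from the thread. DNAT rewrites only the destination, so -s in FORWARD still sees the client's public address, and FORWARD sees the post-DNAT destination 192.168.0.5.

```shell
#!/bin/sh
# Added example (not from the thread): restrict the forwarded FTP control port
# to an allow list of public sources, keeping the source match in the filter
# table and the DNAT rule unconditional. Dry-run by default (IPT="echo iptables").
set -eu

IPT="${IPT:-echo iptables}"
EXT_IF="${EXT_IF:-eth1}"
INT_IF="${INT_IF:-eth0}"
PUBLIC_IP="${PUBLIC_IP:-202.147.167.99}"     # router's public address (from the thread)
FTP_SERVER="${FTP_SERVER:-192.168.0.5}"      # internal FTP server (from the thread)

# Constructed allow list (documentation ranges); one address or CIDR per entry.
ALLOWED_SOURCES="203.0.113.7 198.51.100.0/24"

# Returns 0 for a dotted quad with an optional /0-32 prefix and octets <= 255.
# Validating up front avoids a half-applied ruleset when iptables rejects a
# malformed entry part-way through the script.
is_ipv4_cidr() {
    printf '%s' "$1" | grep -Eq '^([0-9]{1,3}\.){3}[0-9]{1,3}(/([0-9]|[12][0-9]|3[0-2]))?$' || return 1
    addr="${1%%/*}"
    old_ifs="$IFS"
    IFS=.
    set -- $addr
    IFS="$old_ifs"
    for octet in "$@"; do
        [ "$octet" -le 255 ] || return 1
    done
}

ftp_allow_rules() {
    # Check the whole list before touching any table.
    for src in $ALLOWED_SOURCES; do
        is_ipv4_cidr "$src" || { echo "invalid source entry: $src" >&2; return 1; }
    done
    # nat table: rewrite the destination for everyone; no -s here.
    $IPT -t nat -A PREROUTING -i "$EXT_IF" -p tcp -d "$PUBLIC_IP" --dport 21 \
        -j DNAT --to-destination "$FTP_SERVER"
    # filter table: one ACCEPT per permitted source ("repeat for multiple
    # instances of $PublicIPAdd"), matched on the post-DNAT destination.
    for src in $ALLOWED_SOURCES; do
        $IPT -A FORWARD -i "$EXT_IF" -o "$INT_IF" -p tcp --syn -s "$src" \
            -d "$FTP_SERVER" --dport 21 -j ACCEPT
    done
    # Any other attempt to open the control port is dropped right here, so the
    # allow list is complete in the filter table where it is enforced.
    $IPT -A FORWARD -i "$EXT_IF" -o "$INT_IF" -p tcp --syn -d "$FTP_SERVER" --dport 21 -j DROP
}

ftp_allow_rules
```

The closing DROP is what makes the allow list meaningful when the FORWARD chain's policy is ACCEPT or when a broad rule such as the ESTABLISHED,RELATED accept sits further down; with a DROP policy it is still useful as the place where rejected attempts can be logged.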
* RE: FTP Forwarding
2005-01-14 14:27 ` Jason Opperisano
@ 2005-01-14 14:43 ` Deepak Seshadri
0 siblings, 0 replies; 22+ messages in thread
From: Deepak Seshadri @ 2005-01-14 14:43 UTC (permalink / raw)
To: 'Jason Opperisano', netfilter
> -----Original Message-----
> From: netfilter-bounces@lists.netfilter.org [mailto:netfilter-
> bounces@lists.netfilter.org] On Behalf Of Jason Opperisano
> Sent: Friday, January 14, 2005 9:28 AM
> To: netfilter@lists.netfilter.org
> Subject: Re: FTP Forwarding
>
> On Fri, 2005-01-14 at 06:38, Deepak Seshadri wrote:
> > iptables -t nat -A PREROUTING -i $EXT_IF -p tcp -s $PublicIPAdd -d 202.147.167.99 \
> > --dport 21 -j DNAT --to-destination 192.168.0.5
>
> personally--i don't believe in filtering in NAT. nat in NAT, and filter
> in FILTER; that's why they're there. it makes the rule set much easier
> to troubleshoot, and it saves you time a year from now when you look at
> your rules and can't figure out why you can't FTP to that server from
> some random IP address, since the FILTER rule is wide open.
>
Hmm .... thank you for clarifying.
> -j
Deepak
* Re: FTP Forwarding
2005-01-14 14:23 ` Jason Opperisano
@ 2005-01-17 7:31 ` TestMail
2005-01-18 16:40 ` Jason Opperisano
0 siblings, 1 reply; 22+ messages in thread
From: TestMail @ 2005-01-17 7:31 UTC (permalink / raw)
To: Jason Opperisano; +Cc: Netfilter Mailing List
> change that rule to something like:
>
> iptables -A FORWARD -i $EXT_IF -o $INT_IF -p tcp --syn \
> -s $PublicIPAdd -d 192.168.0.5 --dport 21 -j ACCEPT
>
> repeat for multiple instances of $PublicIPAdd.
>
> -j
>
> --
> "It's not easy to juggle a pregnant wife and a troubled child, but
> somehow I managed to fit in eight hours of TV a day."
> --The Simpsons
>
I'm sorry, but I think this rule will not be the solution to my problem because
my FTP server is inside my internal network, and automatically my gateway
will "only" be the source from the -s $PublicIPAdd FORWARD rule parameter...
I think???
Below is my schematic of how I want it to be ..
1. Only the 202...1 IP address in my branch office should be allowed to use
my FTP server in my head office,
so incoming FTP requests should be filtered and only the 202....1 IP
address that is coming from my branch office should be allowed.
| Branch | eth0 202. .1 < external
|
|
| WAN |
|
|
|gateway:firewall:FCore2| eth0 192.168... < internal <<<<<<
| eth1 202........ <external
|
|
|Ftp Server:FCore2| eth0 192.168.0.5 < Internal
--------CUT ----------------------------------------------------------------
:::::2nd Question:::::
If I apply a policy >>>> iptables -P INPUT DROP
iptables -t filter -A INPUT -p tcp -s 192.168.0.1 -d 192.168.0.2 --dport 20:21 -j ACCEPT
does that mean only 192.168.0.1 will be allowed to use FTP and the rest will be
dropped???? Am I correct??
--------CUT-----------------------------------------------------------------
Thanks in advance.
Still learning iptables..
Milo
* RE: FTP Forwarding
@ 2005-01-18 15:49 Hudson Delbert J Contr 61 CS/SCBN
0 siblings, 0 replies; 22+ messages in thread
From: Hudson Delbert J Contr 61 CS/SCBN @ 2005-01-18 15:49 UTC (permalink / raw)
To: TestMail, Jason Opperisano; +Cc: Netfilter Mailing List
JASON,
Is this your network? Or is it the company's?
What I would suggest should be analyzed based on whose it is.
If it's your network, or it's the firm's and you can convince them, it
would be worth the effort: put a bastion FTP server on the outside,
lock it down and NEVER let the Internet inside; otherwise why even
have a firewall....
KISS principle..
Any other ideas the list comes up with will no doubt be of technical
assistance to you, but for a longer life do it this way.
Control types of traffic outbound and NEVER let the outside use internal
resources, ever.
~piranha
-----Original Message-----
From: netfilter-bounces@lists.netfilter.org
[mailto:netfilter-bounces@lists.netfilter.org]On Behalf Of TestMail
Sent: Sunday, January 16, 2005 11:32 PM
To: Jason Opperisano
Cc: Netfilter Mailing List
Subject: Re: FTP Forwarding
----- Original Message -----
From: "Jason Opperisano" <opie@817west.com>
To: <netfilter@lists.netfilter.org>
Sent: Friday, January 14, 2005 10:23 PM
Subject: Re: FTP Forwarding
> On Fri, 2005-01-14 at 03:57, Test Mail wrote:
> > Hi!Can i have a follow up question regarding FTP server inside internal
LAN
> > which can be seen in the internet.....
> > now what if the scenario is i want to restrict a specific Public IP
Address
> > in using my FTP what will be the rules that i should apply?
> >
> > I was thinking of setting up a rule that will filter incomming Public IP
> > Address request for ftp before it forwards it into my internal FTP
Server.
> >
> > Below are the sample entry in my iptables:
> > iptables -t filter -A INPUT -p tcp -s $PublicIPAdd --dport 20:21 -j ACCEPT
> > <--- is this correct?
> > iptables -t filter -A INPUT -j DROP
> >
> > Below are the previous solution that you gave.
> >
> > modprobe ip_conntrack_ftp
> > modprobe ip_nat_ftp
> >
> > iptables -t nat -A PREROUTING -i $EXT_IF -p tcp -d 202.147.167.99 \
> > --dport 21 -j DNAT --to-destination 192.168.0.5
> >
> > iptables -A FORWARD -i $EXT_IF -o $INT_IF -p tcp --syn -d 192.168.0.5 \
> > --dport 21 -j ACCEPT
>
> change that rule to something like:
>
> iptables -A FORWARD -i $EXT_IF -o $INT_IF -p tcp --syn \
> -s $PublicIPAdd -d 192.168.0.5 --dport 21 -j ACCEPT
>
> repeat for multiple instances of $PublicIPAdd.
>
> -j
>
> --
> "It's not easy to juggle a pregnant wife and a troubled child, but
> somehow I managed to fit in eight hours of TV a day."
> --The Simpsons
>
I'm sorry, but I think this rule will not be the solution to my problem because
my FTP server is inside my internal network, and automatically my gateway
will "only" be the source for the -s $PublicIPAdd FORWARD rule parameter...
I think???
Below is my schematic of how I want it to be:
1. Only the 202...1 IP address in my branch office should be allowed to use
my FTP server in my head office,
so incoming FTP requests should be filtered and only the 202....1 IP
address that is coming from my branch office should be allowed.
| Branch | eth0 202. .1 < external
|
|
| WAN |
|
|
|gateway:firewall:FCore2| eth0 192.168... < internal <<<<<<
| eth1 202........ <external
|
|
|Ftp Server:FCore2| eth0 192.168.0.5 < Internal
--------CUT ----------------------------------------------------------------
:::::2nd Question:::::
If I apply a policy >>>> iptables -P INPUT DROP
iptables -t filter -A INPUT -p tcp -s 192.168.0.1 -d 192.168.0.2 --dport 20:21 -j ACCEPT
does that mean only 192.168.0.1 will be allowed to use FTP and the rest will be
dropped???? Am I correct??
--------CUT-----------------------------------------------------------------
Thanks in advance.
Still learning iptables..
Milo
^ permalink raw reply [flat|nested] 22+ messages in thread
* Re: FTP Forwarding
2005-01-17 7:31 ` TestMail
@ 2005-01-18 16:40 ` Jason Opperisano
0 siblings, 0 replies; 22+ messages in thread
From: Jason Opperisano @ 2005-01-18 16:40 UTC (permalink / raw)
To: netfilter
On Mon, 2005-01-17 at 02:31, TestMail wrote:
> I'm sorry, but I think this rule will not be the solution to my problem because
> my FTP server is inside my internal network, and automatically my gateway
> will "only" be the source for the -s $PublicIPAdd FORWARD rule parameter...
> I think???
Either you or I misunderstand what $PublicIPAdd stands for.
> Below is my schematic of how I want it to be:
> 1. Only the 202...1 IP address in my branch office should be allowed to use
> my FTP server in my head office,
>
> so incoming FTP requests should be filtered and only the 202....1 IP
> address that is coming from my branch office should be allowed.
>
> | Branch | eth0 202. .1 < external
> |
> |
> | WAN |
> |
> |
> |gateway:firewall:FCore2| eth0 192.168... < internal <<<<<<
> | eth1 202........ <external
> |
> |
> |Ftp Server:FCore2| eth0 192.168.0.5 < Internal
Now that you've provided some more details:
iptables -A FORWARD -i eth1 -o eth0 -p tcp --syn \
-s 202.x.x.1 -d 192.168.0.5 --dport 21 -j ACCEPT
-j
--
"To alcohol: the cause of, and solution to, all of life's problems."
--The Simpsons
^ permalink raw reply [flat|nested] 22+ messages in thread
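The disagreement between TestMail and Jason comes down to what a packet looks like when it reaches FORWARD. DNAT in nat/PREROUTING rewrites only the destination address, so the packet the FORWARD rule sees still carries the branch office's source address, and `-s 202.x.x.1` matches the client, not the gateway. The same first-match model answers the second question about `-P INPUT DROP`. The Python below is an added example, not code from the list: it models that path for Jason's rule and for the INPUT ruleset in the second question. It assumes a companion `ESTABLISHED,RELATED` rule (a `--syn` rule admits only the first packet of a connection, and the ip_conntrack_ftp helper loaded earlier in the thread is what lets data connections through as RELATED), and it uses 202.0.0.1 as a stand-in for the elided branch address; both are constructed, as is the routing table.

```python
"""Model of the netfilter path the thread argues about: nat/PREROUTING (DNAT),
the routing decision, then filter/FORWARD for forwarded traffic, and a
filter/INPUT chain with a DROP policy for the second question.  Added
example, not code from the list; addresses marked constructed are assumptions."""
from dataclasses import dataclass, replace
from ipaddress import ip_address, ip_network
from typing import Optional


@dataclass(frozen=True)
class Packet:
    in_iface: str
    src: str
    dst: str
    dport: int
    syn: bool = True
    state: str = "NEW"          # what -m state would report for this packet


@dataclass(frozen=True)
class Rule:
    target: str                         # ACCEPT, DROP or DNAT
    in_iface: Optional[str] = None      # -i
    out_iface: Optional[str] = None     # -o
    src: Optional[str] = None           # -s, address or CIDR
    dst: Optional[str] = None           # -d
    dports: Optional[tuple] = None      # --dport lo:hi as (lo, hi)
    syn: Optional[bool] = None          # --syn
    states: Optional[frozenset] = None  # -m state --state ...
    to_dest: Optional[str] = None       # --to-destination, DNAT only

    def matches(self, p: Packet, out_iface: str = "") -> bool:
        return all((
            self.in_iface is None or p.in_iface == self.in_iface,
            self.out_iface is None or out_iface == self.out_iface,
            self.src is None or ip_address(p.src) in ip_network(self.src, strict=False),
            self.dst is None or ip_address(p.dst) in ip_network(self.dst, strict=False),
            self.dports is None or self.dports[0] <= p.dport <= self.dports[1],
            self.syn is None or p.syn == self.syn,
            self.states is None or p.state in self.states,
        ))


def route(dst: str) -> str:
    """Gateway routing from the diagram: 192.168.0.0/24 sits behind eth0,
    everything else leaves via eth1 (constructed)."""
    return "eth0" if ip_address(dst) in ip_network("192.168.0.0/24") else "eth1"


def run_chain(rules, policy: str, p: Packet, out_iface: str = "") -> str:
    """First matching rule wins, as in iptables; otherwise the chain policy."""
    for r in rules:
        if r.matches(p, out_iface):
            return r.target
    return policy


def forward(p: Packet, prerouting, forward_rules, policy: str = "DROP"):
    """DNAT rewrites only the destination, so the packet that reaches FORWARD
    still carries the branch office's source address; -s matches the client,
    not the gateway.  Returns the (possibly rewritten) packet and the verdict."""
    for r in prerouting:
        if r.target == "DNAT" and r.matches(p):
            p = replace(p, dst=r.to_dest)
            break
    return p, run_chain(forward_rules, policy, p, route(p.dst))


# Addresses from the thread; BRANCH stands in for the elided 202.x.x.1 (constructed).
PUBLIC_FTP = "202.147.167.99"
FTP_SERVER = "192.168.0.5"
BRANCH = "202.0.0.1"

PREROUTING = [Rule("DNAT", in_iface="eth1", dst=PUBLIC_FTP, dports=(21, 21),
                   to_dest=FTP_SERVER)]
FORWARD = [
    # Assumed companion rule: --syn admits only the first packet, and the ftp
    # helper hands data connections to the filter as RELATED.
    Rule("ACCEPT", states=frozenset({"ESTABLISHED", "RELATED"})),
    # Jason's rule from the thread.
    Rule("ACCEPT", in_iface="eth1", out_iface="eth0", src=BRANCH,
         dst=FTP_SERVER, dports=(21, 21), syn=True),
]

# Second question: -P INPUT DROP plus one accept for 192.168.0.1 -> 192.168.0.2.
INPUT = [Rule("ACCEPT", src="192.168.0.1", dst="192.168.0.2", dports=(20, 21))]
INPUT_WITH_HELPER = [Rule("ACCEPT", states=frozenset({"ESTABLISHED", "RELATED"}))] + INPUT


def input_verdict(p: Packet, rules=INPUT) -> str:
    return run_chain(rules, "DROP", p)


if __name__ == "__main__":
    for src in (BRANCH, "198.51.100.7"):
        p, v = forward(Packet("eth1", src, PUBLIC_FTP, 21), PREROUTING, FORWARD)
        print(f"{src} -> {p.dst}:{p.dport}  FORWARD {v}")
    # A passive-mode data connection arrives on a high port, not on 20 or 21.
    pasv = Packet("eth0", "192.168.0.1", "192.168.0.2", 50000, state="RELATED")
    print("PASV data, no helper rule:", input_verdict(pasv))
    print("PASV data, with RELATED :", input_verdict(pasv, INPUT_WITH_HELPER))
```

Run stand-alone it prints the verdicts for the branch address and for an unrelated public address. The second question is answered the same way: with the DROP policy only 192.168.0.1 reaches ports 20 and 21, but a passive-mode data connection lands on a server-chosen high port and is dropped unless the ftp helper plus an `ESTABLISHED,RELATED` accept rule is in place, which is why `--dport 20:21` on its own is not enough for FTP.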
Thread overview: 22+ messages
2004-12-28 17:19 FTP Forwarding umar draz
2004-12-28 17:30 ` Jason Opperisano
2005-01-14 8:57 ` Test Mail
2005-01-14 11:38 ` Deepak Seshadri
2005-01-14 14:27 ` Jason Opperisano
2005-01-14 14:43 ` Deepak Seshadri
2005-01-14 14:23 ` Jason Opperisano
2005-01-17 7:31 ` TestMail
2005-01-18 16:40 ` Jason Opperisano
-- strict thread matches above, loose matches on Subject: below --
2005-01-18 15:49 Hudson Delbert J Contr 61 CS/SCBN
[not found] <FD8F124A387AD6119F7900A0D218B321541403@hslex01.hslbz.local>
2002-11-22 12:02 ` Rob Sterenborg
2002-11-22 13:02 ` Roy Sigurd Karlsbakk
2002-11-22 10:08 Bantam
2002-11-22 10:24 ` Alexey Sheshka
2002-11-22 10:26 ` Alexey Sheshka
2002-11-22 10:31 ` Stewart Thompson
2002-11-22 10:37 ` Wasim Bashir
2002-11-22 11:08 ` Stewart Thompson
2002-11-22 11:47 ` Wasim Bashir
2002-11-22 10:34 ` Rob Sterenborg
2002-11-22 11:53 ` Erdal Mutlu
2002-11-18 9:47 ftp forwarding Wasim Bashir