* ftp forward to internal machine
@ 2002-06-04 22:00 Travis Crook
  2002-06-04 22:12 ` Antony Stone
  0 siblings, 1 reply; 10+ messages in thread
From: Travis Crook @ 2002-06-04 22:00 UTC (permalink / raw)
  To: netfilter

Hello everyone,
    I have a firewall configured to forward port 80 traffic to an internal machine.  I was wondering if the same thing is possible with ftp traffic.  The rules I am using are as follows:

iptables -A PREROUTING -t nat -i EXTINF -p tcp -d 1.2.3.4 --dport 21 -j DNAT --to 192.168.2.5:21

iptables -A FORWARD -i EXTINF -p tcp -d 192.168.2.5 --dport 21 -j ACCEPT

iptables -A FORWARD -i EXTINF -o INTIF -p tcp --dport 21 -m state --state NEW,ESTABLISHED,RELATED -j ACCEPT

iptables -t nat -A PREROUTING -i EXTINF -p tcp --dport 21 -d 1.2.3.4 -j DNAT --to-destination 192.168.2.5:21

iptables -t nat -A POSTROUTING -o INTIF -p tcp --dport 21 -d 192.168.2.5 -j SNAT --to-source 192.168.2.254

I can connect to the ftp server but then I cannot establish a data channel between the client and the server. 

Any help would be appreciated.  If you want to see output of anything I can include it.

Thanks

Travis Crook
Visions Beyond


* Re: ftp forward to internal machine
  2002-06-04 22:00 ftp forward to internal machine Travis Crook
@ 2002-06-04 22:12 ` Antony Stone
  2002-06-04 22:17   ` Travis Crook
  0 siblings, 1 reply; 10+ messages in thread
From: Antony Stone @ 2002-06-04 22:12 UTC (permalink / raw)
  To: netfilter

On Tuesday 04 June 2002 11:00 pm, Travis Crook wrote:

> Hello everyone,
>     I have a firewall configured to forward port 80 traffic to an internal
> machine.  I was wondering if the same thing is possible with ftp traffic. 
> The rules I am using are as follows:
>
> iptables -A PREROUTING -t nat -i EXTINF -p tcp -d 1.2.3.4 --dport 21 -j
> DNAT --to 192.168.2.5:21
>
> iptables -A FORWARD -i EXTINF -p tcp -d 192.168.2.5 --dport 21 -j ACCEPT
>
> iptables -A FORWARD -i EXTINF -o INTIF -p tcp --dport 21 -m state --state
> NEW,ESTABLISHED,RELATED -j ACCEPT
>
> iptables -t nat -A PREROUTING -i EXTINF -p tcp --dport 21 -d 1.2.3.4 -j
> DNAT --to-destination 192.168.2.5:21
>
> iptables -t nat -A POSTROUTING -o INTIF -p tcp --dport 21 -d 192.168.2.5 -j
> SNAT --to-source 192.168.2.254
>
> I can connect to the ftp server but then I cannot establish a data channel
> between the client and the server.

You haven't included port 20.

Ftp uses port 21 for the control connection, and port 20 for the data 
connection.   You must translate and forward both of them for ftp to work, 
and even then in these circumstances I think you'll only be able to use 
passive mode.


Antony



* Re: ftp forward to internal machine
  2002-06-04 22:12 ` Antony Stone
@ 2002-06-04 22:17   ` Travis Crook
  2002-06-04 22:26     ` Antony Stone
  0 siblings, 1 reply; 10+ messages in thread
From: Travis Crook @ 2002-06-04 22:17 UTC (permalink / raw)
  To: netfilter



> You haven't included port 20.
>
I included port 20 and it seems to work fine now.  Thanks!!  Is it possible
to send it over a different port (i.e. 21345 instead of 21, and 20345
instead of 20)?

> Ftp uses port 21 for the control connection, and port 20 for the data
> connection.   You must translate and forward both of them for ftp to work,
> and even then in these circumstances I think you'll only be able to use
> passive mode.
>
>
> Antony
>
>




* RE: ftp forward to internal machine
@ 2002-06-04 22:23 Omar Castaneda Acosta
  0 siblings, 0 replies; 10+ messages in thread
From: Omar Castaneda Acosta @ 2002-06-04 22:23 UTC (permalink / raw)
  To: Travis Crook, netfilter

Why do you have 2 PREROUTING chains?
 
These chains are correct; be sure your ftp NAT modules are loaded (check
with lsmod for ip_conntrack_ftp & ip_nat_ftp).
 
FTPSERVER=192.168.2.5
SERVICE=21
INTIP=192.168.2.254
EXTIP=1.2.3.4
# The interface names and the iptables path were not given in the message;
# eth0/eth1 and /sbin/iptables below are placeholders, adjust to your firewall
IPTABLES=/sbin/iptables
EXTIF=eth0
INTIF=eth1
 
#
# Let's forward traffic with destination $EXTIP to somewhere else, you
# can discard the -i $EXTIF if you want other interfaces to access the service
#
$IPTABLES -A PREROUTING -t nat -i $EXTIF -p tcp -d $EXTIP --dport $SERVICE \
    -j DNAT --to-destination $FTPSERVER
#
# Not really necessary if the default gateway on the FTP server is the
# INTIP on the firewall
#
$IPTABLES -A POSTROUTING -t nat -o $INTIF -p tcp -d $FTPSERVER --dport $SERVICE \
    -j SNAT --to-source $INTIP
#
# A MUST, unless your FORWARD policy is default to ACCEPT
# (external -> internal: the forwarded control connection and anything
# the ftp helper marks as RELATED to it)
#
$IPTABLES -A FORWARD -i $EXTIF -o $INTIF -p tcp --dport $SERVICE \
    -m state --state NEW,ESTABLISHED,RELATED -j ACCEPT
#
# Just in case your INTERNAL policy is default to DROP
# (internal -> external: the server's replies on that connection)
#
$IPTABLES -A FORWARD -i $INTIF -o $EXTIF -p tcp --sport $SERVICE \
    -m state --state ESTABLISHED,RELATED -j ACCEPT
 
-- Omar
 

* RE: ftp forward to internal machine
@ 2002-06-04 22:24 Omar Castaneda Acosta
  2002-06-04 22:29 ` Antony Stone
  0 siblings, 1 reply; 10+ messages in thread
From: Omar Castaneda Acosta @ 2002-06-04 22:24 UTC (permalink / raw)
  To: Antony Stone, netfilter

I've never included port 20 on my firewall rules and both passive and
active ftp work fine.


* Re: ftp forward to internal machine
  2002-06-04 22:17   ` Travis Crook
@ 2002-06-04 22:26     ` Antony Stone
  2002-06-04 22:29       ` Travis Crook
  0 siblings, 1 reply; 10+ messages in thread
From: Antony Stone @ 2002-06-04 22:26 UTC (permalink / raw)
  To: netfilter

On Tuesday 04 June 2002 11:17 pm, Travis Crook wrote:

> > You haven't included port 20.
>
> I included port 20 and it seems to work fine now.  Thanks!!  Is it possible
> to send it over a different port (i.e. 21345 instead of 21, and 20345
> instead of 20)?

You'd have to nobble the source code of a client or a server (depending on 
which one you want to think the other end is running on a weird port number) 
to get this to work.

You can't just "ftp ftp.microsoft.com:12345" like you can with http....

Antony.



* Re: ftp forward to internal machine
  2002-06-04 22:26     ` Antony Stone
@ 2002-06-04 22:29       ` Travis Crook
  0 siblings, 0 replies; 10+ messages in thread
From: Travis Crook @ 2002-06-04 22:29 UTC (permalink / raw)
  To: netfilter

Thanks a bunch!!  This list is great!

I think I can get it from here.

Travis Crook
Visions Beyond


* Re: ftp forward to internal machine
  2002-06-04 22:24 Omar Castaneda Acosta
@ 2002-06-04 22:29 ` Antony Stone
  2002-06-04 22:32   ` Tom Eastep
  0 siblings, 1 reply; 10+ messages in thread
From: Antony Stone @ 2002-06-04 22:29 UTC (permalink / raw)
  To: netfilter

On Tuesday 04 June 2002 11:24 pm, Omar Castaneda Acosta wrote:

> I've never included port 20 on my firewall rules and both passive and
> active ftp work fine.

Yeah, but I'll bet you're not translating the service to run on a weird port 
number, are you ?

You're almost certainly using "-m state --state RELATED" to handle port 20 
for you.   Isn't stateful inspection wonderful :-)


Antony



* Re: ftp forward to internal machine
  2002-06-04 22:29 ` Antony Stone
@ 2002-06-04 22:32   ` Tom Eastep
  2002-06-04 22:38     ` Antony Stone
  0 siblings, 1 reply; 10+ messages in thread
From: Tom Eastep @ 2002-06-04 22:32 UTC (permalink / raw)
  To: Antony Stone; +Cc: netfilter@lists.samba.org

On Tue, 4 Jun 2002, Antony Stone wrote:

> On Tuesday 04 June 2002 11:24 pm, Omar Castaneda Acosta wrote:
> 
> > I've never included port 20 on my firewall rules and both passive and
> > active ftp work fine.
> 
> Yeah, but I'll bet you're not translating the service to run on a weird port 
> number, are you ?
> 
> You're almost certainly using "-m state --state RELATED" to handle port 20 
> for you.   Isn't stateful inspection wonderful :-)
> 

And also loading ip_conntrack_ftp.o and ip_nat_ftp.o.

-Tom
-- 
Tom Eastep    \ Shorewall - iptables made easy
AIM: tmeastep  \ http://www.shorewall.net
ICQ: #60745924  \ teastep@shorewall.net




* Re: ftp forward to internal machine
  2002-06-04 22:32   ` Tom Eastep
@ 2002-06-04 22:38     ` Antony Stone
  0 siblings, 0 replies; 10+ messages in thread
From: Antony Stone @ 2002-06-04 22:38 UTC (permalink / raw)
  To: netfilter@lists.samba.org

On Tuesday 04 June 2002 11:32 pm, Tom Eastep wrote:

> On Tue, 4 Jun 2002, Antony Stone wrote:

> > You're almost certainly using "-m state --state RELATED" to handle port
> > 20 for you.   Isn't stateful inspection wonderful :-)

> And also loading ip_conntrack_ftp.o and ip_nat_ftp.o.

Well, yes, that's where your stateful inspection comes in, innit ?   :-)


Antony.
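
Antony's point about port 20 and Tom's about ip_conntrack_ftp/ip_nat_ftp feeding "-m state --state RELATED" both come down to one thing: FTP announces its data-channel endpoints inside the control channel, so a plain port-21 DNAT is not enough. The Python below is an added illustration, not code from this thread or from netfilter: it parses PORT commands and 227 PASV replies, shows the address rewrite the NAT helper must make on a passive reply leaving the firewall, and derives the data connection the conntrack helper has to expect. The server and firewall addresses are the thread's; the client address 203.0.113.7 is a constructed placeholder.

```python
import re
from ipaddress import IPv4Address

# Addresses from the thread (constructed placeholders, not real hosts): the
# FTP server behind the firewall and the firewall's public address.
INTERNAL_SERVER = IPv4Address("192.168.2.5")
EXTERNAL_ADDR = IPv4Address("1.2.3.4")

# FTP encodes data-channel endpoints in the control channel as h1,h2,h3,h4,p1,p2.
PASV_RE = re.compile(r"227 .*?\((\d+),(\d+),(\d+),(\d+),(\d+),(\d+)\)")
PORT_RE = re.compile(r"^PORT (\d+),(\d+),(\d+),(\d+),(\d+),(\d+)\s*$", re.I)

def decode_hostport(fields):
    """Turn the six numbers into (IPv4Address, port); port = p1*256 + p2."""
    h1, h2, h3, h4, p1, p2 = (int(f) for f in fields)
    return IPv4Address(f"{h1}.{h2}.{h3}.{h4}"), p1 * 256 + p2

def encode_hostport(ip, port):
    return ",".join(str(ip).split(".") + [str(port // 256), str(port % 256)])

def rewrite_pasv_reply(line, private_ip=INTERNAL_SERVER, public_ip=EXTERNAL_ADDR):
    """What the NAT helper (ip_nat_ftp) must do to a 227 reply leaving the
    firewall: the server advertises its private address, which an Internet
    client cannot reach, so the public address is substituted.
    Returns (rewritten_line, data_port); data_port is None for other lines."""
    m = PASV_RE.search(line)
    if not m:
        return line, None
    ip, port = decode_hostport(m.groups())
    if ip != private_ip:
        return line, port
    return line[:m.start(1)] + encode_hostport(public_ip, port) + line[m.end(6):], port

def expected_data_connection(line, client_ip):
    """The data connection the conntrack helper (ip_conntrack_ftp) registers as
    an expectation from one control-channel line, as (src, sport, dst, dport);
    a matching SYN is what '-m state --state RELATED' accepts.  Active mode:
    the server connects out from port 20 to the client's PORT address.  Passive
    mode: the client connects in (source port unknown, so None) to the
    advertised port, which NAT then maps to the internal server."""
    m = PORT_RE.match(line)
    if m:
        ip, port = decode_hostport(m.groups())
        return INTERNAL_SERVER, 20, ip, port
    m = PASV_RE.search(line)
    if m:
        _ip, port = decode_hostport(m.groups())
        return client_ip, None, INTERNAL_SERVER, port
    return None
```

Without the helper loaded, the PASV reply reaches the client with 192.168.2.5 in it and the PORT-triggered connection from port 20 is NEW rather than RELATED, which is exactly the "control works, data channel fails" symptom at the top of the thread.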

