From mboxrd@z Thu Jan 1 00:00:00 1970
From: Gustav Petersson
Subject: Re: how do i forward ftp from my firewall to an internal server?
Date: Sun, 29 Feb 2004 23:10:38 +0100
Sender: netfilter-admin@lists.netfilter.org
Message-ID: <4042635E.1060702@karlskrona.net>
References: <200402292058.i1TKwEPr002615@server5.bandwidthco.com>
Mime-Version: 1.0
Content-Transfer-Encoding: 7bit
Return-path:
In-Reply-To: <200402292058.i1TKwEPr002615@server5.bandwidthco.com>
Errors-To: netfilter-admin@lists.netfilter.org
List-Help:
List-Post:
List-Subscribe: ,
List-Id:
List-Unsubscribe: ,
List-Archive:
Content-Type: text/plain; charset="us-ascii"; format="flowed"
To: markee@bandwidthco.com
Cc: netfilter@lists.netfilter.org

I cleaned up my script a bit as you suggested, but with the same result.
I should mention that outbound ftp works just fine. Here is the revised
script:

#!/bin/sh

EXTIF=eth0
INTIF=eth1
EXTIP=213.88.181.68
INTIP=192.168.150.3
LOCALNET=192.168.150.0
FTPSVR=192.168.150.10
HTTPSVR=192.168.150.10

# Enable IP forwarding
echo 1 > /proc/sys/net/ipv4/ip_forward

# Load modules
modprobe ip_conntrack_ftp
modprobe ip_nat_ftp

# Set default policies and flush tables
iptables -t nat -F
iptables -P INPUT ACCEPT
iptables -F INPUT
iptables -P OUTPUT ACCEPT
iptables -F OUTPUT
iptables -P FORWARD ACCEPT
iptables -F FORWARD

# Masquerade on $EXTIF
# (here I have tried both with and without the -d ! $LOCALNET/24 match;
#  the comment sits above the rule because a comment line after a
#  trailing backslash would swallow the continuation and leave the
#  "-j SNAT" line as a separate, failing command)
iptables -t nat -A POSTROUTING -o $EXTIF -s $LOCALNET/24 -d ! $LOCALNET/24 \
    -j SNAT --to $EXTIP

# Forward ftp traffic to internal server
iptables -t nat -A PREROUTING -d $EXTIP -p TCP --dport 21 \
    -j DNAT --to $FTPSVR:21

# Forward http traffic to internal server
iptables -t nat -A PREROUTING -d $EXTIP -p TCP --dport 80 \
    -j DNAT --to $HTTPSVR:80

Mark E. Donaldson wrote:

> Yes - I see what you are saying now. And indeed, if your FORWARD policy
> is set to ACCEPT, your packets should be properly DNATTED with the rules
> you list. And you are correct, the FTPD application in use would not be
> a factor at all here. You also seem to have all the needed modules
> loaded as well. So, how do we fix this?
>
> First a question on your SNAT rule:
>
>   iptables -t nat -A POSTROUTING -o eth0 -j SNAT --to 213.88.181.68
>
> Is 213.88.181.68 the external IP? If so, is it the same as the variable
> $EXP_IP is set to, and if so why not use $EXP_IP instead? I would also
> add a -s address or network to the rule to assure only the packets you
> want SNATTED are SNATTED. I doubt if this is causing your problem, but
> these things need to get cleaned up to help troubleshoot the problem.
>
> Next - run an lsmod after your ruleset is loaded to confirm all the
> needed modules have loaded.
>
> Also - I notice you are flushing your NAT table after you have set your
> default policies: iptables -t nat -F. I would move this up and flush
> before the policies are set.
>
> Try all this and we shall go from there.
>
> -----Original Message-----
> From: Gustav Petersson [mailto:gustav.petersson@karlskrona.net]
> Sent: Sunday, February 29, 2004 11:15 AM
> To: markee@bandwidthco.com
> Cc: netfilter@lists.netfilter.org
> Subject: Re: how do i forward ftp from my firewall to an internal server?
>
> Thanks for your reply Mark.
> I should have explained better. I know that ftp uses two ports with a
> different setup for active and passive mode. That is not the problem.
> Right now I am only DNATing the control port and my INPUT, OUTPUT and
> FORWARD chains have a default policy of ACCEPT. The rules I posted are
> the _only_ rules I have for my firewall. The problem is that when I
> telnet to my $EXTIP port 21 I should get a welcome message and be able
> to send some commands, but from logging all traffic to and from my
> internal ftp server I can see the following traffic:
>
> Client->FTP: SYN
> FTP->Client: SYN ACK
> Client->FTP: ACK
> FTP->Client: ACK PSH
> FTP->Client: ACK PSH
> FTP->Client: ACK PSH
> FTP->Client: ACK PSH
> Client->FTP: RST
>
> After this short exchange the connection is terminated. If I telnet to
> $EXTIP port 80 and do a 'GET /' everything works fine. I have tried
> proftpd, in.ftpd and wu-ftpd and they all give the same result, so it's
> not a problem with the ftp server software.
>
> Gustav Petersson
>
> Mark E. Donaldson wrote:
>
>> The FTP protocol works completely differently than http, particularly
>> in the way connections are negotiated and accepted. You must also
>> account for both active and passive modes. I'm assuming the rules you
>> have here are for new connections to your FTP server? What are your
>> FTP rules for the FORWARD chain?
>>
>> -----Original Message-----
>> From: netfilter-admin@lists.netfilter.org
>> [mailto:netfilter-admin@lists.netfilter.org] On Behalf Of Gustav
>> Petersson
>> Sent: Saturday, February 28, 2004 12:28 AM
>> To: netfilter@lists.netfilter.org
>> Subject: how do i forward ftp from my firewall to an internal server?
>>
>> Like the subject line says.. how do I do it?
>>
>> I have http traffic forwarded to the same server, but when I use the
>> same rule with only the port(s) changed for ftp traffic my ftp server
>> opens the connection but immediately closes it again. I have tried
>> running both the standard in.ftpd and proftpd. Any help would be
>> greatly appreciated.
>>
>> Gustav Petersson
>>
>> I am running debian 3.0 with kernel 2.4.24 and I have the following
>> modules loaded:
>>
>> ipt_LOG
>> ipt_state
>> iptable_filter
>> ip_nat_ftp
>> ip_conntrack_ftp
>> iptable_nat
>> ip_conntrack
>> ip_tables
>>
>> Here is my firewall config:
>>
>> #!/bin/sh
>>
>> EXT_IP=1.2.3.4
>> INT_IP=192.168.x.x
>>
>> modprobe iptable_nat
>> modprobe ip_conntrack_ftp
>> modprobe ip_nat_ftp
>>
>> echo "1" > /proc/sys/net/ipv4/ip_forward
>>
>> iptables -P INPUT ACCEPT
>> iptables -F INPUT
>> iptables -P OUTPUT ACCEPT
>> iptables -F OUTPUT
>> iptables -P FORWARD ACCEPT
>> iptables -F FORWARD
>> iptables -t nat -F
>>
>> # NAT
>> iptables -t nat -A POSTROUTING -o eth0 -j SNAT --to 213.88.181.68
>>
>> # Forward port 80 to internal server
>> iptables -A PREROUTING -t nat -p tcp -d $EXT_IP --dport 80 \
>>     -j DNAT --to $INT_IP:80
>>
>> # Forward ports 20 and 21 to internal server
>> iptables -A PREROUTING -t nat -p tcp -d $EXT_IP --dport 20 \
>>     -j DNAT --to $INT_IP:20
>>
>> iptables -A PREROUTING -t nat -p tcp -d $EXT_IP --dport 21 \
>>     -j DNAT --to $INT_IP:21
>>
>
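The thread keeps the FORWARD policy at ACCEPT and DNATs only the control port, relying on the ip_conntrack_ftp/ip_nat_ftp helpers for the data channel. The script below is an added example, not Gustav's script and not from the netfilter project: it publishes the same FTP and HTTP server from the thread (eth0/eth1, 213.88.181.68, 192.168.150.0/24, 192.168.150.10) behind a stateful FORWARD chain with a DROP policy, restricts SNAT to LAN-originated traffic leaving eth0, and also covers a passive-mode port range. The range 50000-50100 is an assumption and must match whatever the FTP daemon is configured to use; the explicit passive DNAT rule only helps when the daemon advertises the external address in its 227 replies itself. It uses the current `! -d` negation syntax and the 2.4-era module names from the thread (on 2.6.20+ kernels they are nf_conntrack_ftp and nf_nat_ftp; on 4.7+ the helper must also be attached explicitly with the CT target, which is why the raw-table rules are present and tolerated when the target does not exist). Run it with no argument to print the rules it would load, or with `apply` to load them.

```shell
#!/bin/sh
# Added example: stateful FTP/HTTP port forwarding with iptables.
# Not the original poster's script. Addresses from the thread; the
# passive port range is an assumption (must match the FTP daemon's
# configured range).

EXTIF=eth0
INTIF=eth1
EXTIP=213.88.181.68
LOCALNET=192.168.150.0/24
FTPSVR=192.168.150.10
HTTPSVR=192.168.150.10
PASVPORTS=50000:50100   # assumed; configure the same range on $FTPSVR

DRY_RUN=${DRY_RUN:-1}

# run CMD...: print the command in dry-run mode, execute it otherwise.
run() {
    if [ "$DRY_RUN" = 1 ]; then
        echo "$*"
    else
        "$@"
    fi
}

# ipt ARGS...: one iptables invocation through the run wrapper.
ipt() {
    run iptables "$@"
}

apply_rules() {
    run sysctl -w net.ipv4.ip_forward=1
    # 2.4 names as in the thread; nf_conntrack_ftp / nf_nat_ftp on 2.6.20+.
    run modprobe ip_conntrack_ftp
    run modprobe ip_nat_ftp

    # Flush first, then set policies, so no stale rule survives a reload.
    ipt -t nat -F
    ipt -F
    ipt -P INPUT ACCEPT     # tighten separately; out of scope here
    ipt -P OUTPUT ACCEPT
    ipt -P FORWARD DROP

    # Attach the ftp helper to the control connections we care about
    # (mandatory on kernels >= 4.7). The raw table and CT target do not
    # exist on 2.4, where the helper attaches to port 21 automatically.
    ipt -t raw -A PREROUTING -i $EXTIF -d $EXTIP -p tcp --dport 21 \
        -j CT --helper ftp || true
    ipt -t raw -A PREROUTING -i $INTIF -s $LOCALNET -p tcp --dport 21 \
        -j CT --helper ftp || true

    # SNAT only LAN traffic that actually leaves towards the Internet.
    ipt -t nat -A POSTROUTING -o $EXTIF -s $LOCALNET ! -d $LOCALNET \
        -j SNAT --to-source $EXTIP

    # DNAT published services, only for packets arriving on $EXTIF.
    ipt -t nat -A PREROUTING -i $EXTIF -d $EXTIP -p tcp --dport 21 \
        -j DNAT --to-destination $FTPSVR:21
    ipt -t nat -A PREROUTING -i $EXTIF -d $EXTIP -p tcp --dport 80 \
        -j DNAT --to-destination $HTTPSVR:80
    # Passive data ports: the helper normally handles these via RELATED
    # expectations; this rule covers a daemon that advertises $EXTIP itself.
    ipt -t nat -A PREROUTING -i $EXTIF -d $EXTIP -p tcp --dport $PASVPORTS \
        -j DNAT --to-destination $FTPSVR

    # Stateful FORWARD chain. Active-mode (server port 20 -> client) and
    # helper-tracked passive data connections match RELATED here.
    ipt -A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT
    ipt -A FORWARD -m state --state INVALID -j DROP
    ipt -A FORWARD -i $INTIF -o $EXTIF -s $LOCALNET -j ACCEPT
    # After DNAT the destination seen by FORWARD is the internal host.
    ipt -A FORWARD -i $EXTIF -o $INTIF -d $FTPSVR -p tcp --dport 21 \
        -m state --state NEW -j ACCEPT
    ipt -A FORWARD -i $EXTIF -o $INTIF -d $HTTPSVR -p tcp --dport 80 \
        -m state --state NEW -j ACCEPT
    ipt -A FORWARD -i $EXTIF -o $INTIF -d $FTPSVR -p tcp --dport $PASVPORTS \
        -m state --state NEW -j ACCEPT
    ipt -A FORWARD -m limit --limit 5/min -j LOG --log-prefix "FWD-DROP: "
}

case "${1:-dry-run}" in
    apply)   DRY_RUN=0; apply_rules ;;
    dry-run) DRY_RUN=1; apply_rules ;;
    *)       echo "usage: $0 [apply|dry-run]" >&2; exit 2 ;;
esac
```

After loading, confirm the helper is really in play rather than assuming it from `lsmod`: a tracked control connection shows up in `/proc/net/ip_conntrack` (2.4) or `/proc/net/nf_conntrack` (2.6+) with `dport=21` and, once the helper is attached, the data connections appear as RELATED instead of being dropped by the FORWARD policy. The helper only works if it can read the PORT/PASV exchange, so an FTP daemon that encrypts the control channel (FTPS) needs the explicit passive DNAT and FORWARD rules above rather than the helper.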