* [LARTC] DNAT rule for vsftp (PASSIVE FTP)
@ 2007-10-05  5:52 Indunil Jayasooriya
From: Indunil Jayasooriya @ 2007-10-05  5:52 UTC (permalink / raw)
  To: lartc



Hi all,

I want to run vsftp behind a firewall (i.e. in a DMZ zone). It is running as
passive FTP.

The theory behind passive FTP is:


   - FTP server's port 21 from anywhere (Client initiates connection)
   - FTP server's port 21 to ports > 1024 (Server responds to client's
   control port)
   - FTP server's ports > 1024 from anywhere (Client initiates data
   connection to random port specified by server)
   - FTP server's ports > 1024 to remote ports > 1024 (Server sends ACKs
   (and data) to client's data port)



Then, how can I write the DNAT rules?

Please assume 1.2.3.4 is the IP of the Internet interface.

# DNAT from the Internet to the box running VSFTP @ 192.168.100.3
iptables -t nat -A PREROUTING -p tcp -i eth0 -d 1.2.3.4 --dport 21 \
    -j DNAT --to-destination 192.168.100.3:21
iptables -t nat -A PREROUTING -p tcp -i eth0 -d 1.2.3.4 --dport 1024: \
    -j DNAT --to-destination 192.168.100.3

And also
# Connect to the below IP (the actual destination IP) on the below ports, due to DNATing

iptables -A FORWARD -p tcp -d 192.168.100.3 --dport 21 \
    -m state --state NEW -j ACCEPT
iptables -A FORWARD -p tcp -d 192.168.100.3 --dport 1024: \
    -m state --state NEW -j ACCEPT


Are you okay with the above 4 rules?

If WRONG, please write down your rules. I am going to put this vsftp server
into PRODUCTION USE.


Please also note that my firewall has the below rules, such as DROP and
ESTABLISHED,RELATED.

iptables -P INPUT DROP
iptables -P FORWARD DROP
iptables -P OUTPUT DROP

iptables -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
iptables -A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT
iptables -A OUTPUT -m state --state ESTABLISHED,RELATED -j ACCEPT


YOUR comments.


-- 
Thank you
Indunil Jayasooriya


_______________________________________________
LARTC mailing list
LARTC@mailman.ds9a.nl
http://mailman.ds9a.nl/cgi-bin/mailman/listinfo/lartc


* Re: [LARTC] DNAT rule for vsftp (PASSIVE FTP)
From: Grant Taylor @ 2007-10-05  6:55 UTC (permalink / raw)
  To: lartc

On 10/5/2007 12:51 AM, Indunil Jayasooriya wrote:
> I want to run vsftp behind a firewall (i.e. in a DMZ zone). It is running as 
> passive FTP.

Ok...

> Then, How can I write DNAT rules.

You don't want to write rules for each possible combination.

> YOUR comments.

Use the FTP helper module as it is meant to take care of this for you.



Grant. . . .

* Re: [LARTC] DNAT rule for vsftp (PASSIVE FTP)
From: Indunil Jayasooriya @ 2007-10-05  7:28 UTC (permalink / raw)
  To: lartc



On 10/5/07, Grant Taylor <gtaylor@riverviewtech.net> wrote:
>
> On 10/5/2007 12:51 AM, Indunil Jayasooriya wrote:
> > I want to run vsftp behind a firewall (i.e. in a DMZ zone). It is running as
> > passive FTP.
>
> Ok...
>
> > Then, How can I write DNAT rules.
>
> You don't want to write rules for each possible combination.
>
> > YOUR comments.
>
> Use the FTP helper module as it is meant to take care of this for you.
>

What is the FTP helper module?


Is it ip_nat_ftp?

ANYWAY, I have loaded the below 2 modules.

/sbin/modprobe -a ip_conntrack_ftp ip_nat_ftp

YOUR COMMENTS.





-- 
Thank you
Indunil Jayasooriya



* Re: [LARTC] DNAT rule for vsftp (PASSIVE FTP)
From: Grant Taylor @ 2007-10-05 14:18 UTC (permalink / raw)
  To: lartc

On 10/05/07 02:16, Indunil Jayasooriya wrote:
> What is FTP helper module? 

As I understand it, the Connection Tracking FTP helper module is 
essentially a small module / algorithm that you load into the 
Connection Tracking structure (via the below modules) to watch what ftp 
commands you send out and / or receive so that it can dynamically on the 
fly update the connection tracking table to allow the other negotiated 
ports that FTP uses through stateful packet inspection.  In other words 
you should not need to write explicit rules for control and data 
connections, be it active or passive.

> is it ip_nat_ftp ?

Yes.

> ANYWAY,  I have  loaded below  2 modules.
> 
> /sbin/modprobe -a ip_conntrack_ftp ip_nat_ftp  
> 
> YOUR COMMENTS.

That should work.

I'll have to double check some things to make sure that you don't need 
to do anything special other than just allow the initial connection and 
rely on the FTP connection tracking helper to handle all other connections.

I've never run an FTP server behind a NAT, but I've never had a problem 
with the FTP client behind the NAT with the above modules loaded. 
Though it is my understanding that the module will take care of both.



Grant. . . .
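A rule set built along the lines Grant describes, added here as an example and not code posted in the thread. It keeps the thread's values (eth0, 1.2.3.4, 192.168.100.3) and the poster's modprobe line; the `CT --helper ftp` binding in the raw table (needed on kernels from 4.7, where helpers are no longer attached automatically), the current nf_* module names and the conntrack-tools check are my additions. With the helper in place the poster's second DNAT rule, which would send every port above 1024 on the DMZ host to the Internet, is not needed: only port 21 is forwarded and the data connections arrive as RELATED.

```shell
#!/bin/sh
# Passive FTP server behind a DNAT firewall, relying on the conntrack FTP helper.
# Thread values: eth0/1.2.3.4 is the Internet side, 192.168.100.3 the vsftpd host.
# Set IPT=echo to print the rules instead of applying them.
WAN_IF="${WAN_IF:-eth0}"
WAN_IP="${WAN_IP:-1.2.3.4}"
FTP_HOST="${FTP_HOST:-192.168.100.3}"
IPT="${IPT:-iptables}"

load_ftp_helpers() {
    # ip_conntrack_ftp / ip_nat_ftp are the names used in the thread; on
    # current kernels the same helpers are nf_conntrack_ftp and nf_nat_ftp.
    modprobe -a nf_conntrack_ftp nf_nat_ftp 2>/dev/null ||
        modprobe -a ip_conntrack_ftp ip_nat_ftp
}

ftp_rules() {
    # Bind the ftp helper to the control port only (raw runs before nat, so the
    # destination is still the public address). Scoping it this way keeps the
    # helper from parsing any other traffic.
    $IPT -t raw -A PREROUTING -p tcp -i "$WAN_IF" -d "$WAN_IP" --dport 21 \
        -j CT --helper ftp
    # Only the control channel needs an explicit DNAT and NEW-state ACCEPT.
    $IPT -t nat -A PREROUTING -p tcp -i "$WAN_IF" -d "$WAN_IP" --dport 21 \
        -j DNAT --to-destination "$FTP_HOST:21"
    $IPT -A FORWARD -p tcp -i "$WAN_IF" -d "$FTP_HOST" --dport 21 \
        -m state --state NEW -j ACCEPT
    # The helper reads the server's "227 Entering Passive Mode" reply, rewrites
    # the private address in it to the public one (nf_nat_ftp) and registers an
    # expectation, so the client's data connection to the advertised port is
    # classified RELATED and then ESTABLISHED: no "--dport 1024:" rules needed.
    $IPT -A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT
}

# After applying: an open control connection should carry helper=ftp
# (requires conntrack-tools).
check_helper() {
    conntrack -L -p tcp --dport 21 2>/dev/null | grep -q 'helper=ftp'
}
```

Run `load_ftp_helpers && ftp_rules` on the firewall, then log in from outside and run `check_helper` while the session is open.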
