From: "Indunil Jayasooriya"
Date: Fri, 05 Oct 2007 05:52:23 +0000
Subject: [LARTC] DNAT rule for vsftp (PASSIVE FTP)
Message-Id: <7ed6b0aa0710042251u6442fb85ma74e46aa9d3f81f9@mail.gmail.com>
To: lartc@vger.kernel.org

Hi all,

I want to run vsftp behind a firewall (i.e. a DMZ zone). It is running as passive ftp.

The theory behind passive ftp is:

- FTP server's port 21 from anywhere (Client initiates connection)
- FTP server's port 21 to ports > 1024 (Server responds to client's control port)
- FTP server's ports > 1024 from anywhere (Client initiates data connection to random port specified by server)
- FTP server's ports > 1024 to remote ports > 1024 (Server sends ACKs (and data) to client's data port)

Then, how can I write DNAT rules?

Pls assume 1.2.3.4 is the ip of the internet interface.

#DNAT from Internet to the box running VSFTP @ 192.168.100.3
iptables -t nat -A PREROUTING -p tcp -i eth0 -d 1.2.3.4 --dport 21 -j DNAT --to-destination 192.168.100.3:21
iptables -t nat -A PREROUTING -p tcp -i eth0 -d 1.2.3.4 --dport 1024: -j DNAT --to-destination 192.168.100.3

And also
#connect to below ip (actual destination ip) with below ports, due to DNATing
iptables -A FORWARD -p tcp -d 192.168.100.3 --dport 21 -m state --state NEW -j ACCEPT
iptables -A FORWARD -p tcp -d 192.168.100.3 --dport 1024: -m state --state NEW -j ACCEPT

R u okay with the above 4 rules?

If WRONG, pls write down your rules. I am going to put this vsftp server into PRODUCTION USE.

Pls also make sure my firewall has below rules such as DROP, ESTABLISHED,RELATED.

iptables -P INPUT DROP
iptables -P FORWARD DROP
iptables -P OUTPUT DROP

iptables -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
iptables -A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT
iptables -A OUTPUT -m state --state ESTABLISHED,RELATED -j ACCEPT

YOUR comments.

--
Thank you
Indunil Jayasooriya
_______________________________________________
LARTC mailing list
LARTC@mailman.ds9a.nl
http://mailman.ds9a.nl/cgi-bin/mailman/listinfo/lartc

From: Grant Taylor
Date: Fri, 05 Oct 2007 06:55:22 +0000
Subject: Re: [LARTC] DNAT rule for vsftp (PASSIVE FTP)
Message-Id: <4705DFDA.5090803@riverviewtech.net>
In-Reply-To: <7ed6b0aa0710042251u6442fb85ma74e46aa9d3f81f9@mail.gmail.com>
To: lartc@vger.kernel.org

On 10/5/2007 12:51 AM, Indunil Jayasooriya wrote:
> I want to run vsftp behind a firewall (i.e. a DMZ zone). It is running as
> passive ftp.

Ok...

> Then, how can I write DNAT rules?

You don't want to write rules for each possible combination.

> YOUR comments.

Use the FTP helper module as it is meant to take care of this for you.

Grant. . . .
From: "Indunil Jayasooriya"
Date: Fri, 05 Oct 2007 07:28:56 +0000
Subject: Re: [LARTC] DNAT rule for vsftp (PASSIVE FTP)
Message-Id: <7ed6b0aa0710050016i736b0a7cx5d49847096eb00fb@mail.gmail.com>
In-Reply-To: <4705DFDA.5090803@riverviewtech.net>
To: lartc@vger.kernel.org

On 10/5/07, Grant Taylor <gtaylor@riverviewtech.net> wrote:
> On 10/5/2007 12:51 AM, Indunil Jayasooriya wrote:
>> I want to run vsftp behind a firewall (i.e. a DMZ zone). It is running as
>> passive ftp.
>
> Ok...
>
>> Then, how can I write DNAT rules?
>
> You don't want to write rules for each possible combination.
>
>> YOUR comments.
>
> Use the FTP helper module as it is meant to take care of this for you.

What is FTP helper module?

Is it ip_nat_ftp?

ANYWAY, I have loaded below 2 modules.

/sbin/modprobe -a ip_conntrack_ftp ip_nat_ftp

YOUR COMMENTS.

> Grant. . . .

--
Thank you
Indunil Jayasooriya
From: Grant Taylor
Date: Fri, 05 Oct 2007 14:18:23 +0000
Subject: Re: [LARTC] DNAT rule for vsftp (PASSIVE FTP)
Message-Id: <470647AF.2090608@riverviewtech.net>
In-Reply-To: <7ed6b0aa0710050016i736b0a7cx5d49847096eb00fb@mail.gmail.com>
To: lartc@vger.kernel.org

On 10/05/07 02:16, Indunil Jayasooriya wrote:
> What is FTP helper module?

As I understand it, the Connection Tracking FTP helper module is essentially a small module / algorithm that you load into the Connection Tracking structure (via the below modules) to watch what ftp commands you send out and / or receive, so that it can dynamically, on the fly, update the connection tracking table to allow the other negotiated ports that FTP uses through stateful packet inspection. In other words you should not need to write explicit rules for control and data connections, be it active or passive.

> Is it ip_nat_ftp?

Yes.

> ANYWAY, I have loaded below 2 modules.
>
> /sbin/modprobe -a ip_conntrack_ftp ip_nat_ftp
>
> YOUR COMMENTS.

That should work. I'll have to double check some things to make sure that you don't need to do anything special other than just allow the initial connection and rely on the FTP connection tracking helper to handle all other connections. I've never run an FTP server behind a NAT, but I've never had a problem with the FTP client behind the NAT with the above modules loaded.

Though it is my understanding that the module will take care of both.

Grant. . . .
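The ruleset Grant's advice implies, as an added example that is not part of the thread: only the control port is forwarded, and the conntrack FTP helper admits the PASV data connection as RELATED, so the ">1024" DNAT and FORWARD rules from the first message are dropped. It reuses the poster's addresses (eth0 at 1.2.3.4, server 192.168.100.3) and adds a raw-table CT rule, which is an assumption about the target kernel: since 4.7 helpers are no longer attached automatically.

```shell
#!/bin/sh
# Added example, not from the thread. Commands are printed for review
# unless APPLY=1 is set (then they run, which needs root and iptables).
WAN_IF=eth0
WAN_IP=1.2.3.4
FTP_SRV=192.168.100.3

run() {
    if [ "${APPLY:-0}" = 1 ]; then "$@"; else echo "$*"; fi
}

ftp_rules() {
    # Current module names; the thread uses the older ip_conntrack_ftp/ip_nat_ftp.
    run modprobe -a nf_conntrack_ftp nf_nat_ftp

    # Kernels since 4.7 do not assign helpers automatically: bind the ftp
    # helper to inbound control connections explicitly in the raw table.
    run iptables -t raw -A PREROUTING -p tcp -i "$WAN_IF" -d "$WAN_IP" --dport 21 -j CT --helper ftp

    # Default deny; replies and helper-expected data connections pass as
    # ESTABLISHED,RELATED, and nf_nat_ftp rewrites them toward the DMZ host.
    run iptables -P INPUT DROP
    run iptables -P FORWARD DROP
    run iptables -P OUTPUT DROP
    run iptables -A INPUT   -m state --state ESTABLISHED,RELATED -j ACCEPT
    run iptables -A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT
    run iptables -A OUTPUT  -m state --state ESTABLISHED,RELATED -j ACCEPT

    # The only NEW connection admitted from the Internet is the control channel.
    run iptables -t nat -A PREROUTING -p tcp -i "$WAN_IF" -d "$WAN_IP" --dport 21 -j DNAT --to-destination "$FTP_SRV:21"
    run iptables -A FORWARD -p tcp -i "$WAN_IF" -d "$FTP_SRV" --dport 21 -m state --state NEW -j ACCEPT
}

# Review check: count rules that would open the whole >1024 range (expect 0).
count_wide_open() {
    ftp_rules | grep -c -- '--dport 1024:' || :
}

ftp_rules
```

With the helper in place, a PASV data connection shows up in the conntrack table as an expectation created from the control channel rather than as a NEW flow, which is why no further ACCEPT rule is needed.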