* ftp port forwarding
@ 2009-05-20 18:47 Leonardo Carneiro
From: Leonardo Carneiro @ 2009-05-20 18:47 UTC (permalink / raw)
To: netfilter
Hi fellows,
I'm having a (very basic and noob) problem.
I have a server on an internal network running an FTP server
authenticating against an LDAP backend. The FTP setup is running fine and I
can access it when I'm on the internal network or over the OpenVPN link
that links my network with the server network (btw, the OpenVPN server
runs on the same machine).
But I need my users to have access to this service over the internet.
The gateway of that network is a Linux box with 2 internet links. I've
put the following rules in the iptables script:
# forward TCP 21 and 20 from either uplink to the LAN
$IPTABLES -A FORWARD -p TCP -i $INET_IFACE -o $LAN_IFACE --dport 21 -j ACCEPT
$IPTABLES -A FORWARD -p TCP -i $INET_IFACE_DIN -o $LAN_IFACE --dport 21 -j ACCEPT
$IPTABLES -A FORWARD -p TCP -i $INET_IFACE -o $LAN_IFACE --dport 20 -j ACCEPT
$IPTABLES -A FORWARD -p TCP -i $INET_IFACE_DIN -o $LAN_IFACE --dport 20 -j ACCEPT
(INET_IFACE is the interface with the static IP and low bandwidth;
INET_IFACE_DIN is the interface with a dynamic IP (and a dynamic DNS
running on it) and higher bandwidth.)
# DNAT TCP 21 and 20 arriving on either public address to the internal FTP server
$IPTABLES -t nat -A PREROUTING -p TCP -i $INET_IFACE -d $INET_IP --dport 21 -j DNAT --to-destination $FTPSERVER
$IPTABLES -t nat -A PREROUTING -p TCP -i $INET_IFACE_DIN -d $INET_IP_DIN --dport 21 -j DNAT --to-destination $FTPSERVER
$IPTABLES -t nat -A PREROUTING -p TCP -i $INET_IFACE -d $INET_IP --dport 20 -j DNAT --to-destination $FTPSERVER
$IPTABLES -t nat -A PREROUTING -p TCP -i $INET_IFACE_DIN -d $INET_IP_DIN --dport 20 -j DNAT --to-destination $FTPSERVER
# mark traffic leaving the FTP server from ports 21 and 20 for policy routing
$IPTABLES -t mangle -A PREROUTING -p TCP -i $LAN_IFACE -s $FTPSERVER/32 --sport 21 -d 0/0 -j MARK --set-mark 1
$IPTABLES -t mangle -A PREROUTING -p TCP -i $LAN_IFACE -s $FTPSERVER/32 --sport 20 -d 0/0 -j MARK --set-mark 1
(Mark 1 sends the FTP traffic through the higher-bandwidth interface
INET_IFACE_DIN.)
I tried to connect over the internet while running tcpdump on the
FTP server. The server exchanges packets with the client but does not
establish a connection. Is there something wrong with the rules?
--
Leonardo de Souza Carneiro
Veltrac - Tecnologia em Logística.
lscarneiro@veltrac.com.br
http://www.veltrac.com.br
Office phone: (43)2105-5601
Av. Higienópolis 1601 Ed. Eurocenter Sl. 803
Londrina - PR
CEP: 86015-010
* Re: ftp port forwarding
From: Leonardo Carneiro @ 2009-05-20 20:30 UTC (permalink / raw)
To: netfilter
And by the way, the script also loads the following modules:
/sbin/modprobe ip_conntrack_ftp
/sbin/modprobe ip_nat_ftp
ip_nat_ftp, I assume, is a module that allows doing NAT on FTP, but I'm
too much of a noob in iptables and still don't know what conntrack is, so I'm not
sure whether this has some bearing on this problem or not.
--
Leonardo de Souza Carneiro
Veltrac - Tecnologia em Logística.
lscarneiro@veltrac.com.br
http://www.veltrac.com.br
Office phone: (43)2105-5601
Av. Higienópolis 1601 Ed. Eurocenter Sl. 803
Londrina - PR
CEP: 86015-010
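The two modules named in the second message, ip_conntrack_ftp and ip_nat_ftp, are the FTP connection-tracking helper and its NAT half. What they do is worth seeing concretely, because FTP carries the address and port of its data connection inside the control channel, and a DNAT gateway that does not read that channel cannot know where the data connection will go. The following is an added example, not the kernel's code and not part of the original thread, that models the helper's work in Python: it parses the server's PASV reply and the client's PORT command, rewrites the internal address a PASV reply advertises to the public address the client actually connected to, and records the data connection that conntrack should then accept as RELATED. The addresses, the control-channel lines and the `Expectation` type are constructed for the example; the `loose` flag mirrors the helper's `loose` module parameter, which by default makes it ignore an address that does not belong to the control connection.

```python
import re
from dataclasses import dataclass
from typing import Optional, Tuple

# Constructed addresses for this example (not from the original thread):
# the internal $FTPSERVER and the gateway's public $INET_IP that is DNATed to it.
SERVER_IP = "192.168.1.10"
PUBLIC_IP = "203.0.113.5"

# RFC 959 host-port string: h1,h2,h3,h4,p1,p2 with port = p1*256 + p2
HOSTPORT_RE = re.compile(r"(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3})")


@dataclass(frozen=True)
class Expectation:
    """A data connection that conntrack should treat as RELATED to the control session."""
    initiator: str           # "client" (passive mode) or "server" (active mode)
    dst_ip: str              # address the initiator will connect to, as seen on the wire
    dst_port: int
    dnat_to: Optional[str]   # internal address the gateway must deliver it to, if any


def parse_hostport(text: str) -> Optional[Tuple[str, int]]:
    """Decode the first h1,h2,h3,h4,p1,p2 group in text; None if absent or out of range."""
    m = HOSTPORT_RE.search(text)
    if not m:
        return None
    n = [int(x) for x in m.groups()]
    if any(x > 255 for x in n):
        return None
    return ".".join(str(x) for x in n[:4]), n[4] * 256 + n[5]


def encode_hostport(ip: str, port: int) -> str:
    """Inverse of parse_hostport."""
    return ",".join(ip.split(".") + [str(port // 256), str(port % 256)])


def nat_pasv_reply(line: str, server_ip: str, public_ip: str, loose: bool = False):
    """Server->client '227 Entering Passive Mode (...)' crossing the DNAT gateway.

    Returns (rewritten_line, expectation, seq_delta).  This is the job of
    ip_nat_ftp: the server advertises its internal address, which a client on
    the internet cannot reach, so the helper substitutes the public address and
    registers an expectation so that the client's data connection to
    public_ip:port is RELATED and gets DNATed to server_ip:port.  Because the
    rewritten line may differ in length, the real helper also has to offset
    TCP sequence numbers on that stream by seq_delta.
    """
    hp = parse_hostport(line) if line.startswith("227") else None
    if hp is None:
        return line, None, 0
    adv_ip, port = hp
    # Like the kernel helper with its default loose=0: ignore an advertised
    # address that is not the control connection's own address.
    if adv_ip != server_ip and not loose:
        return line, None, 0
    rewritten = HOSTPORT_RE.sub(encode_hostport(public_ip, port), line, count=1)
    return rewritten, Expectation("client", public_ip, port, server_ip), len(rewritten) - len(line)


def nat_port_command(line: str, client_ip: str, loose: bool = False) -> Optional[Expectation]:
    """Client->server 'PORT h1,h2,h3,h4,p1,p2' (active mode).

    Nothing needs rewriting on the way in (the client names its own routable
    address), but the helper still registers the expectation: the server will
    connect back from port 20 to client_ip:port, and that outbound connection
    must be matched as RELATED rather than treated as a brand-new flow.
    """
    if not line.upper().startswith("PORT "):
        return None
    hp = parse_hostport(line)
    if hp is None:
        return None
    adv_ip, port = hp
    if adv_ip != client_ip and not loose:
        return None
    return Expectation("server", adv_ip, port, None)


if __name__ == "__main__":
    # Constructed control-channel lines as they would cross the gateway.
    print(nat_pasv_reply("227 Entering Passive Mode (192,168,1,10,195,80)\r\n", SERVER_IP, PUBLIC_IP))
    print(nat_port_command("PORT 198,51,100,7,4,1\r\n", "198.51.100.7"))
```

The point the expectation makes for the firewall: in passive mode the data connection lands on whatever high port the server chose (50000 in the constructed reply above), not on 20 or 21, so it is only accepted by a FORWARD rule that matches `-m state --state RELATED,ESTABLISHED` (or the equivalent conntrack match) after the helper has registered it; rules that match only `--dport 21` or `--dport 20` never see it. The `seq_delta` return shows why the NAT half of the helper is a separate module: rewriting the advertised address changes the TCP payload length, and every later segment of that stream then needs its sequence and acknowledgement numbers adjusted.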