ftp/scp port forwarding

Marius Andreiana mandreiana at rdslink.ro
Tue Jun 29 06:38:14 UTC 2004


Ola

I'm trying to set up port forwarding for ftp and scp (ssh) from the internet
to an internal host.
For http it works fine, both http and https.
I've added these rules to /etc/sysconfig/iptables on router (using FC2):

#pluto port fwd
*nat
:PREROUTING ACCEPT [13:704]
:POSTROUTING ACCEPT [17:1950]
:OUTPUT ACCEPT [16:1890]
#-A POSTROUTING -o eth0 -j MASQUERADE
-A PREROUTING -d 81.196.83.211 -i eth0 -p tcp --dport 8080 -j DNAT --to-destination 192.168.0.11:80
-A PREROUTING -d 81.196.83.211 -i eth0 -p tcp --dport 8443 -j DNAT --to-destination 192.168.0.11:443
-A PREROUTING -d 81.196.83.211 -i eth0 -p tcp --dport 20 -j DNAT --to-destination 192.168.0.11:20
-A PREROUTING -d 81.196.83.211 -i eth0 -p tcp --dport 21 -j DNAT --to-destination 192.168.0.11:21
-A PREROUTING -d 81.196.83.211 -i eth0 -p tcp --dport 8022 -j DNAT --to-destination 192.168.0.11:22
-A PREROUTING -d 81.196.83.211 -i eth0 -p udp --dport 21 -j DNAT --to-destination 192.168.0.11:21
-A PREROUTING -d 81.196.83.211 -i eth0 -p udp --dport 8022 -j DNAT --to-destination 192.168.0.11:22
-A PREROUTING -j LOG
#SNAT shouldn't be needed, connections are only from outside
-A POSTROUTING -p tcp -d 81.196.83.211 --dport 21 -j SNAT --to-source 192.168.0.11
-A POSTROUTING -p tcp -d 81.196.83.211 --dport 20 -j SNAT --to-source 192.168.0.11
-A POSTROUTING -p udp -d 81.196.83.211 --dport 21 -j SNAT --to-source 192.168.0.11
-A POSTROUTING -p udp -d 81.196.83.211 --dport 20 -j SNAT --to-source 192.168.0.11
COMMIT

*filter
:INPUT ACCEPT [374:118200]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [385:44104]
...
#pluto port fwd
-A FORWARD -p tcp -d 192.168.0.11 -i eth0 --dport 80 -j ACCEPT
-A FORWARD -p tcp -d 192.168.0.11 -i eth0 --dport 443 -j ACCEPT
-A FORWARD -p tcp -d 192.168.0.11 -i eth0 --dport 21 -j ACCEPT
-A FORWARD -p tcp -d 192.168.0.11 -i eth0 --dport 20 -j ACCEPT
-A FORWARD -p udp -d 192.168.0.11 -i eth0 --dport 21 -j ACCEPT
-A FORWARD -p udp -d 192.168.0.11 -i eth0 --dport 20 -j ACCEPT
-A FORWARD -p tcp -d 192.168.0.11 -i eth0 --dport 22 -j ACCEPT
-A FORWARD -j LOG


Using the ncftp client from outside, one can log in, but on ls it gives
ncftp / > ls
[delay]
List failed.
ncftp / > passive
passive                        on
ncftp / > ls
connect failed: Network is unreachable.
List failed.

FTP from internal net works fine.
Blocking is commented out temporarily.
/proc/sys/net/ipv4/ip_forward is 1

Log gives
Jun 29 09:32:16 marte kernel: IN=eth1 OUT=eth0 SRC=192.168.0.11 DST=207.197.204.138 LEN=123 TOS=0x00 PREC=0x00 TTL=63 ID=15667 DF PROTO=TCP SPT=21 DPT=33977 WINDOW=5792 RES=0x00 ACK PSH URGP=0
Jun 29 09:32:16 marte kernel: IN=eth1 OUT=eth0 SRC=192.168.0.11 DST=207.197.204.138 LEN=124 TOS=0x00 PREC=0x00 TTL=63 ID=15668 DF PROTO=TCP SPT=21 DPT=33977 WINDOW=5792 RES=0x00 ACK PSH URGP=0
Jun 29 09:32:17 marte kernel: IN=eth1 OUT=eth0 SRC=192.168.0.11 DST=207.197.204.138 LEN=150 TOS=0x00 PREC=0x00 TTL=63 ID=15669 DF PROTO=TCP SPT=21 DPT=33977 WINDOW=5792 RES=0x00 ACK PSH URGP=0
Jun 29 09:32:17 marte kernel: IN=eth1 OUT=eth0 SRC=192.168.0.11 DST=207.197.204.138 LEN=74 TOS=0x00 PREC=0x00 TTL=63 ID=15670 DF PROTO=TCP SPT=21 DPT=33977 WINDOW=5792 RES=0x00 ACK PSH URGP=0
Jun 29 09:32:18 marte kernel: IN=eth1 OUT=eth0 SRC=192.168.0.11 DST=207.197.204.138 LEN=103 TOS=0x00 PREC=0x00 TTL=63 ID=15671 DF PROTO=TCP SPT=21 DPT=33977 WINDOW=5792 RES=0x00 ACK PSH URGP=0
Jun 29 09:32:18 marte kernel: IN=eth1 OUT= MAC=00:20:ed:9f:3b:7f:00:48:54:1e:76:47:08:00 SRC=192.168.0.11 DST=207.197.204.138 LEN=60 TOS=0x00 PREC=0x00 TTL=64 ID=59805 DF PROTO=TCP SPT=20 DPT=33978 WINDOW=5840 RES=0x00 SYN URGP=0
Jun 29 09:32:18 marte kernel: IN=eth1 OUT=eth0 SRC=192.168.0.11 DST=207.197.204.138 LEN=60 TOS=0x00 PREC=0x00 TTL=63 ID=59805 DF PROTO=TCP SPT=20 DPT=33978 WINDOW=5840 RES=0x00 SYN URGP=0
Jun 29 09:32:18 marte kernel: IN=eth1 OUT=eth0 SRC=192.168.0.11 DST=207.197.204.138 LEN=52 TOS=0x00 PREC=0x00 TTL=63 ID=15672 DF PROTO=TCP SPT=21 DPT=33977 WINDOW=5792 RES=0x00 ACK URGP=0
Jun 29 09:32:21 marte kernel: IN=eth1 OUT=eth0 SRC=192.168.0.11 DST=207.197.204.138 LEN=89 TOS=0x00 PREC=0x00 TTL=63 ID=23271 DF PROTO=TCP SPT=21 DPT=33972 WINDOW=5792 RES=0x00 ACK PSH URGP=0
Jun 29 09:32:21 marte kernel: IN=eth1 OUT=eth0 SRC=192.168.0.11 DST=207.197.204.138 LEN=60 TOS=0x00 PREC=0x00 TTL=63 ID=59806 DF PROTO=TCP SPT=20 DPT=33978 WINDOW=5840 RES=0x00 SYN URGP=0
Jun 29 09:32:27 marte kernel: IN=eth1 OUT=eth0 SRC=192.168.0.11 DST=207.197.204.138 LEN=60 TOS=0x00 PREC=0x00 TTL=63 ID=59807 DF PROTO=TCP SPT=20 DPT=33978 WINDOW=5840 RES=0x00 SYN URGP=0
Jun 29 09:32:29 marte kernel: IN=eth0 OUT= MAC=00:c0:26:88:f7:85:00:04:76:9e:16:e0:08:00 SRC=208.245.212.67 DST=81.196.83.211 LEN=53 TOS=0x00 PREC=0x00 TTL=50 ID=22863 DF PROTO=TCP SPT=5222 DPT=32817 WINDOW=8940 RES=0x00 ACK PSH URGP=0
Jun 29 09:32:33 marte kernel: IN=eth1 OUT=eth0 SRC=192.168.0.11 DST=207.197.204.138 LEN=89 TOS=0x00 PREC=0x00 TTL=63 ID=23272 DF PROTO=TCP SPT=21 DPT=33972 WINDOW=5792 RES=0x00 ACK PSH URGP=0
Jun 29 09:32:39 marte kernel: IN=eth1 OUT=eth0 SRC=192.168.0.11 DST=207.197.204.138 LEN=60 TOS=0x00 PREC=0x00 TTL=63 ID=59808 DF PROTO=TCP SPT=20 DPT=33978 WINDOW=5840 RES=0x00 SYN URGP=0

Any suggestions appreciated, don't know what else to do.
Thanks!
-- 
Marius Andreiana
Galuna - Solutii Linux in Romania
http://www.galuna.ro
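A small diagnostic, added here as an editor's example and not part of Marius's post or the fedora-list thread: it parses the netfilter LOG lines quoted above (re-joined onto single lines), groups forwarded TCP packets by 4-tuple, and reports the flows leaving the external interface that are nothing but repeated, unanswered SYNs. In the log above that is exactly the server's active-mode data connection from port 20 to the client's port 33978, retried four times with no reply. The interface name eth0, the retry threshold, and the mention of the ip_nat_ftp helper are my assumptions, not statements from the post.

```python
import ipaddress
from collections import defaultdict

# Netfilter LOG lines copied from the post above, re-joined onto single lines.
LOG_LINES = [
    "Jun 29 09:32:16 marte kernel: IN=eth1 OUT=eth0 SRC=192.168.0.11 DST=207.197.204.138 LEN=123 TOS=0x00 PREC=0x00 TTL=63 ID=15667 DF PROTO=TCP SPT=21 DPT=33977 WINDOW=5792 RES=0x00 ACK PSH URGP=0",
    "Jun 29 09:32:18 marte kernel: IN=eth1 OUT=eth0 SRC=192.168.0.11 DST=207.197.204.138 LEN=60 TOS=0x00 PREC=0x00 TTL=63 ID=59805 DF PROTO=TCP SPT=20 DPT=33978 WINDOW=5840 RES=0x00 SYN URGP=0",
    "Jun 29 09:32:21 marte kernel: IN=eth1 OUT=eth0 SRC=192.168.0.11 DST=207.197.204.138 LEN=60 TOS=0x00 PREC=0x00 TTL=63 ID=59806 DF PROTO=TCP SPT=20 DPT=33978 WINDOW=5840 RES=0x00 SYN URGP=0",
    "Jun 29 09:32:27 marte kernel: IN=eth1 OUT=eth0 SRC=192.168.0.11 DST=207.197.204.138 LEN=60 TOS=0x00 PREC=0x00 TTL=63 ID=59807 DF PROTO=TCP SPT=20 DPT=33978 WINDOW=5840 RES=0x00 SYN URGP=0",
    "Jun 29 09:32:29 marte kernel: IN=eth0 OUT= MAC=00:c0:26:88:f7:85:00:04:76:9e:16:e0:08:00 SRC=208.245.212.67 DST=81.196.83.211 LEN=53 TOS=0x00 PREC=0x00 TTL=50 ID=22863 DF PROTO=TCP SPT=5222 DPT=32817 WINDOW=8940 RES=0x00 ACK PSH URGP=0",
    "Jun 29 09:32:39 marte kernel: IN=eth1 OUT=eth0 SRC=192.168.0.11 DST=207.197.204.138 LEN=60 TOS=0x00 PREC=0x00 TTL=63 ID=59808 DF PROTO=TCP SPT=20 DPT=33978 WINDOW=5840 RES=0x00 SYN URGP=0",
]


def parse_log_line(line):
    """Split a netfilter LOG line into its KEY=VALUE fields. Bare tokens such
    as DF, SYN, ACK and PSH land in the 'flags' set; non-LOG lines give {}."""
    _, sep, body = line.partition("kernel: ")
    if not sep or not body.startswith("IN="):
        return {}
    fields = {"flags": set()}
    for tok in body.split():
        key, eq, val = tok.partition("=")
        if eq:
            fields[key] = val
        else:
            fields["flags"].add(tok)
    return fields


def unanswered_outbound_syns(lines, external_if="eth0", min_syns=2):
    """Group forwarded TCP packets by 4-tuple and return the flows leaving on
    external_if that consist of nothing but repeated bare SYNs. A connection
    opened from the inside that never gets a SYN/ACK back is what a missing
    SNAT/MASQUERADE rule (or, for the active-mode data connection from port
    20, a missing ip_nat_ftp helper) looks like in the FORWARD log."""
    syns = defaultdict(int)
    answered = set()
    for f in map(parse_log_line, lines):
        if not f or f.get("PROTO") != "TCP" or f.get("OUT") != external_if:
            continue
        flow = (f["SRC"], int(f["SPT"]), f["DST"], int(f["DPT"]))
        if "SYN" in f["flags"] and "ACK" not in f["flags"]:
            syns[flow] += 1
        else:
            answered.add(flow)  # data or pure ACKs: this handshake completed
    return [
        {"flow": flow, "syn_retries": n, "active_ftp_data": flow[1] == 20,
         "private_src": ipaddress.ip_address(flow[0]).is_private}
        for flow, n in sorted(syns.items())
        if n >= min_syns and flow not in answered
    ]
```

Run it against a full FORWARD log and the report narrows the hunt to connections the router let out but nobody could answer; a private source address on such a flow points at the NAT rules rather than at the filter chain.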