
Re: ftp/scp port forwarding



Seems to me like you're running an http/https/ftp server behind NAT, and
you want to make it visible to the outside, correct?

http/https are not a problem in this scenario.

ftp on the other hand... well, for a "dumb" NAT-ing firewall, if the
data port is not set to 20 during the session, your forwarding rules
will not apply.

But Linux is not dumb: iptables knows the FTP protocol and it can do
smart things.

Make sure you're loading the ip_nat* and ip_conntrack* modules on the
firewall. I believe it's enough to load them and only forward the
command channel (port 21); the purpose of the ip_nat_ftp module is to
figure out the parameters for the data channel and mangle the packets on
the fly.

Edit /etc/sysconfig/iptables-config and add:

IPTABLES_MODULES="ip_nat_ftp"

Or (less elegantly) "modprobe ip_nat_ftp" in rc.local

That should be enough. Or so I hope.

If that doesn't help, have a look at Pure-FTPd, it has config options
for exactly this scenario.
More specifically, you can try -P to specify the public IP address (your
ftp server has no clue what the public IP address is, hence it doesn't
know what address to return in passive mode).
Or use -N to force active mode.

http://www.pureftpd.org/

On Mon, 2004-06-28 at 23:38, Marius Andreiana wrote:
> Ola
> 
> I'm trying to set up port forwarding for ftp and scp (ssh) from the internet
> to an internal host.
> For http it works fine, both http and https.
> I've added these rules to /etc/sysconfig/iptables on router (using FC2):
> 
> #pluto port fwd
> *nat
> :PREROUTING ACCEPT [13:704]
> :POSTROUTING ACCEPT [17:1950]
> :OUTPUT ACCEPT [16:1890]
> #-A POSTROUTING -o eth0 -j MASQUERADE
> -A PREROUTING -d 81.196.83.211 -i eth0 -p tcp --dport 8080 -j DNAT --to-destination 192.168.0.11:80
> -A PREROUTING -d 81.196.83.211 -i eth0 -p tcp --dport 8443 -j DNAT --to-destination 192.168.0.11:443
> -A PREROUTING -d 81.196.83.211 -i eth0 -p tcp --dport 20 -j DNAT --to-destination 192.168.0.11:20
> -A PREROUTING -d 81.196.83.211 -i eth0 -p tcp --dport 21 -j DNAT --to-destination 192.168.0.11:21
> -A PREROUTING -d 81.196.83.211 -i eth0 -p tcp --dport 8022 -j DNAT --to-destination 192.168.0.11:22
> -A PREROUTING -d 81.196.83.211 -i eth0 -p udp --dport 21 -j DNAT --to-destination 192.168.0.11:21
> -A PREROUTING -d 81.196.83.211 -i eth0 -p udp --dport 8022 -j DNAT --to-destination 192.168.0.11:22
> -A PREROUTING -j LOG
> #SNAT shouldn't be needed, connections are only from outside
> -A POSTROUTING -p tcp -d 81.196.83.211 --dport 21 -j SNAT --to-source 192.168.0.11
> -A POSTROUTING -p tcp -d 81.196.83.211 --dport 20 -j SNAT --to-source 192.168.0.11
> -A POSTROUTING -p udp -d 81.196.83.211 --dport 21 -j SNAT --to-source 192.168.0.11
> -A POSTROUTING -p udp -d 81.196.83.211 --dport 20 -j SNAT --to-source 192.168.0.11
> COMMIT
> 
> *filter
> :INPUT ACCEPT [374:118200]
> :FORWARD ACCEPT [0:0]
> :OUTPUT ACCEPT [385:44104]
> ...
> #pluto port fwd
> -A FORWARD -p tcp -d 192.168.0.11 -i eth0 --dport 80 -j ACCEPT
> -A FORWARD -p tcp -d 192.168.0.11 -i eth0 --dport 443 -j ACCEPT
> -A FORWARD -p tcp -d 192.168.0.11 -i eth0 --dport 21 -j ACCEPT
> -A FORWARD -p tcp -d 192.168.0.11 -i eth0 --dport 20 -j ACCEPT
> -A FORWARD -p udp -d 192.168.0.11 -i eth0 --dport 21 -j ACCEPT
> -A FORWARD -p udp -d 192.168.0.11 -i eth0 --dport 20 -j ACCEPT
> -A FORWARD -p tcp -d 192.168.0.11 -i eth0 --dport 22 -j ACCEPT
> -A FORWARD -j LOG
> 
> 
> Using ncftp client from outside, one can login but on ls it gives
> ncftp / > ls
> [delay]
> List failed.
> ncftp / > passive
> passive                        on
> ncftp / > ls
> connect failed: Network is unreachable.
> List failed.
> 
> FTP from internal net works fine.
> Blocking is commented out temporarily.
> /proc/sys/net/ipv4/ip_forward is 1
> 
> Log gives
> Jun 29 09:32:16 marte kernel: IN=eth1 OUT=eth0 SRC=192.168.0.11 DST=207.197.204.138 LEN=123 TOS=0x00 PREC=0x00 TTL=63 ID=15667 DF PROTO=TCP SPT=21 DPT=33977 WINDOW=5792 RES=0x00 ACK PSH URGP=0
> Jun 29 09:32:16 marte kernel: IN=eth1 OUT=eth0 SRC=192.168.0.11 DST=207.197.204.138 LEN=124 TOS=0x00 PREC=0x00 TTL=63 ID=15668 DF PROTO=TCP SPT=21 DPT=33977 WINDOW=5792 RES=0x00 ACK PSH URGP=0
> Jun 29 09:32:17 marte kernel: IN=eth1 OUT=eth0 SRC=192.168.0.11 DST=207.197.204.138 LEN=150 TOS=0x00 PREC=0x00 TTL=63 ID=15669 DF PROTO=TCP SPT=21 DPT=33977 WINDOW=5792 RES=0x00 ACK PSH URGP=0
> Jun 29 09:32:17 marte kernel: IN=eth1 OUT=eth0 SRC=192.168.0.11 DST=207.197.204.138 LEN=74 TOS=0x00 PREC=0x00 TTL=63 ID=15670 DF PROTO=TCP SPT=21 DPT=33977 WINDOW=5792 RES=0x00 ACK PSH URGP=0
> Jun 29 09:32:18 marte kernel: IN=eth1 OUT=eth0 SRC=192.168.0.11 DST=207.197.204.138 LEN=103 TOS=0x00 PREC=0x00 TTL=63 ID=15671 DF PROTO=TCP SPT=21 DPT=33977 WINDOW=5792 RES=0x00 ACK PSH URGP=0
> Jun 29 09:32:18 marte kernel: IN=eth1 OUT= MAC=00:20:ed:9f:3b:7f:00:48:54:1e:76:47:08:00 SRC=192.168.0.11 DST=207.197.204.138 LEN=60 TOS=0x00 PREC=0x00 TTL=64 ID=59805 DF PROTO=TCP SPT=20 DPT=33978 WINDOW=5840 RES=0x00 SYN URGP=0
> Jun 29 09:32:18 marte kernel: IN=eth1 OUT=eth0 SRC=192.168.0.11 DST=207.197.204.138 LEN=60 TOS=0x00 PREC=0x00 TTL=63 ID=59805 DF PROTO=TCP SPT=20 DPT=33978 WINDOW=5840 RES=0x00 SYN URGP=0
> Jun 29 09:32:18 marte kernel: IN=eth1 OUT=eth0 SRC=192.168.0.11 DST=207.197.204.138 LEN=52 TOS=0x00 PREC=0x00 TTL=63 ID=15672 DF PROTO=TCP SPT=21 DPT=33977 WINDOW=5792 RES=0x00 ACK URGP=0
> Jun 29 09:32:21 marte kernel: IN=eth1 OUT=eth0 SRC=192.168.0.11 DST=207.197.204.138 LEN=89 TOS=0x00 PREC=0x00 TTL=63 ID=23271 DF PROTO=TCP SPT=21 DPT=33972 WINDOW=5792 RES=0x00 ACK PSH URGP=0
> Jun 29 09:32:21 marte kernel: IN=eth1 OUT=eth0 SRC=192.168.0.11 DST=207.197.204.138 LEN=60 TOS=0x00 PREC=0x00 TTL=63 ID=59806 DF PROTO=TCP SPT=20 DPT=33978 WINDOW=5840 RES=0x00 SYN URGP=0
> Jun 29 09:32:27 marte kernel: IN=eth1 OUT=eth0 SRC=192.168.0.11 DST=207.197.204.138 LEN=60 TOS=0x00 PREC=0x00 TTL=63 ID=59807 DF PROTO=TCP SPT=20 DPT=33978 WINDOW=5840 RES=0x00 SYN URGP=0
> Jun 29 09:32:29 marte kernel: IN=eth0 OUT= MAC=00:c0:26:88:f7:85:00:04:76:9e:16:e0:08:00 SRC=208.245.212.67 DST=81.196.83.211 LEN=53 TOS=0x00 PREC=0x00 TTL=50 ID=22863 DF PROTO=TCP SPT=5222 DPT=32817 WINDOW=8940 RES=0x00 ACK PSH URGP=0
> Jun 29 09:32:33 marte kernel: IN=eth1 OUT=eth0 SRC=192.168.0.11 DST=207.197.204.138 LEN=89 TOS=0x00 PREC=0x00 TTL=63 ID=23272 DF PROTO=TCP SPT=21 DPT=33972 WINDOW=5792 RES=0x00 ACK PSH URGP=0
> Jun 29 09:32:39 marte kernel: IN=eth1 OUT=eth0 SRC=192.168.0.11 DST=207.197.204.138 LEN=60 TOS=0x00 PREC=0x00 TTL=63 ID=59808 DF PROTO=TCP SPT=20 DPT=33978 WINDOW=5840 RES=0x00 SYN URGP=0
> 
> Any suggestions appreciated, don't know what else to do.
> Thanks!
> -- 
> Marius Andreiana
> Galuna - Solutii Linux in Romania
> http://www.galuna.ro
-- 
Florin Andrei

http://florin.myip.org/
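An added illustration of the job the reply assigns to ip_nat_ftp (example code written for this page, not from either poster, the kernel, or Pure-FTPd): it parses the FTP PORT command and the 227 PASV reply, derives the data connection the firewall must expect for a DNAT'ed control channel, and rewrites the private address a server behind NAT advertises in passive mode. The addresses are the ones quoted in the thread; the function names and the expectation dictionaries are this example's own simplification and only sketch what the real helper does.

```python
import re
from typing import Optional, Tuple

# Addresses quoted in the thread: the router's public IP and the DNAT target.
PUBLIC_IP = "81.196.83.211"
INTERNAL_IP = "192.168.0.11"

# RFC 959 host/port form used by both the PORT command and the 227 PASV reply.
_HP = re.compile(r"(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3})")


def parse_hostport(text: str) -> Optional[Tuple[str, int]]:
    """Decode h1,h2,h3,h4,p1,p2 into (ip, port); None if absent or malformed."""
    m = _HP.search(text)
    if not m:
        return None
    nums = [int(x) for x in m.groups()]
    if any(n > 255 for n in nums):
        return None
    return ".".join(map(str, nums[:4])), nums[4] * 256 + nums[5]


def format_hostport(ip: str, port: int) -> str:
    """Inverse of parse_hostport."""
    return ",".join(ip.split(".") + [str(port // 256), str(port % 256)])


def expect_active(port_cmd: str, client_ip: str) -> Optional[dict]:
    """Client sent 'PORT h1,h2,h3,h4,p1,p2': the server will open a NEW
    connection from INTERNAL_IP:20 to that address (the SPT=20 SYNs in the
    log above). A dumb forwarder has no rule for it; the helper registers
    the expectation so the SYN is SNATed to the public address and accepted."""
    hp = parse_hostport(port_cmd)
    if hp is None or hp[0] != client_ip:
        return None  # this example only tracks data channels going back to the client itself
    return {"src": (INTERNAL_IP, 20), "dst": hp, "snat_to": PUBLIC_IP}


def rewrite_pasv(reply: str) -> Tuple[str, Optional[dict]]:
    """Server sent '227 Entering Passive Mode (192,168,0,11,p1,p2)': as is,
    an Internet client would try to connect to the private address (the
    'Network is unreachable' in the ncftp session). Rewrite it to PUBLIC_IP
    and expect an inbound data connection to be DNATed to INTERNAL_IP:port."""
    hp = parse_hostport(reply)
    if hp is None or hp[0] != INTERNAL_IP:
        return reply, None
    ip, port = hp
    rewritten = reply.replace(format_hostport(ip, port), format_hostport(PUBLIC_IP, port))
    return rewritten, {"dst": (PUBLIC_IP, port), "dnat_to": (INTERNAL_IP, port)}
```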


