  1. #1 (Just Joined!, joined Apr 2008, Catalonia, 35 posts)

    [SOLVED] iptables: local proFTPd server and remote FTP servers access

    Hello,

    I'm setting up a public services subnetwork and I need some help with iptables. This is what I manage:

    Firewall (Debian 4.0r3) with 3 NICs:

    eth0 NET, interface "INET", subnet 192.168.3.0/24, connected to a DSL router pointed by a public static IP address.
    eth1 DMZ, interface "IDMZ", subnet 192.168.2.0/24, only one machine
    eth2 LOC, interface "ILOC", subnet 192.168.1.0/24 (XLOC)

    The default policy for INPUT, OUTPUT, FORWARD chains (and PRE/POST-ROUTING) is DROP.

    The firewall masquerades all that comes from LOC and DMZ subnets going to the Internet. The module ip_conntrack_ftp is loaded. Every outbound connection from LOC works well, but FTP doesn't.

    I'm having problems with a FTP server (proFTPd) serving in the DMZ.

    (1) I want it to be a public server, but I'm not able to access it from the Internet, ruleset

    Code:
    iptables -t nat -A PREROUTING -i $INET -p tcp --dport 20 -j DNAT --to-destination $DMZ:20
    iptables -t nat -A PREROUTING -i $INET -p tcp --dport 21 -j DNAT --to-destination $DMZ:21
    
    iptables -A FORWARD -i $IDMZ -o $INET -p tcp --dport 20:21 -j ACCEPT
    iptables -A FORWARD -i $INET -o $IDMZ -p tcp --sport 20:21 -j ACCEPT
    the server seems to respond remotely, but I cannot log in successfully. I've configured proftpd.conf like this example (HOWTO : Create a FTP server with user access (proftpd) - Ubuntu Forums) but without aliases; syslog.log says that I must check the ServerType directive (standalone) and that it cannot bind to 0.0.0.0:21 (addr already in use).

    (2) I want it to be accessible from the local network, ruleset

    Code:
    iptables -t nat -A PREROUTING -i $ILOC -p tcp --dport 20 -j DNAT --to-destination $DMZ:20
    iptables -t nat -A PREROUTING -i $ILOC -p tcp --dport 21 -j DNAT --to-destination $DMZ:21
    
    iptables -A FORWARD -s $XLOC -d $DMZ -p tcp -m state --state NEW,ESTABLISHED -j ACCEPT
    iptables -A FORWARD -s $DMZ -d $XLOC -p tcp -m state --state ESTABLISHED,RELATED -j ACCEPT
    but the firewall stops the connection

    (3) Apart from my server, I want to access remote FTP servers from the LAN, ruleset

    Code:
    iptables -A FORWARD -i $ILOC -o $INET -p tcp --dport 20:21 -j ACCEPT
    iptables -A FORWARD -i $INET -o $ILOC -m state --state ESTABLISHED,RELATED -p tcp --sport 20:21 -j ACCEPT
    
    iptables -A FORWARD -i $ILOC -o $INET -m state --state NEW,ESTABLISHED,RELATED -p tcp --dport 1024:65535 -j ACCEPT
    iptables -A FORWARD -i $INET -o $ILOC -m state --state ESTABLISHED -p tcp --sport 1024:65535 --dport 1024:65535 -j ACCEPT
    but I can only do it in passive mode. How do I enable active mode?

    thanks for the help...

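As an added example (not the poster's script and not taken from the thread), a stateful ruleset for the three cases above. Interface names, the DMZ host address 192.168.2.2 and the passive range are assumptions; the function only prints the rules so they can be reviewed before being piped to sh.

```shell
#!/bin/sh
# Added example, not the poster's script: a stateful iptables ruleset for the
# three cases in the post. Interface names and the DMZ host address
# (192.168.2.2, assumed) are placeholders; the passive range is assumed to
# match PassivePorts in proftpd.conf. The function only prints the rules so
# they can be reviewed first:  build_ftp_rules | sh
INET=eth0; IDMZ=eth1; ILOC=eth2
DMZ=192.168.2.2; XLOC=192.168.1.0/24; FWLOC=192.168.1.1
FTP_PASV=65000:65333

build_ftp_rules() {
  cat <<EOF
# FTP helper: follows PORT/PASV in the control channel and rewrites the
# addresses in it, so data connections appear as RELATED and no wide
# high-port hole is needed (module names are the 2.6.18-era ones).
modprobe ip_conntrack_ftp
modprobe ip_nat_ftp
# Filtering belongs in FORWARD: the nat table sees only a connection's first
# packet, so its chains should keep the default ACCEPT policy.
iptables -t nat -P PREROUTING ACCEPT
iptables -t nat -P POSTROUTING ACCEPT
# Replies for every permitted connection, in both directions, first.
iptables -A FORWARD -m state --state ESTABLISHED -j ACCEPT
# (1) Internet -> DMZ server. Only port 21 is DNATed; the DSL router must
#     forward port 21 to the firewall's NET address, not to the DMZ host.
iptables -t nat -A PREROUTING -i $INET -p tcp --dport 21 -j DNAT --to-destination $DMZ:21
iptables -A FORWARD -i $INET -o $IDMZ -d $DMZ -p tcp --dport 21 -m state --state NEW -j ACCEPT
# Passive data connections from the Internet, confined to the server's range.
iptables -A FORWARD -i $INET -o $IDMZ -d $DMZ -p tcp --dport $FTP_PASV -m state --state RELATED -j ACCEPT
# Active data connections: the server calls the client back from port 20.
iptables -A FORWARD -i $IDMZ -o $INET -s $DMZ -p tcp --sport 20 -m state --state RELATED -j ACCEPT
# (2) LAN -> DMZ server through the firewall's LAN address.
iptables -t nat -A PREROUTING -i $ILOC -d $FWLOC -p tcp --dport 21 -j DNAT --to-destination $DMZ:21
iptables -A FORWARD -i $ILOC -o $IDMZ -s $XLOC -d $DMZ -p tcp --dport 21 -m state --state NEW -j ACCEPT
iptables -A FORWARD -i $ILOC -o $IDMZ -s $XLOC -d $DMZ -p tcp --dport $FTP_PASV -m state --state RELATED -j ACCEPT
iptables -A FORWARD -i $IDMZ -o $ILOC -s $DMZ -p tcp --sport 20 -m state --state RELATED -j ACCEPT
# (3) LAN -> remote FTP servers. Passive data goes out as RELATED; active data
#     comes back as RELATED, and with masquerading that needs ip_nat_ftp to
#     rewrite the private address the client sends in its PORT command.
iptables -A FORWARD -i $ILOC -o $INET -s $XLOC -p tcp --dport 21 -m state --state NEW -j ACCEPT
iptables -A FORWARD -i $ILOC -o $INET -s $XLOC -p tcp -m state --state RELATED -j ACCEPT
iptables -A FORWARD -i $INET -o $ILOC -d $XLOC -p tcp --sport 20 -m state --state RELATED -j ACCEPT
EOF
}
```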
  2. #2 wildpossum (Just Joined!, joined Apr 2008, Sydney/Australia, 92 posts)
    A>. You probably need to edit your /etc/hosts.allow, /etc/host.deny files correctly.

    B>. Check that the service is listening by using as root, "netstat -a" and looking for the ftp service listening for any input on port 20 & 21.

    C>. Then you should check that indeed you can initiate a service by using telnet i.e.: "telnet localhost:ftp".

    Once you get this far, you should be able to use the ftp service.

  3. #3 (Just Joined!, joined Apr 2008, Catalonia, 35 posts)
    I have edited /etc/hosts.allow, adding

    Code:
    ALL: ALL
    Yes, the ftp service, as netstat -a states, is listening (local address *:ftp, foreign address *:*, this is ok). When telnetting, the DMZ system cannot resolve localhost:ftp/telnet, name or service not known. Apart from that, the DMZ does not respond to transmissions from the LAN.

    iptraf listening to firewall LAN iface sees the incoming connection, but listening to DMZ interface I see nothing, and consequently DMZ does nothing, ftptop tells nothing...

    Do I have to masquerade the IP when crossing from the local network to the DMZ network?

    Must I allow something specific in the firewall?

    I have monitored the same mechanism but now with a HTTP service (apache2), programming iptables exactly as the FTP service but using port 80, and I'm again unable to connect to the DMZ from the LAN.

    thanks wildpossum

  4. #4 (Just Joined!, joined Apr 2008, 5 posts)
    Hey there

    In your proftpd.conf, have you tried setting:

    MasqueradeAddress ftp.wherever.testing.com
    PassivePorts 65000 65333

  5. #5 (Just Joined!, joined Apr 2008, Catalonia, 35 posts)
    Making a more permissive ruleset for the moment allows the connections...

    I configured a similar range of passive ports.

    Should I put the private IP of the DMZ in MasqueradeAddress since its IP is private?

    Or the public IP of the external gateway/router?

    ftptop on the DMZ says that the FTP server is 192.168.1.1:21, this IP belongs to the LAN interface of the firewall! Is this correct?

    thank you

  6. #6 (Just Joined!, joined Apr 2008, 5 posts)
    Masquerade the public address.

  7. #7 (Just Joined!, joined Apr 2008, Catalonia, 35 posts)
    Ok, masquerading!

    The access to the DMZ ports http & ftp from the LAN works very well; now I must forward the ports from the external router (192.168.3.1), configuring, as it states, the "virtual servers".

    The firewall (NET: 192.168.3.2, LOC: 192.168.1.1, DMZ: 192.168.2.1) is configured to forward the packets that enter the NET iface:

    Code:
    iptables -t nat -A PREROUTING -i $INET -p tcp --dport 80 -j DNAT --to-destination $DMZ:80
    (followed by the rule forwarding the ftp service)

    I've tried almost every combination. Either launching the ports 80 and 21 to the DMZ (192.168.2.2) or launching them to the NET iface of the firewall does not work from the Internet. Remotely, it seems as if there were no servers (reaching timeouts). I have a static IP.

    I think the problem is in the external DSL router redirection; the monitoring software running in the firewall shows no incoming packets when I try to open a remote connection. It is a Comtrend CT-5071.

    The CT-5071 also allows defining the DMZ host for redirecting the packets that do not belong to any of the protocols stated in the virtual servers list, but this option makes no difference.

    What am I missing?

  8. #8 (Just Joined!, joined Apr 2008, 5 posts)
    Tricky. When you are modifying everything, you're behind the LAN right? If so, your DSL router has nothing to do with it, and you can configure accordingly.

    However, if you are outside the local net and attempt to access a webserver behind a router, you should first of all look to your ISP and DSL router. Ask your ISP if they are blocking any ports, and if so, if they can open up the requested ports for you.

    Your Iptables rule is correct.

  9. #9 (Just Joined!, joined Apr 2008, Catalonia, 35 posts)
    Solved, rszabo. I had to redirect all packets to the FW instead of the DMZ.

    New discussion:

    http://www.linuxforums.org/forum/ser...-problems.html

  10. #10 (Just Joined!, joined Apr 2008, 5 posts)
    Oh, I thought you had the FTP server within the DMZ. And I also thought that your firewall code was written on the FW.

    At least it works, cheers
