- 04-21-2008 #1
[SOLVED] iptables: local proFTPd server and remote FTP servers access
Hello,
I'm setting up a public services subnetwork and I need some help with iptables. This is what I manage:
Firewall (Debian 4.0r3) with 3 NIC's:
eth0 NET, interface "INET", subnet 192.168.3.0/24, connected to a DSL router pointed by a public static IP address.
eth1 DMZ, interface "IDMZ", subnet 192.168.2.0/24, only one machine
eth2 LOC, interface "ILOC", subnet 192.168.1.0/24 (XLOC)
The default policy for INPUT, OUTPUT, FORWARD chains (and PRE/POST-ROUTING) is DROP.
The firewall masquerades all that comes from LOC and DMZ subnets going to the Internet. The module ip_conntrack_ftp is loaded. Every outbound connection from LOC works well, but FTP doesn't.
I'm having problems with an FTP server (proFTPd) serving in the DMZ.
(1) I want it to be a public server, but I'm not able to access it from the Internet, ruleset:
Code:
iptables -t nat -A PREROUTING -i $INET -p tcp --dport 20 -j DNAT --to-destination $DMZ:20
iptables -t nat -A PREROUTING -i $INET -p tcp --dport 21 -j DNAT --to-destination $DMZ:21
iptables -A FORWARD -i $IDMZ -o $INET -p tcp --dport 20:21 -j ACCEPT
iptables -A FORWARD -i $INET -o $IDMZ -p tcp --sport 20:21 -j ACCEPT
The server seems to respond remotely, but I cannot log in successfully. I've configured proftpd.conf like this example (HOWTO : Create a FTP server with user access (proftpd) - Ubuntu Forums) but without aliases; syslog.log says that I must check the ServerType directive (standalone) and that it cannot bind to 0.0.0.0:21 (addr already in use).
(2) I want it to be accessible from the local network, ruleset:
Code:
iptables -t nat -A PREROUTING -i $ILOC -p tcp --dport 20 -j DNAT --to-destination $DMZ:20
iptables -t nat -A PREROUTING -i $ILOC -p tcp --dport 21 -j DNAT --to-destination $DMZ:21
iptables -A FORWARD -s $XLOC -d $DMZ -p tcp -m state --state NEW,ESTABLISHED -j ACCEPT
iptables -A FORWARD -s $DMZ -d $XLOC -p tcp -m state --state ESTABLISHED,RELATED -j ACCEPT
but the firewall stops the connection.
(3) Apart from my server, I want to access remote FTP servers from the LAN, ruleset:
Code:
iptables -A FORWARD -i $ILOC -o $INET -p tcp --dport 20:21 -j ACCEPT
iptables -A FORWARD -i $INET -o $ILOC -m state --state ESTABLISHED,RELATED -p tcp --sport 20:21 -j ACCEPT
iptables -A FORWARD -i $ILOC -o $INET -m state --state NEW,ESTABLISHED,RELATED -p tcp --dport 1024:65535 -j ACCEPT
iptables -A FORWARD -i $INET -o $ILOC -m state --state ESTABLISHED -p tcp --sport 1024:65535 --dport 1024:65535 -j ACCEPT
but I can only do it in passive mode. How do I enable active mode?
thanks for the help...
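A tighter version of the three rulesets from the question, added here as an example and not the OP's or the thread's own script. It assumes the interface names, addresses and the proftpd passive range given in the thread, that the DSL router forwards to the firewall's NET address, and that the firewall uses both the FTP conntrack helper and its NAT helper:

```shell
#!/bin/sh
# Added example, not the OP's script: a tighter ruleset for the three cases in
# the question, leaning on the FTP conntrack helper for the data connections.
# Interfaces and addresses come from the thread (router forwards to the firewall,
# posts #7/#9); the passive range is the one suggested in reply #4.
# "sh ftp-dmz.sh apply" loads the rules as root; no argument just prints them.
INET=eth0; IDMZ=eth1; ILOC=eth2
DMZ=192.168.2.2            # proftpd host in the DMZ
XLOC=192.168.1.0/24        # LAN subnet
FW_NET=192.168.3.2         # firewall address the DSL router forwards to
PASV_PORTS=65000:65333     # must match PassivePorts in proftpd.conf

case "${1:-print}" in
    apply) DRY_RUN=0 ;;
    *)     DRY_RUN=1 ;;
esac

ipt() {
    if [ "$DRY_RUN" = 1 ]; then echo "iptables $*"; else iptables "$@"; fi
}

ftp_dmz_rules() {
    # ip_conntrack_ftp only tracks the protocol; behind NAT the addresses in
    # PORT/PASV must be rewritten too, which needs the NAT helper as well
    # (ip_nat_ftp on Debian 4.0's 2.6.18 kernel, nf_nat_ftp on later kernels).
    [ "$DRY_RUN" = 1 ] || modprobe ip_nat_ftp
    # (1) Internet -> DMZ server: control port and passive range. Port 20 needs
    #     no inbound rule; active data connections are opened by the server and
    #     accepted as RELATED below.
    ipt -t nat -A PREROUTING -i "$INET" -d "$FW_NET" -p tcp --dport 21 -j DNAT --to-destination "$DMZ"
    ipt -t nat -A PREROUTING -i "$INET" -d "$FW_NET" -p tcp --dport "$PASV_PORTS" -j DNAT --to-destination "$DMZ"
    # FORWARD sees the packet after DNAT, so match the real destination.
    ipt -A FORWARD -i "$INET" -o "$IDMZ" -d "$DMZ" -p tcp -m multiport --dports 21,"$PASV_PORTS" -m state --state NEW -j ACCEPT
    # (2) LAN -> DMZ server by its DMZ address. The MASQUERADE is what the
    #     thread ended up doing so replies go back through the firewall; it
    #     costs you the real client address in proftpd's logs.
    ipt -A FORWARD -i "$ILOC" -o "$IDMZ" -s "$XLOC" -d "$DMZ" -p tcp -m multiport --dports 21,"$PASV_PORTS" -m state --state NEW -j ACCEPT
    ipt -t nat -A POSTROUTING -o "$IDMZ" -s "$XLOC" -d "$DMZ" -j MASQUERADE
    # (3) LAN -> remote FTP servers: open only the control channel. Active
    #     (port 20) and passive data connections are expected by the helper and
    #     arrive as RELATED, so no 1024:65535 hole is needed.
    ipt -A FORWARD -i "$ILOC" -o "$INET" -s "$XLOC" -p tcp --dport 21 -m state --state NEW -j ACCEPT
    ipt -t nat -A POSTROUTING -o "$INET" -j MASQUERADE
    # Replies and helper-expected data connections for all three cases.
    ipt -A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT
}

ftp_dmz_rules
```

Compare the printed rules with `iptables -t nat -L -n -v` and `iptables -L FORWARD -n -v` after applying; the packet counters on the DNAT rule show whether the router is actually delivering port 21 to the firewall.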
- 04-23-2008 #2
A>. You probably need to edit your /etc/hosts.allow, /etc/host.deny files correctly.
B>. Check that the service is listening by using as root, "netstat -a" and looking for the ftp service listening for any input on port 20 & 21.
C>. Then you should check that indeed you can initiate a service by using telnet i.e.: "telnet localhost:ftp".
Once you get this far, you should be able to use the ftp service.
- 04-23-2008 #3
I have edited /etc/hosts.allow, adding
Code:
ALL: ALL
Yes, the ftp service, as netstat -a states, is listening (local address *:ftp, foreign address *:*, this is ok). When telnetting, the DMZ system cannot resolve localhost:ftp/telnet, name or service not known. Apart from that, the DMZ does not respond to transmissions from the LAN.
iptraf listening to firewall LAN iface sees the incoming connection, but listening to DMZ interface I see nothing, and consequently DMZ does nothing, ftptop tells nothing...
Do I have to masquerade the IP when crossing from the local network to the DMZ network?
Must I allow something specific in the firewall?
I have monitored the same mechanism but now with a HTTP service (apache2), programming iptables exactly as the FTP service but using port 80, and I'm again unable to connect to the DMZ from the LAN.
thanks wildpossum
- 04-24-2008 #4
Hey there
In your proftpd.conf, have you tried setting:
MasqueradeAddress ftp.wherever.testing.com
PassivePorts 65000 65333
- 04-25-2008 #5
Making a more permissive ruleset by the moment allows the connections...
I configured a similar range of passive ports.
Should I put the private IP of the DMZ in MasqueradeAddress since its IP is private?
Or the public IP of the external gateway/router?
ftptop on the DMZ says that the FTP server is 192.168.1.1:21, this IP belongs to the LAN interface of the firewall! Is this correct?
thank you
- 04-25-2008 #6
Masquerade the public address.
- 04-26-2008 #7
Ok, masquerading!
The access to the DMZ ports http & ftp from the LAN works very good, now I must forward the ports from the external router (192.168.3.1), configuring, as it states, the "virtual servers".
The firewall (NET: 192.168.3.2, LOC: 192.168.1.1, DMZ: 192.168.2.1) is configured to forward the packets that enter the NET iface:
Code:
iptables -t nat -A PREROUTING -i $INET -p tcp --dport 80 -j DNAT --to-destination $DMZ:80
(followed by the rule forwarding the ftp service)
I've tried almost every combination. Either launching the ports 80 and 21 to the DMZ (192.168.2.2) or launching them to the NET iface of the firewall does not work from the internet. Remotely, it seems as if there were no servers (reaching timeouts). I have a static IP.
I think the problem is in the external DSL router redirection; the monitoring software running in the firewall shows no incoming packets when I try to open a remote connection. It is a Comtrend CT-5071.
The CT-5071 also allows defining the DMZ host for redirecting the packets that do not belong to any of the protocols stated in the virtual servers list, but this option makes no difference.
What am I missing?
- 04-28-2008 #8
Tricky. When you are modifying everything, you're behind the LAN right? If so, your DSL router has nothing to do with it, and you can configure accordingly.
However, if you are outside the local net and attempt to access a webserver behind a router, you should first of all look to your ISP and DSL router. Ask your ISP if they are blocking any ports, and if so, if they can open up the requested ports for you.
Your Iptables rule is correct.
- 05-04-2008 #9
Solved, rszabo. I had to redirect all packets to the FW instead of the DMZ.
New discussion:
http://www.linuxforums.org/forum/ser...-problems.html
- 05-05-2008 #10
Oh, I thought you had the FTP server within the DMZ. And I also thought that your firewall code was written on the FW.
At least it works, cheers