  1. #1
    Just Joined!
    Join Date: Jul 2009
    Posts: 9

    Iptables works for port 3389 but not for 21


    I am a total noob to iptables and know a little bit of Linux,

    but after help from this forum and reading some tutorials, documents and samples, I somehow managed to create a firewall script.

    I am using Ubuntu 8.10, as detailed below:

    UFW disabled

    3 NICs

    one for wan - 192.168.0.0/24 - eth0

    one for lan1 - 192.168.1.0/24 - eth1

    one for lan2 - 192.168.111.0/24 - eth2

    The following ports are opened:

    1.) Firewall - 22 - so that we can access it from the WAN

    2.) 192.168.0.45 - eth1 - 3389 - port forwarded - so that we can access it from the WAN

    3.) 192.168.111.45 - eth2 - 3389 - forwarded - so that we can access it from lan1 to lan2

    4.) 192.168.111.45 - eth2 - 21 - forwarded - so that we can access it from lan1 to lan2


    PROBLEM

    The problem is that we can use the RDP port (3389) from 192.168.1.45 without any problem,

    BUT we could not use FTP (port 21) from 192.168.1.45:

    I could establish a connection to the FTP server
    and could log in using user name and password,
    BUT could not use the list, get or put commands.

    I have given my script below:


    Code:
    # Log every packet that enters FORWARD. This rule is appended first, so it fires
    # before any later ACCEPT rule and before the DROP policy: a logged packet is
    # not necessarily an accepted packet.
    iptables -A FORWARD -j LOG --log-prefix "FORWARD: "

    # Default policies: drop anything no rule accepts
    iptables -P INPUT DROP
    iptables -P FORWARD DROP

    # Replies to the firewall itself, plus loopback
    iptables -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
    iptables -A INPUT -i lo -j ACCEPT
    iptables -A OUTPUT -o lo -j ACCEPT

    # Drop packets claiming the loopback address on the WAN interface
    iptables -A INPUT -p all -s localhost  -i eth0 -j DROP

    # SSH to the firewall from the WAN
    iptables -A INPUT -p tcp -i eth0 --dport 22 -j ACCEPT
    iptables -A INPUT -p udp -i eth0 --dport 22 -j ACCEPT

    # WAN -> lan1: RDP forwarded to 192.168.1.45
    iptables -t nat -A PREROUTING -i eth0 -p tcp --dport 3389 --sport 1024:65535 -j DNAT --to-dest 192.168.1.45:3389
    iptables -A FORWARD -p tcp -i eth0 -o eth1 -d 192.168.1.45 --dport 3389 -m state --state NEW -j ACCEPT
    iptables -A FORWARD -t filter -o eth0 -m state --state NEW,ESTABLISHED,RELATED -j ACCEPT
    iptables -A FORWARD -t filter -i eth0 -m state --state ESTABLISHED,RELATED -j ACCEPT

    # lan1 -> lan2: RDP and FTP (21 and 20) from 192.168.1.45 only, client -> server direction.
    # -I inserts at the top of the chain, so these three rules sit above the LOG rule
    # and packets they accept never appear in the FORWARD: log.
    iptables -I FORWARD -s 192.168.1.45 -d 192.168.111.45 -p tcp --dport 3389 --sport 1024:65535  -j ACCEPT
    iptables -I FORWARD -s 192.168.1.45 -d 192.168.111.45 -p tcp --dport 21 --sport 1024:65535  -j ACCEPT
    iptables -I FORWARD -s 192.168.1.45 -d 192.168.111.45 -p tcp --dport 20 --sport 1024:65535  -j ACCEPT

    # Return traffic for forwarded connections coming back from lan1 / lan2
    iptables -A FORWARD -t filter -i eth1 -m state --state ESTABLISHED,RELATED -j ACCEPT
    iptables -A FORWARD -t filter -i eth2 -m state --state ESTABLISHED,RELATED -j ACCEPT
    And here are my logs:

    Code:
    Aug 12 11:27:17 server kernel: [ 4624.655260] FORWARD: IN=eth2 OUT=eth1 SRC=192.168.111.45 DST=192.168.1.45 LEN=48 TOS=0x00 PREC=0x00 TTL=127 ID=876 PROTO=TCP SPT=21 DPT=1060 WINDOW=16384 RES=0x00 ACK SYN URGP=0
    Aug 12 11:27:17 server kernel: [ 4624.667713] FORWARD: IN=eth2 OUT=eth1 SRC=192.168.111.45 DST=192.168.1.45 LEN=67 TOS=0x00 PREC=0x00 TTL=127 ID=877 DF PROTO=TCP SPT=21 DPT=1060 WINDOW=65535 RES=0x00 ACK PSH URGP=0
    Aug 12 11:27:17 server kernel: [ 4624.793856] FORWARD: IN=eth2 OUT=eth1 SRC=192.168.111.45 DST=192.168.1.45 LEN=66 TOS=0x00 PREC=0x00 TTL=127 ID=878 DF PROTO=TCP SPT=21 DPT=1060 WINDOW=65535 RES=0x00 ACK PSH URGP=0
    Aug 12 11:27:23 server kernel: [ 4630.625610] FORWARD: IN=eth2 OUT=eth1 SRC=192.168.111.45 DST=192.168.1.45 LEN=82 TOS=0x00 PREC=0x00 TTL=127 ID=879 DF PROTO=TCP SPT=21 DPT=1060 WINDOW=65515 RES=0x00 ACK PSH URGP=0
    Aug 12 11:27:26 server kernel: [ 4632.876124] FORWARD: IN=eth2 OUT=eth1 SRC=192.168.111.45 DST=192.168.1.45 LEN=73 TOS=0x00 PREC=0x00 TTL=127 ID=880 DF PROTO=TCP SPT=21 DPT=1060 WINDOW=65502 RES=0x00 ACK PSH URGP=0
    Aug 12 11:27:26 server kernel: [ 4633.106083] FORWARD: IN=eth2 OUT=eth1 SRC=192.168.111.45 DST=192.168.1.45 LEN=75 TOS=0x00 PREC=0x00 TTL=127 ID=881 DF PROTO=TCP SPT=21 DPT=1060 WINDOW=65502 RES=0x00 ACK PSH URGP=0
    Aug 12 11:27:28 server kernel: [ 4635.034843] FORWARD: IN=eth2 OUT=eth1 SRC=192.168.111.45 DST=192.168.1.45 LEN=70 TOS=0x00 PREC=0x00 TTL=127 ID=882 DF PROTO=TCP SPT=21 DPT=1060 WINDOW=65478 RES=0x00 ACK PSH URGP=0
    Aug 12 11:27:28 server kernel: [ 4635.045859] FORWARD: IN=eth2 OUT=eth1 SRC=192.168.111.45 DST=192.168.1.45 LEN=93 TOS=0x00 PREC=0x00 TTL=127 ID=883 DF PROTO=TCP SPT=21 DPT=1060 WINDOW=65472 RES=0x00 ACK PSH URGP=0
    Aug 12 11:27:28 server kernel: [ 4635.050796] FORWARD: IN=eth2 OUT=eth1 SRC=192.168.111.45 DST=192.168.1.45 LEN=48 TOS=0x00 PREC=0x00 TTL=127 ID=884 DF PROTO=TCP SPT=20 DPT=1062 WINDOW=65535 RES=0x00 SYN URGP=0
    Aug 12 11:27:31 server kernel: [ 4637.922333] FORWARD: IN=eth2 OUT=eth1 SRC=192.168.111.45 DST=192.168.1.45 LEN=48 TOS=0x00 PREC=0x00 TTL=127 ID=885 DF PROTO=TCP SPT=20 DPT=1062 WINDOW=65535 RES=0x00 SYN URGP=0
    Aug 12 11:27:37 server kernel: [ 4643.935766] FORWARD: IN=eth2 OUT=eth1 SRC=192.168.111.45 DST=192.168.1.45 LEN=48 TOS=0x00 PREC=0x00 TTL=127 ID=886 DF PROTO=TCP SPT=20 DPT=1062 WINDOW=65535 RES=0x00 SYN URGP=0
    Aug 12 11:27:49 server kernel: [ 4655.971088] FORWARD: IN=eth2 OUT=eth1 SRC=192.168.111.45 DST=192.168.1.45 LEN=73 TOS=0x00 PREC=0x00 TTL=127 ID=887 DF PROTO=TCP SPT=21 DPT=1060 WINDOW=65472 RES=0x00 ACK PSH URGP=0
    Kindly help me identify and fix this problem.

    Thanking you all.

    Thanks / S Ganesh.

    Please refer to my prior post on iptables in this forum: help on 1 wan and 2 lans

  2. #2
    Linux Newbie
    Join Date: Jan 2008
    Location: Canada
    Posts: 109
    Quote Originally Posted by ganesh_1975
    Hi
    I was looking at your code and wondering why you have issued this line in your script. --->
    iptables -I FORWARD -s 192.168.1.45 -d 192.168.111.45 -p tcp --dport 20 --sport 1024:65535 -j ACCEPT

    Why are you referencing dport 20 and not dport 22? Not sure if this helps, but I just noticed that you have not mentioned port 20 in your preface, but you did mention port 22. Possibly no help.
    Cheers...
    Robert

  3. #3
    Linux Guru Lazydog
    Join Date: Jun 2004
    Location: The Keystone State
    Posts: 2,677
    Quote Originally Posted by ganesh_1975
    I could establish a connection to the FTP server
    and could log in using user name and password,
    BUT could not use the list, get or put commands.
    FTP uses two ports: 21 for the connection and 20 for the data.
    Make sure you are loading the connection tracker:

    /sbin/modprobe ip_conntrack_ftp

    Regards
    Robert

    Linux
    The adventure of a life time.

    Linux User #296285
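    The logs in post #1 already show the failure Lazydog describes: the server at 192.168.111.45 opens the active-mode data connection from its port 20, the SYN enters FORWARD three times with backoff and is never answered, because without the FTP conntrack helper that SYN is NEW rather than RELATED and nothing accepts it. The script below is an added example, not code from the thread; it parses the posted `-j LOG` lines (five of them embedded as constructed input) and flags flows that only ever appear as retransmitted SYNs.

```python
import re
from collections import defaultdict

# Constructed sample: five lines from the netfilter LOG output in post #1 (the tail of the
# port-21 control session, then the three port-20 SYNs that never get a reply).
SAMPLE_LOG = """\
Aug 12 11:27:17 server kernel: [ 4624.655260] FORWARD: IN=eth2 OUT=eth1 SRC=192.168.111.45 DST=192.168.1.45 LEN=48 TOS=0x00 PREC=0x00 TTL=127 ID=876 PROTO=TCP SPT=21 DPT=1060 WINDOW=16384 RES=0x00 ACK SYN URGP=0
Aug 12 11:27:28 server kernel: [ 4635.045859] FORWARD: IN=eth2 OUT=eth1 SRC=192.168.111.45 DST=192.168.1.45 LEN=93 TOS=0x00 PREC=0x00 TTL=127 ID=883 DF PROTO=TCP SPT=21 DPT=1060 WINDOW=65472 RES=0x00 ACK PSH URGP=0
Aug 12 11:27:28 server kernel: [ 4635.050796] FORWARD: IN=eth2 OUT=eth1 SRC=192.168.111.45 DST=192.168.1.45 LEN=48 TOS=0x00 PREC=0x00 TTL=127 ID=884 DF PROTO=TCP SPT=20 DPT=1062 WINDOW=65535 RES=0x00 SYN URGP=0
Aug 12 11:27:31 server kernel: [ 4637.922333] FORWARD: IN=eth2 OUT=eth1 SRC=192.168.111.45 DST=192.168.1.45 LEN=48 TOS=0x00 PREC=0x00 TTL=127 ID=885 DF PROTO=TCP SPT=20 DPT=1062 WINDOW=65535 RES=0x00 SYN URGP=0
Aug 12 11:27:37 server kernel: [ 4643.935766] FORWARD: IN=eth2 OUT=eth1 SRC=192.168.111.45 DST=192.168.1.45 LEN=48 TOS=0x00 PREC=0x00 TTL=127 ID=886 DF PROTO=TCP SPT=20 DPT=1062 WINDOW=65535 RES=0x00 SYN URGP=0
"""

FIELD_RE = re.compile(r"(\w+)=(\S+)")
TCP_FLAGS = {"SYN", "ACK", "PSH", "FIN", "RST", "URG"}

def parse_line(line):
    """Split one '-j LOG' line into its KEY=VALUE fields plus the set of TCP flags."""
    if "FORWARD:" not in line:
        return None
    body = line.split("FORWARD:", 1)[1]
    rec = dict(FIELD_RE.findall(body))
    rec["flags"] = {tok for tok in body.split() if tok in TCP_FLAGS}
    return rec

def find_unanswered_syns(log_text, min_syns=2):
    """Map (src, sport, dst, dport) -> SYN count for TCP flows seen as bare SYNs at least
    min_syns times with no ACK logged in either direction. The LOG rule is first in
    FORWARD, so it logs every packet whether or not a later rule accepts it; a SYN that
    keeps being retransmitted is the sign that the chain's DROP policy ate it."""
    flows = defaultdict(lambda: {"syns": 0, "acked": False})
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None or rec.get("PROTO") != "TCP":
            continue
        key = (rec["SRC"], int(rec["SPT"]), rec["DST"], int(rec["DPT"]))
        if rec["flags"] == {"SYN"}:
            flows[key]["syns"] += 1
        elif "ACK" in rec["flags"]:
            flows[key]["acked"] = True
            flows[(key[2], key[3], key[0], key[1])]["acked"] = True
    return {k: v["syns"] for k, v in flows.items() if v["syns"] >= min_syns and not v["acked"]}

def explain(flow):
    """Source port 20 is the server opening an active-mode FTP data connection; without the
    FTP conntrack helper it is NEW, not RELATED, so the ESTABLISHED,RELATED rules miss it."""
    if flow[1] == 20:
        return "active-mode FTP data channel not RELATED: load the FTP conntrack helper"
    return "no FORWARD rule accepts NEW traffic from %s:%d to %s:%d" % flow
```

    Run it over the full `FORWARD:` log and the only flow reported is 192.168.111.45:20 to 192.168.1.45:1062 with three SYNs; the port-21 control session is excluded because it carries ACKs.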
