  1. #1 jsr (Just Joined!, joined Sep 2011, 4 posts)

    FTP and iptables


    Hi all

    Hopefully someone can clear up a bit of confusion for me. I have set up a Linux box (RHEL 5.1) so it is sharing an internet connection with the rest of the LAN. I did this by:

    1. Set up eth0 - LAN connection with static (10.1.1.x) IP
    2. Set up eth1 - WAN connection with static IP from ISP
    3. Set "net.ipv4.conf.default.forwarding=1" in " /etc/sysctl.conf"
    4. Add "-A POSTROUTING -o eth1 -j SNAT --to-source <WAN IP>" to iptables
    5. Restart network and iptables services


    On my client machines I can now set the gateway to be the internal LAN address of the Linux box, give them a DNS server address and they can all successfully browse the internet.

    My problem is that the previous set up used ICS on an XP machine where I also had an FTP server (FileZilla) set up. Now that this machine no longer has the WAN connection and is seeing the internet through the gateway on the Linux machine, the FTP ceases to work.

    I suspect it's got something to do with freeing up ports with the correct set of rules in iptables - I have found a bunch of articles on the subject but they all seem to offer different solutions and nothing I've tried has worked. Any help greatly appreciated!

  2. #2 Lazydog (Linux Guru, joined Jun 2004, The Keystone State, 2,677 posts)
    There could be a couple of reasons that you are seeing this problem:

    1. Firewall is blocking incoming port 21 calls.
    2. ip_conntrack_ftp has not been loaded.

    For #1 you need to add a rule that sends the traffic to the server where FTP is running.
    For #2 you need to add ip_conntrack_ftp to the IPTABLES_MODULES= line in /etc/sysconfig/iptables-config.

    Regards
    Robert

    Linux
    The adventure of a life time.

    Linux User #296285
    Get Counted

  3. #3 jsr (Just Joined!, joined Sep 2011, 4 posts)
    Thanks for the help Robert! I'm afraid I have been having all kinds of trouble trying to get this working!

    First I modified the IPTABLES_MODULES line of 'iptables-config' to:

    IPTABLES_MODULES="ip_conntrack ip_conntrack_netbios_ns ip_conntrack_ftp"

    The general consensus of pretty much every post I read was that this was a good idea.


    Then I have been trying pretty much every combination of parameters for rules in 'iptables'. The latest I've got is:

    iptables -t nat -A PREROUTING -i eth1 -p tcp -m tcp --dport 21 -j DNAT --to-destination 10.1.1.99
    iptables -A FORWARD -d 10.1.1.99 -i eth1 -p tcp -m state --state NEW -m tcp --dport 21 -j ACCEPT

    iptables -t nat -A POSTROUTING -o eth1 -j SNAT --to-source <WAN_IP>

    The last line is just to share the gateway with the rest of the PCs on the LAN. Problem remains - I still can't see the FTP server. I know it's working because I can ftp straight into 10.1.1.99 on a local connection but I just can't seem to forward through the gateway. The LAN IP on the Linux box is 10.1.1.71 and I can ping the FTP server fine. I just can't get it to forward FTP traffic through iptables.

  4. #4 jsr (Just Joined!, joined Sep 2011, 4 posts)
    The steps seemed to make sense to me:

    -A PREROUTING -i eth1 -p tcp -m tcp --dport 21 -j DNAT --to-destination 10.1.1.99
    -A FORWARD -d 10.1.1.99 -i eth1 -p tcp -m state --state NEW -m tcp --dport 21 -j ACCEPT

    If a packet comes in via eth1 (WAN) through port 21 then route it to 10.1.1.99 (FTP IP)
    Allow a packet to be forwarded to 10.1.1.99 through port 21 if it originated from eth1

    I'm not sure if any of it makes sense anymore, I've been staring at it for so long! Any help would be a godsend!

  5. #5 Lazydog (Linux Guru, joined Jun 2004, The Keystone State, 2,677 posts)
    Quote Originally Posted by jsr View Post
    Thanks for the help Robert! I'm afraid I have been having all kinds of trouble trying to get this working!

    First I modified the IPTABLES_MODULES line of 'iptables-config' to:

    IPTABLES_MODULES="ip_conntrack ip_conntrack_netbios_ns ip_conntrack_ftp"

    The general consensus of pretty much every post I read was that this was a good idea.
    And I agree and use the same.

    Then I have been trying pretty much every combination of parameters for rules in 'iptables'. The latest I've got is:

    iptables -t nat -A PREROUTING -i eth1 -p tcp -m tcp --dport 21 -j DNAT --to-destination 10.1.1.99
    iptables -A FORWARD -d 10.1.1.99 -i eth1 -p tcp -m state --state NEW -m tcp --dport 21 -j ACCEPT

    iptables -t nat -A POSTROUTING -o eth1 -j SNAT --to-source <WAN_IP>

    The last line is just to share the gateway with the rest of the PCs on the LAN. Problem remains - I still can't see the FTP server. I know it's working because I can ftp straight into 10.1.1.99 on a local connection but I just can't seem to forward through the gateway. The LAN IP on the Linux box is 10.1.1.71 and I can ping the FTP server fine. I just can't get it to forward FTP traffic through iptables.
    Do you have an ESTABLISHED,RELATED rule on your FORWARD chain?

    Also I would change the last rule to:

    Code:
    iptables -t nat -A POSTROUTING -o eth1 -j MASQUERADE
    Some people question this, but here are my thoughts on the topic.

    If you are on a connection that is DHCP (which most home users are on) and for some reason your IP address changes, then if you have it hard coded, everything leaving your system will never make it back, as you now have a new IP address.

    MASQUERADE does the same thing as SNAT but is flexible with changing IP addresses.


    Quote Originally Posted by jsr View Post
    The steps seemed to make sense to me:

    -A PREROUTING -i eth1 -p tcp -m tcp --dport 21 -j DNAT --to-destination 10.1.1.99
    -A FORWARD -d 10.1.1.99 -i eth1 -p tcp -m state --state NEW -m tcp --dport 21 -j ACCEPT

    If a packet comes in via eth1 (WAN) through port 21 then route it to 10.1.1.99 (FTP IP)
    Allow a packet to be forwarded to 10.1.1.99 through port 21 if it originated from eth1

    I'm not sure if any of it makes sense anymore, I've been staring at it for so long! Any help would be a godsend!
    As stated above, since you are using NEW you have to ensure you have ESTABLISHED,RELATED rules also, so your rules should look like the following:

    Code:
    iptables -t nat -A PREROUTING -i eth1 -p tcp -m tcp --dport 21 -j DNAT --to-destination 10.1.1.99
    iptables -A FORWARD -state ESTABLISHED,RELATED -j ACCEPT
    iptables -A FORWARD -d 10.1.1.99 -i eth1 -p tcp -m state --state NEW -m tcp --dport 21 -j ACCEPT
    iptables -t nat -A POSTROUTING -o eth1 -j MASQUERADE

    Regards
    Robert

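As an added example that is not code from the thread: a POSIX shell script that generates the ruleset from the post above (with the `-m state --state ESTABLISHED,RELATED` syntax iptables actually accepts), applies it, and first runs the two gateway checks that most often explain "works on the LAN, fails from outside": IP forwarding and the FTP helper modules, including the NAT helper (ip_nat_ftp on RHEL 5, nf_nat_ftp on newer kernels) that the thread does not mention. Interface names, the 10.1.1.0/24 LAN and 10.1.1.99 come from the thread; the LAN-out rule and the final DROP are assumptions.

```shell
#!/bin/sh
# Added example, not code from the thread. Values from the thread: eth1 WAN,
# eth0 LAN, 10.1.1.0/24 LAN, FTP server 10.1.1.99. The LAN-out rule and the
# final DROP are assumptions (the thread relied on the default ACCEPT policy).
WAN_IF=eth1
LAN_IF=eth0
LAN_NET=10.1.1.0/24
FTP_HOST=10.1.1.99

# Print the rules one per line instead of applying them, so they can be
# reviewed (or diffed against iptables-save output) before they go live.
build_rules() {
    cat <<EOF
-t nat -A PREROUTING -i $WAN_IF -p tcp --dport 21 -j DNAT --to-destination $FTP_HOST
-A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT
-A FORWARD -i $WAN_IF -d $FTP_HOST -p tcp --dport 21 -m state --state NEW -j ACCEPT
-A FORWARD -i $LAN_IF -s $LAN_NET -m state --state NEW -j ACCEPT
-A FORWARD -j DROP
-t nat -A POSTROUTING -o $WAN_IF -j MASQUERADE
EOF
}

# How many generated rules contain a given string (self-check helper).
count_rules_matching() {
    build_rules | grep -c -- "$1"
}

# Checks to run on the gateway before blaming the rules. Forwarding must be
# on, and BOTH FTP helpers must be loaded: the conntrack helper only marks the
# data connection RELATED; the nat helper rewrites the private address the
# server puts in its PASV reply, without which an outside client is told to
# connect to 10.1.1.99 and the data connection never reaches the gateway.
check_gateway() {
    [ "$(cat /proc/sys/net/ipv4/ip_forward)" = 1 ] || echo "WARNING: ip_forward is 0"
    for m in ip_conntrack_ftp ip_nat_ftp nf_conntrack_ftp nf_nat_ftp; do
        grep -q "^$m " /proc/modules && echo "loaded: $m"
    done
    return 0
}

# Apply the rules in order; none contain quoted arguments, so plain word
# splitting of each line is intended here.
apply_rules() {
    build_rules | while read -r rule; do
        iptables $rule || return 1
    done
}

# Run as "./ftpnat.sh apply" (as root) to change the live firewall.
if [ "${1:-}" = apply ]; then check_gateway && apply_rules; fi
```

Running the script with no argument just prints the rules, which also answers the batch-file question later in the thread: a plain text file with a shebang line and execute permission is all a Linux "batch file" needs.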

  6. #6 Lazydog (Linux Guru, joined Jun 2004, The Keystone State, 2,677 posts)
    How are things going? Haven't heard anything lately.

    Regards
    Robert


  7. #7 jsr (Just Joined!, joined Sep 2011, 4 posts)
    Hi Robert

    Sorry, I've been kind of tied up with other things going wrong! I'm afraid I'm still stuck. Tried your code:

    iptables -t nat -A PREROUTING -i eth1 -p tcp -m tcp --dport 21 -j DNAT --to-destination 10.1.1.99
    iptables -A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT
    iptables -A FORWARD -d 10.1.1.99 -i eth1 -p tcp -m state --state NEW -m tcp --dport 21 -j ACCEPT
    iptables -t nat -A POSTROUTING -o eth1 -j MASQUERADE

    I had to change the -state ESTABLISHED,RELATED to -m state --state ESTABLISHED,RELATED in order for iptables to accept the rule. I'm really not sure if that was correct either.

    iptables restarts fine. I can browse the internet from any computer on the LAN through the gateway. I can FTP in locally on a 10 address from anywhere on the LAN, including the Linux machine. I just can't get at the FTP from outside the LAN (I've tried computers outside of our network and no joy).

    Quick question: as a (dare I say it here...) Windows person I would create a batch file for easily stopping, updating and restarting the iptables service. Is this just a case of an ASCII file with the right file extension in Linux?

  8. #8 Lazydog (Linux Guru, joined Jun 2004, The Keystone State, 2,677 posts)
    I would not do that. If you know the port number then I would just open that port. If you don't know the port number then you could add a rule that allows everything from the LAN and then remove it.

    Add this line:
    Code:
    # allow everything from the LAN (10.1.1.0/24) to be forwarded
    iptables -A FORWARD -s 10.1.1.0/24 -j ACCEPT
    Then once the update is finished:
    Code:
    # delete the exact same rule again
    iptables -D FORWARD -s 10.1.1.0/24 -j ACCEPT
    The best thing to do would be to search the web for the ports that Windows uses for updates and then allow them.

    When you stop your firewall you are opening up the network to an attack, and your PREROUTING and POSTROUTING rules will not work until the firewall is restarted.

    Regards
    Robert

