  1. #1 Just Joined! (joined Jan 2010, 3 posts)

    Trouble Connecting FTP: vsftpd on Lenny behind iptables & NAT

    I wasn't sure if this is the correct forum, but I'm a Linux noob.

    I think I have vsftpd set up mostly right. It works inside my LAN, and if I have it on the DMZ it'll connect over the internet.

    I want to run vsftpd behind the firewall. Previously I had successfully set up FileZilla on a Windows box.

    I have a D-Link DI-624 on which I forwarded port 10000 to 21 to my server's IP.

    Any help would be greatly appreciated.

    vsftpd.conf
    Code:
    #/etc/vsftpd.conf  <-------main configuration file for vsftpd
    
    # allow local users to log in.
    local_enable=YES
    
    # login banner string
    ftpd_banner=Welcome to my FTP service
    
    # enable for standalone mode
    listen=YES
    
    #honours ascii requests, otherwise only binary
    ascii_download_enable=YES
    ascii_upload_enable=YES
    
    #
    pasv_address=24.188.184.55
    
    ###########################         security            ########################
    # authentication service
    pam_service_name=vsftpd
    
    #max # of connections per ip
    max_per_ip=3
    
    #an exclusionary list of commands allowed, separated by comma. eg PASV,RETR,QUIT
    #cmds_allowed
    
    #takes precedence. these cmds are denied.
    #cmds_denied
    #################################################################################
    
    
    ############################          ssl           ##############################
    #allows ssl. note sslv1 are preferred
    #ssl_enable=YES
    
    #allows sslv2
    #ssl_sslv2=YES
    
    #allows sslv3
    #ssl_sslv3=YES
    
    #allows anonymous ssl. needs ssl_enable=YES
    #allow_anon_ssl=YES
    ################################################################################
    
    
    ###############              anonymous settings             #####################
    #allow anonymous ftp access (YES enables it, NO disables it)
    anonymous_enable=YES
    
    #home dir for anonymous login, chroot
    #anon_root=/home/ftp
    
    #name used to handle anonymous login. default is ftp
    ftp_username=ftp
    
    #allows anonymous to upload files. needs write_enable=YES
    anon_upload_enable=YES
    
    #allows anonymous to make dir. needs write_enable=YES
    anon_mkdir_write_enable=YES
    
    #when enabled, anonymous can only download world readable files
    anon_world_readable_only=NO
    
    #email_password_file is used for anonymous passwords. /etc/vsftpd.email_passwords 
    secure_email_list_enable=NO
    
    #all files uploaded anonymously are owned by chown_username
    chown_uploads=YES
    chown_username=zeb
    #################################################################################
    
    
    ###################          PORTS                 #############################
    # make sure PORT transfer connections originate from port 20 (ftp-data).
    connect_from_port_20=YES
    
    #if connect_from_port_20=YES then this specifies the port PORT transfers originate from
    ftp_data_port=20
    
    #if in standalone the port which is listened to for connections
    listen_port=21
    
    #sets range of ports used for PASV mode; useful when using firewall
    pasv_min_port=50000
    pasv_max_port=50050
    ################################################################################
    
    
    #################              file permissions          ########################
    # allow FTP write commands: STOR, DELE, RNFR, RNTO, MKD, RMD, APPE, SITE
    write_enable=YES
    
    # allow local users to use SITE CHMOD (default is YES)
    chmod_enable=YES
    
    # umask for local users, (022 is used by most other ftpd's)
    local_umask=022
    #################################################################################
    
    
    #################                login list                 ######################
    #user list. default is /etc/vsftpd.user_list 
    userlist_file=/etc/vsftpd.user_list 
    
    #switches the function of userlist_file: if no then only users on the list can log in
    #NOTE userlist_deny is only examined if userlist_enable=YES
    userlist_deny=NO
    
    # enable the user list (YES) or disable it (NO)
    userlist_enable=YES
    ##################################################################################
    
    
    #######################         chroot jail        #############################
    # enable/specify list of local users to chroot() to their home directory.
    # if chroot_local_user is YES, then this list becomes a list of users to NOT chroot().
    chroot_list_enable=YES
    chroot_list_file=/etc/vsftpd.chroot_list
    chroot_local_user=YES
    
    #empty dir, not writable. used as secure chroot jail. file specific to Debian
    secure_chroot_dir=/var/run/vsftpd
    #################################################################################
    iptables
    Code:
    # Generated by iptables-save v1.4.2 on Fri Jan 15 18:22:02 2010
    *filter
    :FORWARD ACCEPT [0:0]
    :INPUT ACCEPT [0:0]
    :OUTPUT ACCEPT [0:0]
    -A INPUT -i lo -j ACCEPT
    -A INPUT -d 127.0.0.0/8 ! -i lo -j REJECT --reject-with icmp-port-unreachable
    -A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
    -A INPUT -p tcp -m tcp --dport 80 -j ACCEPT
    -A INPUT -p tcp -m tcp --dport 443 -j ACCEPT
    -A INPUT -p tcp -m state -m tcp --dport 5901 --state NEW -j ACCEPT
    -A INPUT -p tcp -m state -m tcp --dport 35000 --state NEW -j ACCEPT
    -A INPUT -p tcp -m state -m tcp --dport 10000 --state NEW -j ACCEPT
    -A INPUT -p tcp -m tcp --dport 20:21 -j ACCEPT
    -A INPUT -p tcp -m tcp --dport 50000:50050 -j ACCEPT
    -A INPUT -p icmp -m icmp --icmp-type 8 -j ACCEPT
    -A INPUT -m limit --limit 5/min -j LOG  --log-prefix "iptables denied: " --log-level 7 
    -A INPUT -j REJECT
    -A FORWARD -j REJECT --reject-with icmp-port-unreachable
    -A OUTPUT -j ACCEPT
    COMMIT
    # Completed on Fri Jan 15 18:22:02 2010
    # Generated by iptables-save v1.4.2 on Fri Jan 15 18:22:02 2010
    *mangle
    :PREROUTING ACCEPT [1969:280022]
    :INPUT ACCEPT [1465:126252]
    :FORWARD ACCEPT [0:0]
    :OUTPUT ACCEPT [1395:385306]
    :POSTROUTING ACCEPT [1442:394267]
    COMMIT
    # Completed on Fri Jan 15 18:22:02 2010
    # Generated by iptables-save v1.4.2 on Fri Jan 15 18:22:02 2010
    *nat
    :PREROUTING ACCEPT [618:163538]
    :POSTROUTING ACCEPT [18:1558]
    :OUTPUT ACCEPT [18:1558]
    COMMIT
    # Completed on Fri Jan 15 18:22:02 2010
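As an added example (not code from the thread or from vsftpd), here is a small Python audit that parses the two formats posted above, a vsftpd.conf and an iptables-save dump, and checks the two things that decide whether passive FTP works through NAT: the control port and the whole pasv_min_port:pasv_max_port range must be accepted by the INPUT chain, and pasv_address must be set so the server advertises its public address. It also flags the anonymous-access settings a reviewer would raise on this config. The sample inputs are constructed excerpts modelled on the posted files, and the function names and finding codes are this example's own. One thing no server-side check can see is the router: because the DI-624 rewrites external port 10000 to 21, the server only ever sees port 21 on the control connection, and the PASV range 50000:50050 needs its own forward on the router before clients on the internet can reach the data connections.

```python
"""Audit a vsftpd.conf and an iptables-save dump for passive-FTP-behind-NAT
consistency and for risky anonymous settings. Example code; the sample inputs
are constructed excerpts, not the poster's complete files."""
import re

# Constructed excerpt: the posted settings that matter for this check.
VSFTPD_CONF = """\
# comments and blank lines are ignored, as vsftpd itself does
local_enable=YES
listen=YES
pasv_address=24.188.184.55
anonymous_enable=YES
anon_upload_enable=YES
anon_mkdir_write_enable=YES
anon_world_readable_only=NO
chown_uploads=YES
chown_username=zeb
listen_port=21
pasv_min_port=50000
pasv_max_port=50050
write_enable=YES
#ssl_enable=YES
"""

# Constructed excerpt of the filter table, same shape as the posted dump.
IPTABLES_SAVE = """\
*filter
:INPUT ACCEPT [0:0]
-A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
-A INPUT -p tcp -m state -m tcp --dport 10000 --state NEW -j ACCEPT
-A INPUT -p tcp -m tcp --dport 20:21 -j ACCEPT
-A INPUT -p tcp -m tcp --dport 50000:50050 -j ACCEPT
-A INPUT -j REJECT
COMMIT
"""


def parse_vsftpd(text):
    """Return {option: value}; blank lines and '#' comments are skipped."""
    conf = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#") or "=" not in line:
            continue
        key, _, value = line.partition("=")
        conf[key.strip()] = value.strip()
    return conf


# One iptables-save INPUT rule accepting a TCP destination port or port range.
_INPUT_TCP_ACCEPT = re.compile(
    r"^-A INPUT\b.*?-p tcp\b.*?--dport (\d+)(?::(\d+))?.*?-j ACCEPT$")


def accepted_tcp_ranges(text):
    """Return [(low, high), ...] for the TCP ports the INPUT chain accepts."""
    ranges = []
    for line in text.splitlines():
        m = _INPUT_TCP_ACCEPT.match(line.strip())
        if m:
            low = int(m.group(1))
            ranges.append((low, int(m.group(2) or low)))
    return ranges


def port_accepted(ranges, port):
    return any(low <= port <= high for low, high in ranges)


def audit(conf_text, iptables_text):
    """Return a list of (code, message) findings; an empty list means none."""
    conf = parse_vsftpd(conf_text)
    ranges = accepted_tcp_ranges(iptables_text)
    yes = lambda key: conf.get(key, "NO").upper() == "YES"
    findings = []

    ctl = int(conf.get("listen_port", "21"))
    if not port_accepted(ranges, ctl):
        findings.append(("CTL_BLOCKED", f"INPUT does not accept control port {ctl}"))

    pmin, pmax = int(conf.get("pasv_min_port", "0")), int(conf.get("pasv_max_port", "0"))
    if pmin == 0 or pmax == 0:
        findings.append(("PASV_UNBOUNDED", "no PASV port range: data ports cannot be forwarded"))
    elif not all(port_accepted(ranges, p) for p in (pmin, pmax)):
        findings.append(("PASV_BLOCKED", f"INPUT does not accept the whole PASV range {pmin}:{pmax}"))
    if "pasv_address" not in conf:
        findings.append(("PASV_ADDR", "pasv_address unset: behind NAT the private address is advertised"))

    # Anonymous write access plus non-world-readable downloads turns a drop box into a public share.
    if yes("anonymous_enable") and yes("write_enable") and (
            yes("anon_upload_enable") or yes("anon_mkdir_write_enable")):
        findings.append(("ANON_WRITE", "anonymous users can upload files or create directories"))
        if not yes("anon_world_readable_only"):
            findings.append(("ANON_SHARE", "anon_world_readable_only=NO: anonymous users can fetch each other's uploads"))
    if yes("chown_uploads") and conf.get("chown_username", "") in ("", "root"):
        findings.append(("CHOWN_ROOT", "chown_uploads needs a dedicated unprivileged chown_username"))
    if yes("local_enable") and not yes("ssl_enable"):
        findings.append(("PLAINTEXT", "local users authenticate over cleartext FTP (ssl_enable is off)"))
    return findings


if __name__ == "__main__":
    for code, msg in audit(VSFTPD_CONF, IPTABLES_SAVE):
        print(f"{code:14} {msg}")
```

On the posted excerpt the PASV range and port 21 are accepted locally, so the findings are about exposure rather than connectivity: anonymous write access, an open anonymous share, and cleartext logins for local users. Delete the 50000:50050 rule and the audit reports PASV_BLOCKED, which is the server-side equivalent of the missing router forward.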

  2. #2 Lazydog, Linux Guru (joined Jun 2004, The Keystone State, 2,281 posts)
    The question is, what does your network look like?

    <internet><iptables><dlink><server>
    <internet><dlink><iptables><server>

    Also, which device is doing the NATing from the internet?

    Regards
    Robert

    Linux
    The adventure of a life time.

    Linux User #296285
    Get Counted

  3. #3 Just Joined! (joined Jan 2010, 3 posts)
    <internet><dlink><iptables><server>

    The dlink is.

  4. #4 Lazydog, Linux Guru (joined Jun 2004, The Keystone State, 2,281 posts)
    What is the address range for the following:

    dlink to firewall
    Firewall to server

    Regards
    Robert

  5. #5 Just Joined! (joined Jan 2010, 3 posts)
    Well.... I changed the entire network last night; everything has changed and is still changing.

    I turned my Debian box into a DHCP server, DNS, a gateway and router. My old iptables are in shambles and there's plenty of stuff I did that I don't yet fully understand.

    This all started with setting up a PXE server.. haha
    I think my network will look something like this....

    cable modem -> debian box (router, gateway, firewall, dhcp, dns, ftp, webserver, tftp, pxe) -> switch -> lan, file server, dlink-wifi

    I have no clue what I'll have to do to secure my iptables. There also seem to be different methods of affecting the iptables; my previous method is different than in the tutorial I followed last night.

  6. #6 Lazydog, Linux Guru (joined Jun 2004, The Keystone State, 2,281 posts)
    There are many ways to set up firewall rules. You need to find out what works best for you and use that. I break down my firewall into chains, and each chain is for an interface. That way, if I'm looking to do something on an interface, I just need to edit that chain and will not mess up the other chains. When you figure out how you want everything set up, let me know and I'll tell you what I know.

    Regards
    Robert