Hi all,
I want to run vsftp behind a firewall (i.e. DMZ zone). It is running as passive ftp.
The theory behind passive ftp is:
- FTP server's port 21 from anywhere (client initiates connection)
- FTP server's port 21 to ports > 1024 (server responds to client's control port)
- FTP server's ports > 1024 from anywhere (client initiates data connection to random port specified by server)
- FTP server's ports > 1024 to remote ports > 1024 (server sends ACKs (and data) to client's data port)
Then, how can I write DNAT rules?
Pls assume 1.2.3.4 is the ip of the internet interface.
#DNAT from Internet to the box running VSFTP @ 192.168.100.3
iptables -t nat -A PREROUTING -p tcp -i eth0 -d 1.2.3.4 --dport 21 -j DNAT --to-destination 192.168.100.3:21
iptables -t nat -A PREROUTING -p tcp -i eth0 -d 1.2.3.4 --dport 1024: -j DNAT --to-destination 192.168.100.3
And also
#connect to below ip (actual destination ip) with below ports, due to DNATing
iptables -A FORWARD -p tcp -d 192.168.100.3 --dport 21 -m state --state NEW -j ACCEPT
iptables -A FORWARD -p tcp -d 192.168.100.3 --dport 1024: -m state --state NEW -j ACCEPT
Are you okay with the above 4 rules?
If WRONG, pls write down your rules. I am going to put this vsftp server into PRODUCTION USE.
Pls also make sure my firewall has the rules below, such as DROP, ESTABLISHED, RELATED.
iptables -P INPUT DROP
iptables -P FORWARD DROP
iptables -P OUTPUT DROP
iptables -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
iptables -A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT
iptables -A OUTPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
YOUR comments.
On 10/5/07, Feizhou feizhou@graffiti.net wrote:
Indunil Jayasooriya wrote:
Hi all,
I want to run vsftp behind a firewall (i.e. DMZ zone). It is running as passive ftp.
Do you have ip_nat_ftp loaded too?
YES, both ip_conntrack_ftp and ip_nat_ftp. Pls see below
#Enable tracking mechanism
/sbin/modprobe -a ip_conntrack_ftp ip_nat_ftp
_______________________________________________
CentOS mailing list CentOS@centos.org http://lists.centos.org/mailman/listinfo/centos
Indunil Jayasooriya wrote:
Hi all,
I want to run vsftp behind a firewall (i.e. DMZ zone). It is running as passive ftp.
The theory behind passive ftp is:
except, passive vs active is the choice of the CLIENT, not the server. the only way to properly handle both modes is to parse the FTP commands on the control port (21) and setup/teardown port forwards on dynamic ports as needed.
if you use the ip_nat_ftp module, this is all taken care of automatically and both transfer modes should work, you'll simply need to forward the control port.
On 10/5/07, John R Pierce pierce@hogranch.com wrote:
Indunil Jayasooriya wrote:
Hi all,
I want to run vsftp behind a firewall (i.e. DMZ zone). It is running as passive ftp.
The theory behind passive ftp is:
except, passive vs active is the choice of the CLIENT, not the server. the only way to properly handle both modes is to parse the FTP commands on the control port (21) and setup/teardown port forwards on dynamic ports as needed.
if you use the ip_nat_ftp module, this is all taken care of automatically and both transfer modes should work, you'll simply need to forward the control port.
Thanks, that means the 2 rules below will be enough.
iptables -t nat -A PREROUTING -p tcp -i eth0 -d 1.2.3.4 --dport 21 -j DNAT --to-destination 192.168.100.3:21
iptables -A FORWARD -p tcp -d 192.168.100.3 --dport 21 -m state --state NEW -j ACCEPT
Am I right?
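The reduced rule set that John's reply describes, written out as an added example (not code from the thread or from the vsftpd project): with ip_conntrack_ftp and ip_nat_ftp loaded, only port 21 is published and the data connections (active or passive) are accepted by the ESTABLISHED,RELATED rule, so the blanket ">1024" DNAT and FORWARD rules from the first post are not needed. It assumes, as in the thread, that eth0 is the Internet interface, 1.2.3.4 its address and 192.168.100.3 the vsftpd host in the DMZ; the rules are printed rather than applied so they can be reviewed first, and a small check rejects any rule set that still opens the whole high-port range.

```shell
#!/bin/sh
# Added example, not from the thread. Assumed from the thread: eth0 is the
# Internet interface, 1.2.3.4 its address, 192.168.100.3 the vsftpd DMZ host.

# Print the firewall commands for FTP behind DNAT with the conntrack FTP helper.
# Usage: ftp_nat_rules WAN_IF WAN_IP FTP_HOST
ftp_nat_rules() {
    wan_if=$1
    wan_ip=$2
    ftp_host=$3
    cat <<EOF
# helpers: ip_conntrack_ftp follows PORT/PASV on the control channel and marks
# the resulting data connections RELATED; ip_nat_ftp rewrites the addresses
# carried inside those commands so they match the DNATed address
/sbin/modprobe -a ip_conntrack_ftp ip_nat_ftp
# default deny, then allow anything that belongs to a tracked connection
iptables -P INPUT DROP
iptables -P FORWARD DROP
iptables -P OUTPUT DROP
iptables -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
iptables -A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT
iptables -A OUTPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
# only the control port is published; data ports are accepted as RELATED
iptables -t nat -A PREROUTING -p tcp -i $wan_if -d $wan_ip --dport 21 -j DNAT --to-destination $ftp_host:21
iptables -A FORWARD -p tcp -i $wan_if -d $ftp_host --dport 21 -m state --state NEW -j ACCEPT
EOF
}

# Review check for a rule set read on stdin: succeed only if exactly one NEW
# connection is accepted towards the DMZ host and no rule opens the whole
# >1024 range (the two wide rules from the original post would fail this).
check_ftp_rules() {
    rules=$(cat)
    new_count=$(printf '%s\n' "$rules" | grep -c -- '--state NEW')
    [ "$new_count" -eq 1 ] || return 1
    printf '%s\n' "$rules" | grep -q -- '--dport 1024:' && return 1
    return 0
}

# Dry run: generate, check, then print. Pipe the output to sh as root to apply.
ftp_nat_rules eth0 1.2.3.4 192.168.100.3 | check_ftp_rules && ftp_nat_rules eth0 1.2.3.4 192.168.100.3
```

The helper only works when it can read the PORT/PASV commands on the control channel, so it does nothing for FTP over TLS; on current kernels the modules are named nf_conntrack_ftp and nf_nat_ftp, while the 2.6-era names used here match the thread.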