Dear all,
Dear support and users: Sorry to trouble you! I configured the Shorewall firewall to forward the FTP and SSH ports to another server, but it failed. Can you help me check? I cannot log in to either SSH on 2222 or FTP! Below is my environment (the attachment is the shorewall dump):
1. Gateway (FC6)
   1.1) eth0: LAN static IP: 192.168.1.20
   1.2) eth1: external public static IP: 113.89.142.80
   1.3) Shorewall-3.2.8 is running

2. FTP server (CentOS 6.3, iptables and SELinux are off)
   2.1) eth0: LAN static IP: 192.168.1.231
   2.2) SSH port 22 and FTP ports 20, 21 are already open (tested)
   2.3) vsftpd.conf: default settings; it works for internal users

3. I want to forward Internet access to FTP and SSH on the FTP server:
   3.1) 113.89.142.80:20   -> 192.168.1.231:20  udp (FTP)
   3.2) 113.89.142.80:21   -> 192.168.1.231:21  tcp (FTP)
   3.3) 113.89.142.80:2222 -> 192.168.1.231:22  tcp (SSH)
4. Shorewall settings:

4.1 interfaces
#ZONE   INTERFACE   BROADCAST        OPTIONS
net     eth1        113.89.142.255   norfc1918,arp_filte
lan     eth0        detect           arp_filter
ovpn    tun0        -
#LAST LINE -- ADD YOUR ENTRIES BEFORE THIS ONE -- DO NOT REMOVE

4.2 zones
#ZONE   TYPE        OPTIONS     IN          OUT
#                               OPTIONS     OPTIONS
fw      firewall
net     ipv4
lan     ipv4
ovpn    ipv4
#LAST LINE - ADD YOUR ENTRIES ABOVE THIS ONE - DO NOT REMOVE

4.3 policy
#SOURCE     DEST        POLICY      LOG         LIMIT:BURST
#                                   LEVEL
fw          all         ACCEPT
lan         net         ACCEPT
lan         fw          ACCEPT
lan         ovpn        ACCEPT
ovpn        lan         ACCEPT
net         all         DROP
all         all         REJECT
#LAST LINE -- DO NOT REMOVE

4.4 rules
#SECTION RELATED
SECTION NEW
ACCEPT       all     fw                     tcp     ftp          <<< it works for local FTP service (tested)
ACCEPT       all     fw                     udp     ftp          <<< it works for local FTP service
ACCEPT       all     fw                     tcp     2222
ACCEPT       all     fw                     tcp     ssh,domain
Ping/ACCEPT  net     fw
ACCEPT       all     fw                     tcp     5222
ACCEPT       all     fw                     udp     5222
ACCEPT:info  all     $FW                    tcp     22
DNAT         net     lan:192.168.1.231      tcp     21
DNAT         net     lan:192.168.1.231      udp     20
DNAT         net     lan:192.168.1.231:22   tcp     2222
#LAST LINE -- ADD YOUR ENTRIES BEFORE THIS ONE -- DO NOT REMOVE
5. # cat /proc/sys/net/ipv4/ip_forward
   1

6. # more /etc/sysconfig/iptables-config
   IPTABLES_MODULES="ip_conntrack_netbios_ns ip_nat_ftp ip_conntrack_ftp"

Chain net_dnat (1 references)
 pkts bytes target  prot opt in   out  source      destination
    3   156 DNAT    tcp  --  *    *    0.0.0.0/0   0.0.0.0/0     tcp dpt:21    to:192.168.1.231
    0     0 DNAT    udp  --  *    *    0.0.0.0/0   0.0.0.0/0     udp dpt:20    to:192.168.1.231
    5   260 DNAT    tcp  --  *    *    0.0.0.0/0   0.0.0.0/0     tcp dpt:2222  to:192.168.1.231:22
Do you know what's wrong?
Thanks and best regards! Muiz
On 27.09.2012 at 10:58, muiz wrote:
what about the shorewall mailing list?
-- LF
From: muiz muiz@163.com
http://www.shorewall.net/FAQ.htm#faq1a
JD
Thanks very much, JD. I studied FAQ 1a/1b before, but it still failed :(

On 2012-09-27 21:51:32, "John Doe" jdmls@yahoo.com wrote:
JD _______________________________________________ CentOS mailing list CentOS@centos.org http://lists.centos.org/mailman/listinfo/centos
On 09/27/2012 01:58 AM, muiz wrote:
- Gateway (FC6)
  1.1) eth0: LAN static IP: 192.168.1.20
  1.2) eth1: external public static IP: 113.89.142.80
  1.3) Shorewall-3.2.8 is running
This is extremely old, and you are allowing access to SSH and DNS services on the firewall itself. ISC Bind, at least, has security problems that should be patched. I strongly recommend that you upgrade this system.
- I want to forward Internet access to FTP and SSH on the FTP server:
  3.1) 113.89.142.80:20   -> 192.168.1.231:20  udp (FTP)
  3.2) 113.89.142.80:21   -> 192.168.1.231:21  tcp (FTP)
  3.3) 113.89.142.80:2222 -> 192.168.1.231:22  tcp (SSH)
One: FTP doesn't use UDP, regardless of what you see in the services file. You don't need to forward UDP.
Two: Port 20 is used for outbound connections from an active mode FTP server. You don't need to forward port 20 in to your server, ever.
- Shorewall settings:
  4.1 interfaces
  #ZONE   INTERFACE   BROADCAST        OPTIONS
  net     eth1        113.89.142.255   norfc1918,arp_filte
  lan     eth0        detect           arp_filter
  ovpn    tun0        -
  #LAST LINE -- ADD YOUR ENTRIES BEFORE THIS ONE -- DO NOT REMOVE
Although it doesn't make much difference, you typically don't need to specify your broadcast address.
  4.4 rules
  #SECTION RELATED
  SECTION NEW
  ACCEPT       all     fw                     tcp     ftp          <<< it works for local FTP service (tested)
  ACCEPT       all     fw                     udp     ftp          <<< it works for local FTP service
  ACCEPT       all     fw                     tcp     2222
  ACCEPT       all     fw                     tcp     ssh,domain
  Ping/ACCEPT  net     fw
  ACCEPT       all     fw                     tcp     5222
  ACCEPT       all     fw                     udp     5222
  ACCEPT:info  all     $FW                    tcp     22
  DNAT         net     lan:192.168.1.231      tcp     21
  DNAT         net     lan:192.168.1.231      udp     20
  DNAT         net     lan:192.168.1.231:22   tcp     2222
  #LAST LINE -- ADD YOUR ENTRIES BEFORE THIS ONE -- DO NOT REMOVE
Your ACCEPT rules are blocking your DNAT rules. They're not needed.
I've never actually seen the Ping/ACCEPT syntax before, so I'm going to assume that entry is correct. It doesn't exist in Shorewall 4+.
Your rules should contain only this (assuming you're actually running an XMPP server on your firewall):
Ping/ACCEPT  net     fw
ACCEPT:info  all     fw                     tcp     22
ACCEPT       all     fw                     tcp     domain
ACCEPT       all     fw                     udp     domain
ACCEPT       all     fw                     tcp     5222
DNAT         net     lan:192.168.1.231      tcp     21
DNAT         net     lan:192.168.1.231:22   tcp     2222
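The three points made in this reply (FTP is TCP only, port 20 is never forwarded inbound, and the ACCEPT-to-firewall rules overlapping the DNAT rules should go) can be checked mechanically against a Shorewall 3.x rules file. The script below is an added example written for this thread; it is not Shorewall code and not something any poster ran. It assumes the standard ACTION SOURCE DEST PROTO DEST-PORT(S) column layout and embeds the original poster's rules (without the "<<<" notes) as its constructed sample input.

```python
"""Lint a Shorewall 3.x-style 'rules' file for the port-forwarding mistakes
raised in this thread.  Added example, not Shorewall's own code.  Assumes the
standard ACTION SOURCE DEST PROTO DEST-PORT(S) column layout."""

# Constructed sample: the poster's rules as quoted above, without the <<< notes.
SAMPLE_RULES = """\
#SECTION RELATED
SECTION NEW
ACCEPT      all  fw                   tcp  ftp
ACCEPT      all  fw                   udp  ftp
ACCEPT      all  fw                   tcp  2222
ACCEPT      all  fw                   tcp  ssh,domain
Ping/ACCEPT net  fw
ACCEPT      all  fw                   tcp  5222
ACCEPT      all  fw                   udp  5222
ACCEPT:info all  $FW                  tcp  22
DNAT        net  lan:192.168.1.231    tcp  21
DNAT        net  lan:192.168.1.231    udp  20
DNAT        net  lan:192.168.1.231:22 tcp  2222
#LAST LINE -- ADD YOUR ENTRIES BEFORE THIS ONE -- DO NOT REMOVE
"""

# Small subset of /etc/services, enough to resolve the names used above.
SERVICES = {"ftp-data": 20, "ftp": 21, "ssh": 22, "domain": 53}


def parse_rules(text):
    """Return one dict per rule line; comments and SECTION markers are skipped."""
    rules = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line or line.upper().startswith("SECTION "):
            continue
        cols = line.split()
        dest_zone = cols[2].split(":")[0]          # drop any :host[:port] suffix
        if dest_zone == "$FW":                     # $FW is an alias for the fw zone
            dest_zone = "fw"
        proto = cols[3].lower() if len(cols) > 3 else "-"
        ports = set()
        if len(cols) > 4 and cols[4] != "-":
            for p in cols[4].split(","):
                ports.add(SERVICES[p] if p in SERVICES else int(p))
        rules.append({
            "action": cols[0].split(":")[0],       # ACCEPT:info -> ACCEPT
            "source": cols[1], "dest_zone": dest_zone,
            "proto": proto, "ports": ports, "line": line,
        })
    return rules


def lint_rules(rules):
    """Return (code, rule_line) findings for the three problems discussed in the thread."""
    findings = []
    dnat_ports = {(r["proto"], p) for r in rules
                  if r["action"] == "DNAT" for p in r["ports"]}
    for r in rules:
        # FTP control (21) and data (20) are TCP; a UDP rule on them never matches real traffic.
        if r["proto"] == "udp" and r["ports"] & {20, 21}:
            findings.append(("udp-ftp", r["line"]))
        # Port 20 is the source port of the server's *outbound* active-mode data
        # connection, so forwarding it inbound serves no purpose.
        if r["action"] == "DNAT" and 20 in r["ports"]:
            findings.append(("dnat-port-20", r["line"]))
        # An ACCEPT to the firewall itself on a port that is DNATed to a LAN host
        # describes traffic the DNAT rule already covers; the reply above says to drop it.
        if (r["action"] == "ACCEPT" and r["dest_zone"] == "fw"
                and any((r["proto"], p) in dnat_ports for p in r["ports"])):
            findings.append(("accept-shadows-dnat", r["line"]))
    return findings


def cleaned_rules(text):
    """Rule lines that survive the lint, in their original order."""
    rules = parse_rules(text)
    bad = {line for _, line in lint_rules(rules)}
    return [r["line"] for r in rules if r["line"] not in bad]


if __name__ == "__main__":
    for code, line in lint_rules(parse_rules(SAMPLE_RULES)):
        print(f"{code:22s} {line}")
    print("--- remaining rules ---")
    print("\n".join(cleaned_rules(SAMPLE_RULES)))
```

Run against the sample it flags five rules: both UDP "ftp" entries, the DNAT of port 20 (which trips two checks), and the two ACCEPT-to-fw rules on tcp 21 and tcp 2222 that duplicate the DNAT targets. What remains is the DNAT pair for tcp 21 and tcp 2222 plus the firewall-local rules, which matches the shape of the corrected list above.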
Thanks very much! I modified the shorewall settings, but still cannot forward those ports.
Now I have opened ports 2121 and 2222 on Shorewall and use "rinetd" to forward the TCP requests:
   Gateway 2222        -> 192.168.1.231:22
   Gateway 2121        -> 192.168.1.231:21
   Gateway 6000 - 6010 -> 192.168.1.231:6000 - 6010
Both SSH and FTP work.
I will upgrade the system to CentOS 6.3 next month.
At 2012-09-30 05:18:34,"Gordon Messmer" yinyang@eburg.com wrote: