[CentOS] vsFTP and shorewall
Gordon Messmer
yinyang at eburg.com
Sat Sep 29 21:18:34 UTC 2012
On 09/27/2012 01:58 AM, muiz wrote:
> 1. Gateway (FC6)
> 1.1) eth0: lan static IP: 192.168.1.20
> 1.2) eth1: external public static IP: 113.89.142.80
> 2.3) Shorewall-3.2.8 is running
This is extremely old, and you are allowing access to SSH and DNS
services on the firewall itself. ISC Bind, at least, has security
problems that should be patched. I strongly recommend that you upgrade
this system.
> 3. I want to forward internet access FTP and SSH to FTP Server:
> 3.1) 113.89.142.80: 20 -> 192.168.1.231:20 udp (FTP)
> 3.2) 113.89.142.80: 21 -> 192.168.1.231:21 tcp (FTP)
> 3.3) 113.89.142.80: 2222 -> 192.168.1.231:22 tcp (SSH)
One: FTP doesn't use UDP, regardless of what you see in the services
file. You don't need to forward UDP.
Two: Port 20 is used for outbound connections from an active mode FTP
server. You don't need to forward port 20 in to your server, ever.
> 4. Shorewall settings:
> 4.1 interfaces
> #ZONE INTERFACE BROADCAST OPTIONS
> net eth1 113.89.142.255 norfc1918,arp_filte
> lan eth0 detect arp_filter
> ovpn tun0 -
> #LAST LINE -- ADD YOUR ENTRIES BEFORE THIS ONE -- DO NOT REMOVE
Although it doesn't make much difference, you typically don't need to
specify your broadcast address.
> 4.4 rules
> #SECTION RELATED
> SECTION NEW
> ACCEPT all fw tcp ftp <<< it works for local FTP service (tested)
> ACCEPT all fw udp ftp <<< it works for local FTP service
> ACCEPT all fw tcp 2222
> ACCEPT all fw tcp ssh,domain
> Ping/ACCEPT net fw
> ACCEPT all fw tcp 5222
> ACCEPT all fw udp 5222
> ACCEPT:info all $FW tcp 22
> DNAT net lan:192.168.1.231 tcp 21
> DNAT net lan:192.168.1.231 udp 20
> DNAT net lan:192.168.1.231:22 tcp 2222
> #LAST LINE -- ADD YOUR ENTRIES BEFORE THIS ONE -- DO NOT REMOVE
Your ACCEPT rules are blocking your DNAT rules. They're not needed.
I've never actually seen the Ping/ACCEPT syntax before, so I'm going to
assume that entry is correct. It doesn't exist in Shorewall 4+.
Your rules should contain only this (assuming you're actually running an
XMPP server on your firewall):
Ping/ACCEPT net fw
ACCEPT:info all fw tcp 22
ACCEPT all fw tcp domain
ACCEPT all fw udp domain
ACCEPT all fw tcp 5222
DNAT net lan:192.168.1.231 tcp 21
DNAT net lan:192.168.1.231:22 tcp 2222
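As an added illustration (not part of the list message and not Shorewall's own tooling), the following Python script turns the three points made in the reply into automated checks over a Shorewall-style rules file: FTP rules over UDP, inbound forwarding of port 20, and ACCEPT rules to the firewall on ports that are also DNATed to an internal host. The two embedded rule sets are reconstructions of the quoted configuration and of the recommended one, with whitespace-separated columns as in the message; the column layout (ACTION SOURCE DEST PROTO DEST PORT(S)) and the service-name table are assumptions of the example.

```python
"""Lint a Shorewall-style rules file for the problems raised in the reply.

Added example, not Shorewall's own code.  Both rule sets below are constructed
from the rules quoted in the thread.
"""
from collections import defaultdict

# Service names that may appear in the DEST PORT(S) column (assumed subset).
PORT_ALIASES = {"ftp-data": "20", "ftp": "21", "ssh": "22", "domain": "53"}

# Constructed sample: the rules quoted from the original poster.
SAMPLE_RULES = """\
#SECTION RELATED
SECTION NEW
ACCEPT all fw tcp ftp
ACCEPT all fw udp ftp
ACCEPT all fw tcp 2222
ACCEPT all fw tcp ssh,domain
Ping/ACCEPT net fw
ACCEPT all fw tcp 5222
ACCEPT all fw udp 5222
ACCEPT:info all $FW tcp 22
DNAT net lan:192.168.1.231 tcp 21
DNAT net lan:192.168.1.231 udp 20
DNAT net lan:192.168.1.231:22 tcp 2222
"""

# Constructed sample: the rule set recommended in the reply.
FIXED_RULES = """\
Ping/ACCEPT net fw
ACCEPT:info all fw tcp 22
ACCEPT all fw tcp domain
ACCEPT all fw udp domain
ACCEPT all fw tcp 5222
DNAT net lan:192.168.1.231 tcp 21
DNAT net lan:192.168.1.231:22 tcp 2222
"""


def normalize_port(port):
    """Map a service name to its port number; numeric ports pass through."""
    return PORT_ALIASES.get(port.lower(), port)


def parse_rules(text):
    """Yield (action, source, dest, proto, ports) tuples from a rules file.

    Comment lines, blank lines and SECTION markers are skipped.  The action
    column may carry a log-level suffix (ACCEPT:info) or a macro prefix
    (Ping/ACCEPT); both are stripped so only the base action remains.
    Rules without PROTO / DEST PORT(S) columns get None and an empty list.
    """
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line or line.upper().startswith("SECTION"):
            continue
        fields = line.split()
        action = fields[0].split(":", 1)[0].split("/")[-1].upper()
        source, dest = fields[1], fields[2]
        proto = fields[3].lower() if len(fields) > 3 else None
        ports = []
        if len(fields) > 4:
            ports = [normalize_port(p) for p in fields[4].split(",")]
        yield action, source, dest, proto, ports


def lint_rules(text):
    """Return a list of human-readable findings for the rules in `text`."""
    findings = []
    dnat_ports = defaultdict(set)  # proto -> external ports that are DNATed
    rules = list(parse_rules(text))

    for action, _source, _dest, proto, ports in rules:
        if action == "DNAT":
            dnat_ports[proto].update(ports)

    for action, _source, dest, proto, ports in rules:
        for p in ports:
            # FTP is TCP-only; a UDP rule for port 20 or 21 does nothing useful.
            if proto == "udp" and p in ("20", "21"):
                findings.append(f"{action} udp {p}: FTP does not use UDP")
            # Port 20 is the source port of outbound active-mode data
            # connections from the server; it is never forwarded inbound.
            if action == "DNAT" and p == "20":
                findings.append("DNAT port 20: active-mode data connections "
                                "originate from the server; do not forward it")
            # An ACCEPT to the firewall on a port that is DNATed elsewhere is
            # the case the reply says to remove.
            if (action == "ACCEPT" and dest.lstrip("$").lower() == "fw"
                    and p in dnat_ports.get(proto, ())):
                findings.append(f"ACCEPT {proto} {p} to fw conflicts with the "
                                f"DNAT of the same port; remove it")
    return findings


if __name__ == "__main__":
    for finding in lint_rules(SAMPLE_RULES):
        print(finding)
    print("fixed rule set findings:", lint_rules(FIXED_RULES))
```

Running it against the quoted rules reports the UDP FTP entries, the port 20 forward and the two ACCEPT-to-fw rules on ports 21 and 2222; the recommended rule set produces no findings.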