[CentOS] vsFTP and shorewall

Sat Sep 29 21:18:34 UTC 2012
Gordon Messmer <yinyang at eburg.com>

On 09/27/2012 01:58 AM, muiz wrote:
> 1. Gateway (FC6)
>    1.1) eth0:  lan static IP:  192.168.1.20
>    1.2) eth1:  external public static IP:  113.89.142.80
>    2.3) Shorewall-3.2.8 is running

This is extremely old, and you are allowing access to SSH and DNS 
services on the firewall itself.  ISC Bind, at least, has security 
problems that should be patched.  I strongly recommend that you upgrade 
this system.

> 3. I want to forward internet access FTP and SSH to FTP Server:
>       3.1)  113.89.142.80: 20   -> 192.168.1.231:20  udp    (FTP)
>       3.2)  113.89.142.80: 21   -> 192.168.1.231:21  tcp     (FTP)
>       3.3)  113.89.142.80: 2222   -> 192.168.1.231:22  tcp  (SSH)

One: FTP doesn't use UDP, regardless of what you see in the services 
file.  You don't need to forward UDP.

Two: Port 20 is used for outbound connections from an active mode FTP 
server.  You don't need to forward port 20 in to your server, ever.

> 4. Shorewall settings:
>      4.1 interfaces
>                #ZONE   INTERFACE       BROADCAST       OPTIONS
>                net     eth1             113.89.142.255 norfc1918,arp_filte
>                lan     eth0            detect          arp_filter
>                ovpn    tun0            -
>               #LAST LINE -- ADD YOUR ENTRIES BEFORE THIS ONE -- DO NOT REMOVE

Although it doesn't make much difference, you typically don't need to 
specify your broadcast address.

>      4.4 rules
>              #SECTION RELATED
> SECTION NEW
> ACCEPT  all     fw      tcp     ftp               <<< it works for local FTP service (tested)
> ACCEPT  all     fw      udp     ftp              <<< it works for local FTP service
> ACCEPT  all     fw      tcp     2222
> ACCEPT  all     fw      tcp     ssh,domain
> Ping/ACCEPT     net     fw
> ACCEPT  all     fw      tcp     5222
> ACCEPT  all     fw      udp     5222
> ACCEPT:info     all     $FW     tcp     22
> DNAT    net     lan:192.168.1.231      tcp     21
> DNAT    net     lan:192.168.1.231       udp    20
> DNAT    net     lan:192.168.1.231:22       tcp     2222
> #LAST LINE -- ADD YOUR ENTRIES BEFORE THIS ONE -- DO NOT REMOVE

Your ACCEPT rules are blocking your DNAT rules.  They're not needed.

I've never actually seen the Ping/ACCEPT syntax before, so I'm going to 
assume that entry is correct.  It doesn't exist in Shorewall 4+.

Your rules should contain only this (assuming you're actually running an 
XMPP server on your firewall):

Ping/ACCEPT	net	fw
ACCEPT:info	all	fw	tcp	22
ACCEPT		all	fw	tcp	domain
ACCEPT		all	fw	udp	domain
ACCEPT		all	fw	tcp	5222
DNAT		net	lan:192.168.1.231	tcp	21
DNAT		net	lan:192.168.1.231:22	tcp	2222
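As an added illustration (not part of this thread and not Shorewall code), a small Python lint that reads a rules fragment like the one quoted above and reports the three problems raised in the reply: UDP entries for FTP, an inbound DNAT of port 20, and ACCEPT-to-fw entries that overlap a DNAT on the same protocol and port. The embedded rules text is a constructed copy of the quoted file, and the service-name table is an assumption limited to the names that file uses.

```python
# Assumed service-name table, limited to the names the quoted file uses
SERVICE_PORTS = {"ftp": 21, "ftp-data": 20, "ssh": 22, "domain": 53}
# Constructed sample: the quoted rules file, trimmed to the lines that matter
QUOTED_RULES = """\
SECTION NEW
ACCEPT  all     fw      tcp     ftp               <<< it works for local FTP service
ACCEPT  all     fw      udp     ftp
ACCEPT  all     fw      tcp     2222
ACCEPT:info     all     $FW     tcp     22
DNAT    net     lan:192.168.1.231      tcp     21
DNAT    net     lan:192.168.1.231       udp    20
DNAT    net     lan:192.168.1.231:22       tcp     2222
#LAST LINE -- ADD YOUR ENTRIES BEFORE THIS ONE -- DO NOT REMOVE
"""


def parse_rules(text):
    """Return (action, dest, proto, {ports}) per rule; comments, SECTION lines and '<<<' notes dropped."""
    rules = []
    for line in text.splitlines():
        line = line.split("#", 1)[0].split("<<<", 1)[0].strip()
        if not line or line.startswith("SECTION"):
            continue
        fields = line.split()
        if len(fields) < 4:  # e.g. "Ping/ACCEPT net fw" carries no proto/port
            continue
        action, _, dest, proto = fields[:4]
        ports = set()
        for p in (fields[4].split(",") if len(fields) > 4 else []):
            p = SERVICE_PORTS.get(p.lower(), p)  # 'ftp' and '21' must compare equal
            if str(p).isdigit():
                ports.add(int(p))
        rules.append((action.split(":")[0], dest, proto.lower(), ports))  # drop ':info'
    return rules


def lint_rules(text):
    """Return findings for the three problems raised in the reply; [] means clean."""
    rules = parse_rules(text)
    dnat = [(proto, ports) for action, _, proto, ports in rules if action == "DNAT"]
    findings = []
    for action, dest, proto, ports in rules:
        if proto == "udp" and ports & {20, 21}:
            findings.append(f"{action} udp {sorted(ports)}: FTP does not use UDP")
        if action == "DNAT" and 20 in ports:
            findings.append("DNAT of port 20: active-mode data connections are outbound from the server")
        if action == "ACCEPT" and dest in ("fw", "$FW"):
            for dproto, dports in dnat:
                if dproto == proto and ports & dports:
                    findings.append(f"ACCEPT to fw on {proto} {sorted(ports & dports)} overlaps a DNAT")
    return findings
```

Running `lint_rules(QUOTED_RULES)` reports five findings for the quoted file and none for the corrected rules listed above.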