[CentOS] vsFTP and shorewall

Sun Sep 30 14:26:31 UTC 2012
muiz <muiz at 163.com>

Thanks very much!
I modified the shorewall settings, but still cannot forward those ports.

Now I have opened ports 2121 and 2222 on shorewall, and use "rinetd" to forward the TCP requests:
Gateway 2222 ->  192.168.1.231:22
Gateway 2121 ->  192.168.1.231:21
Gateway 6000 - 6010->  192.168.1.231:6000 - 6010
Both SSH and FTP work.

I will upgrade the system to CentOS 6.3 next month.


At 2012-09-30 05:18:34,"Gordon Messmer" <yinyang at eburg.com> wrote:
>On 09/27/2012 01:58 AM, muiz wrote:
>> 1. Gateway (FC6)
>>    1.1) eth0:  lan static IP:  192.168.1.20
>>    1.2) eth1:  external public static IP:  113.89.142.80
>>    1.3) Shorewall-3.2.8 is running
>
>This is extremely old, and you are allowing access to SSH and DNS 
>services on the firewall itself.  ISC Bind, at least, has security 
>problems that should be patched.  I strongly recommend that you upgrade 
>this system.
>
>> 3. I want to forward internet access FTP and SSH to FTP Server:
>>       3.1)  113.89.142.80: 20   -> 192.168.1.231:20  udp    (FTP)
>>       3.2)  113.89.142.80: 21   -> 192.168.1.231:21  tcp     (FTP)
>>       3.3)  113.89.142.80: 2222   -> 192.168.1.231:22  tcp  (SSH)
>
>One: FTP doesn't use UDP, regardless of what you see in the services 
>file.  You don't need to forward UDP.
>
>Two: Port 20 is used for outbound connections from an active mode FTP 
>server.  You don't need to forward port 20 in to your server, ever.
>
>> 4. Shorewall settings:
>>      4.1 interfaces
>>                #ZONE   INTERFACE       BROADCAST       OPTIONS
>>                net     eth1             113.89.142.255 norfc1918,arp_filter
>>                lan     eth0            detect          arp_filter
>>                ovpn    tun0            -
>>               #LAST LINE -- ADD YOUR ENTRIES BEFORE THIS ONE -- DO NOT REMOVE
>
>Although it doesn't make much difference, you typically don't need to 
>specify your broadcast address.
>
>>      4.4 rules
>>              #SECTION RELATED
>> SECTION NEW
>> ACCEPT  all     fw      tcp     ftp               <<< it works for local FTP service (tested)
>> ACCEPT  all     fw      udp     ftp              <<< it works for local FTP service
>> ACCEPT  all     fw      tcp     2222
>> ACCEPT  all     fw      tcp     ssh,domain
>> Ping/ACCEPT     net     fw
>> ACCEPT  all     fw      tcp     5222
>> ACCEPT  all     fw      udp     5222
>> ACCEPT:info     all     $FW     tcp     22
>> DNAT    net     lan:192.168.1.231      tcp     21
>> DNAT    net     lan:192.168.1.231       udp    20
>> DNAT    net     lan:192.168.1.231:22       tcp     2222
>> #LAST LINE -- ADD YOUR ENTRIES BEFORE THIS ONE -- DO NOT REMOVE
>
>Your ACCEPT rules are blocking your DNAT rules.  They're not needed.
>
>I've never actually seen the Ping/ACCEPT syntax before, so I'm going to 
>assume that entry is correct.  It doesn't exist in Shorewall 4+.
>
>Your rules should contain only this (assuming you're actually running an 
>XMPP server on your firewall):
>
>Ping/ACCEPT	net	fw
>ACCEPT:info	all	fw	tcp	22
>ACCEPT		all	fw	tcp	domain
>ACCEPT		all	fw	udp	domain
>ACCEPT		all	fw	tcp	5222
>DNAT		net	lan:192.168.1.231	tcp	21
>DNAT		net	lan:192.168.1.231:22	tcp	2222
>
>_______________________________________________
>CentOS mailing list
>CentOS at centos.org
>http://lists.centos.org/mailman/listinfo/centos
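As an added illustration (not code from the thread or from Shorewall), a small Python linter that parses rules in the five-column ACTION/SOURCE/DEST/PROTO/DEST_PORT layout quoted above and flags the three things Gordon's reply objects to: UDP rules for FTP, an inbound forward of port 20, and ACCEPT-to-fw rules on the same port as a DNAT. The sample rules are the original poster's, re-typed as a constructed string; the service-name table is an assumption.

```python
# Constructed sample: the rules the original poster showed, minus the Ping line.
SAMPLE_RULES = """SECTION NEW
ACCEPT  all     fw      tcp     ftp
ACCEPT  all     fw      udp     ftp
ACCEPT  all     fw      tcp     2222
DNAT    net     lan:192.168.1.231      tcp     21
DNAT    net     lan:192.168.1.231       udp    20
DNAT    net     lan:192.168.1.231:22       tcp     2222
"""
SERVICE_PORTS = {"ftp": "21", "ftp-data": "20", "ssh": "22", "domain": "53"}

def parse_rules(text):
    """Parse ACTION SOURCE DEST PROTO DEST_PORT lines into dicts."""
    rules = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()           # drop comments
        if not line or line.upper().startswith("SECTION"):
            continue
        f = line.split()
        if len(f) < 5:
            continue                                  # e.g. "Ping/ACCEPT net fw"
        port = SERVICE_PORTS.get(f[4].lower(), f[4])  # service name -> number
        rules.append({"action": f[0].split(":")[0].upper(), "src": f[1],
                      "dest": f[2], "proto": f[3].lower(), "port": port})
    return rules

def lint_forwards(rules):
    """Warnings for the rules Gordon's reply says are unnecessary or harmful."""
    dnat = [r for r in rules if r["action"] == "DNAT"]
    warnings = []
    for r in rules:
        key = f"{r['action']} {r['proto']}/{r['port']}"
        if r["proto"] == "udp" and r["port"] in ("20", "21"):
            warnings.append(key + ": FTP does not use UDP")
        elif r["action"] == "DNAT" and r["port"] == "20":
            warnings.append(key + ": port 20 is the active-mode data source port, never forward it in")
        elif r["action"] == "ACCEPT" and r["dest"].lower() in ("fw", "$fw") and any(
                d["proto"] == r["proto"] and d["port"] == r["port"] for d in dnat):
            warnings.append(key + ": ACCEPT to fw shadows a DNAT on the same port")
    return warnings

def forward_table(rules):
    """Map (proto, external port) -> 'ip:port' for each DNAT rule."""
    table = {}
    for r in (x for x in rules if x["action"] == "DNAT"):
        target = r["dest"].split(":", 1)[1]           # strip the zone prefix
        if ":" not in target:
            target += ":" + r["port"]                 # no port rewrite
        table[(r["proto"], r["port"])] = target
    return table
```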