Hi all,

I want to run vsftp behind a firewall (i.e. DMZ zone). It is running as passive ftp. The theory behind passive ftp is:

- FTP server's port 21 from anywhere (Client initiates connection)
- FTP server's port 21 to ports > 1024 (Server responds to client's control port)
- FTP server's ports > 1024 from anywhere (Client initiates data connection to random port specified by server)
- FTP server's ports > 1024 to remote ports > 1024 (Server sends ACKs (and data) to client's data port)

Then, how can I write DNAT rules? Pls assume 1.2.3.4 is the ip of the internet interface.

#DNAT from Internet to the box running VSFTP @ 192.168.100.3
iptables -t nat -A PREROUTING -p tcp -i eth0 -d 1.2.3.4 --dport 21 -j DNAT --to-destination 192.168.100.3:21
iptables -t nat -A PREROUTING -p tcp -i eth0 -d 1.2.3.4 --dport 1024: -j DNAT --to-destination 192.168.100.3

And also

#connect to below ip (actual destination ip) with below ports, due to DNATing
iptables -A FORWARD -p tcp -d 192.168.100.3 --dport 21 -m state --state NEW -j ACCEPT
iptables -A FORWARD -p tcp -d 192.168.100.3 --dport 1024: -m state --state NEW -j ACCEPT

Are you okay with the above 4 rules? If WRONG, pls write down your rules. I am going to put this vsftp server into PRODUCTION USE.

Pls also make sure my firewall has below rules such as DROP, ESTABLISHED,RELATED.

iptables -P INPUT DROP
iptables -P FORWARD DROP
iptables -P OUTPUT DROP
iptables -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
iptables -A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT
iptables -A OUTPUT -m state --state ESTABLISHED,RELATED -j ACCEPT

YOUR comments.

--
Thank you
Indunil Jayasooriya
Indunil Jayasooriya wrote:
> Hi all,
>
> I want to run vsftp behind a firewall (i.e. DMZ zone). It is running as
> passive ftp.

Do you have ip_nat_ftp loaded too?
Indunil Jayasooriya wrote:
> Hi all,
>
> I want to run vsftp behind a firewall (i.e. DMZ zone). It is running as
> passive ftp.
>
> The theory behind passive ftp is:

Except, passive vs active is the choice of the CLIENT, not the server. The only way to properly handle both modes is to parse the FTP commands on the control port (21) and set up/tear down port forwards on dynamic ports as needed. If you use the ip_nat_ftp module, this is all taken care of automatically and both transfer modes should work; you'll simply need to forward the control port.
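To make the control-port parsing described above concrete, here is an added Python illustration (not from the thread and not the kernel helper's code) of what ip_conntrack_ftp/ip_nat_ftp do on the wire: decode the server's 227 PASV reply and the client's PORT command, derive the data connection the firewall should expect as RELATED, and rewrite the private address in the PASV reply to the public one. The addresses are the thread's 1.2.3.4 and 192.168.100.3; the client address and the sample messages are constructed.

```python
import re

# Addresses from the thread: public interface 1.2.3.4, vsftpd host 192.168.100.3.
PUBLIC_IP = "1.2.3.4"
SERVER_IP = "192.168.100.3"

# "227 Entering Passive Mode (h1,h2,h3,h4,p1,p2)" and "PORT h1,h2,h3,h4,p1,p2"
PASV_RE = re.compile(r"^227 .*?\((\d+),(\d+),(\d+),(\d+),(\d+),(\d+)\)")
PORT_RE = re.compile(r"^PORT (\d+),(\d+),(\d+),(\d+),(\d+),(\d+)$")


def decode_hostport(fields):
    """Six comma-separated FTP fields -> (ip, port); port = p1*256 + p2."""
    h1, h2, h3, h4, p1, p2 = (int(f) for f in fields)
    return f"{h1}.{h2}.{h3}.{h4}", p1 * 256 + p2


def encode_hostport(ip, port):
    return ",".join(ip.split(".") + [str(port // 256), str(port % 256)])


def handle_pasv_reply(reply, server_ip=SERVER_IP, public_ip=PUBLIC_IP):
    """Server -> client 227 reply. Returns (expectation, rewritten_reply).

    The expectation is the data connection conntrack will mark RELATED: the
    client dials public_ip:port and NAT maps it to server_ip:port. Since the
    helper creates this per session, no blanket NEW rule for --dport 1024: is
    needed. The rewritten reply advertises the public address to the client.
    """
    s = reply.strip()
    m = PASV_RE.match(s)
    if not m:
        return None, reply
    ip, port = decode_hostport(m.groups())
    if ip != server_ip or port <= 1023:
        raise ValueError(f"refusing PASV reply advertising {ip}:{port}")
    rewritten = reply.replace(s[m.start(1):m.end(6)], encode_hostport(public_ip, port), 1)
    return {"mode": "passive", "dnat": ((public_ip, port), (server_ip, port))}, rewritten


def handle_port_command(command, client_ip):
    """Client -> server PORT (active mode): the server connects from port 20 to
    client_ip:port, so that outbound connection is the RELATED expectation.
    An address other than the control connection's peer is rejected."""
    m = PORT_RE.match(command.strip())
    if not m:
        return None
    ip, port = decode_hostport(m.groups())
    if ip != client_ip or port <= 1023:
        raise ValueError(f"refusing PORT to {ip}:{port}")
    return {"mode": "active", "expect": ((SERVER_IP, 20), (ip, port))}
```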
On 10/5/07, Feizhou <feizhou at graffiti.net> wrote:
> > > Do you have ip_nat_ftp loaded too?
> >
> > YES, both ip_conntrack_ftp and ip_nat_ftp.
> > pls see below
> >
> > #Enable tracking mechanism
> > /sbin/modprobe -a ip_conntrack_ftp ip_nat_ftp
>
> Hmm, I think the NEW for port 1024: is not necessary in FORWARD then.
> The nat_ftp should handle it and thus make it ESTABLISHED,RELATED and
> the ESTABLISHED,RELATED rule should therefore be sufficient.

That means I do not need below rule in FORWARD chain.

iptables -A FORWARD -p tcp -d 192.168.100.3 --dport 1024: -m state --state NEW -j ACCEPT

So below 3 rules will be enough.

iptables -t nat -A PREROUTING -p tcp -i eth0 -d 1.2.3.4 --dport 21 -j DNAT --to-destination 192.168.100.3:21
iptables -t nat -A PREROUTING -p tcp -i eth0 -d 1.2.3.4 --dport 1024: -j DNAT --to-destination 192.168.100.3
iptables -A FORWARD -p tcp -d 192.168.100.3 --dport 21 -m state --state NEW -j ACCEPT

--
Thank you
Indunil Jayasooriya