Dear all, 
Dear support and users:
   Sorry to trouble you! I configured the Shorewall firewall to forward the FTP and
SSH ports to another server, but it failed. Can you help me check?
   I cannot log in to either SSH on port 2222 or FTP!
   Below is my environment (the attachment is the shorewall dump):
1. Gateway (FC6)
  1.1) eth0:  LAN static IP:  192.168.1.20
  1.2) eth1:  external public static IP:  113.89.142.80
  1.3) Shorewall-3.2.8 is running
2. FTP Server: (CentOS 6.3, iptables and SELinux are off)
  2.1) eth0:  LAN static IP: 192.168.1.231
  2.2) SSH port 22 and FTP ports 20, 21 are already open (tested)
  2.3) vsftp.conf: default settings; it works for internal users
3. I want to forward Internet access for FTP and SSH to the FTP Server:
     3.1)  113.89.142.80:20   -> 192.168.1.231:20  udp  (FTP)
     3.2)  113.89.142.80:21   -> 192.168.1.231:21  tcp  (FTP)
     3.3)  113.89.142.80:2222 -> 192.168.1.231:22  tcp  (SSH)
4. Shorewall settings:
    4.1 interfaces
              #ZONE   INTERFACE       BROADCAST       OPTIONS
              net     eth1            113.89.142.255  norfc1918,arp_filter
              lan     eth0            detect          arp_filter
              ovpn    tun0            -
              #LAST LINE -- ADD YOUR ENTRIES BEFORE THIS ONE -- DO NOT REMOVE
    4.2 zones
              #ZONE   TYPE            OPTIONS         IN                      OUT
              #                                       OPTIONS                 OPTIONS
              fw      firewall
              net     ipv4
              lan     ipv4
              ovpn    ipv4
              #LAST LINE - ADD YOUR ENTRIES ABOVE THIS ONE - DO NOT REMOVE
    4.3 policy
              #SOURCE         DEST            POLICY          LOG             LIMIT:BURST
              #                                               LEVEL
              fw              all             ACCEPT
              lan             net             ACCEPT
              lan             fw              ACCEPT
              lan             ovpn            ACCEPT
              ovpn            lan             ACCEPT
              net             all             DROP
              all             all             REJECT
              #LAST LINE -- DO NOT REMOVE
    4.4 rules
              #SECTION RELATED
              SECTION NEW
              ACCEPT          all     fw                      tcp     ftp         <<< it works for local FTP service (tested)
              ACCEPT          all     fw                      udp     ftp         <<< it works for local FTP service
              ACCEPT          all     fw                      tcp     2222
              ACCEPT          all     fw                      tcp     ssh,domain
              Ping/ACCEPT     net     fw
              ACCEPT          all     fw                      tcp     5222
              ACCEPT          all     fw                      udp     5222
              ACCEPT:info     all     $FW                     tcp     22
              DNAT            net     lan:192.168.1.231       tcp     21
              DNAT            net     lan:192.168.1.231       udp     20
              DNAT            net     lan:192.168.1.231:22    tcp     2222
              #LAST LINE -- ADD YOUR ENTRIES BEFORE THIS ONE -- DO NOT REMOVE
  5. # cat /proc/sys/net/ipv4/ip_forward
     1
  6. # more /etc/sysconfig/iptables-config
     IPTABLES_MODULES="ip_conntrack_netbios_ns ip_nat_ftp ip_conntrack_ftp"
  7. From the shorewall dump (nat table):
     Chain net_dnat (1 references)
      pkts bytes target     prot opt in     out     source               destination
         3   156 DNAT       tcp  --  *      *       0.0.0.0/0            0.0.0.0/0            tcp dpt:21 to:192.168.1.231
         0     0 DNAT       udp  --  *      *       0.0.0.0/0            0.0.0.0/0            udp dpt:20 to:192.168.1.231
         5   260 DNAT       tcp  --  *      *       0.0.0.0/0            0.0.0.0/0            tcp dpt:2222 to:192.168.1.231:22
Do you know what's wrong?
Thanks and best regards!
Muiz
On 27.09.2012 at 10:58, muiz wrote:
> Dear support and users:
> Sorry to trouble you! I configured the Shorewall firewall to forward the FTP and SSH ports to another server, but it failed. Can you help me check?
> I cannot log in to either SSH on port 2222 or FTP!
> Below is my environment (the attachment is the shorewall dump):

What about the Shorewall mailing list?

-- 
LF
From: muiz <muiz at 163.com>
> Sorry to trouble you! I configured the Shorewall firewall to forward the FTP and SSH ports to another server, but it failed. Can you help me check?
> I cannot log in to either SSH on port 2222 or FTP!

http://www.shorewall.net/FAQ.htm#faq1a

JD
On 09/27/2012 01:58 AM, muiz wrote:
> 1. Gateway (FC6)
>   1.1) eth0:  LAN static IP:  192.168.1.20
>   1.2) eth1:  external public static IP:  113.89.142.80
>   1.3) Shorewall-3.2.8 is running

This is extremely old, and you are allowing access to SSH and DNS services on the firewall itself. ISC Bind, at least, has security problems that should be patched. I strongly recommend that you upgrade this system.

> 3. I want to forward Internet access for FTP and SSH to the FTP Server:
>   3.1) 113.89.142.80:20   -> 192.168.1.231:20  udp  (FTP)
>   3.2) 113.89.142.80:21   -> 192.168.1.231:21  tcp  (FTP)
>   3.3) 113.89.142.80:2222 -> 192.168.1.231:22  tcp  (SSH)

One: FTP doesn't use UDP, regardless of what you see in the services file. You don't need to forward UDP.

Two: Port 20 is used for outbound connections from an active mode FTP server. You don't need to forward port 20 in to your server, ever.

> 4. Shorewall settings:
> 4.1 interfaces
> #ZONE   INTERFACE       BROADCAST       OPTIONS
> net     eth1            113.89.142.255  norfc1918,arp_filter
> lan     eth0            detect          arp_filter
> ovpn    tun0            -
> #LAST LINE -- ADD YOUR ENTRIES BEFORE THIS ONE -- DO NOT REMOVE

Although it doesn't make much difference, you typically don't need to specify your broadcast address.

> 4.4 rules
> #SECTION RELATED
> SECTION NEW
> ACCEPT          all     fw                      tcp     ftp         <<< it works for local FTP service (tested)
> ACCEPT          all     fw                      udp     ftp         <<< it works for local FTP service
> ACCEPT          all     fw                      tcp     2222
> ACCEPT          all     fw                      tcp     ssh,domain
> Ping/ACCEPT     net     fw
> ACCEPT          all     fw                      tcp     5222
> ACCEPT          all     fw                      udp     5222
> ACCEPT:info     all     $FW                     tcp     22
> DNAT            net     lan:192.168.1.231       tcp     21
> DNAT            net     lan:192.168.1.231       udp     20
> DNAT            net     lan:192.168.1.231:22    tcp     2222
> #LAST LINE -- ADD YOUR ENTRIES BEFORE THIS ONE -- DO NOT REMOVE

Your ACCEPT rules are blocking your DNAT rules. They're not needed.

I've never actually seen the Ping/ACCEPT syntax before, so I'm going to assume that entry is correct. It doesn't exist in Shorewall 4+.

Your rules should contain only this (assuming you're actually running an XMPP server on your firewall):

Ping/ACCEPT     net     fw
ACCEPT:info     all     fw                      tcp     22
ACCEPT          all     fw                      tcp     domain
ACCEPT          all     fw                      udp     domain
ACCEPT          all     fw                      tcp     5222
DNAT            net     lan:192.168.1.231       tcp     21
DNAT            net     lan:192.168.1.231:22    tcp     2222
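The three points made in the reply above (FTP has no UDP side, port 20 is never forwarded inbound, and an ACCEPT to the firewall on the same port as a DNAT is not needed) can be turned into a mechanical check on a Shorewall 3.x `rules` file. The script below is an added example written for this thread; it is not code from the thread or from the Shorewall project. It understands only the rule syntax visible in the post (`ACTION[:level] SOURCE DEST[:host[:port]] [PROTO [DEST_PORTS]]`, plus `SECTION` and `#` comment lines), resolves the service names the post uses with a small table that stands in for `/etc/services`, and is run over the poster's rules and the reply's proposed rules, both reconstructed inline as sample input.

```python
"""Lint a Shorewall 3.x 'rules' file for the FTP/SSH port-forwarding
mistakes discussed in this thread (added example, not Shorewall code)."""

# Assumption: the service names seen in the post, as /etc/services maps them.
SERVICE_PORTS = {"ftp-data": 20, "ftp": 21, "ssh": 22, "domain": 53}


def port_number(token):
    """Resolve a DEST_PORT token (number or service name) to an int."""
    token = token.strip().lower()
    if token.isdigit():
        return int(token)
    if token in SERVICE_PORTS:
        return SERVICE_PORTS[token]
    raise ValueError(f"unknown port or service name: {token!r}")


def split_dest(dest):
    """'lan:192.168.1.231:22' -> ('lan', '192.168.1.231', 22); 'fw' -> ('fw', None, None)."""
    parts = dest.split(":")
    host = parts[1] if len(parts) > 1 else None
    target_port = int(parts[2]) if len(parts) > 2 else None
    return parts[0], host, target_port


def is_firewall(zone):
    return zone in ("fw", "$FW")


def parse_rules(text):
    """Return (line_no, action, source, dest, proto, ports) per rule line.
    Comments, blank lines and SECTION markers are skipped; a log level on the
    ACTION ('ACCEPT:info') is dropped; macros such as 'Ping/ACCEPT' keep
    their name and get proto None and no ports."""
    rules = []
    for line_no, raw in enumerate(text.splitlines(), 1):
        line = raw.split("#", 1)[0].strip()
        if not line or line.startswith("SECTION"):
            continue
        fields = line.split()
        action = fields[0].split(":", 1)[0]
        proto = fields[3].lower() if len(fields) > 3 else None
        ports = [port_number(p) for p in fields[4].split(",")] if len(fields) > 4 else []
        rules.append((line_no, action, fields[1], fields[2], proto, ports))
    return rules


def lint_rules(text):
    """Return (line_no, message) findings, sorted by line number."""
    rules = parse_rules(text)
    findings = []
    dnat = {}  # (proto, external port) -> (line_no, host, target port)

    for line_no, action, _src, dest, proto, ports in rules:
        _zone, host, target_port = split_dest(dest)
        for port in ports:
            # Check 1: FTP does not use UDP, whatever /etc/services lists.
            if proto == "udp" and port in (20, 21):
                findings.append((line_no, f"FTP does not use UDP; drop the udp/{port} rule"))
            if action == "DNAT":
                # Check 2: port 20 is the *source* port of an active-mode
                # server's outbound data connections; never forward it in.
                if port == 20:
                    findings.append((line_no, "port 20 is used for outbound active-mode "
                                              "data connections; never forward it in"))
                dnat[(proto, port)] = (line_no, host, target_port or port)

    # Check 3: a port ACCEPTed to the firewall itself and also DNATed to a
    # LAN host is claimed by two destinations; the reply says drop the ACCEPT.
    for line_no, action, _src, dest, proto, ports in rules:
        zone, _host, _tp = split_dest(dest)
        if action != "ACCEPT" or not is_firewall(zone):
            continue
        for port in ports:
            if (proto, port) in dnat:
                d_line, host, target_port = dnat[(proto, port)]
                findings.append((line_no, f"ACCEPT to the firewall on {proto}/{port} conflicts "
                                          f"with the DNAT on line {d_line} to {host}:{target_port}; "
                                          "the ACCEPT is not needed"))
    return sorted(findings)


# Constructed sample: the rules file from the post, '<<<' remarks made comments.
POSTED_RULES = """\
SECTION NEW
ACCEPT  all     fw      tcp     ftp       # works for local FTP service (tested)
ACCEPT  all     fw      udp     ftp       # works for local FTP service
ACCEPT  all     fw      tcp     2222
ACCEPT  all     fw      tcp     ssh,domain
Ping/ACCEPT     net     fw
ACCEPT  all     fw      tcp     5222
ACCEPT  all     fw      udp     5222
ACCEPT:info     all     $FW     tcp     22
DNAT    net     lan:192.168.1.231       tcp     21
DNAT    net     lan:192.168.1.231       udp     20
DNAT    net     lan:192.168.1.231:22    tcp     2222
"""

# Constructed sample: the rule set proposed in the reply.
PROPOSED_RULES = """\
SECTION NEW
Ping/ACCEPT     net     fw
ACCEPT:info     all     fw      tcp     22
ACCEPT  all     fw      tcp     domain
ACCEPT  all     fw      udp     domain
ACCEPT  all     fw      tcp     5222
DNAT    net     lan:192.168.1.231       tcp     21
DNAT    net     lan:192.168.1.231:22    tcp     2222
"""

if __name__ == "__main__":
    for name, text in (("posted", POSTED_RULES), ("proposed", PROPOSED_RULES)):
        print(f"{name}: {len(lint_rules(text))} finding(s)")
        for line_no, msg in lint_rules(text):
            print(f"  line {line_no}: {msg}")
```

Run against the posted rules it reports five findings (the udp ftp ACCEPT, the udp 20 DNAT twice, and the tcp 21 and tcp 2222 ACCEPTs that overlap the DNATs); the proposed rule set is clean. The checker is deliberately narrow: it does not know Shorewall's full rule grammar, macros, or the `all`-zone expansion, so treat it as a first pass over a file, not as a substitute for `shorewall check`.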