Dear all, Dear support and users:

Sorry to trouble you! I configure the shorewall firewall to forward ftp and ssh port to another server, but failed. Can you help me check?
I cannot login both SSH 2222 and ftp!
Below is my environment: (attachment is shorewall dump)

1. Gateway (FC6)
1.1) eth0: lan static IP: 192.168.1.20
1.2) eth1: external public static IP: 113.89.142.80
2.3) Shorewall-3.2.8 is running

2. FTP Server: (Centos63, iptables and selinux are off)
2.1) eth0: lan static IP: 192.168.1.231
2.2) Open SSH port 22 and FTP port 20, 21 already (tested)
2.3) vsftp.conf : use default settings and it works for internal users

3. I want to forward internet access FTP and SSH to FTP Server:
3.1) 113.89.142.80:20 -> 192.168.1.231:20 udp (FTP)
3.2) 113.89.142.80:21 -> 192.168.1.231:21 tcp (FTP)
3.3) 113.89.142.80:2222 -> 192.168.1.231:22 tcp (SSH)

4. Shorewall settings:

4.1 interfaces
#ZONE   INTERFACE   BROADCAST        OPTIONS
net     eth1        113.89.142.255   norfc1918,arp_filte
lan     eth0        detect           arp_filter
ovpn    tun0        -
#LAST LINE -- ADD YOUR ENTRIES BEFORE THIS ONE -- DO NOT REMOVE

4.2 zones
#ZONE   TYPE       OPTIONS   IN        OUT
#                            OPTIONS   OPTIONS
fw      firewall
net     ipv4
lan     ipv4
ovpn    ipv4
#LAST LINE - ADD YOUR ENTRIES ABOVE THIS ONE - DO NOT REMOVE

4.3 policy
#SOURCE   DEST   POLICY   LOG     LIMIT:BURST
#                         LEVEL
fw        all    ACCEPT
lan       net    ACCEPT
lan       fw     ACCEPT
lan       ovpn   ACCEPT
ovpn      lan    ACCEPT
net       all    DROP
all       all    REJECT
#LAST LINE -- DO NOT REMOVE

4.4 rules
#SECTION RELATED
SECTION NEW
ACCEPT        all   fw                     tcp   ftp          <<< it works for local FTP service (tested)
ACCEPT        all   fw                     udp   ftp          <<< it works for local FTP service
ACCEPT        all   fw                     tcp   2222
ACCEPT        all   fw                     tcp   ssh,domain
Ping/ACCEPT   net   fw
ACCEPT        all   fw                     tcp   5222
ACCEPT        all   fw                     udp   5222
ACCEPT:info   all   $FW                    tcp   22
DNAT          net   lan:192.168.1.231      tcp   21
DNAT          net   lan:192.168.1.231      udp   20
DNAT          net   lan:192.168.1.231:22   tcp   2222
#LAST LINE -- ADD YOUR ENTRIES BEFORE THIS ONE -- DO NOT REMOVE

5. # cat /proc/sys/net/ipv4/ip_forward
1

6. # more /etc/sysconfig/iptables-config
IPTABLES_MODULES="ip_conntrack_netbios_ns ip_nat_ftp ip_conntrack_ftp"

Chain net_dnat (1 references)
 pkts bytes target  prot opt in  out  source     destination
    3   156 DNAT    tcp  --  *   *    0.0.0.0/0  0.0.0.0/0    tcp dpt:21 to:192.168.1.231
    0     0 DNAT    udp  --  *   *    0.0.0.0/0  0.0.0.0/0    udp dpt:20 to:192.168.1.231
    5   260 DNAT    tcp  --  *   *    0.0.0.0/0  0.0.0.0/0    tcp dpt:2222 to:192.168.1.231:22

do you know what's wrong?

Thanks and best regards!
Muiz
On 27.09.2012 at 10:58, muiz wrote:
> Dear support and users:
> Sorry to trouble you! I configure the shorewall firewall to forward ftp and ssh port to another server, but failed. Can you help me check?
> I cannot login both SSH 2222 and ftp!
> Below is my environment: (attachment is shorewall dump)

what about the shorewall mailing list?

-- 
LF
From: muiz <muiz at 163.com>
> Sorry to trouble you! I configure the shorewall firewall to forward ftp and
> ssh port to another server, but failed. Can you help me check?
> I cannot login both SSH 2222 and ftp!

http://www.shorewall.net/FAQ.htm#faq1a

JD
On 09/27/2012 01:58 AM, muiz wrote:
> 1. Gateway (FC6)
> 1.1) eth0: lan static IP: 192.168.1.20
> 1.2) eth1: external public static IP: 113.89.142.80
> 2.3) Shorewall-3.2.8 is running

This is extremely old, and you are allowing access to SSH and DNS services on the firewall itself. ISC Bind, at least, has security problems that should be patched. I strongly recommend that you upgrade this system.

> 3. I want to forward internet access FTP and SSH to FTP Server:
> 3.1) 113.89.142.80:20 -> 192.168.1.231:20 udp (FTP)
> 3.2) 113.89.142.80:21 -> 192.168.1.231:21 tcp (FTP)
> 3.3) 113.89.142.80:2222 -> 192.168.1.231:22 tcp (SSH)

One: FTP doesn't use UDP, regardless of what you see in the services file. You don't need to forward UDP.

Two: Port 20 is used for outbound connections from an active mode FTP server. You don't need to forward port 20 in to your server, ever.

> 4. Shorewall settings:
> 4.1 interfaces
> #ZONE   INTERFACE   BROADCAST        OPTIONS
> net     eth1        113.89.142.255   norfc1918,arp_filte
> lan     eth0        detect           arp_filter
> ovpn    tun0        -
> #LAST LINE -- ADD YOUR ENTRIES BEFORE THIS ONE -- DO NOT REMOVE

Although it doesn't make much difference, you typically don't need to specify your broadcast address.

> 4.4 rules
> #SECTION RELATED
> SECTION NEW
> ACCEPT        all   fw                     tcp   ftp          <<< it works for local FTP service (tested)
> ACCEPT        all   fw                     udp   ftp          <<< it works for local FTP service
> ACCEPT        all   fw                     tcp   2222
> ACCEPT        all   fw                     tcp   ssh,domain
> Ping/ACCEPT   net   fw
> ACCEPT        all   fw                     tcp   5222
> ACCEPT        all   fw                     udp   5222
> ACCEPT:info   all   $FW                    tcp   22
> DNAT          net   lan:192.168.1.231      tcp   21
> DNAT          net   lan:192.168.1.231      udp   20
> DNAT          net   lan:192.168.1.231:22   tcp   2222
> #LAST LINE -- ADD YOUR ENTRIES BEFORE THIS ONE -- DO NOT REMOVE

Your ACCEPT rules are blocking your DNAT rules. They're not needed.

I've never actually seen the Ping/ACCEPT syntax before, so I'm going to assume that entry is correct. It doesn't exist in Shorewall 4+.

Your rules should contain only this (assuming you're actually running an XMPP server on your firewall):

Ping/ACCEPT   net   fw
ACCEPT:info   all   fw                     tcp   22
ACCEPT        all   fw                     tcp   domain
ACCEPT        all   fw                     udp   domain
ACCEPT        all   fw                     tcp   5222
DNAT          net   lan:192.168.1.231      tcp   21
DNAT          net   lan:192.168.1.231:22   tcp   2222
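The three points the last reply makes (FTP has no UDP leg, port 20 is never forwarded inbound, and an ACCEPT to the firewall on the same proto/port as a net-to-lan DNAT gets in the way of that DNAT) can be checked mechanically before running `shorewall restart`. The script below is an added example written for this thread, not Shorewall's own code or anything posted by the participants: it lints a Shorewall 3.x-style rules file read on stdin and prints one finding per line. The service-name table (ftp, ssh, domain) is an assumption covering only the names that appear in the post, and the rules it runs against are a constructed copy of what was posted.

```shell
#!/bin/sh
# Added example, not part of the thread: lint a Shorewall 3.x-style rules file
# for the three problems called out in the reply above:
#   1. a DNAT for FTP over udp (FTP is TCP only),
#   2. a DNAT of port 20 inbound (active-mode servers open port 20 outbound),
#   3. an ACCEPT to the firewall itself on the same proto/port as a later DNAT
#      from net, which the reply says blocks the DNAT.
# Reads the rules file on stdin, prints one finding per line.
# The service-name table is an assumption limited to names used in the post.

lint_shorewall_rules() {
  awk '
    BEGIN { svc["ftp"] = 21; svc["ssh"] = 22; svc["domain"] = 53 }

    # map a service name to its port number; numeric ports pass through
    function portnum(p) { return (p in svc) ? svc[p] : p }

    /^[ \t]*#/ || /^[ \t]*$/ { next }   # comments and blank lines
    $1 == "SECTION" { next }             # SECTION NEW / ESTABLISHED / RELATED

    {
      action = $1; sub(/:.*/, "", action)   # drop a ":info" log-level suffix
      dst = $3; proto = tolower($4)

      # remember every ACCEPT whose destination is the firewall, by proto:port
      # ($5 may be a comma-separated list such as "ssh,domain")
      if (action == "ACCEPT" && (dst == "fw" || dst == "$FW")) {
        n = split($5, ports, ",")
        for (i = 1; i <= n; i++)
          accept[proto ":" portnum(ports[i])] = NR
      }

      if (action == "DNAT") {
        port = portnum($5)
        key = proto ":" port
        if (proto == "udp" && (port == 20 || port == 21))
          print "udp FTP DNAT on line " NR ": FTP does not use UDP"
        if (port == 20)
          print "port-20 DNAT on line " NR ": port 20 is an outbound source port, do not forward it in"
        if (key in accept)
          print "overlap: ACCEPT to fw for " key " (line " accept[key] ") precedes DNAT on line " NR
      }
    }'
}

# Constructed sample input: the rules as posted at the top of the thread.
sample_rules() {
  cat <<'EOF'
#SECTION RELATED
SECTION NEW
ACCEPT        all   fw                     tcp   ftp
ACCEPT        all   fw                     udp   ftp
ACCEPT        all   fw                     tcp   2222
ACCEPT        all   fw                     tcp   ssh,domain
Ping/ACCEPT   net   fw
ACCEPT        all   fw                     tcp   5222
ACCEPT        all   fw                     udp   5222
ACCEPT:info   all   $FW                    tcp   22
DNAT          net   lan:192.168.1.231      tcp   21
DNAT          net   lan:192.168.1.231      udp   20
DNAT          net   lan:192.168.1.231:22   tcp   2222
#LAST LINE -- ADD YOUR ENTRIES BEFORE THIS ONE -- DO NOT REMOVE
EOF
}

# Real use: lint_shorewall_rules < /etc/shorewall/rules
sample_rules | lint_shorewall_rules
```

Run against the posted rules it reports four findings: the udp/20 DNAT twice (udp and port 20), and the tcp 21 and tcp 2222 DNATs as overlapping the `ACCEPT all fw` lines above them. The reply's corrected rule set passes clean, since it keeps only the ACCEPTs for services that really live on the firewall (22, domain, 5222) and DNATs only tcp 21 and tcp 2222.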