Hi all,

I want to run vsftp behind a firewall (i.e. DMZ zone). It is running as passive ftp. The theory behind passive ftp is:

- FTP server's port 21 from anywhere (Client initiates connection)
- FTP server's port 21 to ports > 1024 (Server responds to client's control port)
- FTP server's ports > 1024 from anywhere (Client initiates data connection to random port specified by server)
- FTP server's ports > 1024 to remote ports > 1024 (Server sends ACKs (and data) to client's data port)

Then, how can I write DNAT rules? Please assume 1.2.3.4 is the ip of the internet interface.

#DNAT from Internet to the box running VSFTP @ 192.168.100.3
iptables -t nat -A PREROUTING -p tcp -i eth0 -d 1.2.3.4 --dport 21 -j DNAT --to-destination 192.168.100.3:21
iptables -t nat -A PREROUTING -p tcp -i eth0 -d 1.2.3.4 --dport 1024: -j DNAT --to-destination 192.168.100.3

And also

#connect to below ip (actual destination ip) with below ports, due to DNATing
iptables -A FORWARD -p tcp -d 192.168.100.3 --dport 21 -m state --state NEW -j ACCEPT
iptables -A FORWARD -p tcp -d 192.168.100.3 --dport 1024: -m state --state NEW -j ACCEPT

Are you okay with the above 4 rules? If WRONG, please write down your rules. I am going to put this vsftp server into PRODUCTION USE.

Please also make sure my firewall has the below rules such as DROP, ESTABLISHED, RELATED.

iptables -P INPUT DROP
iptables -P FORWARD DROP
iptables -P OUTPUT DROP
iptables -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
iptables -A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT
iptables -A OUTPUT -m state --state ESTABLISHED,RELATED -j ACCEPT

YOUR comments.

--
Thank you
Indunil Jayasooriya

_______________________________________________
LARTC mailing list
LARTC@mailman.ds9a.nl
http://mailman.ds9a.nl/cgi-bin/mailman/listinfo/lartc
On 10/5/2007 12:51 AM, Indunil Jayasooriya wrote:
> I want to run vsftp behind a firewall (i.e. DMZ zone). It is running as
> passive ftp.

Ok...

> Then, how can I write DNAT rules?

You don't want to write rules for each possible combination.

> YOUR comments.

Use the FTP helper module as it is meant to take care of this for you.

Grant. . . .
On 10/5/07, Grant Taylor <gtaylor@riverviewtech.net> wrote:
>
> On 10/5/2007 12:51 AM, Indunil Jayasooriya wrote:
> > I want to run vsftp behind a firewall (i.e. DMZ zone). It is running as
> > passive ftp.
>
> Ok...
>
> > Then, how can I write DNAT rules?
>
> You don't want to write rules for each possible combination.
>
> > YOUR comments.
>
> Use the FTP helper module as it is meant to take care of this for you.

What is the FTP helper module? Is it ip_nat_ftp?

ANYWAY, I have loaded the below 2 modules.

/sbin/modprobe -a ip_conntrack_ftp ip_nat_ftp

YOUR COMMENTS.

> Grant. . . .

--
Thank you
Indunil Jayasooriya
On 10/05/07 02:16, Indunil Jayasooriya wrote:
> What is the FTP helper module?

As I understand it, the Connection Tracking FTP helper module is essentially a small module / algorithm that you load into the Connection Tracking structure (via the below modules) to watch what ftp commands you send out and / or receive, so that it can dynamically, on the fly, update the connection tracking table to allow the other negotiated ports that FTP uses through stateful packet inspection. In other words, you should not need to write explicit rules for control and data connections, be it active or passive.

> Is it ip_nat_ftp?

Yes.

> ANYWAY, I have loaded the below 2 modules.
>
> /sbin/modprobe -a ip_conntrack_ftp ip_nat_ftp
>
> YOUR COMMENTS.

That should work. I'll have to double check some things to make sure that you don't need to do anything special other than just allow the initial connection and rely on the FTP connection tracking helper to handle all other connections.

I've never run an FTP server behind a NAT, but I've never had a problem with the FTP client behind the NAT with the above modules loaded. Though it is my understanding that the module will take care of both.

Grant. . . .
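Putting the thread's advice together, as an added example that is not part of the original posts: a firewall script that loads the FTP helper and forwards only the control port, leaving the data connections to connection tracking. The interface name, the IPT/WAN_IF/WAN_IP/FTP_SRV variables and the script layout are assumptions; the addresses are the ones used in the thread.

```shell
#!/bin/sh
# Added example (not from the thread): passive-mode vsftpd in a DMZ, relying on
# the conntrack FTP helper instead of DNATing every port above 1024.
# Assumed values: WAN interface eth0, public address 1.2.3.4, FTP server
# 192.168.100.3 (addresses as used in the thread).
IPT=${IPT:-iptables}   # set IPT=echo to print the rules instead of applying them
WAN_IF=${WAN_IF:-eth0}
WAN_IP=${WAN_IP:-1.2.3.4}
FTP_SRV=${FTP_SRV:-192.168.100.3}

load_ftp_helper() {
    # The conntrack helper watches PORT/PASV on the control channel and marks
    # the resulting data connection RELATED; the NAT helper rewrites the
    # private address inside the PASV reply. Newer kernels call the modules
    # nf_conntrack_ftp / nf_nat_ftp, so fall back to those names.
    modprobe -a ip_conntrack_ftp ip_nat_ftp 2>/dev/null ||
        modprobe -a nf_conntrack_ftp nf_nat_ftp
}

apply_ftp_rules() {
    $IPT -P INPUT DROP
    $IPT -P FORWARD DROP
    $IPT -P OUTPUT DROP
    # Stateful baseline: helper-created data connections match RELATED here,
    # so no "ports > 1024" rule is needed in nat or FORWARD.
    $IPT -A INPUT   -m state --state ESTABLISHED,RELATED -j ACCEPT
    $IPT -A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT
    $IPT -A OUTPUT  -m state --state ESTABLISHED,RELATED -j ACCEPT
    # Kernels 4.7 and later no longer attach helpers automatically by default;
    # bind the ftp helper explicitly to the control port with the CT target.
    $IPT -t raw -A PREROUTING -p tcp -i "$WAN_IF" --dport 21 -j CT --helper ftp
    # Only the control channel gets an explicit DNAT and a NEW-state accept.
    $IPT -t nat -A PREROUTING -p tcp -i "$WAN_IF" -d "$WAN_IP" --dport 21 \
        -j DNAT --to-destination "$FTP_SRV":21
    $IPT -A FORWARD -p tcp -i "$WAN_IF" -d "$FTP_SRV" --dport 21 \
        -m state --state NEW -j ACCEPT
}

# Apply only when run as "sh ftp-dmz.sh apply"; sourcing just defines the functions.
if [ "${1:-}" = apply ]; then
    load_ftp_helper
    apply_ftp_rules
fi
```

Run with IPT=echo first to review the generated ruleset before applying it on the firewall.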