-------- Original Message --------
Subject: Re: [LARTC] DNAT rule for vsftp (PASSIVE FTP)
Date: Fri, 05 Oct 2007 12:17:42 +0530
From: Mohan Sundaram <smohan@vsnl.com>
Reply-To: smohan@vsnl.com
To: Indunil Jayasooriya <indunil75@gmail.com>
References: <7ed6b0aa0710042251u6442fb85ma74e46aa9d3f81f9@mail.gmail.com>

Indunil Jayasooriya wrote:
> Hi all,
>
> I want to run vsftp behind a firewall (i.e. a DMZ zone). It is running as
> passive ftp.
>
> The theory behind passive ftp is:
>
> * FTP server's port 21 from anywhere (Client initiates connection)
> * FTP server's port 21 to ports > 1024 (Server responds to client's
>   control port)
> * FTP server's ports > 1024 from anywhere (Client initiates data
>   connection to random port specified by server)
> * FTP server's ports > 1024 to remote ports > 1024 (Server sends
>   ACKs (and data) to client's data port)
>
> Then, how can I write DNAT rules?
>
> Pls assume 1.2.3.4 is the ip of the internet interface.
>
> #DNAT from Internet to the box running VSFTP @ 192.168.100.3
> iptables -t nat -A PREROUTING -p tcp -i eth0 -d 1.2.3.4 --dport 21 -j DNAT --to-destination 192.168.100.3:21
> iptables -t nat -A PREROUTING -p tcp -i eth0 -d 1.2.3.4 --dport 1024: -j DNAT --to-destination 192.168.100.3
>
> And also
> #connect to below ip (actual destination ip) with below ports, due to DNATing
> iptables -A FORWARD -p tcp -d 192.168.100.3 --dport 21 -m state --state NEW -j ACCEPT
> iptables -A FORWARD -p tcp -d 192.168.100.3 --dport 1024: -m state --state NEW -j ACCEPT
>
> R u okay with the above 4 rules?
>
> If WRONG, pls write down your rules. I am going to put this vsftp server
> into PRODUCTION USE.
>
> Pls also make sure my firewall has below rules such as DROP,
> ESTABLISHED,RELATED.
>
> iptables -P INPUT DROP
> iptables -P FORWARD DROP
> iptables -P OUTPUT DROP
>
> iptables -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
> iptables -A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT
> iptables -A OUTPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
>
> YOUR comments.
>
> --
> Thank you
> Indunil Jayasooriya

If you want to run apps with different ports for control and data, you need to run an ALG or the connection tracking helper ip_conntrack_ftp.

Extracted from http://www.kalamazoolinux.org/presentations/20010417/conntrack.html

Connection tracking and ftp

Firstly, you need to load the ip_conntrack_ftp module. Assuming you have a single-homed box, a simple ruleset to allow an ftp connection would be:

iptables -A INPUT -p tcp --sport 21 -m state --state ESTABLISHED -j ACCEPT
iptables -A OUTPUT -p tcp --dport 21 -m state --state NEW,ESTABLISHED -j ACCEPT

(Please note, I am assuming here you have a separate ruleset to allow any icmp RELATED to the connection. Please see my example ruleset for this).

This is not the whole story. An ftp connection also needs a data-channel, which can be provided in one of two ways:

1) Active ftp

The ftp client sends a port number over the ftp channel via a PORT command to the ftp server. The ftp server then connects from port 20 to this port to send data, such as a file, or the output from an ls command. The ftp-data connection is in the opposite sense from the original ftp connection. To allow active ftp without knowing the port number that has been passed we need a general rule which allows connections from port 20 on remote ftp servers to high ports (port numbers > 1023) on ftp clients. This is simply too general to ever be secure.

Enter the ip_conntrack_ftp module. This module is able to recognize the PORT command and pick out the port number. As such, the ftp-data connection can be classified as RELATED to the original outgoing connection to port 21, so we don't need NEW as a state match for the connection in the INPUT chain. The following rules will serve our purposes grandly:

iptables -A INPUT -p tcp --sport 20 -m state --state ESTABLISHED,RELATED -j ACCEPT
iptables -A OUTPUT -p tcp --dport 20 -m state --state ESTABLISHED -j ACCEPT

2) Passive ftp

A PORT command is again issued, but this time it is from the server to the client. The client connects to the server for data transfer. Since the connection is in the same sense as the original ftp connection, passive ftp is inherently more secure than active ftp, but note that this time we know even less about the port numbers. Now we have a connection between almost arbitrary port numbers.

Enter the ip_conntrack_ftp module once more. Again, this module is able to recognize the PORT command and pick out the port number. Instead of NEW in the state match for the OUTPUT chain, we can use RELATED. The following rules will suffice:

iptables -A INPUT -p tcp --sport 1024: --dport 1024: -m state --state ESTABLISHED -j ACCEPT
iptables -A OUTPUT -p tcp --sport 1024: --dport 1024: -m state --state ESTABLISHED,RELATED -j ACCEPT

Mohan
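The DNAT ruleset the question asks for, rewritten to rely on the conntrack FTP helper as the reply recommends, so that the data connection is accepted as RELATED and no NEW rule for the whole >1024 range is needed. This is an added example, not code from the thread; it reuses the thread's addresses (1.2.3.4 on eth0, vsftpd at 192.168.100.3) and assumes a current kernel, where the helper is called nf_conntrack_ftp (with nf_nat_ftp for the NAT rewrite) and must be attached explicitly with the CT target because automatic helper assignment is off by default.

```shell
#!/bin/sh
# Added example (not from the thread): passive-FTP DNAT ruleset that relies on
# the conntrack FTP helper instead of DNATing every port above 1024.
# Assumed: public IP 1.2.3.4 on eth0 and vsftpd at 192.168.100.3 (values from
# the thread); nf_conntrack_ftp / nf_nat_ftp and the CT --helper target are the
# current names for the ip_conntrack_ftp helper the post refers to. Load the
# two modules (modprobe) before applying for real.
# IPT defaults to a dry-run printer so the rules can be reviewed first;
# run with IPT=iptables to apply them.
IPT="${IPT:-echo iptables}"
PUB_IP="${PUB_IP:-1.2.3.4}"
PUB_IF="${PUB_IF:-eth0}"
FTP_SRV="${FTP_SRV:-192.168.100.3}"

passive_ftp_rules() {
    # Attach the helper explicitly: with automatic helper assignment off
    # (the default on current kernels) the PASV reply is otherwise never
    # inspected and the data connection never becomes RELATED.
    $IPT -t raw -A PREROUTING -i "$PUB_IF" -p tcp --dport 21 -j CT --helper ftp

    # DNAT only the control port. The data port announced in the PASV reply
    # is picked out by the helper, which sets up its own NAT mapping for it.
    $IPT -t nat -A PREROUTING -i "$PUB_IF" -p tcp -d "$PUB_IP" --dport 21 \
        -j DNAT --to-destination "$FTP_SRV:21"

    # Control channel: NEW is allowed only to port 21 on the real server.
    $IPT -A FORWARD -i "$PUB_IF" -p tcp -d "$FTP_SRV" --dport 21 \
        -m conntrack --ctstate NEW -j ACCEPT

    # Data channel: arrives as RELATED, so no NEW rule for ports >1024.
    $IPT -A FORWARD -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
}

# Review check for the dry run: succeeds (exit 0) only if some rule still
# opens the whole >1024 range, the hole the original four rules had.
rules_open_high_ports() {
    passive_ftp_rules | grep -q -- '--dport 1024:'
}

passive_ftp_rules
```

The FORWARD policy stays DROP as in the original post; everything the client opens on the server's announced data port is matched by the helper and passes only as RELATED.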