Jayel
2003-Jun-16 22:26 UTC
[Shorewall-users] my problem with running a passive FTP server in DMZ

Here's the original thread -->> http://lists.shorewall.net/pipermail/shorewall-users/2003-April/006019.html.

Well, I have several thoughts that may solve this problem after coming back to it after so long.

On my Windows FTP server (raidenftpd software), it is asking for a host. I put there "dynamichost.dyndns.org" (sample only). Maybe this is wrong. Maybe I should've put the actual IP of the Windows PC, which is 192.168.2.2.

I do know PASV works on this software as I've used it with much success. I'm not saying shorewall is to blame; it could most probably be my config.

Thank you.

Jayel

_______________________________________________
Join Excite! - http://www.excite.com
The most personalized portal on the Web!
Tom Eastep
2003-Jun-17 07:02 UTC
[Shorewall-users] my problem with running a passive FTP server in DMZ

On Mon, 2003-06-16 at 22:26, Jayel wrote:
> Here's the original thread -->> http://lists.shorewall.net/pipermail/shorewall-users/2003-April/006019.html.
>
> Well, I have several thoughts that may solve this problem after coming back to it after so long.
>
> On my Windows FTP server (raidenftpd software), it is asking for a host. I put there "dynamichost.dyndns.org" (sample only). Maybe this is wrong. Maybe I should've put the actual IP of the Windows PC, which is 192.168.2.2.
>
> I do know PASV works on this software as I've used it with much success. I'm not saying shorewall is to blame; it could most probably be my config.
>

I told you the first time and I'll tell you only once more -- DO NOT SPECIFY A MASQUERADE IP ADDRESS TO YOUR FTP SERVER.

-Tom
--
Tom Eastep    \ Shorewall - iptables made easy
Shoreline,     \ http://www.shorewall.net
Washington USA  \ teastep@shorewall.net
Tom Eastep
2003-Jun-17 09:00 UTC
[Shorewall-users] my problem with running a passive FTP server in DMZ

On Tue, 2003-06-17 at 07:02, Tom Eastep wrote:
> On Mon, 2003-06-16 at 22:26, Jayel wrote:
> > Here's the original thread -->> http://lists.shorewall.net/pipermail/shorewall-users/2003-April/006019.html.
> >
> > Well, I have several thoughts that may solve this problem after coming back to it after so long.
> >
> > On my Windows FTP server (raidenftpd software), it is asking for a host. I put there "dynamichost.dyndns.org" (sample only). Maybe this is wrong. Maybe I should've put the actual IP of the Windows PC, which is 192.168.2.2.
> >
> > I do know PASV works on this software as I've used it with much success. I'm not saying shorewall is to blame; it could most probably be my config.
> >
>
> I told you the first time and I'll tell you only once more -- DO NOT
> SPECIFY A MASQUERADE IP ADDRESS TO YOUR FTP SERVER.

I have just reproduced your environment on my own firewall. In my case, the rule is:

DNAT loc dmz:206.124.146.177:21 tcp 23000 - 192.168.1.193

While this is backward to the way one normally does port forwarding (usually a public IP address is forwarded to a private one), this setup is nevertheless equivalent to yours.

In /etc/shorewall/modules:

loadmodule ip_conntrack_ftp ports=21,23000
loadmodule ip_nat_ftp ports=21,23000

I made NO CHANGES to my ftp server configuration.

From my local network:

[teastep@wookie Shorewall]$ ftp
ftp> open mail 23000
Connected to lists.shorewall.net.
220-=(<*>)=-.:. (( Welcome to PureFTPd 1.0.12 )) .:.-=(<*>)=-
220-You are user number 1 of 50 allowed.
220-Local time is now 08:46 and the load is 0.14. Server port: 21.
220 You will be disconnected after 15 minutes of inactivity.
500 Security extensions not implemented
500 Security extensions not implemented
KERBEROS_V4 rejected as an authentication type
Name (mail:teastep): ftp
331-Welcome to ftp.shorewall.net
331-
331 Any password will work
Password:
230 Any password will work
Remote system type is UNIX.
Using binary mode to transfer files.
ftp> passive
Passive mode off.
ftp> passive
Passive mode on.
ftp> ls
227 Entering Passive Mode (192,168,1,193,202,172)
150 Accepted data connection
drwxr-xr-x 5 0 0 4096 Nov 9 2002 archives
drwxr-xr-x 2 0 0 4096 Feb 12 2002 etc
drwxr-sr-x 6 0 50 4096 Feb 19 15:24 pub
226-Options: -l
226 3 matches total
ftp> quit
221-Goodbye. You uploaded 0 and downloaded 0 kbytes.
221 Logout - CPU time spent: 0.020 seconds.
[teastep@wookie Shorewall]$

-Tom
--
Tom Eastep    \ Shorewall - iptables made easy
Shoreline,     \ http://www.shorewall.net
Washington USA  \ teastep@shorewall.net
Tom Eastep
2003-Jun-17 15:52 UTC
[Shorewall-users] my problem with running a passive FTP server in DMZ

On Tue, 2003-06-17 at 07:02, Tom Eastep wrote:
>
> I told you the first time and I'll tell you only once more -- DO NOT
> SPECIFY A MASQUERADE IP ADDRESS TO YOUR FTP SERVER.

I apologize if it wasn't you that I made this point to recently.

FTP servers permit specifying the external IP address of the firewall to compensate for broken/stupid firewalls that don't handle FTP as well as Netfilter does. With Netfilter, using this FTP server facility actually breaks the firewall's handling of FTP.

-Tom
--
Tom Eastep    \ Shorewall - iptables made easy
Shoreline,     \ http://www.shorewall.net
Washington USA  \ teastep@shorewall.net
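As an added illustration of the point made in this message (example code, not anything from the list, from Shorewall or from Netfilter): decode the 227 reply shown in the transcript earlier in the thread and check whether the address a server announces in PASV mode is the address its control connection actually comes from. The 203.0.113.10 address standing in for a firewall's external address is constructed.

```python
import re
from ipaddress import ip_address

PASV_RE = re.compile(r"^227 .*?\((\d+),(\d+),(\d+),(\d+),(\d+),(\d+)\)")

# Constructed inputs: the 227 reply from the transcript in this thread, and one from a
# server that was told to announce the firewall's external address (203.0.113.10, constructed).
PASV_OWN_ADDR = "227 Entering Passive Mode (192,168,1,193,202,172)"
PASV_EXTERNAL = "227 Entering Passive Mode (203,0,113,10,202,172)"


def parse_pasv(reply):
    """Decode a 227 reply into (address, port); the port is sent as two octets,
    high byte first, so 202,172 is 202 * 256 + 172 = 51884."""
    m = PASV_RE.match(reply.strip())
    if not m:
        raise ValueError("not a 227 Entering Passive Mode reply: %r" % reply)
    octets = [int(x) for x in m.groups()]
    if max(octets) > 255:
        raise ValueError("octet out of range in PASV reply: %r" % reply)
    h1, h2, h3, h4, p1, p2 = octets
    return f"{h1}.{h2}.{h3}.{h4}", p1 * 256 + p2


def check_pasv_address(reply, control_peer):
    """Return None if the server announces the address its control connection
    actually comes from, else a message naming the mismatch. A server configured
    with the firewall's external ("masquerade") address fails this check: the
    announced data-connection address no longer belongs to the server itself."""
    addr, port = parse_pasv(reply)
    if ip_address(addr) == ip_address(control_peer):
        return None
    return (f"server {control_peer} announced {addr}:{port}; drop the external "
            "address from the FTP server config and let the firewall rewrite PASV")
```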
Jayel
2003-Jun-17 19:27 UTC
[Shorewall-users] my problem with running a passive FTP server in DMZ

Just a clarification on this rule:

DNAT loc dmz:206.124.146.177:21 tcp 23000 - 192.168.1.193

1. I assume you are trying to connect from your LAN inside the firewall?
2. Is 206.124.146.177 your IP given by the ISP/telco? What if I'm using ADSL, which has a dynamic IP; how would I represent that in the rule?
3. What's the 21 after 206.124.146.177? Does it mean that the "world" can see an FTP server at 206.124.146.177 port 21?
4. Is 192.168.1.193 the non-routable IP of your DMZ server running the FTP software?

So if my assumptions are correct, then my rule if I'm trying to connect to my FTP from work should be:

DNAT net dmz:ip_here:23000 tcp 23000 - 192.168.2.2

I tried this rule and it wouldn't work. I get this message from dmesg:

Shorewall:net2all:DROP:IN=ppp0 OUT= MAC= SRC=work_ip DST=IP_given_by_ISP LEN=48 TOS=0x00 PREC=0x00 TTL=112 ID=5774 DF PROTO=TCP SPT=1821 DPT=23000 WINDOW=64240 RES=0x00 SYN URGP=0

My FTP server is still using "dynamic_dns_here.dyndns.org" as its host in the config. If this is wrong then I assume I must use "192.168.2.2". Right?

Thank you
Jayel

--- On Tue 06/17, Tom Eastep <teastep@shorewall.net> wrote:
From: Tom Eastep [mailto: teastep@shorewall.net]
To: jarthel@excite.com
Cc: shorewall-users@lists.shorewall.net
Date: 17 Jun 2003 09:00:43 -0700
Subject: Re: [Shorewall-users] my problem with running a passive FTP server in DMZ
[quoted copy of Tom Eastep's 09:00 UTC message omitted; see above]
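An added diagnostic check, not from the list or from Shorewall itself: it parses a DNAT rule in the column layout used in this thread together with the net2all DROP line, and reports which rule columns the logged packet fails to match. The interface-to-zone map and the 203.0.113.10 / 198.51.100.7 addresses are constructed stand-ins for the ISP-assigned and work addresses.

```python
import ipaddress
import re

# Constructed interface -> zone map (Shorewall reads this from /etc/shorewall/interfaces).
ZONE_OF_IFACE = {"ppp0": "net", "eth1": "loc", "eth2": "dmz"}

# Constructed inputs: the reversed rule from the thread and its corrected form, with
# 203.0.113.10 standing in for the ISP-assigned address and 198.51.100.7 for the work IP.
BAD_RULE = "DNAT net dmz:203.0.113.10:23000 tcp 23000 - 192.168.2.2"
GOOD_RULE = "DNAT net dmz:192.168.2.2:23000 tcp 23000 - 203.0.113.10"
LOG = ("Shorewall:net2all:DROP:IN=ppp0 OUT= MAC= SRC=198.51.100.7 DST=203.0.113.10 "
       "LEN=48 TOS=0x00 PREC=0x00 TTL=112 ID=5774 DF PROTO=TCP SPT=1821 DPT=23000 "
       "WINDOW=64240 RES=0x00 SYN URGP=0")


def parse_rule(line):
    """DNAT line columns: ACTION SOURCE DEST PROTO DEST_PORT SOURCE_PORT ORIGINAL_DEST."""
    cols = line.split()
    if len(cols) < 5 or cols[0] != "DNAT":
        raise ValueError("not a DNAT rule: %r" % line)
    cols += ["-"] * (7 - len(cols))          # trailing columns default to '-'
    dest = cols[2].split(":")                 # DEST is zone[:server[:port]]
    return {"source": cols[1], "dest_zone": dest[0],
            "server": dest[1] if len(dest) > 1 else None,
            "proto": cols[3].lower(), "dport": cols[4],
            "orig_dest": None if cols[6] == "-" else cols[6]}


def parse_log(line):
    """Shorewall LOG line -> dict of chain, disposition and netfilter key=value fields."""
    m = re.search(r"Shorewall:([^:]+):([^:]+):(.*)", line)
    if not m:
        raise ValueError("not a Shorewall log line: %r" % line)
    fields = {"chain": m.group(1), "disposition": m.group(2)}
    for tok in m.group(3).split():
        key, sep, val = tok.partition("=")
        fields[key] = val if sep else True    # bare flags such as DF, SYN -> True
    return fields


def why_rule_missed(rule_line, log_line, zone_of=ZONE_OF_IFACE):
    """Rule columns the logged packet fails to match ([] means the rule would match)."""
    rule, pkt = parse_rule(rule_line), parse_log(log_line)
    zone, reasons = zone_of.get(pkt.get("IN")), []
    if rule["source"] not in (zone, "all"):
        reasons.append(f"SOURCE {rule['source']} != zone {zone} of IN={pkt.get('IN')}")
    if rule["dport"] != pkt.get("DPT"):
        reasons.append(f"DEST PORT {rule['dport']} != DPT={pkt.get('DPT')}")
    od = rule["orig_dest"]
    if od and ipaddress.ip_address(pkt["DST"]) not in ipaddress.ip_network(od, strict=False):
        reasons.append(f"ORIGINAL DEST {od} != DST={pkt['DST']}")
    return reasons
```

Running `why_rule_missed(BAD_RULE, LOG)` names only the ORIGINAL DEST column, which is the reversal later pointed out in the thread; the same rule with the ORIGINAL DEST column left empty also matches.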
Tom Eastep
2003-Jun-17 19:32 UTC
[Shorewall-users] my problem with running a passive FTP server in DMZ

On Tue, 17 Jun 2003, Jayel wrote:
>
> Just a clarification on this rule:
>
> DNAT loc dmz:206.124.146.177:21 tcp 23000 - 192.168.1.193
>
> 1. I assume you are trying to connect from your LAN inside the firewall?

Yes.

> 2. Is 206.124.146.177 your IP given by the ISP/telco? What if I'm using ADSL, which has a dynamic IP; how would I represent that in the rule?
>

No -- it's the IP address of my server in my DMZ.

> 3. What's the 21 after 206.124.146.177? Does it mean that the "world" can see an FTP server at 206.124.146.177 port 21?

It means that the server is listening on port 21.

> 4. Is 192.168.1.193 the non-routable IP of your DMZ server running the FTP software?
>

It's just an IP address that I added to my local network.

> So if my assumptions are correct, then my rule if I'm trying to connect to my FTP from work should be:
>
> DNAT net dmz:ip_here:23000 tcp 23000 - 192.168.2.2
>

No --

> I tried this rule and it wouldn't work. I get this message from dmesg:
>
> Shorewall:net2all:DROP:IN=ppp0 OUT= MAC= SRC=work_ip DST=IP_given_by_ISP LEN=48 TOS=0x00 PREC=0x00 TTL=112 ID=5774 DF PROTO=TCP SPT=1821 DPT=23000 WINDOW=64240 RES=0x00 SYN URGP=0
>
> My FTP server is still using "dynamic_dns_here.dyndns.org" as its host in the config. If this is wrong then I assume I must use "192.168.2.2". Right?
>

It should use its own IP address (or preferably, it should just not have any value for this attribute, which isn't needed but which you insist on providing).

-Tom
Tom Eastep    \ Shorewall - iptables made easy
Shoreline,     \ http://www.shorewall.net
Washington USA  \ teastep@shorewall.net
Tom Eastep
2003-Jun-17 19:48 UTC
[Shorewall-users] my problem with running a passive FTP server in DMZ

On Tue, 17 Jun 2003, Tom Eastep wrote:
>
> > So if my assumptions are correct, then my rule if I'm trying to connect to my FTP from work should be:
> >
> > DNAT net dmz:ip_here:23000 tcp 23000 - 192.168.2.2
> >
>
> No --
>

You have reversed the server IP address and the external IP address.

-Tom
--
Tom Eastep    \ Shorewall - iptables made easy
Shoreline,     \ http://www.shorewall.net
Washington USA  \ teastep@shorewall.net
Jayel
2003-Jun-17 21:36 UTC
[Shorewall-users] my problem with running a passive FTP server in DMZ

What is this IP for "192.168.1.193"? From my understanding of the "original destination" column and from your previous replies, this rule means:

DNAT loc dmz:206.124.146.177:21 tcp 23000 - 192.168.1.193

PC located at 192.168.1.193 port=23000 is listening for incoming FTP connection requests. Once a request is received, the request is passed on to the actual PC running the FTP server located at 206.124.146.177 port=21.

So the correct rule that I should use if I'm connecting from work to my home LAN is:

DNAT net dmz:192.168.2.2:23000 tcp 23000 - IP_given_by_ISP

Right? If I'm incorrect, can you please post the correct rule?

Also, how do I account for dynamic IP? Can I put for example 210.12.2.0/24 in the original dest column?

Thanks
Jayel

--- On Tue 06/17, Tom Eastep <teastep@shorewall.net> wrote:
From: Tom Eastep [mailto: teastep@shorewall.net]
To: jarthel@excite.com
Cc: shorewall-users@lists.shorewall.net
Date: Tue, 17 Jun 2003 19:48:35 -0700 (Pacific Daylight Time)
Subject: Re: [Shorewall-users] my problem with running a passive FTP server in DMZ
[quoted copy of Tom Eastep's 19:48 UTC message omitted; see above]
Tom Eastep
2003-Jun-18 06:03 UTC
[Shorewall-users] my problem with running a passive FTP server in DMZ

On Tue, 2003-06-17 at 21:36, Jayel wrote:
> What is this IP for "192.168.1.193"? From my understanding of the "original destination" column and from your previous replies, this rule means:
>
> DNAT loc dmz:206.124.146.177:21 tcp 23000 - 192.168.1.193
>
> PC located at 192.168.1.193 port=23000 is listening for incoming FTP connection requests. Once a request is received, the request is passed on to the actual PC running the FTP server located at 206.124.146.177 port=21.
>
> So the correct rule that I should use if I'm connecting from work to my home LAN is:
>
> DNAT net dmz:192.168.2.2:23000 tcp 23000 - IP_given_by_ISP
>
> Right?

Correct.

>
> If I'm incorrect, can you please post the correct rule?
>
> Also, how do I account for dynamic IP? Can I put for example 210.12.2.0/24 in the original dest column?
>

This is covered in the FAQ -- see the answer to FAQ #2.

-Tom
--
Tom Eastep    \ Shorewall - iptables made easy
Shoreline,     \ http://www.shorewall.net
Washington USA  \ teastep@shorewall.net
Tom Eastep
2003-Jun-18 06:59 UTC
[Shorewall-users] my problem with running a passive FTP server in DMZ

On Wed, 2003-06-18 at 06:03, Tom Eastep wrote:
>
> > Also, how do I account for dynamic IP? Can I put for example 210.12.2.0/24 in the original dest column?
> >
>
> This is covered in the FAQ -- see the answer to FAQ #2.

If you have only a single public IP address, you can just leave that column empty.

-Tom
--
Tom Eastep    \ Shorewall - iptables made easy
Shoreline,     \ http://www.shorewall.net
Washington USA  \ teastep@shorewall.net