Shorewall users - Dec 2004 - [Fwd: 2 ftp serwers problem]

-- 
Tom Eastep    \ Nothing is foolproof to a sufficiently talented fool
Shoreline,     \ http://shorewall.net
Washington USA  \ teastep@shorewall.net
PGP Public Key   \ https://lists.shorewall.net/teastep.pgp.key

The accept rules need to be for the external interface of the
firewall.  Also, you don''t want to use NAT, you want to use REDIRECT. 
The FAQ explains how to accomplish all this very effectively.  Which
is, I''m sure, why Tom just forwarded this to the list rather than
answering it directly.


On Wed, 15 Dec 2004 12:28:02 -0800, Tom Eastep <teastep@shorewall.net>
wrote:
> 
> --
> Tom Eastep    \ Nothing is foolproof to a sufficiently talented fool
> Shoreline,     \ http://shorewall.net
> Washington USA  \ teastep@shorewall.net
> PGP Public Key   \ https://lists.shorewall.net/teastep.pgp.key
> 
> 
> 
> ---------- Forwarded message ----------
> From: viuwier <viuwier@wp.pl>
> To: shorewall-announce-owner@lists.shorewall.net
> Date: Wed, 15 Dec 2004 21:24:38 +0100
> Subject: 2 ftp serwers problem
> Hello,
> 
> I have a local network with gateway (192.168.1.1) to internet, it is
> computer with slackware and shorewall.
> 
> I have ftp serwer on my gateway computer, serwer is on 21 port and it
> is accesable for external and internal computers ( from internet and
> local network ).
> 
> Today I have installed Serwer on my local machine (192.168.1.6) on
> port 22019. The serwer is accesable from loal computers in local
> network and also from my gateway.
> 
> Now I want to make to accesable from external (from computers from
> internet). I have made some rules in shorewall:
> 
> rules file:
> ACCEPT  net     fw      tcp     ftp
> ACCEPT  loc:192.168.1.6:22019   net     tcp     22019
> ACCEPT  loc:192.168.1.6:22019   net     udp     22019
> DNAT    net     loc:192.168.1.6:22019 tcp 22019
> DNAT    net     loc:192.168.1.6:22019 udp 22019
> 
> interfaces file:
> net     ppp0    217.96.90.242           #blacklist
> loc     eth0    192.168.1.255           dhcp,maclist,routeback
> 
> modules file:
>     loadmodule ip_tables
>     loadmodule iptable_filter
>     loadmodule ip_conntrack
>     loadmodule ip_conntrack_ftp ports=21,22019
>     loadmodule ip_conntrack_irc
>     loadmodule iptable_nat
>     loadmodule ip_nat_ftp ports=21,22019
>     loadmodule ip_nat_irc
> 
> etc/modules.conf file:
> options ip_conntrack_ftp ports=21,22019
> options ip_nat_ftp ports=21,22019
> 
> Computer rebooted but still I cant connet from external to my ftp
> serwer in local network. What is wrong ?
> 
> --
> Best wishes from Poland
> Maciek
> 
> 
> _______________________________________________
> Shorewall-users mailing list
> Post: Shorewall-users@lists.shorewall.net
> Subscribe/Unsubscribe:
https://lists.shorewall.net/mailman/listinfo/shorewall-users
> Support: http://www.shorewall.net/support.htm
> FAQ: http://www.shorewall.net/FAQ.htm
> 
>

On Wed, 2004-12-15 at 14:33 -0600, Gary Buckmaster
wrote:
> The accept rules need to be for the external interface of the
> firewall.  Also, you don''t want to use NAT, you want to use
REDIRECT.
> The FAQ explains how to accomplish all this very effectively.  Which
> is, I''m sure, why Tom just forwarded this to the list rather than
> answering it directly.
I forwarded it to the users list because the OP originally sent it to
the ANNOUNCEMENT LIST.

-Tom
-- 
Tom Eastep    \ Nothing is foolproof to a sufficiently talented fool
Shoreline,     \ http://shorewall.net
Washington USA  \ teastep@shorewall.net
PGP Public Key   \ https://lists.shorewall.net/teastep.pgp.key

On Wed, 2004-12-15 at 12:28 -0800, Tom Eastep wrote:
> Email message/mailbox attachment, "Forwarded message - 2 ftp serwers
> problem"
> O
> > 
> > rules file:
> > ACCEPT  net     fw      tcp     ftp
> > ACCEPT  loc:192.168.1.6:22019   net     tcp     22019
> > ACCEPT  loc:192.168.1.6:22019   net     udp     22019
I don''t understand the point of the above two rules but they
aren''t
hurting anything.
> > DNAT    net     loc:192.168.1.6:22019 tcp 22019
> > DNAT    net     loc:192.168.1.6:22019 udp 22019
FTP doesn''t use UDP so the above rule is unnecessary.
> > 
> > interfaces file:
> > net     ppp0    217.96.90.242           #blacklist
> > loc     eth0    192.168.1.255           dhcp,maclist,routeback
> > 
> > modules file:
> >     loadmodule ip_tables
> >     loadmodule iptable_filter
> >     loadmodule ip_conntrack
> >     loadmodule ip_conntrack_ftp ports=21,22019
> >     loadmodule ip_conntrack_irc
> >     loadmodule iptable_nat
> >     loadmodule ip_nat_ftp ports=21,22019
> >     loadmodule ip_nat_irc
> > 
> > etc/modules.conf file:
> > options ip_conntrack_ftp ports=21,22019
> > options ip_nat_ftp ports=21,22019
> > 
> > Computer rebooted but still I cant connet from external to my ftp
> > serwer in local network. What is wrong ?
If you can''t connect then you need to troubleshoot the problem as
described in FAQs 1a and 1b. If you can connect but have problems
transferring data or getting directory listings then I don''t know what
could be wrong; what are you seeing in your logs.

-Tom
-- 
Tom Eastep    \ Nothing is foolproof to a sufficiently talented fool
Shoreline,     \ http://shorewall.net
Washington USA  \ teastep@shorewall.net
PGP Public Key   \ https://lists.shorewall.net/teastep.pgp.key