Hello, I have a local network with a gateway (192.168.1.1) to the internet; it is a computer with Slackware and Shorewall. I have an ftp server on my gateway computer, the server is on port 21 and it is accessible for external and internal computers (from the internet and the local network). Today I have installed a server on my local machine (192.168.1.6) on port 22019. The server is accessible from local computers in the local network and also from my gateway. Now I want to make it accessible from outside (from computers on the internet). I have made some rules in shorewall:

rules file:

    ACCEPT net fw tcp ftp
    ACCEPT loc:192.168.1.6:22019 net tcp 22019
    ACCEPT loc:192.168.1.6:22019 net udp 22019
    DNAT net loc:192.168.1.6:22019 tcp 22019
    DNAT net loc:192.168.1.6:22019 udp 22019

interfaces file:

    net ppp0 217.96.90.242 #blacklist
    loc eth0 192.168.1.255 dhcp,maclist,routeback

modules file:

    loadmodule ip_tables
    loadmodule iptable_filter
    loadmodule ip_conntrack
    loadmodule ip_conntrack_ftp ports=21,22019
    loadmodule ip_conntrack_irc
    loadmodule iptable_nat
    loadmodule ip_nat_ftp ports=21,22019
    loadmodule ip_nat_irc

etc/modules.conf file:

    options ip_conntrack_ftp ports=21,22019
    options ip_nat_ftp ports=21,22019

The computer was rebooted but still I can't connect from outside to my ftp server in the local network. What is wrong?

--
Best wishes from Poland
Maciek
On Wed, 2004-12-15 at 23:19 +0100, viuwier wrote:
> The computer was rebooted but still I can't connect from outside to my ftp
> server in the local network. What is wrong?

I've forwarded my earlier response off-list.

-Tom
--
Tom Eastep \ Nothing is foolproof to a sufficiently talented fool
Shoreline, \ http://shorewall.net
Washington USA \ teastep@shorewall.net
PGP Public Key \ https://lists.shorewall.net/teastep.pgp.key
> I've forwarded my earlier response off-list.

Thanks. I can't connect from the external network to the local computer; there is no connection. Also I don't have the problems from FAQ 1a. I have followed the instructions from 1b and the packet count is zero, it isn't blocked by my ISP and I am not trying to connect to a secondary IP. I was wondering... maybe should I use a REDIRECT rule? How to use it? I can't find it in the FAQ. Also I don't know whether I have this option in my Slackware 9.0 kernel. Is there a way to check it?

--
best wishes from Poland,
Maciej Kurkiewicz
ICQ: 3385742
On Sat, 2004-12-18 at 15:58 +0100, viuwier wrote:
> I can't connect from the external network to the local computer; there is no
> connection. Also I don't have the problems from FAQ 1a. I have followed the
> instructions from 1b and the packet count is zero, it isn't blocked by my
> ISP and I am not trying to connect to a secondary IP.
>
> I was wondering... maybe should I use a REDIRECT rule? How to use it?
> I can't find it in the FAQ. Also I don't know whether I have this option in
> my Slackware 9.0 kernel. Is there a way to check it?

If the packet counts in the 'nat' table are not incrementing then either:

a) Your firewall is not receiving the connection requests; or
b) Your rule doesn't match the connection requests.

Either way, using REDIRECT will *NOT* solve your problem.

-Tom
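The counter test Tom is referring to (take 'shorewall show nat' before and after a connection attempt from an outside host and see whether the DNAT rule's packet count moved) is easy to get wrong by eye when the table is long. The following checker is an added example and is not part of this thread or of Shorewall itself: it parses the counter lines in the format 'shorewall show nat' prints (iptables -t nat -L -v -n), handles the K/M/G suffixes iptables uses for large counters, and reports whether the DNAT rule for a given port/protocol matched anything between two snapshots. The two snapshots and the chain name net_dnat are constructed sample input.

```python
"""Parse 'shorewall show nat' (iptables -t nat -L -v -n) counter lines and tell
whether the DNAT rule for a given port matched packets between two snapshots."""
import re

# Constructed sample snapshots, modelled on the output format shown in this thread.
# Take them with 'shorewall show nat' before and after a connection attempt from
# an outside host.
BEFORE = """\
Chain net_dnat (1 references)
 pkts bytes target     prot opt in     out     source               destination
    0     0 DNAT       tcp  --  *      *       0.0.0.0/0            0.0.0.0/0           tcp dpt:22019 to:192.168.1.6:22019
    0     0 DNAT       udp  --  *      *       0.0.0.0/0            0.0.0.0/0           udp dpt:22019 to:192.168.1.6:22019
"""
AFTER = """\
Chain net_dnat (1 references)
 pkts bytes target     prot opt in     out     source               destination
    1    60 DNAT       tcp  --  *      *       0.0.0.0/0            0.0.0.0/0           tcp dpt:22019 to:192.168.1.6:22019
    0     0 DNAT       udp  --  *      *       0.0.0.0/0            0.0.0.0/0           udp dpt:22019 to:192.168.1.6:22019
"""

_SUFFIX = {"": 1, "K": 1000, "M": 1000000, "G": 1000000000}


def counter(tok):
    """iptables -v prints large counters as e.g. 12K or 3M; convert to an int."""
    m = re.fullmatch(r"(\d+)([KMG]?)", tok)
    if m is None:
        raise ValueError("bad counter: %r" % tok)
    return int(m.group(1)) * _SUFFIX[m.group(2)]


def parse_nat(text):
    """Return one dict per rule line: counters, target, protocol, dport and DNAT target."""
    rules = []
    for line in text.splitlines():
        tok = line.split()
        # Skip 'Chain ...' headers and the column-header line.
        if len(tok) < 9 or re.fullmatch(r"\d+[KMG]?", tok[0]) is None:
            continue
        rule = {"pkts": counter(tok[0]), "bytes": counter(tok[1]),
                "target": tok[2], "proto": tok[3], "dport": None, "to": None}
        for extra in tok[9:]:          # match extensions after the destination column
            if extra.startswith("dpt:"):
                rule["dport"] = int(extra[4:])
            elif extra.startswith("to:"):
                rule["to"] = extra[3:]
        rules.append(rule)
    return rules


def dnat_matched(before, after, port, proto="tcp"):
    """True if the DNAT rule for port/proto saw new packets between the snapshots.
    False is exactly the situation described above: either the packets never reached
    the firewall or the rule does not match them; the counters alone cannot tell
    those two apart."""
    def find(rules):
        for r in rules:
            if r["target"] == "DNAT" and r["proto"] == proto and r["dport"] == port:
                return r
        raise LookupError("no DNAT rule for %s/%d" % (proto, port))
    return find(parse_nat(after))["pkts"] > find(parse_nat(before))["pkts"]


if __name__ == "__main__":
    print("tcp/22019 DNAT matched:", dnat_matched(BEFORE, AFTER, 22019))
    print("udp/22019 DNAT matched:", dnat_matched(BEFORE, AFTER, 22019, "udp"))
```

Feed it real output by reading the two snapshots from files; a LookupError means the rule you think you wrote is not in the table at all, which is case (b) before you even look at counters.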
On Sun, 2004-12-19 at 17:25 +0100, viuwier wrote:
> I have made some mistakes checking my ftp server on the local machine, I
> was connecting from my gateway to my external IP, so that is why I couldn't
> connect.

THINK! What is the source zone of the connection? What is the destination zone of the connection? Do your rules allow that connection? Do they specify rewriting the destination IP address for that connection (DNAT)?

> Now I have checked it from an external computer, rules are the same as I
> wrote earlier. The connection is OK, also:
>
> root@hades:/etc/shorewall# shorewall show nat | grep 22019
> 1 60 DNAT tcp -- * * 0.0.0.0/0 0.0.0.0/0 tcp dpt:22019 to:192.168.1.6:22019
> 0 0 DNAT udp -- * * 0.0.0.0/0 0.0.0.0/0 udp dpt:22019 to:192.168.1.6:22019
>
> .. packets are coming through the firewall. But when I want to list
> directories on the ftp server it does not work.
>
> On the external machine:
>
> mkurkiewicz@jota6:~$ ftp 217.96.90.134 22019
> Connected to 217.96.90.134.
> 220 awaiting Input
> Name (217.96.90.134:mkurkiewicz): kasia
> 331 Password required for kasia.
> Password:
> 230 User kasia logged in.
> Remote system type is UNIX.
> Using binary mode to transfer files.
> ftp> ls
> 200 Port command successful.
> 150 Opening data connection for directory list.
>
> //here it waits a very long time, waiting, waiting ....
>
> So, the connection is reaching my local computer (192.168.1.6) but I can't
> browse files on the ftp server. What is wrong?

http://www.shorewall.net/FTP.html shows you how to debug these problems -- do it! These are symptoms that the helper modules aren't loaded, are loaded without the right parameters, are broken, or that your FTP client is sending the PORT command in two packets so that the helpers can't handle it (you should be seeing FTP PARTIAL messages in your log if that is the case, and the above URL also provides guidance in working around that problem).

Given that you are using active mode FTP, the log on the server should contain the information you need.

And please stop posting off the list! This is your last warning and I will stop helping you entirely if you do it again. I don't offer private hand-holding; I spend enough of my time trying to solve you people's problems without trying to give each of you private sessions. My list server automatically sets the Reply-to: address to the list itself so you have to go out of your way to reply off-list (unless you have a badly broken mailer).

-Tom
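The failure mode Tom describes is a property of how the FTP conntrack helper works: in an active-mode session the client sends PORT on the control channel, the server then opens the data connection back to the client, and the firewall can only let that second connection through as RELATED if the helper saw a complete PORT command inside a single packet. The following model is an added example, not code from this thread, from Shorewall, or from the kernel helper: it parses PORT lines, derives the data connection the firewall must expect, and shows the difference between looking at one segment at a time (the helper's view, where a split PORT command is lost, the FTP PARTIAL case) and reassembling up to CRLF. CLIENT_IP (a documentation-range placeholder), SERVER_IP (the DNAT target from the thread) and the control-channel payloads are all constructed.

```python
"""Model what an FTP conntrack helper must do for an active-mode session: read
the PORT command on the control channel and derive the data connection that the
server will open back to the client, so the firewall can accept it as RELATED
rather than treating it as a brand-new outbound connection."""
import re

# 'PORT h1,h2,h3,h4,p1,p2' carries the client address and port as six decimal bytes.
PORT_RE = re.compile(rb"^PORT (\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3})$")


def parse_port(line):
    """Return (ip, port) for a complete PORT line (without CRLF), or None if malformed."""
    m = PORT_RE.match(line)
    if m is None:
        return None
    nums = [int(x) for x in m.groups()]
    if max(nums) > 255:
        return None
    return ".".join(str(n) for n in nums[:4]), nums[4] * 256 + nums[5]


def track_control(segments, client_ip, server_ip, reassemble=False):
    """segments: client->server TCP payloads in arrival order.
    reassemble=False mirrors a helper that only inspects one segment at a time, so a
    PORT command cut across two segments lands in 'partial' (the FTP PARTIAL symptom).
    reassemble=True buffers up to CRLF first and shows the same bytes parsing fine.
    'expect' lists the data connections the firewall must allow as RELATED; 'mismatch'
    lists PORT commands announcing an address other than the control-channel peer,
    which a firewall should log rather than trust."""
    out = {"expect": [], "partial": [], "malformed": [], "mismatch": []}
    buf = b""
    for seg in segments:
        data = buf + seg if reassemble else seg
        lines = data.split(b"\r\n")
        tail = lines.pop()  # b"" when data ended with CRLF, otherwise an unfinished line
        if reassemble:
            buf = tail
        elif tail.startswith(b"PORT"):
            out["partial"].append(tail)
        for line in lines:
            if not line.startswith(b"PORT "):
                continue
            parsed = parse_port(line)
            if parsed is None:
                out["malformed"].append(line)
            elif parsed[0] != client_ip:
                out["mismatch"].append(parsed)
            else:
                # The server will connect from server_ip (any source port) to the
                # announced client endpoint; that is the connection to expect.
                out["expect"].append({"src": server_ip, "dst": parsed[0], "dport": parsed[1]})
    return out


# Constructed sample payloads (no real capture). The client address is a
# documentation-range placeholder; the server is the DNAT target from the thread.
CLIENT_IP = "198.51.100.7"
SERVER_IP = "192.168.1.6"
GOOD_SESSION = [b"USER kasia\r\n", b"PASS secret\r\n",
                b"PORT 198,51,100,7,4,1\r\n", b"LIST\r\n"]
# The same PORT command split across two segments.
SPLIT_SESSION = [b"USER kasia\r\n", b"PASS secret\r\n",
                 b"PORT 198,51,100,", b"7,4,1\r\n", b"LIST\r\n"]

if __name__ == "__main__":
    for name, session in (("good", GOOD_SESSION), ("split", SPLIT_SESSION)):
        print(name, "segment-at-a-time:", track_control(session, CLIENT_IP, SERVER_IP))
        print(name, "reassembled:      ", track_control(session, CLIENT_IP, SERVER_IP, True))
```

The split session produces no expectation in segment-at-a-time mode, which is precisely why the server's data connection then has nothing to match against and the 'ls' hangs; the same bytes reassembled yield the expectation for 198.51.100.7:1025. Whether a given helper is loaded and watching port 22019 at all is a separate question, which is what the ports= parameters in the original configuration are for.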