Dear support and users:
Sorry to trouble you! I configured the shorewall firewall to forward the ftp and
ssh ports to another server, but it failed. Can you help me check?
I cannot log in to either SSH 2222 or ftp!
Below is my environment: (attachment is shorewall dump)
1. Gateway:
1.1) eth0: lan static IP: 192.168.1.20
1.2) eth1: external public static IP: 113.89.142.80
1.3) Shorewall-3.2.8 is running
2. FTP Server:
2.1) eth0: lan static IP: 192.168.1.231
2.2) SSH port 22 and FTP ports 20, 21 are already open (tested)
3. I want to forward internet FTP and SSH access to the FTP Server:
3.1) 113.89.142.80:20   -> 192.168.1.231:20 udp (FTP)
3.2) 113.89.142.80:21   -> 192.168.1.231:21 tcp (FTP)
3.3) 113.89.142.80:2222 -> 192.168.1.231:22 tcp (SSH)
4. Shorewall settings:
4.1 interfaces
#ZONE   INTERFACE   BROADCAST        OPTIONS
net     eth1        113.89.142.255   norfc1918,arp_filter
lan     eth0        detect           arp_filter
ovpn    tun0        -
#LAST LINE -- ADD YOUR ENTRIES BEFORE THIS ONE -- DO NOT REMOVE
4.2 zones
#ZONE   TYPE       OPTIONS   IN        OUT
#                            OPTIONS   OPTIONS
fw      firewall
net     ipv4
lan     ipv4
ovpn    ipv4
#LAST LINE - ADD YOUR ENTRIES ABOVE THIS ONE - DO NOT REMOVE
4.3 policy
#SOURCE   DEST   POLICY   LOG     LIMIT:BURST
#                         LEVEL
fw        all    ACCEPT
lan       net    ACCEPT
lan       fw     ACCEPT
lan       ovpn   ACCEPT
ovpn      lan    ACCEPT
net       all    DROP
all       all    REJECT
#LAST LINE -- DO NOT REMOVE
4.4 rules
#SECTION RELATED
SECTION NEW
ACCEPT        all    fw                     tcp   ftp             <<< it works for local FTP service (tested)
ACCEPT        all    fw                     udp   ftp             <<< it works for local FTP service
ACCEPT        all    fw                     tcp   2222
ACCEPT        all    fw                     tcp   ssh,domain
ACCEPT        all    fw                     udp   domain,openvpn
ACCEPT        ovpn   fw                     tcp   902,10000
Ping/ACCEPT   net    fw
ACCEPT        all    fw                     tcp   5222
ACCEPT        all    fw                     udp   5222
ACCEPT:info   all    $FW                    tcp   22
DNAT          net    lan:192.168.1.231      tcp   21
DNAT          net    lan:192.168.1.231      udp   20
DNAT          net    lan:192.168.1.231:22   tcp   2222
#LAST LINE -- ADD YOUR ENTRIES BEFORE THIS ONE -- DO NOT REMOVE
5. # cat /proc/sys/net/ipv4/ip_forward
   1
6. # more /etc/sysconfig/iptables-config
   IPTABLES_MODULES="ip_conntrack_netbios_ns ip_nat_ftp ip_conntrack_ftp"
Thanks and Best regards,
Muiz
On 09/22/2012 03:22 AM, muiz wrote:
> Dear support and users:
> Sorry to trouble you! I configured the shorewall firewall to forward the
> ftp and ssh ports to another server, but it failed. Can you help me check?
> I cannot log in to either SSH 2222 or ftp!
> Below is my environment: (attachment is shorewall dump)

Muiz,

It appears that the SSH and FTP connection requests aren't reaching your
firewall. From the dump:

Chain net_dnat (1 references)
 pkts bytes target  prot opt in  out source     destination
    0     0 DNAT    tcp  --  *   *   0.0.0.0/0  0.0.0.0/0  tcp dpt:21 to:192.168.1.231
    0     0 DNAT    udp  --  *   *   0.0.0.0/0  0.0.0.0/0  udp dpt:20 to:192.168.1.231
    0     0 DNAT    tcp  --  *   *   0.0.0.0/0  0.0.0.0/0  tcp dpt:2222 to:192.168.1.231:22

Please refer to the Port Forwarding troubleshooting tips described in
Shorewall FAQs 1a and 1b.

Thanks,
-Tom
--
Tom Eastep            \ When I die, I want to go like my Grandfather who
Shoreline,             \ died peacefully in his sleep. Not screaming like
Washington, USA         \ all of the passengers in his car
http://shorewall.net     \________________________________________________
Dear Tom Eastep,
Thanks very much!
I studied FAQ 1b and changed 192.168.1.231's gateway to 192.168.1.20
(the gateway's internal interface, eth0), but it still doesn't work.
Below is the shorewall dump: the server can read the SSH and FTP requests
from the internet. (Before testing, I ran shorewall reset to clear all
Netfilter counters.)
Chain net_dnat (1 references)
 pkts bytes target  prot opt in  out source     destination
    3   156 DNAT    tcp  --  *   *   0.0.0.0/0  0.0.0.0/0  tcp dpt:21 to:192.168.1.231
    0     0 DNAT    udp  --  *   *   0.0.0.0/0  0.0.0.0/0  udp dpt:20 to:192.168.1.231
    5   260 DNAT    tcp  --  *   *   0.0.0.0/0  0.0.0.0/0  tcp dpt:2222 to:192.168.1.231:22
gateway: eth0 internal: 192.168.1.20
         eth1 external: 113.89.142.80
Shorewall rules:
SECTION NEW
DNAT          net    lan:192.168.1.231      tcp   21
DNAT          net    lan:192.168.1.231      udp   20
ACCEPT        all    fw                     tcp   ssh,domain
ACCEPT        all    fw                     udp   domain,openvpn
ACCEPT        ovpn   fw                     tcp   902,10000
Ping/ACCEPT   net    fw
ACCEPT        all    fw                     tcp   5222
ACCEPT        all    fw                     udp   5222
DNAT          net    lan:192.168.1.231:22   tcp   2222
interfaces:
#ZONE   INTERFACE   BROADCAST        OPTIONS
net     eth1        113.89.142.255   norfc1918,arp_filter
lan     eth0        detect           arp_filter
ovpn    tun0        -
#LAST LINE -- ADD YOUR ENTRIES BEFORE THIS ONE -- DO NOT REMOVE
At 2012-09-22 23:00:44, "Tom Eastep" <teastep@shorewall.net> wrote:
>On 09/22/2012 03:22 AM, muiz wrote:
>> Dear support and users:
>> Sorry to trouble you! I configured the shorewall firewall to forward the
>> ftp and ssh ports to another server, but it failed. Can you help me check?
>> I cannot log in to either SSH 2222 or ftp!
>> Below is my environment: (attachment is shorewall dump)
>
>Muiz,
>
>It appears that the SSH and FTP connection requests aren't reaching your
>firewall. From the dump:
>
>Chain net_dnat (1 references)
> pkts bytes target  prot opt in  out source     destination
>    0     0 DNAT    tcp  --  *   *   0.0.0.0/0  0.0.0.0/0  tcp dpt:21 to:192.168.1.231
>    0     0 DNAT    udp  --  *   *   0.0.0.0/0  0.0.0.0/0  udp dpt:20 to:192.168.1.231
>    0     0 DNAT    tcp  --  *   *   0.0.0.0/0  0.0.0.0/0  tcp dpt:2222 to:192.168.1.231:22
>
>Please refer to the Port Forwarding troubleshooting tips described in
>Shorewall FAQs 1a and 1b.
>
>Thanks,
>-Tom
>--
>Tom Eastep            \ When I die, I want to go like my Grandfather who
>Shoreline,             \ died peacefully in his sleep. Not screaming like
>Washington, USA         \ all of the passengers in his car
>http://shorewall.net     \________________________________________________
>
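An added example (my own script, not from the thread or from Shorewall): it applies the counter check Tom uses in his reply to the net_dnat chain of a shorewall dump, distinguishing the FAQ 1a case (no counter moves, so requests never reach the firewall) from the FAQ 1b case Muiz hits in his second dump (counters move but the service is still unreachable, so the return path through the gateway is suspect). The sample dump is constructed from the counters posted above.

```shell
#!/bin/sh
# Added example, not Shorewall code: read the "Chain net_dnat" section of a
# shorewall dump (or `iptables -t nat -vnL` output) and classify each DNAT rule
# by whether its packet counter has moved since the last `shorewall reset`.

# Constructed sample, using the counters from Muiz's second dump.
SAMPLE_DUMP='Chain net_dnat (1 references)
 pkts bytes target  prot opt in  out source     destination
    3   156 DNAT    tcp  --  *   *   0.0.0.0/0  0.0.0.0/0  tcp dpt:21 to:192.168.1.231
    0     0 DNAT    udp  --  *   *   0.0.0.0/0  0.0.0.0/0  udp dpt:20 to:192.168.1.231
    5   260 DNAT    tcp  --  *   *   0.0.0.0/0  0.0.0.0/0  tcp dpt:2222 to:192.168.1.231:22

Chain POSTROUTING (policy ACCEPT 0 packets, 0 bytes)
 pkts bytes target  prot opt in  out source     destination'

# dnat_status DUMP: one line per DNAT rule, "proto/dport -> target pkts HIT|NOHIT".
dnat_status() {
    printf '%s\n' "$1" | awk '
        /^Chain net_dnat/ { in_chain = 1; next }   # start of the chain we care about
        /^Chain /         { in_chain = 0 }         # any other chain ends it
        in_chain && $3 == "DNAT" {                 # skip header and blank lines
            dport = ""; to = ""
            for (i = 10; i <= NF; i++) {           # match fields follow the 9 fixed columns
                if ($i ~ /^dpt:/) dport = substr($i, 5)
                if ($i ~ /^to:/)  to = substr($i, 4)
            }
            printf "%s/%s -> %s %s %s\n", $4, dport, to, $1,
                   ($1 == "0" ? "NOHIT" : "HIT")
        }'
}

# count_nohit DUMP: number of DNAT rules whose counter is still zero.
count_nohit() {
    dnat_status "$1" | grep -c ' NOHIT$' || true   # grep -c exits 1 on a count of 0
}

# diagnose DUMP: which FAQ section the counters point at.
diagnose() {
    total=$(dnat_status "$1" | awk 'END { print NR }')
    zero=$(count_nohit "$1")
    if [ "$total" -eq 0 ]; then echo "no DNAT rules in net_dnat: check the rules file"
    elif [ "$zero" -eq "$total" ]; then echo "no request reached the firewall: FAQ 1a"
    else echo "requests reach the firewall: check the server's gateway / return path (FAQ 1b)"
    fi
}

dnat_status "$SAMPLE_DUMP"
diagnose "$SAMPLE_DUMP"
```

On a live gateway, feed it `shorewall dump` or `iptables -t nat -vnL net_dnat` output instead of the sample; the udp/20 rule stays at NOHIT because FTP data connections use tcp.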