Dear all, dear support and users,

Sorry to trouble you! I configured the Shorewall firewall to forward the FTP and SSH ports to another server, but it failed. Can you help me check? I cannot log in to either SSH on port 2222 or FTP! Below is my environment (the attachment is the shorewall dump):

1. Gateway (FC6)
   1.1) eth0: LAN static IP: 192.168.1.20
   1.2) eth1: external public static IP: 113.89.142.80
   1.3) Shorewall-3.2.8 is running

2. FTP server (CentOS 6.3, iptables and SELinux are off)
   2.1) eth0: LAN static IP: 192.168.1.231
   2.2) SSH port 22 and FTP ports 20, 21 are already open (tested)
   2.3) vsftpd.conf: uses the default settings and works for internal users

3. I want to forward Internet access for FTP and SSH to the FTP server:
   3.1) 113.89.142.80:20   -> 192.168.1.231:20 udp (FTP)
   3.2) 113.89.142.80:21   -> 192.168.1.231:21 tcp (FTP)
   3.3) 113.89.142.80:2222 -> 192.168.1.231:22 tcp (SSH)

4. Shorewall settings:

   4.1 interfaces
   #ZONE   INTERFACE   BROADCAST        OPTIONS
   net     eth1        113.89.142.255   norfc1918,arp_filter
   lan     eth0        detect           arp_filter
   ovpn    tun0        -
   #LAST LINE -- ADD YOUR ENTRIES BEFORE THIS ONE -- DO NOT REMOVE

   4.2 zones
   #ZONE   TYPE       OPTIONS   IN        OUT
   #                            OPTIONS   OPTIONS
   fw      firewall
   net     ipv4
   lan     ipv4
   ovpn    ipv4
   #LAST LINE - ADD YOUR ENTRIES ABOVE THIS ONE - DO NOT REMOVE

   4.3 policy
   #SOURCE   DEST   POLICY   LOG     LIMIT:BURST
   #                         LEVEL
   fw        all    ACCEPT
   lan       net    ACCEPT
   lan       fw     ACCEPT
   lan       ovpn   ACCEPT
   ovpn      lan    ACCEPT
   net       all    DROP
   all       all    REJECT
   #LAST LINE -- DO NOT REMOVE

   4.4 rules
   #SECTION RELATED
   SECTION NEW
   ACCEPT        all   fw                     tcp   ftp          <<< it works for the local FTP service (tested)
   ACCEPT        all   fw                     udp   ftp          <<< it works for the local FTP service
   ACCEPT        all   fw                     tcp   2222
   ACCEPT        all   fw                     tcp   ssh,domain
   Ping/ACCEPT   net   fw
   ACCEPT        all   fw                     tcp   5222
   ACCEPT        all   fw                     udp   5222
   ACCEPT:info   all   $FW                    tcp   22
   DNAT          net   lan:192.168.1.231      tcp   21
   DNAT          net   lan:192.168.1.231      udp   20
   DNAT          net   lan:192.168.1.231:22   tcp   2222
   #LAST LINE -- ADD YOUR ENTRIES BEFORE THIS ONE -- DO NOT REMOVE

5. # cat /proc/sys/net/ipv4/ip_forward
   1

6. # more /etc/sysconfig/iptables-config
   IPTABLES_MODULES="ip_conntrack_netbios_ns ip_nat_ftp ip_conntrack_ftp"

Chain net_dnat (1 references)
 pkts bytes target   prot opt in   out   source      destination
    3   156 DNAT     tcp  --  *    *     0.0.0.0/0   0.0.0.0/0     tcp dpt:21 to:192.168.1.231
    0     0 DNAT     udp  --  *    *     0.0.0.0/0   0.0.0.0/0     udp dpt:20 to:192.168.1.231
    5   260 DNAT     tcp  --  *    *     0.0.0.0/0   0.0.0.0/0     tcp dpt:2222 to:192.168.1.231:22

Do you know what's wrong?

Thanks and best regards!
Muiz
_______________________________________________
CentOS mailing list
CentOS@xxxxxxxxxx
http://lists.centos.org/mailman/listinfo/centos
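Editor's added example (not part of Muiz's post or of any reply in the thread). Two things a practitioner would check first in this dump. FTP has no UDP component: the active-mode data channel is TCP port 20 opened by the server towards the client, and with ip_conntrack_ftp/ip_nat_ftp loaded the helper tracks it as RELATED to the tcp/21 connection, so a "udp 20" DNAT never matches anything, which is exactly what its zero packet counter shows. The tcp/21 and tcp/2222 counters do increment, so those packets are being translated; if the logins still fail, the trouble is after NAT (the net2lan filter chain, or the server's return route: 192.168.1.231 must use 192.168.1.20 as its default gateway so replies pass back through the same conntrack entry). Passive-mode FTP additionally needs the server's pasv_min_port/pasv_max_port range forwarded. The script below parses the net_dnat listing as posted (embedded here as a constructed copy), flags UDP/FTP rules in a rules file, and prints the corrected DNAT lines; the 50000-50100 passive range is a hypothetical value, not something the post specifies.

```shell
#!/bin/sh
# Added example, not from the original post. Assumes Shorewall 3.x rules
# syntax and a vsftpd passive range of 50000-50100 (hypothetical value).

# The net_dnat chain exactly as printed in the post (constructed sample input,
# same layout as "iptables -t nat -L net_dnat -n -v").
NET_DNAT_DUMP='Chain net_dnat (1 references)
 pkts bytes target prot opt in out source destination
    3   156 DNAT tcp -- * * 0.0.0.0/0 0.0.0.0/0 tcp dpt:21 to:192.168.1.231
    0     0 DNAT udp -- * * 0.0.0.0/0 0.0.0.0/0 udp dpt:20 to:192.168.1.231
    5   260 DNAT tcp -- * * 0.0.0.0/0 0.0.0.0/0 tcp dpt:2222 to:192.168.1.231:22'

# The relevant rules from the post (constructed copy of the 4.4 section).
POSTED_RULES='ACCEPT all fw tcp ftp
ACCEPT all fw udp ftp
DNAT net lan:192.168.1.231 tcp 21
DNAT net lan:192.168.1.231 udp 20
DNAT net lan:192.168.1.231:22 tcp 2222'

# dnat_hits DUMP PROTO DPORT: print the packet counter of the DNAT rule for
# PROTO/DPORT in a verbose nat listing, or -1 if no such rule exists.
# Columns: pkts bytes target prot opt in out source destination proto dpt:N to:ADDR
dnat_hits() {
    printf '%s\n' "$1" | awk -v proto="$2" -v port="$3" '
        $3 == "DNAT" && $4 == proto && $11 == ("dpt:" port) { print $1; found = 1 }
        END { if (!found) print -1 }'
}

# ftp_data_rule_misuse: read Shorewall rules on stdin and print every
# DNAT/ACCEPT line that pairs UDP with an FTP port. Such rules can never
# match real FTP traffic: control is tcp/21, active data is tcp/20 from the
# server, and both are handled by the conntrack FTP helper once tcp/21 is
# forwarded.
ftp_data_rule_misuse() {
    awk '$1 ~ /^(DNAT|ACCEPT)/ && $4 == "udp" && $5 ~ /^(20|21|ftp|ftp-data)$/'
}

# corrected_rules SERVER PASV_MIN PASV_MAX: emit the rules that replace the
# three DNAT lines from the post. The passive range must match
# pasv_min_port/pasv_max_port in the server's vsftpd.conf.
corrected_rules() {
    cat <<EOF
#ACTION   SOURCE   DEST            PROTO   DEST PORT(S)
DNAT      net      lan:$1          tcp     21
DNAT      net      lan:$1          tcp     $2:$3
DNAT      net      lan:$1:22       tcp     2222
EOF
}

# Demo on the posted data.
echo "tcp/21 DNAT hits:   $(dnat_hits "$NET_DNAT_DUMP" tcp 21)"
echo "udp/20 DNAT hits:   $(dnat_hits "$NET_DNAT_DUMP" udp 20)"
echo "tcp/2222 DNAT hits: $(dnat_hits "$NET_DNAT_DUMP" tcp 2222)"
echo "rules that can never match FTP:"
printf '%s\n' "$POSTED_RULES" | ftp_data_rule_misuse
echo "replacement DNAT rules:"
corrected_rules 192.168.1.231 50000 50100
```

On the gateway the live counters come from `iptables -t nat -L net_dnat -n -v`; after a failed connection attempt a rising tcp/21 or tcp/2222 counter with no login means NAT is not the problem, and the next places to look are the net2lan chain (`iptables -L net2lan -n -v`) and `ip route` on 192.168.1.231, whose default route must point at 192.168.1.20.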