Thanks very much! I modified the shorewall settings, but still cannot forward those ports.

Now I have opened ports 2121 and 2222 on shorewall, then use "rinetd" to forward TCP requests:

Gateway 2222 -> 192.168.1.231:22
Gateway 2121 -> 192.168.1.231:21
Gateway 6000-6010 -> 192.168.1.231:6000-6010

Both SSH and FTP work.

I will upgrade the system to CentOS 6.3 next month.

At 2012-09-30 05:18:34, "Gordon Messmer" <yinyang@xxxxxxxxx> wrote:
>On 09/27/2012 01:58 AM, muiz wrote:
>> 1. Gateway (FC6)
>> 1.1) eth0: lan static IP: 192.168.1.20
>> 1.2) eth1: external public static IP: 113.89.142.80
>> 2.3) Shorewall-3.2.8 is running
>
>This is extremely old, and you are allowing access to SSH and DNS
>services on the firewall itself. ISC Bind, at least, has security
>problems that should be patched. I strongly recommend that you upgrade
>this system.
>
>> 3. I want to forward internet access FTP and SSH to FTP Server:
>> 3.1) 113.89.142.80:20 -> 192.168.1.231:20 udp (FTP)
>> 3.2) 113.89.142.80:21 -> 192.168.1.231:21 tcp (FTP)
>> 3.3) 113.89.142.80:2222 -> 192.168.1.231:22 tcp (SSH)
>
>One: FTP doesn't use UDP, regardless of what you see in the services
>file. You don't need to forward UDP.
>
>Two: Port 20 is used for outbound connections from an active mode FTP
>server. You don't need to forward port 20 in to your server, ever.
>
>> 4. Shorewall settings:
>> 4.1 interfaces
>> #ZONE INTERFACE BROADCAST OPTIONS
>> net eth1 113.89.142.255 norfc1918,arp_filte
>> lan eth0 detect arp_filter
>> ovpn tun0 -
>> #LAST LINE -- ADD YOUR ENTRIES BEFORE THIS ONE -- DO NOT REMOVE
>
>Although it doesn't make much difference, you typically don't need to
>specify your broadcast address.
>
>> 4.4 rules
>> #SECTION RELATED
>> SECTION NEW
>> ACCEPT all fw tcp ftp <<< it works for local FTP service (tested)
>> ACCEPT all fw udp ftp <<< it works for local FTP service
>> ACCEPT all fw tcp 2222
>> ACCEPT all fw tcp ssh,domain
>> Ping/ACCEPT net fw
>> ACCEPT all fw tcp 5222
>> ACCEPT all fw udp 5222
>> ACCEPT:info all $FW tcp 22
>> DNAT net lan:192.168.1.231 tcp 21
>> DNAT net lan:192.168.1.231 udp 20
>> DNAT net lan:192.168.1.231:22 tcp 2222
>> #LAST LINE -- ADD YOUR ENTRIES BEFORE THIS ONE -- DO NOT REMOVE
>
>Your ACCEPT rules are blocking your DNAT rules. They're not needed.
>
>I've never actually seen the Ping/ACCEPT syntax before, so I'm going to
>assume that entry is correct. It doesn't exist in Shorewall 4+.
>
>Your rules should contain only this (assuming you're actually running an
>XMPP server on your firewall):
>
>Ping/ACCEPT net fw
>ACCEPT:info all fw tcp 22
>ACCEPT all fw tcp domain
>ACCEPT all fw udp domain
>ACCEPT all fw tcp 5222
>DNAT net lan:192.168.1.231 tcp 21
>DNAT net lan:192.168.1.231:22 tcp 2222
>
>_______________________________________________
>CentOS mailing list
>CentOS@xxxxxxxxxx
>http://lists.centos.org/mailman/listinfo/centos
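The three problems Gordon points out in the quoted rules file (a UDP forward for FTP, an inbound forward of port 20, and ACCEPT-to-firewall entries on the same ports as the DNATs) can be caught mechanically before a reload. The lint below is an added example, not code from the thread or from Shorewall; it assumes the Shorewall 3.x column layout ACTION SOURCE DEST PROTO DEST_PORT, and the sample rules are constructed from the ones quoted above.

```python
# Added lint for a Shorewall 3.x "rules" file, checking the three points raised in
# the reply. Assumed column layout (mine): ACTION SOURCE DEST PROTO DEST_PORT.
SERVICE_PORTS = {"ftp": "21", "ssh": "22", "domain": "53"}

# Constructed from the rules quoted in the thread, not the actual file on disk.
SAMPLE_RULES = """\
SECTION NEW
ACCEPT all fw tcp ftp
ACCEPT all fw udp ftp
ACCEPT all fw tcp 2222
ACCEPT all fw tcp ssh,domain
Ping/ACCEPT net fw
ACCEPT all fw tcp 5222
ACCEPT all fw udp 5222
ACCEPT:info all $FW tcp 22
DNAT net lan:192.168.1.231 tcp 21
DNAT net lan:192.168.1.231 udp 20
DNAT net lan:192.168.1.231:22 tcp 2222
"""

def parse_rules(text):
    """Yield (line_no, action, dest, proto, {numeric ports}) per rule line."""
    for no, raw in enumerate(text.splitlines(), 1):
        cols = raw.split("#", 1)[0].split()
        if not cols or cols[0] == "SECTION":
            continue
        cols += ["-"] * (5 - len(cols))            # Ping/ACCEPT has no PROTO/PORT
        action = cols[0].split(":", 1)[0]          # strip ":info" log level
        ports = {SERVICE_PORTS.get(p, p) for p in cols[4].split(",") if p != "-"}
        yield no, action, cols[2], cols[3].lower(), ports

def lint_rules(text):
    """Return [(line_no, code, message)]; an empty list means no findings."""
    rules = list(parse_rules(text))
    dnat = {(proto, p) for _, act, _, proto, ports in rules if act == "DNAT" for p in ports}
    findings = []
    for no, act, dest, proto, ports in rules:
        if act == "DNAT" and proto == "udp" and ports & {"20", "21"}:
            findings.append((no, "FTP_UDP", "FTP is TCP only; drop the UDP forward"))
        if act == "DNAT" and "20" in ports:
            findings.append((no, "FTP_DATA", "port 20 is the server's outbound "
                             "active-mode port; never forward it inbound"))
        if act == "ACCEPT" and dest in ("fw", "$FW"):
            for p in sorted(ports & {p for pr, p in dnat if pr == proto}):
                findings.append((no, "SHADOW", f"ACCEPT to the firewall on {proto}/{p} "
                                 "collides with the DNAT for that port; remove it"))
    return findings
```

Run `lint_rules(SAMPLE_RULES)` to see the four findings; Gordon's suggested replacement list produces none.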