Re: ftp behind the firewall

On February 14, 2005 05:54 pm, Travis Crook wrote:
> On Mon, 2005-02-14 at 09:25 -0800, Hudson Delbert J Contr 61 CS/SCBN wrote:
> > travis,
> >
> > re-state your scenario. its incomplete.
> >
> > how do you know its running fine?
>
> Normal Web traffic, ftp users outside the firewall coming in, windows
> boxes behind the firewall, etc. are all running and accessing
> information as expected.

	I believe the list will take this to mean that a windows box on the internal 
network can connect to a specific ftp server on the other side of the 
firewall and transfer data without issue, whereas a linux box on the internal 
network cannot connect to the same specific ftp server on the other side of 
the firewall.

	(Let's make the issue clear here -- if I've got the above wrong in any way, 
please feel free to correct as necessary.)

	I'm gonna drop the internal-client-to-internal-ftp-server case for a different 
question below.

>
> > what distro and version of linux are you running?
>
> Mandrake 8.1, kernel 2.4.8-26mdk
>
> > what does the config for ftp look like?
>
> Rules for ftp:
>
> # Network information you will need to adjust
> INTERNALIF="eth1"
> INTERNALNET="192.168.2.0/24"
> INTERNALBCAST="192.168.2.255"
> EXTERNALIF="eth0"
> MYADDR="12.42.147.158"  # Only needed for DNAT, leave out otherwise
>
> #Insert modules- should be done automatically if needed
> /sbin/modprobe ip_conntrack_ftp
> /sbin/modprobe ip_nat_ftp
>
> #Allow replies coming in
> $IPTABLES -A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT
>
> #Send ftp to an internal machine
> $IPTABLES -A PREROUTING -t nat -i $EXTERNALIF -p tcp -d $MYADDR --dport
> 20 -j DNAT --to 192.168.2.5:20
> $IPTABLES -A FORWARD -i $EXTERNALIF -p tcp -d 192.168.2.5 --dport 20 -j
> ACCEPT
>
> $IPTABLES -t nat -A PREROUTING -i $EXTERNALIF -p tcp -d $MYADDR --dport
> 21 -j DNAT --to-destination 192.168.2.5
> $IPTABLES -A FORWARD -i $EXTERNALIF -p tcp -d 192.168.2.5 --dport 21 -j
> ACCEPT
> $IPTABLES -A FORWARD -i $EXTERNALIF -o $INTERNALIF -p tcp --syn -d
> 192.168.2.5 --dport 21 -j ACCEPT
> #Masquerade internal connections going out.
> $IPTABLES -A POSTROUTING -t nat -o $EXTERNALIF -j MASQUERADE
>
> > is the blocked by default.
> >
> > when you say my windows machines dont seem to have this problem..
> > where do these windoze boxen sit?
>
> All computers (linux and windows) are on an internal network connected
> via a switch to the firewall.

	I see something coming here....  but I'll wait for further detail....

	The above rules are set up to forward external ftp connections to an internal 
network-based ftp server.  They will *NOT* suffice to handle connections from 
internal clients to the external IP address of the firewall with intent to 
get to the internal ftp server.   You have no rules here that indicate that 
the clients can get out at all .... 

	Please PLEASE tell me that the firewall does NOT have both internal and 
external NICs plugged into the same switch.

>
> > anything anybody on this list offers up as a solution will not
> > be thought out well and will basically be a guess.
> >
> > i'm a visual person - draw me pix of your networks and
> > sanitize the ip with rfc1918 addresses and bitmasks as it
>
> Not quite sure I understand this...
>
> > makes no difference as its all cidr.....
>
> Network picture
>
> Internet --> firewall --> internal network (linux and windows)
>
> firewall --> incoming ports: 80, 8080, 110, 25, 443, 143, 20, 21, all
> get routed to internal servers.  The rest are dropped/denied.
>
> internal network: should be completely masqueraded by the firewall
> #Masquerade internal connections going out.
> $IPTABLES -A POSTROUTING -t nat -o $EXTERNALIF -j MASQUERADE
>
> > guessing is a bad idea....
>
> Agreed.
>
> > need waaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaay more info.
>
> Anything else?  Will gladly provide it.
>
> Thanks!

