Hi Dan,
In the lab, I just tested using the following firewall rule:
It worked as expected.
If it is possible to restrict the allowed source address (other than 0/0) that
would be good.
Lonnie
On Jul 28, 2017, at 5:32 AM, d...@ryson.org wrote:
> Hi Lonnie,
>
> Thanks for the prompt reply and detailed insight. We'll circle back with
> feedback on our findings, as requested.
>
> For what it's worth, we've had similar discussions with this client about
> reliance on FTP. They're slowly replacing it with secure protocols but
> progress is slow.
>
> Dan
>
> -----Original Message-----
> From: "Lonnie Abelbeck" <li...@lonnie.abelbeck.com>
> Sent: Thursday, July 27, 2017 9:27pm
> To: "AstLinux Users Mailing List" <astlinux-users@lists.sourceforge.net>
> Subject: Re: [Astlinux-users] Port Forwarding FTP
>
> Hi Dan,
>
> My first thought is *don't do that* :-) The FTP credentials are not
> encrypted, easily captured, etc. Using FTP over a VPN (OpenVPN), or using
> SFTP (TCP 22), would be a much better choice.
>
> If you really, really must allow FTP inbound on the external interface when
> AstLinux is a NAT firewall you must use "NAT EXT->LAN" of TCP 21 to your
> internal FTP server. The Linux kernel will automatically apply the FTP helper
> to track the TCP 20 data channel, so only NAT-forward TCP 21.
>
> Be sure to remove any "Pass EXT->LAN" TCP 21 rules.
>
> Note that "Pass EXT->LAN" is for non-NAT'ed situations when the networks are
> routed, not NAT'ed. For example with IPv6 you would use "Pass EXT->LAN". For
> NAT'ed situations with IPv4 use "NAT EXT->LAN".
>
> Note that with "NAT EXT->LAN" you could make the public TCP port non-standard
> and forward to the standard TCP 21 internally. I've never tried this, as the
> FTP helper has to cooperate, so this may or may not work, also depends on the
> FTP client.
>
> Let us know how it goes.
>
> Lonnie
>
>
>
> On Jul 27, 2017, at 7:44 PM, d...@ryson.org wrote:
>
> > All,
> >
> > I just helped a friend reconfigure an AstLinux installation. Until today,
> > it had been behind a NAT'd router/firewall. This afternoon, we added a NIC
> > card and promoted AstLinux to replace the router/firewall.
> >
> > All the complicated bits worked fine. However, testing revealed that a
> > simple port forwarding to an internal FTP server (port 21) isn't working.
> > The FTP server is working from within the LAN but we can't access it from
> > the Internet. We enabled EXT=>LAN using the web interface and we can see
> > the rule in iptables but it doesn't seem to work.
> >
> > I'd appreciate any troubleshooting suggestions.
> >
> > Thanks,
> >
> > Dan
>
>
>
> ------------------------------------------------------------------------------
> Check out the vibrant tech community on one of the world's most
> engaging tech sites, Slashdot.org! http://sdm.link/slashdot
> _______________________________________________
> Astlinux-users mailing list
> Astlinux-users@lists.sourceforge.net
> https://lists.sourceforge.net/lists/listinfo/astlinux-users
>
> Donations to support AstLinux are graciously accepted via PayPal to
> pay...@krisk.org.
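Worked example, added here to illustrate the advice in the thread: it is not Lonnie's lab rule (which is not reproduced above) and not AstLinux's own firewall script. The shell function below generates the iptables rules for a "NAT EXT->LAN" forward of inbound FTP to an internal server, with the kernel FTP conntrack helper attached so the TCP 20 data channel is tracked, and with the allowed source restricted to a CIDR instead of 0/0. It deliberately emits no plain "Pass EXT->LAN" TCP 21 rule. Interface names, the server address 192.168.1.10, the source range 203.0.113.0/24 and the optional non-standard public port are constructed sample values. One caveat beyond the thread: since Linux 4.7 automatic helper assignment (net.netfilter.nf_conntrack_helper) is off by default, so the helper is assigned explicitly with a CT rule in the raw table rather than relying on the kernel to apply it on its own.

```shell
#!/bin/sh
# Added example (not Lonnie's rule and not AstLinux's own code).
# Print the iptables rules for NAT'ing inbound FTP to an internal server.
# Arguments: ext_if lan_if ftp_server allowed_src [public_port]
#   ext_if      external (Internet-facing) interface, e.g. eth0   (assumed)
#   lan_if      LAN interface, e.g. eth1                          (assumed)
#   ftp_server  internal FTP server address                        (constructed)
#   allowed_src source CIDR allowed to reach it; 0.0.0.0/0 = anyone
#   public_port public TCP port; defaults to the standard 21
ftp_nat_rules() {
    ext_if=$1
    lan_if=$2
    ftp_server=$3
    allowed_src=$4
    public_port=${5:-21}

    cat <<EOF
# Load the FTP conntrack helper and its NAT companion (rewrites PASV/PORT addresses).
modprobe nf_conntrack_ftp
modprobe nf_nat_ftp
# Kernels 4.7+ default to nf_conntrack_helper=0: assign the helper explicitly
# to the control connection (matched on the public port, before DNAT runs).
iptables -t raw -A PREROUTING -i ${ext_if} -s ${allowed_src} -p tcp --dport ${public_port} -j CT --helper ftp
# "NAT EXT->LAN": rewrite the destination to the internal server's TCP 21.
iptables -t nat -A PREROUTING -i ${ext_if} -s ${allowed_src} -p tcp --dport ${public_port} -j DNAT --to-destination ${ftp_server}:21
# Forward only the NEW control connection from the allowed source...
iptables -A FORWARD -i ${ext_if} -o ${lan_if} -s ${allowed_src} -d ${ftp_server} -p tcp --dport 21 -m conntrack --ctstate NEW -j ACCEPT
# ...plus whatever conntrack marks RELATED/ESTABLISHED, which is how the
# helper-expected TCP 20 data connections get through without a separate rule.
iptables -A FORWARD -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
EOF
}

# Usage (review the output first, then pipe it to sh as root):
#   ftp_nat_rules eth0 eth1 192.168.1.10 203.0.113.0/24
#   ftp_nat_rules eth0 eth1 192.168.1.10 203.0.113.0/24 2121   # non-standard public port
```

The function only prints rules, so it can be run anywhere to inspect what would be applied; the non-standard public port variant works only because the CT rule attaches the helper by the public port, which is the cooperation Lonnie notes the helper must provide.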