Re: [CentOS] vsFTP and shorewall

2012-09-30 Thread muiz
Thanks very much!
I modified the shorewall settings, but still cannot forward those ports.

Now I have opened port 2121 and  on shorewall, then use "rinetd" to forward the
TCP requests:
Gateway              ->  192.168.1.231:22
Gateway 2121         ->  192.168.1.231:21
Gateway 6000 - 6010  ->  192.168.1.231:6000 - 6010
Both SSH and FTP work.

I will upgrade the system to CentOS 6.3 next month.


At 2012-09-30 05:18:34, "Gordon Messmer" wrote:
>On 09/27/2012 01:58 AM, muiz wrote:
>> 1. Gateway (FC6)
>>   1.1) eth0:  lan static IP:  192.168.1.20
>>   1.2) eth1:  external public static IP:  113.89.142.80
>>   1.3) Shorewall-3.2.8 is running
>
>This is extremely old, and you are allowing access to SSH and DNS 
>services on the firewall itself.  ISC Bind, at least, has security 
>problems that should be patched.  I strongly recommend that you upgrade 
>this system.
>
>> 3. I want to forward internet access FTP and SSH to FTP Server:
>>   3.1)  113.89.142.80: 20   -> 192.168.1.231:20  udp(FTP)
>>   3.2)  113.89.142.80: 21   -> 192.168.1.231:21  tcp (FTP)
>>   3.3)  113.89.142.80:    -> 192.168.1.231:22  tcp  (SSH)
>
>One: FTP doesn't use UDP, regardless of what you see in the services 
>file.  You don't need to forward UDP.
>
>Two: Port 20 is used for outbound connections from an active mode FTP 
>server.  You don't need to forward port 20 into your server, ever.
>
>> 4. Shorewall settings:
>>   4.1 interfaces
>>   #ZONE   INTERFACE   BROADCAST        OPTIONS
>>   net     eth1        113.89.142.255   norfc1918,arp_filte
>>   lan     eth0        detect           arp_filter
>>   ovpn    tun0        -
>>   #LAST LINE -- ADD YOUR ENTRIES BEFORE THIS ONE -- DO NOT REMOVE
>
>Although it doesn't make much difference, you typically don't need to 
>specify your broadcast address.
>
>>   4.4 rules
>>   #SECTION RELATED
>>   SECTION NEW
>>   ACCEPT       all   fw                     tcp   ftp          <<< it works for local FTP service (tested)
>>   ACCEPT       all   fw                     udp   ftp          <<< it works for local FTP service
>>   ACCEPT       all   fw                     tcp   
>>   ACCEPT       all   fw                     tcp   ssh,domain
>>   Ping/ACCEPT  net   fw
>>   ACCEPT       all   fw                     tcp   5222
>>   ACCEPT       all   fw                     udp   5222
>>   ACCEPT:info  all   $FW                    tcp   22
>>   DNAT         net   lan:192.168.1.231      tcp   21
>>   DNAT         net   lan:192.168.1.231      udp   20
>>   DNAT         net   lan:192.168.1.231:22   tcp   
>>   #LAST LINE -- ADD YOUR ENTRIES BEFORE THIS ONE -- DO NOT REMOVE
>
>Your ACCEPT rules are blocking your DNAT rules.  They're not needed.
>
>I've never actually seen the Ping/ACCEPT syntax before, so I'm going to 
>assume that entry is correct.  It doesn't exist in Shorewall 4+.
>
>Your rules should contain only this (assuming you're actually running an 
>XMPP server on your firewall):
>
>Ping/ACCEPT  net   fw
>ACCEPT:info  all   fw                     tcp   22
>ACCEPT       all   fw                     tcp   domain
>ACCEPT       all   fw                     udp   domain
>ACCEPT       all   fw                     tcp   5222
>DNAT         net   lan:192.168.1.231      tcp   21
>DNAT         net   lan:192.168.1.231:22   tcp   
>
___
CentOS mailing list
CentOS@centos.org
http://lists.centos.org/mailman/listinfo/centos


Re: [CentOS] vsFTP and shorewall

2012-09-29 Thread Gordon Messmer
On 09/27/2012 01:58 AM, muiz wrote:
> 1. Gateway (FC6)
>   1.1) eth0:  lan static IP:  192.168.1.20
>   1.2) eth1:  external public static IP:  113.89.142.80
>   1.3) Shorewall-3.2.8 is running

This is extremely old, and you are allowing access to SSH and DNS 
services on the firewall itself.  ISC Bind, at least, has security 
problems that should be patched.  I strongly recommend that you upgrade 
this system.

> 3. I want to forward internet access FTP and SSH to FTP Server:
>   3.1)  113.89.142.80: 20   -> 192.168.1.231:20  udp(FTP)
>   3.2)  113.89.142.80: 21   -> 192.168.1.231:21  tcp (FTP)
>   3.3)  113.89.142.80:    -> 192.168.1.231:22  tcp  (SSH)

One: FTP doesn't use UDP, regardless of what you see in the services 
file.  You don't need to forward UDP.

Two: Port 20 is used for outbound connections from an active mode FTP 
server.  You don't need to forward port 20 into your server, ever.

> 4. Shorewall settings:
>   4.1 interfaces
>   #ZONE   INTERFACE   BROADCAST        OPTIONS
>   net     eth1        113.89.142.255   norfc1918,arp_filte
>   lan     eth0        detect           arp_filter
>   ovpn    tun0        -
>   #LAST LINE -- ADD YOUR ENTRIES BEFORE THIS ONE -- DO NOT REMOVE

Although it doesn't make much difference, you typically don't need to 
specify your broadcast address.

>   4.4 rules
>   #SECTION RELATED
>   SECTION NEW
>   ACCEPT       all   fw                     tcp   ftp          <<< it works for local FTP service (tested)
>   ACCEPT       all   fw                     udp   ftp          <<< it works for local FTP service
>   ACCEPT       all   fw                     tcp   
>   ACCEPT       all   fw                     tcp   ssh,domain
>   Ping/ACCEPT  net   fw
>   ACCEPT       all   fw                     tcp   5222
>   ACCEPT       all   fw                     udp   5222
>   ACCEPT:info  all   $FW                    tcp   22
>   DNAT         net   lan:192.168.1.231      tcp   21
>   DNAT         net   lan:192.168.1.231      udp   20
>   DNAT         net   lan:192.168.1.231:22   tcp   
>   #LAST LINE -- ADD YOUR ENTRIES BEFORE THIS ONE -- DO NOT REMOVE

Your ACCEPT rules are blocking your DNAT rules.  They're not needed.

I've never actually seen the Ping/ACCEPT syntax before, so I'm going to 
assume that entry is correct.  It doesn't exist in Shorewall 4+.

Your rules should contain only this (assuming you're actually running an 
XMPP server on your firewall):

Ping/ACCEPT  net   fw
ACCEPT:info  all   fw                     tcp   22
ACCEPT       all   fw                     tcp   domain
ACCEPT       all   fw                     udp   domain
ACCEPT       all   fw                     tcp   5222
DNAT         net   lan:192.168.1.231      tcp   21
DNAT         net   lan:192.168.1.231:22   tcp   

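As an added example (not code from the thread or from Shorewall), here is a small Python lint pass over a Shorewall-style rules file that flags the three problems named in the reply above: UDP rules for FTP, inbound DNAT of port 20, and ACCEPT-to-firewall rules on a port that is also DNATed to an internal host. The whitespace-separated column layout (ACTION SOURCE DEST PROTO DPORT) and the sample rules are assumptions, with the sample constructed to mirror the rules posted in the thread.

```python
# Added example, not from the thread. Assumed column layout:
# ACTION SOURCE DEST PROTO DPORT, whitespace-separated, as in the posted file.

# Constructed sample mirroring the rules posted in the thread.
SAMPLE_RULES = """\
SECTION NEW
ACCEPT       all   fw                    tcp   ftp
ACCEPT       all   fw                    udp   ftp
ACCEPT       all   fw                    tcp   ssh,domain
ACCEPT:info  all   $FW                   tcp   22
DNAT         net   lan:192.168.1.231     tcp   21
DNAT         net   lan:192.168.1.231     udp   20
"""

# Service names that may appear in the port column, resolved as /etc/services would.
SERVICE_PORTS = {"ftp": 21, "ftp-data": 20, "ssh": 22, "domain": 53}


def _port(token):
    """Map a port token (number or service name) to an int where possible."""
    token = SERVICE_PORTS.get(token, token)
    return int(token) if str(token).isdigit() else token


def parse_rules(text):
    """Yield (action, source, dest, proto, ports) for each rule that has a port column."""
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()
        fields = line.split()
        if len(fields) < 5:
            continue  # comments, SECTION markers and port-less rules are out of scope
        action, src, dst, proto, dport = fields[:5]
        # "ACCEPT:info" carries a log level; the action is the part before the colon
        yield action.split(":")[0], src, dst, proto.lower(), {_port(p) for p in dport.split(",")}


def lint_rules(text):
    """Return human-readable findings for the FTP/DNAT mistakes discussed in the thread."""
    rules = list(parse_rules(text))
    dnat_ports = {(proto, p) for act, _, _, proto, ports in rules if act == "DNAT" for p in ports}
    findings = []
    for action, src, dst, proto, ports in rules:
        if proto == "udp" and ports & {20, 21}:
            findings.append(f"{action} udp {sorted(ports)}: FTP does not use UDP")
        if action == "DNAT" and 20 in ports:
            findings.append("DNAT of port 20: active-mode data connections originate from the server")
        if action == "ACCEPT" and dst.lstrip("$").lower() == "fw":
            clash = sorted(p for p in ports if (proto, p) in dnat_ports)
            if clash:
                findings.append(f"ACCEPT to fw on {proto} {clash} also DNATed to an internal host")
    return findings
```

Run `lint_rules(open("/etc/shorewall/rules").read())` against a real file to get the same findings for it; on the sample it reports the ACCEPT/DNAT clash on tcp 21, both UDP FTP rules and the port 20 DNAT.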


Re: [CentOS] vsFTP and shorewall

2012-09-27 Thread muiz
Thanks very much, JD.
I studied this FAQ 1a/1b before, but it still failed :(


On 2012-09-27 21:51:32, "John Doe" wrote:
>From: muiz 
>
>>    Sorry to trouble you! I configured the shorewall firewall to forward the ftp 
>> and 
>> ssh ports to another server, but it failed. Can you help me check?
>>    I cannot log in to either SSH or ftp!
>
>http://www.shorewall.net/FAQ.htm#faq1a
>
>JD



Re: [CentOS] vsFTP and shorewall

2012-09-27 Thread John Doe
From: muiz 

>    Sorry to trouble you! I configured the shorewall firewall to forward the ftp 
> and 
> ssh ports to another server, but it failed. Can you help me check?
>    I cannot log in to either SSH or ftp!

http://www.shorewall.net/FAQ.htm#faq1a

JD


Re: [CentOS] vsFTP and shorewall

2012-09-27 Thread Leon Fauster
On 27.09.2012 at 10:58, muiz wrote:

> Dear support and users:
>   Sorry to trouble you! I configured the shorewall firewall to forward the ftp and 
> ssh ports to another server, but it failed. Can you help me check?
>   I cannot log in to either SSH or ftp!
>   Below is my environment (the attachment is the shorewall dump):



What about the shorewall mailing list?

--
LF





[CentOS] vsFTP and shorewall

2012-09-27 Thread muiz
Dear all,

Dear support and users:
   Sorry to trouble you! I configured the shorewall firewall to forward the ftp and 
ssh ports to another server, but it failed. Can you help me check?
   I cannot log in to either SSH or ftp!
   Below is my environment (the attachment is the shorewall dump):


1. Gateway (FC6)
  1.1) eth0:  lan static IP:  192.168.1.20
  1.2) eth1:  external public static IP:  113.89.142.80
  1.3) Shorewall-3.2.8 is running


2. FTP Server: (CentOS 6.3, iptables and selinux are off)
  2.1) eth0:  lan static IP: 192.168.1.231
  2.2) SSH port 22 and FTP ports 20, 21 are already open (tested)
  2.3) vsftp.conf: default settings; it works for internal users


3. I want to forward internet FTP and SSH access to the FTP server:
  3.1)  113.89.142.80:20    ->  192.168.1.231:20   udp  (FTP)
  3.2)  113.89.142.80:21    ->  192.168.1.231:21   tcp  (FTP)
  3.3)  113.89.142.80:      ->  192.168.1.231:22   tcp  (SSH)


4. Shorewall settings:
  4.1 interfaces
  #ZONE   INTERFACE   BROADCAST        OPTIONS
  net     eth1        113.89.142.255   norfc1918,arp_filte
  lan     eth0        detect           arp_filter
  ovpn    tun0        -
  #LAST LINE -- ADD YOUR ENTRIES BEFORE THIS ONE -- DO NOT REMOVE

  4.2 zones
  #ZONE   TYPE       OPTIONS   IN        OUT
  #                            OPTIONS   OPTIONS
  fw      firewall
  net     ipv4
  lan     ipv4
  ovpn    ipv4
  #LAST LINE - ADD YOUR ENTRIES ABOVE THIS ONE - DO NOT REMOVE

  4.3 policy
  #SOURCE   DEST   POLICY   LOG     LIMIT:BURST
  #                         LEVEL
  fw        all    ACCEPT
  lan       net    ACCEPT
  lan       fw     ACCEPT
  lan       ovpn   ACCEPT
  ovpn      lan    ACCEPT
  net       all    DROP
  all       all    REJECT
  #LAST LINE -- DO NOT REMOVE

  4.4 rules
  #SECTION RELATED
  SECTION NEW
  ACCEPT       all   fw                     tcp   ftp          <<< it works for local FTP service (tested)
  ACCEPT       all   fw                     udp   ftp          <<< it works for local FTP service
  ACCEPT       all   fw                     tcp   
  ACCEPT       all   fw                     tcp   ssh,domain
  Ping/ACCEPT  net   fw
  ACCEPT       all   fw                     tcp   5222
  ACCEPT       all   fw                     udp   5222
  ACCEPT:info  all   $FW                    tcp   22
  DNAT         net   lan:192.168.1.231      tcp   21
  DNAT         net   lan:192.168.1.231      udp   20
  DNAT         net   lan:192.168.1.231:22   tcp   
  #LAST LINE -- ADD YOUR ENTRIES BEFORE THIS ONE -- DO NOT REMOVE


  5. # cat /proc/sys/net/ipv4/ip_forward
  1


  6. more /etc/sysconfig/iptables-config
  IPTABLES_MODULES="ip_conntrack_netbios_ns ip_nat_ftp ip_conntrack_ftp"


Chain net_dnat (1 references)
 pkts bytes target  prot opt in  out  source      destination
    3   156 DNAT    tcp  --  *   *    0.0.0.0/0   0.0.0.0/0    tcp dpt:21 to:192.168.1.231
    0     0 DNAT    udp  --  *   *    0.0.0.0/0   0.0.0.0/0    udp dpt:20 to:192.168.1.231
    5   260 DNAT    tcp  --  *   *    0.0.0.0/0   0.0.0.0/0    tcp dpt: to:192.168.1.231:22


Do you know what's wrong?


Thanks and best regards!
Muiz
