Re: [CentOS] vsFTP and shorewall
Thanks very much! I modified the shorewall settings, but still cannot forward those ports. Now I open port 2121 on shorewall and then use "rinetd" to forward the TCP requests:

    Gateway -> 192.168.1.231:22
    Gateway 2121 -> 192.168.1.231:21
    Gateway 6000-6010 -> 192.168.1.231:6000-6010

Both SSH and FTP work. I will upgrade the system to CentOS 6.3 next month.

At 2012-09-30 05:18:34, "Gordon Messmer" wrote:
> On 09/27/2012 01:58 AM, muiz wrote:
> [...]

___
CentOS mailing list
CentOS@centos.org
http://lists.centos.org/mailman/listinfo/centos
Re: [CentOS] vsFTP and shorewall
On 09/27/2012 01:58 AM, muiz wrote:
> 1. Gateway (FC6)
> 1.1) eth0: lan static IP: 192.168.1.20
> 1.2) eth1: external public static IP: 113.89.142.80
> 1.3) Shorewall-3.2.8 is running

This is extremely old, and you are allowing access to SSH and DNS services on the firewall itself. ISC Bind, at least, has security problems that should be patched. I strongly recommend that you upgrade this system.

> 3. I want to forward internet access for FTP and SSH to the FTP Server:
> 3.1) 113.89.142.80:20 -> 192.168.1.231:20 udp (FTP)
> 3.2) 113.89.142.80:21 -> 192.168.1.231:21 tcp (FTP)
> 3.3) 113.89.142.80: -> 192.168.1.231:22 tcp (SSH)

One: FTP doesn't use UDP, regardless of what you see in the services file. You don't need to forward UDP.

Two: Port 20 is used for outbound connections from an active mode FTP server. You don't need to forward port 20 in to your server, ever.

> 4. Shorewall settings:
> 4.1 interfaces
> #ZONE  INTERFACE  BROADCAST       OPTIONS
> net    eth1       113.89.142.255  norfc1918,arp_filter
> lan    eth0       detect          arp_filter
> ovpn   tun0       -
> #LAST LINE -- ADD YOUR ENTRIES BEFORE THIS ONE -- DO NOT REMOVE

Although it doesn't make much difference, you typically don't need to specify your broadcast address.

> 4.4 rules
> #SECTION RELATED
> SECTION NEW
> ACCEPT       all  fw                    tcp  ftp          <<< it works for local FTP service (tested)
> ACCEPT       all  fw                    udp  ftp          <<< it works for local FTP service
> ACCEPT       all  fw                    tcp
> ACCEPT       all  fw                    tcp  ssh,domain
> Ping/ACCEPT  net  fw
> ACCEPT       all  fw                    tcp  5222
> ACCEPT       all  fw                    udp  5222
> ACCEPT:info  all  $FW                   tcp  22
> DNAT         net  lan:192.168.1.231     tcp  21
> DNAT         net  lan:192.168.1.231     udp  20
> DNAT         net  lan:192.168.1.231:22  tcp
> #LAST LINE -- ADD YOUR ENTRIES BEFORE THIS ONE -- DO NOT REMOVE

Your ACCEPT rules are blocking your DNAT rules. They're not needed.

I've never actually seen the Ping/ACCEPT syntax before, so I'm going to assume that entry is correct. It doesn't exist in Shorewall 4+.

Your rules should contain only this (assuming you're actually running an XMPP server on your firewall):

Ping/ACCEPT  net  fw
ACCEPT:info  all  fw                    tcp  22
ACCEPT       all  fw                    tcp  domain
ACCEPT       all  fw                    udp  domain
ACCEPT       all  fw                    tcp  5222
DNAT         net  lan:192.168.1.231     tcp  21
DNAT         net  lan:192.168.1.231:22  tcp
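The three points in Gordon's reply (FTP is TCP only, port 20 must never be forwarded inbound, and an ACCEPT to the firewall on a port that is also DNATed is unreachable from net) can be checked mechanically. The script below is an added example written for this page, not code from the thread or from Shorewall. It assumes the first five columns of a Shorewall `rules` file are ACTION, SOURCE, DEST, PROTO and DEST PORT, and resolves service names with a small table instead of /etc/services. The sample input is constructed from the poster's rules as they survived in the post: the external SSH port was lost there, so 2222 stands in for it as an assumption, and the ACCEPT line whose port column was lost is left out. The rule set Gordon proposed is included too and lints clean.

```python
"""Lint a Shorewall 'rules' file for the problems raised in this thread:
UDP rules for FTP, inbound forwarding of port 20, and ACCEPT-to-firewall
rules that a DNAT on the same port makes unreachable from the net zone."""

# Service names used in the thread; Shorewall resolves them via /etc/services.
SERVICE_PORTS = {"ftp-data": 20, "ftp": 21, "ssh": 22, "domain": 53}

# Constructed sample input: the poster's rules as far as they survived.
# The external SSH port was lost in the post; 2222 is an assumption.
SAMPLE_RULES = """\
#ACTION      SOURCE DEST                 PROTO DPORT
SECTION NEW
ACCEPT       all    fw                   tcp   ftp
ACCEPT       all    fw                   udp   ftp
ACCEPT       all    fw                   tcp   ssh,domain
Ping/ACCEPT  net    fw
ACCEPT       all    fw                   tcp   5222
ACCEPT       all    fw                   udp   5222
ACCEPT:info  all    $FW                  tcp   22
DNAT         net    lan:192.168.1.231    tcp   21
DNAT         net    lan:192.168.1.231    udp   20
DNAT         net    lan:192.168.1.231:22 tcp   2222
"""

# The rule set proposed in the reply above, with the same assumed SSH port.
PROPOSED_RULES = """\
Ping/ACCEPT  net  fw
ACCEPT:info  all  fw                   tcp  22
ACCEPT       all  fw                   tcp  domain
ACCEPT       all  fw                   udp  domain
ACCEPT       all  fw                   tcp  5222
DNAT         net  lan:192.168.1.231    tcp  21
DNAT         net  lan:192.168.1.231:22 tcp  2222
"""


def parse_ports(field):
    """'ssh,domain' -> {22, 53}; '20,21' -> {20, 21}."""
    ports = set()
    for name in field.split(","):
        name = name.strip()
        if name.isdigit():
            ports.add(int(name))
        elif name in SERVICE_PORTS:
            ports.add(SERVICE_PORTS[name])
        else:
            raise ValueError(f"unknown service {name!r}")
    return ports


def parse_rules(text):
    """One dict per rule line; comments and SECTION markers are skipped."""
    rules = []
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.split("#", 1)[0].strip()
        if not line or line.startswith("SECTION"):
            continue
        cols = line.split()
        rules.append({
            "line": lineno,
            "action": cols[0].split(":", 1)[0],   # drop a ':info' log level
            "source": cols[1],
            "dest": cols[2],
            "proto": cols[3].lower() if len(cols) > 3 else None,
            "ports": parse_ports(cols[4]) if len(cols) > 4 else set(),
        })
    return rules


def lint_rules(text):
    """Return a list of human-readable findings, one per problem found."""
    rules = parse_rules(text)
    findings = []
    # (proto, external port) -> line number of the DNAT that claims it
    dnat_ports = {}
    for r in rules:
        if r["action"] == "DNAT" and r["proto"]:
            for p in r["ports"]:
                dnat_ports[(r["proto"], p)] = r["line"]
    for r in rules:
        if r["proto"] == "udp" and r["ports"] & {20, 21}:
            findings.append(f"line {r['line']}: FTP is TCP only; drop the UDP rule")
        if r["action"] == "DNAT" and 20 in r["ports"]:
            findings.append(f"line {r['line']}: port 20 is the server's outbound "
                            "active-mode source port; never forward it inbound")
        if r["action"] == "ACCEPT" and r["dest"].lstrip("$").lower() == "fw":
            for p in sorted(r["ports"]):
                hit = dnat_ports.get((r["proto"], p))
                if hit is not None:
                    findings.append(f"line {r['line']}: ACCEPT to the firewall on "
                                    f"{r['proto']}/{p} is unreachable from net; "
                                    f"line {hit} DNATs that port to a LAN host")
    return findings


if __name__ == "__main__":
    for name, text in (("posted", SAMPLE_RULES), ("proposed", PROPOSED_RULES)):
        found = lint_rules(text)
        print(f"{name}: {len(found)} finding(s)")
        for f in found:
            print("  " + f)
```

Run it on your own file with `lint_rules(open("/etc/shorewall/rules").read())`; the DNAT-shadowing check only looks at the external port, so a DNAT that rewrites the port (as the SSH forward does) does not flag an ACCEPT for the firewall's own port 22.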
Re: [CentOS] vsFTP and shorewall
Thanks very much, JD. I studied this FAQ (1a/1b) before, but it still failed :(

On 2012-09-27 21:51:32, "John Doe" wrote:
> From: muiz
>
>> Sorry to trouble you! I configured the shorewall firewall to forward the ftp and
>> ssh ports to another server, but it failed. Can you help me check?
>> I cannot log in to either SSH or ftp!
>
> http://www.shorewall.net/FAQ.htm#faq1a
>
> JD
Re: [CentOS] vsFTP and shorewall
From: muiz
> Sorry to trouble you! I configured the shorewall firewall to forward the ftp and
> ssh ports to another server, but it failed. Can you help me check?
> I cannot log in to either SSH or ftp!

http://www.shorewall.net/FAQ.htm#faq1a

JD
Re: [CentOS] vsFTP and shorewall
On 27.09.2012 at 10:58, muiz wrote:
> Dear support and users:
> Sorry to trouble you! I configured the shorewall firewall to forward the ftp and
> ssh ports to another server, but it failed. Can you help me check?
> I cannot log in to either SSH or ftp!
> Below is my environment: (attachment is the shorewall dump)

What about the shorewall mailing list?

--
LF
[CentOS] vsFTP and shorewall
Dear all, Dear support and users:

Sorry to trouble you! I configured the shorewall firewall to forward the ftp and ssh ports to another server, but it failed. Can you help me check? I cannot log in to either SSH or ftp! Below is my environment (attachment is the shorewall dump):

1. Gateway (FC6)
1.1) eth0: lan static IP: 192.168.1.20
1.2) eth1: external public static IP: 113.89.142.80
1.3) Shorewall-3.2.8 is running

2. FTP Server: (CentOS 6.3, iptables and selinux are off)
2.1) eth0: lan static IP: 192.168.1.231
2.2) SSH port 22 and FTP ports 20, 21 are already open (tested)
2.3) vsftp.conf: default settings, and it works for internal users

3. I want to forward internet access for FTP and SSH to the FTP Server:
3.1) 113.89.142.80:20 -> 192.168.1.231:20 udp (FTP)
3.2) 113.89.142.80:21 -> 192.168.1.231:21 tcp (FTP)
3.3) 113.89.142.80: -> 192.168.1.231:22 tcp (SSH)

4. Shorewall settings:

4.1 interfaces
#ZONE  INTERFACE  BROADCAST       OPTIONS
net    eth1       113.89.142.255  norfc1918,arp_filter
lan    eth0       detect          arp_filter
ovpn   tun0       -
#LAST LINE -- ADD YOUR ENTRIES BEFORE THIS ONE -- DO NOT REMOVE

4.2 zones
#ZONE  TYPE      OPTIONS  IN OPTIONS  OUT OPTIONS
fw     firewall
net    ipv4
lan    ipv4
ovpn   ipv4
#LAST LINE - ADD YOUR ENTRIES ABOVE THIS ONE - DO NOT REMOVE

4.3 policy
#SOURCE  DEST  POLICY  LOG LEVEL  LIMIT:BURST
fw       all   ACCEPT
lan      net   ACCEPT
lan      fw    ACCEPT
lan      ovpn  ACCEPT
ovpn     lan   ACCEPT
net      all   DROP
all      all   REJECT
#LAST LINE -- DO NOT REMOVE

4.4 rules
#SECTION RELATED
SECTION NEW
ACCEPT       all  fw                    tcp  ftp          <<< it works for local FTP service (tested)
ACCEPT       all  fw                    udp  ftp          <<< it works for local FTP service
ACCEPT       all  fw                    tcp
ACCEPT       all  fw                    tcp  ssh,domain
Ping/ACCEPT  net  fw
ACCEPT       all  fw                    tcp  5222
ACCEPT       all  fw                    udp  5222
ACCEPT:info  all  $FW                   tcp  22
DNAT         net  lan:192.168.1.231     tcp  21
DNAT         net  lan:192.168.1.231     udp  20
DNAT         net  lan:192.168.1.231:22  tcp
#LAST LINE -- ADD YOUR ENTRIES BEFORE THIS ONE -- DO NOT REMOVE

5. # cat /proc/sys/net/ipv4/ip_forward
1

6. more /etc/sysconfig/iptables-config
IPTABLES_MODULES="ip_conntrack_netbios_ns ip_nat_ftp ip_conntrack_ftp"

Chain net_dnat (1 references)
 pkts bytes target  prot opt in  out  source     destination
    3   156 DNAT    tcp  --  *   *    0.0.0.0/0  0.0.0.0/0    tcp dpt:21 to:192.168.1.231
    0     0 DNAT    udp  --  *   *    0.0.0.0/0  0.0.0.0/0    udp dpt:20 to:192.168.1.231
    5   260 DNAT    tcp  --  *   *    0.0.0.0/0  0.0.0.0/0    tcp dpt: to:192.168.1.231:22

Do you know what's wrong?

Thanks and best regards!
Muiz