October 12, 2008 05:56am pdt

My Account

Top 15 Experts

Overall Top Experts

1ahoffmann 187,026
2ravenpl 106,402
3jlevie 95,810
4kblack05 65,801
5Redimido 58,376
6noci 46,213
7shakoush... 41,887
8Blaz 41,333
9xDamox 32,605
10omarfarid 32,079
11wesly_c... 31,085
12Nopius 30,150
13decoleur 28,923
14XoF 28,530
15Tintin 24,955

	[x] Attachment Details

How to route FTP via DMZ with iptables?

[x]

The Solution Rating System

With so many solutions, how can you tell which solutions are most likely to help you and which ones are not? To provide you with a tool to use, we rate our solutions based on various elements that most accurately determine if a solution is a quality solution. To explain what factors affect the solution rating, here are the elements we take into consideration when formulating our solution rating.

The Grade of the Solution
The Zone Rank of the Expert Providing the Solution
The Number of Author and Expert Comments
The Number of Experts Contributing
The Feedback of the Community

Your Input Matters
Because of the way the system is set up, the most important variable in this equation is you. As a member of Experts Exchange, you are able to cast your vote on the quality of the solutions in regard to how complete, accurate, helpful and easy to understand each solution is. When you provide your feedback, each rating is adjusted accordingly. So, if you see a solution that has a poor rating that you think is a good solution, let us know by rating it. As you do, the rating will be adjusted and will become more accurate for other members of our site.

If you have any suggestions that you would like to make for our rating system, please ask a question in the Suggestions Zone of Community Support.

Thank you!

4.8

Zones: Linux Network Security, Linux Networking, Network Software Firewalls

Tags: Linux, iptables and vsftp, kernel 2.6, DMZ routing passive FTP

My Linux firewall has 3 interfaces eth0 to Internet, eth1 to local LAN (192.168.1.0/24) and eth2 to DMZ (192.168.2.0/24)
In the DMZ area I have a FTP server (192.168.2.253). The FTP server in the DMZ and the Linux Firewall (192.168.1.254) has iptables enabled.

FTP is working from the local network (192.168.1.0/24) to the FTP server in DMZ.
I added these lines to iptables on the firewall (192.168.1.254)

# Network 1 forwarded outgoing client request to network 2 (DMZ 1)
iptables -A FORWARD -i eth1 -p tcp -s 192.168.1.0/24 -d 192.168.2.0/24 -m state --state NEW,ESTABLISHED -j ACCEPT
iptables -A FORWARD -o eth1 -p tcp -s 192.168.2.0/24 -d 192.168.1.0/24 -m state --state ESTABLISHED,RELATED -j ACCEPT

The FTP server in the DMZ is accepting all incoming requests, active and passive

But connection from the Internet fails just after a successful logon.

I addes these lines to iptables on the firewall (192.168.1.254)

# Network 1 FTP forwarded incoming client request
iptables -t nat -A PREROUTING -i eth0 -p tcp -s 0/0 --sport 1024:65535 -d 192.168.254.2 --dport 21 -j DNAT --to 192.168.2.253
iptables -A network2_in -p tcp -s 0/0 --sport 1024:65535 -d 192.168.2.253 --dport 21 -m state --state NEW,ESTABLISHED -j ACCEPT
iptables -A network2_out -p tcp -s 192.168.2.253 --sport 21 -d 0/0 --dport 1024:65535 -m state --state ESTABLISHED -j ACCEPT
iptables -A network2_in -p tcp -s 0/0 --sport 1024:65535 -d 192.168.2.253 --dport 1024:65535 -m state --state ESTABLISHED,RELATED -j ACCEPT
iptables -A network2_out -p tcp -s 192.168.2.253 --sport 1024:65535 -d 0/0 --dport 1024:65535 -m state --state ESTABLISHED -j ACCEPT

This is what happened when connection to the FTP server in DMZ over the Internet:

H:\>ftp ftp.xxxxx.eu
Verbonden met ftp.xxxxx.eu.
220 Armada Linux FTP server ready
Gebruiker (ftp.xxxxx.eu:(none)): xxxxx
331 Please specify the password.
Wachtwoord:
230 Login successful.
ftp> ls
500 Illegal PORT command.
425 Use PORT or PASV first.
ftp> quote PASV
227 Entering Passive Mode (192,168,254,2,243,17)
ftp> ls
425 Failed to establish connection.
ftp>

The logon is successful but ftp-data exchange fails.

my vsftp.conf file:

# /etc/vsftpd.conf: OpenNA, Inc. (last updated 2007 Jan 09)
#
# LOCAL USERS FTP ACCESS CONFIGURATION BEGING HERE
# ------------------------------------------------
# Please, remove all configurations below, if you don't want to provide
# local users FTP access on your server.

anonymous_enable=NO
local_enable=YES
write_enable=YES
local_umask=002
max_clients=100
max_per_ip=10
listen=YES
xferlog_enable=YES
connect_from_port_20=YES
one_process_model=NO
use_localtime=YES
nopriv_user=ftp
ftpd_banner=Armada Linux FTP server ready
chroot_local_user=YES
pasv_enable=YES
pasv_min_port=1024
pasv_max_port=65535
log_ftp_protocol=YES

Could you shine a light on this?

Bob

	#	Title
	1	iptables ftpd
	2	IPTables, DNAT, SSH forwarding - …
	3	iptables routing troubles
	4	IPTables
	5	impossible to forward port 8080 an…
	6	Simple iptables ruleset with port 80 fo…