necrodancer

asked on

Port Forwarding

I've been researching over the net on how to do this with no results. Every time I thought I'd figured it out, it didn't work. So now I've come to my last straw of asking my question here.

I'm currently running a Linux RH6.1 Kernel 2.2.12. I can ping my internal eth1 of 192.168.10.100 and I can ping my external eth0 of w.x.y.z. I can also ping my FTP server of 192.168.10.200. My problem is I need to keep the FTP server on the internal side of the firewall, and I'm unable to access the FTP server via port 21. I am aware that the FTP server also has port 20, so just in case I made that routable too. I even relaxed my firewall rules just to make sure, and lowered it all to just the basic IP Masq'ing.

Is there anyone out there who can point me to a how-to, or something else that might work? I've tried the IP-CHAINS and IP-MASQ HOW-TOs with no luck. I've only noted that for a 2.0 Kernel I need a patch, which the Howto mentions, on an FTP server for Fred Viles, but it never mentions where the FTP server is, and that's only for a 2.0 Kernel.

Someone please help me in this bind. I greatly appreciate all help. Thank you.
dcavanaugh

When you say you are unable to access the FTP server, I assume that means you are unable to access it from the RH6 box, not the Internet in general.

Please post the output of the ifconfig and route -n commands.  

Assuming we don't have a routing problem (your ping experience tends to confirm routing as OK), I would make sure you are loading the ftp IP masquerade module.  Try adding this line to your /etc/rc.local file:

/usr/bin/find /lib/modules/*/ipv4/*masq* -exec /sbin/insmod \{} \;  

This attacks the problem of masquerade modules via the shotgun method; it just loads 'em all. It might help to confirm that you have ip_masq_ftp.o in the ./ipv4 directory where your modules are located.

ASKER

Actually I can ftp internally, but I cannot ftp externally. To explain the situation better: I want people to ftp to address w.x.y.z port 21 (which is my firewall) and be automagically forwarded to a machine on my internal network which is actually hosting the FTP server at IP 192.168.10.200 port 21. I hope this explains better. Though if you need to reach me further I would appreciate it if you contact me via email at neo.phyte@home.com. Thank you in advance.

I can't think of any good ways to make this work with ipchains. For a moment, I thought you could set up a "reverse-masquerade" situation, but it's the ftp login that takes place on 20/21; the actual transfer is on a randomly-allocated port.

From a security point of view, I'm not all that thrilled with the concept of masquerading an arbitrary IP address on an internal network; it sounds like trouble.

How about setting up the ftp server on the Linux box, and using Samba to mount the directories that your internal ftp server is trying to make available?

If you don't have it, get the package ipmasqadm and install it, then type this line. It will need to be executed each time the PC reboots, so you can put it in your rc.local file:

/usr/sbin/ipmasqadm autofw -A -r tcp 20 21 -h 192.168.10.200

You may need to recompile your kernel. The man page for ipmasqadm indicates you need the following modules compiled in:

       CONFIG_EXPERIMENTAL=y
       CONFIG_IP_MASQUERADE=y
       CONFIG_IP_MASQUERADE_MOD=y
       and
       CONFIG_IP_MASQUERADE_IPAUTOFW=y/m
       CONFIG_IP_MASQUERADE_IPPORTFW=y/m
       CONFIG_IP_MASQUERADE_MFW=y/m

I still say it's easier to just have the Linux box act as an FTP server of the same files, but the ipmasqadm concept is worth a try.
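
Added example (not part of any post above, and not code from ipmasqadm or the kernel): the FTP control channel announces the data endpoint inside PORT commands and 227 replies (RFC 959), which is why a static forward of ports 20 and 21 does not cover the transfer. The sketch below parses a constructed transcript, lists the data endpoints such a forward would miss, and shows the address rewrite a translating device would have to apply; 203.0.113.10 is an assumed placeholder for w.x.y.z, and the function names are hypothetical.

```python
import re

# 192.168.10.200 is the internal server from the thread; 203.0.113.10 is an
# assumed documentation-range placeholder for the firewall's external w.x.y.z.
INTERNAL = "192.168.10.200"
EXTERNAL = "203.0.113.10"
_HOSTPORT = re.compile(r"\d{1,3}(?:,\d{1,3}){5}")

def parse_hostport(line):
    """Return (ip, port) carried by a PORT command or a 227 reply, else None."""
    if not (line.startswith("227 ") or line.upper().startswith("PORT ")):
        return None
    m = _HOSTPORT.search(line)
    if not m:
        return None
    nums = [int(n) for n in m.group(0).split(",")]
    if any(n > 255 for n in nums):
        return None
    # h1,h2,h3,h4 are the address octets; the port is p1*256 + p2
    return ".".join(map(str, nums[:4])), nums[4] * 256 + nums[5]

def audit(lines, forwarded_ports=(20, 21)):
    """Data endpoints announced on the control channel that a static
    forward of forwarded_ports does not cover."""
    found = [parse_hostport(line) for line in lines]
    return [hp for hp in found if hp and hp[1] not in forwarded_ports]

def rewrite_for_nat(line, internal=INTERNAL, external=EXTERNAL):
    """Swap the internal address for the external one in a PORT/227 line;
    anything else passes through unchanged."""
    parsed = parse_hostport(line)
    if parsed is None or parsed[0] != internal:
        return line
    port = parsed[1]
    new = ",".join(external.split(".") + [str(port // 256), str(port % 256)])
    return _HOSTPORT.sub(new, line, count=1)

# Constructed control-channel replies, as an outside client would receive them.
SAMPLE = [
    "220 FTP server ready.",
    "230 User logged in.",
    "227 Entering Passive Mode (192,168,10,200,19,137)",
]

if __name__ == "__main__":
    print(audit(SAMPLE))
    print(rewrite_for_nat(SAMPLE[-1]))
```

Without the rewrite, the outside client is told to connect to a private address it cannot reach, on a port the forward never opened.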
ASKER CERTIFIED SOLUTION
C_Echo