topic Re: iptables question in Operating System - Linux

iptables question

Marco_113 — Mon, 08 May 2006 05:19:57 GMT

Hi all
I've a linux box with only one NIC.
Say that linu box public IP is x.x.x.120.

Now i need to forward the ftp traffic to the public IP to an internal IP of another server.

The linux box is not connected directly to the LAN of the internal server, but with another firewall.

Is possible to NAT to the internal server without direct connection to the internal LAN??
Thanks

Re: iptables question

Marius Pana_1 — Mon, 08 May 2006 06:49:29 GMT

It all depends on the other server. I assume the other server also has a "public" IP so you should be able to forward to that IP. You can then do (D)NAT on that server to the box inside the LAN.

Re: iptables question

Marco_113 — Mon, 08 May 2006 08:14:12 GMT

No the server ftp is on an internal network.
The linux box is connected to the internal LAN with a firewall.

The problem is that i cannot route on the same nic!!

Does anyone know if ther's a software (squid like) to configure ftp reverse proxy??

Re: iptables question

Ivan Ferreira — Mon, 08 May 2006 08:38:22 GMT

Probably, you can do this with an IP tunnel. There are different options to do this, including openvpn and ssh tunnel. The tunnel should cross the firewall connection, and maybe this is not desirable. Ftp is a multiport protocol and this is the major problem.

Re: iptables question

Bill Thorsteinson — Mon, 08 May 2006 12:35:22 GMT

There is an FTP helper module for connection
tracking. Routeback out the same interface
is possbile but needs to enabled.

Look at the documentation for shorewall.
It may contain an example close enough
to what you want to do, although it
is complicated by the additional firewall.

You may be better to mirror the FTP content
on the frontend server. This can be done
with rsync over ssh.

Re: iptables question

Manuel Wolfshant — Mon, 08 May 2006 18:43:37 GMT

You can do that.

First of all, as it has already been pointed out, you must make sure the ip_conntrack_ftp module is loaded.
Second, you need in the firewall a rule similar to
iptables -A FORWARD -p tcp -m state --state ESTABLISHED,RELATED,NEW -j ACCEPT.
This rule would trigger on the data channel (ftp uses two channels, a command channel on port 21 and a data channel which can either be on port 20 or a dynamically negociated high port, depending on the type - active or passive - of the ftp connection)
You will also need the following rule:
iptables -A PREROUTING -t nat -d x.x.x.120 --dport 21 -j DNAT --to IP_of_real_server

You also must make sure that
- the routing part is 100% OK. That is, packets sent via the NIC do go to the real server, via the firewall. Yes, you can do that with only one NIC but please read the security comment from the end of my reply
- the second firewall will allow this packets to pass thru
- the replies from the real server will not go directly to the clients which started the ftp session, but via the x.x.x.120 linux box. The reason is that a) the clients expect replies to come from the server they have sent the request to (that is x.x.x.120). Packets coming from any other IP will be discarded by the clients and b) the connection tracking module of the linux box will take care of modifying the source IP in the reply packets, so as to make the clients believe they are talking only with the linux box.

Security comment: since you are using the external/public interface for packets going to an internal server, you actually make public part of your internal traffic. This is something you definitely should NOT do. From a security point of view, correct approaches are
- either add a second NIC and connect that one to the second firewall or
- create a tunnel between the servers and encrypt all communication between them.