
iptables question

Marco_113
Frequent Advisor

iptables question

Hi all
I've a Linux box with only one NIC.
Say that the Linux box's public IP is x.x.x.120.

Now I need to forward the FTP traffic to the public IP to an internal IP of another server.

The Linux box is not connected directly to the LAN of the internal server, but through another firewall.

Is it possible to NAT to the internal server without a direct connection to the internal LAN?
Thanks
Marius Pana_1
Regular Advisor

Re: iptables question

It all depends on the other server. I assume the other server also has a "public" IP so you should be able to forward to that IP. You can then do (D)NAT on that server to the box inside the LAN.

"The Linux philosophy is 'Laugh in the face of danger'. Oops. Wrong One. 'Do it yourself'. Yes, that's it." --Linus Torvalds
Marco_113
Frequent Advisor

Re: iptables question

No, the FTP server is on an internal network.
The Linux box is connected to the internal LAN through a firewall.

The problem is that I cannot route on the same NIC!

Does anyone know if there's a software (Squid-like) to configure an FTP reverse proxy?


Ivan Ferreira
Honored Contributor

Re: iptables question

Probably you can do this with an IP tunnel. There are different options to do this, including OpenVPN and an SSH tunnel. The tunnel should cross the firewall connection, and maybe this is not desirable. FTP is a multiport protocol, and this is the major problem.

Por que hacerlo dificil si es posible hacerlo facil? - Why do it the hard way, when you can do it the easy way?
Bill Thorsteinson
Honored Contributor

Re: iptables question

There is an FTP helper module for connection tracking. Route-back out the same interface is possible but needs to be enabled.

Look at the documentation for Shorewall. It may contain an example close enough to what you want to do, although it is complicated by the additional firewall.

You may be better off mirroring the FTP content on the frontend server. This can be done with rsync over SSH.
Manuel Wolfshant
Trusted Contributor

Re: iptables question

You can do that.

First of all, as has already been pointed out, you must make sure the ip_conntrack_ftp module is loaded.
Second, you need in the firewall a rule similar to
iptables -A FORWARD -p tcp -m state --state ESTABLISHED,RELATED,NEW -j ACCEPT
This rule would trigger on the data channel (FTP uses two channels: a command channel on port 21 and a data channel which can be either on port 20 or a dynamically negotiated high port, depending on the type, active or passive, of the FTP connection).
You will also need the following rule:
iptables -A PREROUTING -t nat -p tcp -d x.x.x.120 --dport 21 -j DNAT --to IP_of_real_server

You also must make sure that
- the routing part is 100% OK. That is, packets sent via the NIC do go to the real server, via the firewall. Yes, you can do that with only one NIC, but please read the security comment at the end of my reply
- the second firewall will allow these packets to pass through
- the replies from the real server will not go directly to the clients which started the FTP session, but via the x.x.x.120 Linux box. The reason is that a) the clients expect replies to come from the server they sent the request to (that is, x.x.x.120); packets coming from any other IP will be discarded by the clients, and b) the connection tracking module of the Linux box will take care of modifying the source IP in the reply packets, so as to make the clients believe they are talking only with the Linux box.

Security comment: since you are using the external/public interface for packets going to an internal server, you actually make public part of your internal traffic. This is something you definitely should NOT do. From a security point of view, correct approaches are
- either add a second NIC and connect that one to the second firewall or
- create a tunnel between the servers and encrypt all communication between them.
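As an added illustration (this is not code from the thread or from any of the posters), the script below builds a complete iptables-restore ruleset for the single-NIC setup described in the reply above: the FTP helper, the DNAT of the control channel, the route-back FORWARD rules, and the SNAT that forces the real server's replies back through the Linux box. All addresses and the interface name are placeholders passed as arguments; on current kernels the helper module is named nf_conntrack_ftp (ip_conntrack_ftp in the 2.4/2.6 era), and since kernel 4.7 the helper has to be assigned explicitly with a CT rule because automatic helper assignment is off by default.

```shell
#!/bin/sh
# Added example, not from the thread. Emits an iptables-restore ruleset for
# the single-NIC FTP DNAT described in the reply. Placeholders: pub_ip is the
# Linux box's public IP (x.x.x.120 in the thread), real_ip the internal FTP
# server, nic the only interface.
#
# Prerequisites on the Linux box (not part of the generated ruleset):
#   modprobe nf_conntrack_ftp nf_nat_ftp   # ip_conntrack_ftp on 2.4/2.6 kernels
#   sysctl -w net.ipv4.ip_forward=1
#   ip route add <real_ip>/32 via <second firewall IP> dev <nic>
ftp_dnat_ruleset() {
    pub_ip="$1"
    real_ip="$2"
    nic="$3"
    cat <<EOF
*raw
# Kernels >= 4.7 no longer attach helpers automatically; assign FTP explicitly
# so the data channel (port 20 or a negotiated high port) becomes RELATED.
-A PREROUTING -i ${nic} -p tcp -d ${pub_ip} --dport 21 -j CT --helper ftp
COMMIT
*nat
# Control channel: rewrite the public destination to the internal server.
-A PREROUTING -i ${nic} -p tcp -d ${pub_ip} --dport 21 -j DNAT --to-destination ${real_ip}
# Hairpin: source-NAT everything going to the real server so its replies come
# back through this box instead of straight to the client (which would drop
# packets from an unexpected IP). Expected data connections inherit both NATs.
-A POSTROUTING -o ${nic} -d ${real_ip} -j SNAT --to-source ${pub_ip}
COMMIT
*filter
:FORWARD DROP [0:0]
# RELATED covers the helper-expected data channel; only NEW to port 21 is
# admitted on the route-back path (in and out on the same interface).
-A FORWARD -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
-A FORWARD -i ${nic} -o ${nic} -p tcp -d ${real_ip} --dport 21 -m conntrack --ctstate NEW -j ACCEPT
COMMIT
EOF
}

# Usage: ftp_dnat_ruleset 203.0.113.120 10.0.0.5 eth0 | iptables-restore
if [ "$#" -eq 3 ]; then
    ftp_dnat_ruleset "$@"
fi
```

Because the FORWARD policy is DROP, anything not matched by the two ACCEPT rules, including any other service on the real server, stays unreachable from the public side; the security comment about a second NIC or a tunnel still applies, since the forwarded traffic leaves on the public interface.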