NAT FTP (was: Iptables and ipsec)
Steve Moro
steve.moro@home.com
Sun, 30 Jul 2000 17:48:59 -0400
Client (Windows/Unix)
|
|
Internet
|
|
Firewall (Linux IPTABLES)
|
|
FTP Server (Win2000)
What I want to have happen is secure FTP, so I want the client to create an
IPSEC tunnel via the internet through the firewall to the ftp server. (Is
this possible and if YES how do I do that, if it is not too much to ask?)
I hope I have clarified things for you now. If I am doing something wrong
or if I am approaching this in a wrong way please let me know.
Thanks
Steve
> -----Original Message-----
> From: Richard Guy Briggs [mailto:rgb@conscoop.ottawa.on.ca]
> Sent: Sunday, July 30, 2000 9:49 AM
> To: Steve Moro
> Cc: Andre' Breiler; Multiple recipients of list NETFILTER
> Subject: Re: NAT FTP (was: Iptables and ipsec)
>
>
> On Sat, Jul 29, 2000 at 10:38:43PM -0400, Steve Moro wrote:
> > This is the configuration I am playing with:
> > 1) Linux IPTABLES firewall connected to internet and DMZ
> > 2) Windows 2000 machine in the DMZ running FTP
> >
> > What I want the external clients to do is create an IPSEC VPN tunnel to the
> > FTP machine in the DMZ and transfer securely to this machine. (Therefore I
> > need to NAT the FTP traffic to the DMZ machine and also the IPSEC packets.)
> >
> > Is there a better way of doing this? If there is I would greatly appreciate
> > any feedback.
>
> It is not clear what you want. IPSEC and NAT are fundamentally at
> odds with each other. It sounds as though you are confusing the term
> 'DMZ', which is the area *outside* a firewall. Please draw us your
> topology.
>
> > Steve
> >
> > > -----Original Message-----
> > > From: netfilter-admin@samba.org [mailto:netfilter-admin@samba.org]On
> > > Behalf Of Andre' Breiler
> > > Sent: Saturday, July 29, 2000 5:05 PM
> > > To: Steve Moro
> > > Cc: Multiple recipients of list NETFILTER
> > > Subject: NAT FTP (was: Iptables and ipsec)
> > >
> > >
> > > On Sat, 29 Jul 2000, Steve Moro wrote:
> > >
> > > > What are the rules so I can NAT FTP..
> > > >
> > > > iptables -A INPUT -i $EXT_IF -p tcp -d $EXT_IP --dport 21 -j ACCEPT
> > > > iptables -A OUTPUT -o $EXT_IF -p tcp -d $EXT_IP --sport 20 -j ACCEPT
> > > > iptables -A PREROUTING -t nat -p tcp -d $EXT_IP --dport 21 \
> > > > -j DNAT --to 172.16.0.1:21
> > >
> > > Looks strange to me.
> > > What's your intention behind this ?
> > > Would you forward FTP access from external clients to your internal FTP
> > > server?
> > > If I'm right try this:
> > > iptables -A FORWARD -i $EXT_IF -o $INT_IF -p tcp -d $INT_IP --dport 21 \
> > > -j ACCEPT
> > > iptables -A FORWARD -i $INT_IF -o $EXT_IF -p tcp -s $INT_IP --sport 21 \
> > > -j ACCEPT
> > > iptables -A PREROUTING -t nat -p tcp -d $EXT_IP -i $EXT_IF --dport 21 \
> > > -j DNAT --to 172.16.0.1
> > >
> > > now the data path (active ftp)
> > > iptables -A FORWARD -i $EXT_IF -o $INT_IF -p tcp -d $INT_IP --dport 20 \
> > > -j ACCEPT
> > > iptables -A FORWARD -o $EXT_IF -i $INT_IF -p tcp -s $INT_IP --sport 20 \
> > > -j ACCEPT
> > >
> > > passive ftp
> > > iptables -A FORWARD -i $EXT_IF -o $INT_IF -p tcp -d $INT_IP \
> > > --dport 1024:65535 --sport 1024:65535 -j ACCEPT
> > > iptables -A FORWARD -o $EXT_IF -i $INT_IF -p tcp -s $INT_IP \
> > > --dport 1024:65535 --sport 1024:65535 -j ACCEPT
> > >
> > > You have to load module ip_conntrack_ftp.
> > > NOTE: You should use "-m state ESTABLISHED,RELATED ..." because the above
> > > is more a joke than secure (but it should work).
> > >
> > > Bye Andre'
>
> slainte mhath, RGB
> --
> Richard Guy Briggs -- PGP key available        Auto-Free Ottawa! Canada
> <www.conscoop.ottawa.on.ca/rgb/>               <www.flora.org/afo/>
> Prevent Internet Wiretapping! -- FreeS/WAN:<www.freeswan.org>
> Thanks for voting Green! -- <green.ca>         Marillion:<www.marillion.co.uk>
>
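Added example, not part of the thread: the conntrack-based form of Andre's ruleset that his NOTE recommends. It keeps his DNAT of port 21 to the DMZ host, accepts only NEW connections to port 21 explicitly, and admits the active-mode (port 20) and passive-mode data connections through `--state ESTABLISHED,RELATED` instead of the static 1024:65535 hole. The variable names EXT_IF, INT_IF, EXT_IP and INT_IP follow the thread; their default values are constructed placeholders. The FTP helper module is assumed to be nf_conntrack_ftp (with nf_nat_ftp for the NAT side), which is the current name of the ip_conntrack_ftp module the thread mentions. DRY_RUN defaults to 1 so the script prints the commands it would run rather than loading rules; set DRY_RUN=0 and run as root to apply them.

```shell
#!/bin/sh
# Added example: conntrack-aware NAT FTP ruleset (not code from the thread).
# Defaults below are constructed placeholders; override them in the environment.
EXT_IF="${EXT_IF:-eth0}"
INT_IF="${INT_IF:-eth1}"
EXT_IP="${EXT_IP:-203.0.113.10}"   # constructed public address (TEST-NET-3)
INT_IP="${INT_IP:-172.16.0.1}"     # the DMZ FTP host from the thread
DRY_RUN="${DRY_RUN:-1}"

# Print the command in dry-run mode, execute it otherwise.
run() {
    if [ "$DRY_RUN" = 1 ]; then
        echo "$*"
    else
        "$@"
    fi
}

ftp_dnat_rules() {
    # The FTP helper parses PORT/PASV on the control channel so the data
    # connection is classified RELATED; module names assumed for modern kernels
    # (the thread's ip_conntrack_ftp is the 2.4-era name).
    run modprobe nf_conntrack_ftp
    run modprobe nf_nat_ftp

    # Control channel: rewrite the public address to the DMZ host.
    run iptables -t nat -A PREROUTING -i "$EXT_IF" -p tcp -d "$EXT_IP" --dport 21 \
        -j DNAT --to-destination "$INT_IP":21

    # Only brand-new connections to port 21 are accepted explicitly.
    run iptables -A FORWARD -i "$EXT_IF" -o "$INT_IF" -p tcp -d "$INT_IP" --dport 21 \
        -m state --state NEW -j ACCEPT

    # Replies, active-mode port-20 data and passive-mode data are admitted only
    # when conntrack already knows the flow; no static high-port range needed.
    run iptables -A FORWARD -i "$EXT_IF" -o "$INT_IF" \
        -m state --state ESTABLISHED,RELATED -j ACCEPT
    run iptables -A FORWARD -i "$INT_IF" -o "$EXT_IF" \
        -m state --state ESTABLISHED,RELATED -j ACCEPT

    # Default deny for anything the rules above did not match.
    run iptables -P FORWARD DROP
}

# Number of emitted rules that open a static 1024:65535 hole; should be zero.
count_static_holes() {
    ftp_dnat_rules | grep -c '1024:65535' || true
}

ftp_dnat_rules
```

The helper-driven RELATED match is the only piece that changes between active and passive mode; the firewall no longer needs to know which mode the client chose, and it cannot be reached on the high ports by anything that is not tied to a tracked FTP control session.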