NAT FTP (was: Iptables and ipsec)

Richard Guy Briggs rgb@conscoop.ottawa.on.ca
Sun, 30 Jul 2000 23:20:39 -0400



On Sun, Jul 30, 2000 at 05:48:59PM -0400, Steve Moro wrote:
> Client  (Windows/Unix)
>   |
>   |
> Internet
>   |
>   |
> Firewall (Linux IPTABLES)
>   |
>   |
> FTP Server (Win2000)
>
> What I want to have happen is secure FTP so I want the client to create an
> ISPEC tunnel via the internet through the firewall to the ftp server. (Is
> this possible and if YES how do I do that if it is not to much to ask?)

Is the address of the FTP server routable or non-routable?  This
matters if you want a tunnel from the Client directly to the FTP
server.

If your FTP server is a routable address, then it is quite
straightforward.  You simply permit bidirectional FORWARD connections
on protocol UDP(17)/500, ESP(50) and AH(51) from anywhere (or only
your Client) to your FTP server.

NAT will break an IPSEC tunnel.  If your FTP server is a
non-routable address then you cannot set up a connection directly to
your FTP server, but must set up an IPSEC tunnel to your Firewall
(which must be running IPSEC in this case) and set up the server end
of the tunnel to talk to the degenerate subnet of the FTP server host.
This implies that you trust your Firewall and your network behind it
with your FTP server traffic contents.
In this case, you would permit bidirectional connections on protocol
UDP(17)/500, ESP(50) and AH(51) from anywhere (or your Client only) to
the Firewall on the external I/F, then permit connections from
anywhere to your FTP server on port 21 after you have done DNAT to the
packet to mangle it only on the internal I/F.  (This explanation
probably seems ipfwadm-centric because that is mostly what I have used
so far, but I am starting to familiarise myself with NetFilter to make
FreeS/WAN a loadable module of NetFilter.)

Even if your FTP server is using a routable address, you may want to
filter traffic going directly to it using the firewall, which may mean
setting up an IPSEC tunnel from the FTP client to the firewall and
another from the firewall to the FTP server.

Depending on which IPSEC implementation you use on the firewall, you
may need other rules to allow IPSEC traffic on ipsec virtual I/Fs.

> I hope I have clarified things for you now.. If I am doing something wrong
> or if I am approaching this in a wrong way please let me know.

I hope you have clarified things for yourself now... since you are the
one who has to administer this...

> Steve

> > -----Original Message-----
> > From: Richard Guy Briggs [mailto:rgb@conscoop.ottawa.on.ca]
> > Sent: Sunday, July 30, 2000 9:49 AM
> > To: Steve Moro
> > Cc: Andre' Breiler; Multiple recipients of list NETFILTER
> > Subject: Re: NAT FTP (was: Iptables and ipsec)
> >
> >
> > On Sat, Jul 29, 2000 at 10:38:43PM -0400, Steve Moro wrote:
> > > This is the configuration I am playing with:
> > > 1) Linux IPTABLES firewall connected to internet and DMZ
> > > 2) Windows 2000 machine in the DMZ running FTP
> > >
> > > What I want the external clients to do is create an IPSEC VPN tunnel to the
> > > FTP machine in the DMZ and transfer securely to this machine. (Therefore I
> > > need to NAT the FTP traffic to the DMZ machine and also the IPSEC packets.)
> > >
> > > Is there a better way of doing this? If there is I would greatly appreciate
> > > any feedback.
> >
> > It is not clear what you want.  IPSEC and NAT are fundamentally at
> > odds with each other.  It sounds as though you are confusing the term
> > 'DMZ', which is the area *outside* a firewall.  Please draw us your
> > topology.
> >
> > > Steve
> > >
> > > > -----Original Message-----
> > > > From: netfilter-admin@samba.org [mailto:netfilter-admin@samba.org]On
> > > > Behalf Of Andre' Breiler
> > > > Sent: Saturday, July 29, 2000 5:05 PM
> > > > To: Steve Moro
> > > > Cc: Multiple recipients of list NETFILTER
> > > > Subject: NAT FTP (was: Iptables and ipsec)
> > > >
> > > >
> > > > On Sat, 29 Jul 2000, Steve Moro wrote:
> > > >
> > > > > What are the rules so I can NAT FTP..
> > > > >
> > > > > iptables -A INPUT -i $EXT_IF -p tcp -d $EXT_IP --dport 21 -j ACCEPT
> > > > > iptables -A OUTPUT -o $EXT_IF -p tcp -d $EXT_IP --sport 20 -j ACCEPT
> > > > > iptables -A PREROUTING -t nat -p tcp -d $EXT_IP --dport 21 \
> > > > >    -j DNAT --to 172.16.0.1:21
> > > >
> > > > Looks strange to me.
> > > > What's your intention behind this ?
> > > > Would you forward FTP access from external clients to your internal FTP
> > > > server ?
> > > > If I'm right try this:
> > > > iptables -A FORWARD -i $EXT_IF -o $INT_IF -p tcp -d $INT_IP --dport 21 \
> > > > 	-j ACCEPT
> > > > iptables -A FORWARD -i $INT_IF -o $EXT_IF -p tcp -s $INT_IP --sport 21 \
> > > > 	-j ACCEPT
> > > > iptables -A PREROUTING -t nat -p tcp -d $EXT_IP -i $EXT_IF --dport 21 \
> > > > 	-j DNAT --to 172.16.0.1
> > > >
> > > > now the data path (active ftp)
> > > > iptables -A FORWARD -i $EXT_IF -o $INT_IF -p tcp -d $INT_IP --dport 20 \
> > > > 	-j ACCEPT
> > > > iptables -A FORWARD -o $EXT_IF -i $INT_IF -p tcp -s $INT_IP --sport 20 \
> > > > 	-j ACCEPT
> > > >
> > > > passive ftp
> > > > iptables -A FORWARD -i $EXT_IF -o $INT_IF -p tcp -d $INT_IP \
> > > > 	--dport 1024:65535 --sport 1024:65535 -j ACCEPT
> > > > iptables -A FORWARD -o $EXT_IF -i $INT_IF -p tcp -s $INT_IP \
> > > > 	--dport 1024:65535 --sport 1024:65535 -j ACCEPT
> > > >
> > > > You have to load module ip_conntrack_ftp.
> > > > NOTE: You should use "-m state ESTABLISHED,RELATED ..." because the above
> > > > is more a joke than secure (but it should work).
> > > >
> > > > Bye Andre'
> >
> > 	slainte mhath, RGB

	slainte mhath, RGB
-- 
Richard Guy Briggs -- PGP key available            Auto-Free Ottawa! Canada
<www.conscoop.ottawa.on.ca/rgb/>                       <www.flora.org/afo/>
Prevent Internet Wiretapping!        --        FreeS/WAN:<www.freeswan.org>
Thanks for voting Green! -- <green.ca>      Marillion:<www.marillion.co.uk>
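The two cases Richard lays out above, together with the stateful form of the FTP DNAT rules Andre' posted, as one added example script. This is not code from the thread or from the FreeS/WAN project. Interface names, the firewall's public address and the CLIENT range are constructed placeholders; FTP_IP is the 172.16.0.1 from the quoted DNAT rule; DECRYPT_IF is an assumption covering Richard's caveat about ipsec virtual interfaces (decrypted packets appear on the real external interface with native kernel IPsec, but on ipsec0 with FreeS/WAN's KLIPS). The conntrack FTP helper is loaded under its current name (nf_conntrack_ftp) with the 2.4-era ip_conntrack_ftp as fallback, and bound explicitly in the raw table because kernels since 4.7 no longer attach helpers automatically.

```shell
#!/bin/sh
# Added example, not from the thread: Richard's two IPsec cases plus a stateful
# version of Andre's FTP DNAT rules. EXT_IF/INT_IF/EXT_IP/CLIENT are constructed
# placeholders; FTP_IP is the 172.16.0.1 from the quoted DNAT rule.
# Set IPT="echo iptables" MODPROBE="echo modprobe" to print rules instead of loading them.
IPT="${IPT:-iptables}"
MODPROBE="${MODPROBE:-modprobe}"
EXT_IF="${EXT_IF:-eth0}"
INT_IF="${INT_IF:-eth1}"
EXT_IP="${EXT_IP:-198.51.100.1}"   # firewall's public address (RFC 5737 documentation range)
FTP_IP="${FTP_IP:-172.16.0.1}"     # FTP server behind the firewall
CLIENT="${CLIENT:-0/0}"            # narrow to the client's address when you can
# Interface decrypted packets arrive on: the external interface with the kernel's
# native IPsec, ipsec0 with FreeS/WAN's KLIPS virtual interfaces (assumption).
DECRYPT_IF="${DECRYPT_IF:-$EXT_IF}"

# Case 1: the FTP server has a routable address. Forward IKE (UDP/500), ESP (50)
# and AH (51) end to end in both directions. No DNAT, hence no FTP helper: the
# firewall never sees the control channel in the clear and cannot track it.
ipsec_passthrough_rules() {
    for proto in "-p udp --dport 500" "-p esp" "-p ah"; do
        $IPT -A FORWARD -i "$EXT_IF" -o "$INT_IF" -s "$CLIENT" -d "$FTP_IP" $proto -j ACCEPT
        $IPT -A FORWARD -i "$INT_IF" -o "$EXT_IF" -s "$FTP_IP" -d "$CLIENT" $proto -j ACCEPT
    done
}

# Case 2: the server has a private address, so the tunnel terminates on the
# firewall itself: IKE/ESP/AH hit INPUT/OUTPUT on the external interface, not FORWARD.
ipsec_terminate_rules() {
    for proto in "-p udp --dport 500" "-p esp" "-p ah"; do
        $IPT -A INPUT -i "$EXT_IF" -s "$CLIENT" -d "$EXT_IP" $proto -j ACCEPT
    done
    $IPT -A OUTPUT -o "$EXT_IF" -s "$EXT_IP" -d "$CLIENT" -p udp --sport 500 -j ACCEPT
    $IPT -A OUTPUT -o "$EXT_IF" -s "$EXT_IP" -d "$CLIENT" -p esp -j ACCEPT
    $IPT -A OUTPUT -o "$EXT_IF" -s "$EXT_IP" -d "$CLIENT" -p ah -j ACCEPT
}

# Plaintext FTP coming out of the tunnel, DNATed to the server. The conntrack FTP
# helper parses PORT/PASV on the control connection and marks the data connection
# RELATED, which replaces the 1024:65535 holes in the quoted rules.
ftp_dnat_rules() {
    $MODPROBE nf_conntrack_ftp 2>/dev/null || $MODPROBE ip_conntrack_ftp
    # Kernels since 4.7 do not attach helpers automatically; bind it explicitly.
    $IPT -t raw -A PREROUTING -i "$DECRYPT_IF" -p tcp --dport 21 -j CT --helper ftp
    $IPT -t nat -A PREROUTING -i "$DECRYPT_IF" -p tcp -d "$EXT_IP" --dport 21 \
        -j DNAT --to-destination "$FTP_IP"
    $IPT -A FORWARD -i "$DECRYPT_IF" -o "$INT_IF" -p tcp -d "$FTP_IP" --dport 21 \
        -m state --state NEW -j ACCEPT
    # Replies and both FTP data directions (active and passive) ride on state.
    $IPT -A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT
}

# Usage: MODE=routable ./ipsec-ftp.sh   or   MODE=terminate ./ipsec-ftp.sh
case "${MODE:-}" in
    routable)  ipsec_passthrough_rules ;;
    terminate) ipsec_terminate_rules; ftp_dnat_rules ;;
esac
```

If the client's tunnel selector is the server's own /32 (Richard's "degenerate subnet"), inner packets are already addressed to FTP_IP and the DNAT rule simply never matches; the FORWARD and helper rules still apply. Either way the firewall holds the FTP session in the clear between the tunnel and the server, which is the trust assumption Richard points out.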
