FTP server configuration in a DMZ


This topic contains 4 replies, has 0 voices, and was last updated by nfoata 10 years, 6 months ago.

Viewing 6 posts - 1 through 6 (of 6 total)
  #41467

    nfoata
    Member

    Hi everyone,

    I am just discovering ZeroShell and I am trying to use it for a network.

    For now, I have succeeded in configuring hosts behind ZeroShell, and they can access the Internet using the router's IP address.

    My network configuration looks like this:

        Internet
           |
          eth1
        ZeroShell ---- eth0 ---- Local network 192.168.1.0/24
          eth2
           |
        DMZ 192.168.2.0/24 (with FTP server 192.168.2.2)

    ZeroShell network configuration:
    eth0  192.168.1.254
    eth1
    eth2  192.168.2.254
    ppp0  inet addr:XXX.XXX.XXX.189  P-t-P:XXX.XXX.XXX.1  (PPPoE: ETH01)

    Router - NAT
    | Available Interfaces | NAT Enabled Interfaces |
    | eth0                 | ppp0                   |
    | eth1                 |                        |
    | eth2                 |                        |

    My FTP server works well when I try to reach it from localhost or from the ZeroShell server,
    but not from the Internet, because I did not manage to build the right rules in ZeroShell.

    I think I just have to forward ports 21 and 20 to the FTP server 192.168.2.2.

    #47601

    ppalias
    Member

    That’s right, you have to allow ports 20 and 21 (usually only 21 is OK), but this is only for the control messages. If your transfer is not starting, you should check the states of the firewall to allow all the traffic related to the FTP.
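
The point about control versus data traffic is the one that breaks most FTP port forwards, so here is an added example (not from this thread and not ZeroShell's code) that does in shell what the kernel's FTP connection-tracking helper does: read a control-channel line and work out the data connection the firewall will have to admit. The client address 203.0.113.5, the published server address 198.51.100.7 and the control-channel lines are constructed for the example.

```shell
#!/bin/sh
# Added example: derive the FTP data connection from control-channel lines, the
# way the kernel FTP conntrack helper does, to show why forwarding port 21 (and
# 20) alone is not enough. Sample lines and addresses below are constructed.

# Turn the RFC 959 "h1,h2,h3,h4,p1,p2" form into "host port" (port = p1*256 + p2).
decode_hostport() {
    printf '%s\n' "$1" | awk -F, '{ printf "%s.%s.%s.%s %d\n", $1, $2, $3, $4, $5*256 + $6 }'
}

# "ok" if the advertised host is the peer the firewall already sees on the control
# channel, "mismatch" if it is something else (typically a private address behind NAT).
match() {
    if [ "$1" = "$2" ]; then echo ok; else echo mismatch; fi
}

# ftp_data_endpoint CLIENT_IP SERVER_IP LINE
# Prints "<mode> <host> <port> <ok|mismatch>" for the data channel LINE implies,
# or "none" if the line does not set up a data connection.
ftp_data_endpoint() {
    client="$1"; server="$2"; line="$3"
    case "$line" in
        "PORT "*)      # active mode: server will connect from port 20 to client host:port
            set -- $(decode_hostport "${line#PORT }")
            echo "active $1 $2 $(match "$1" "$client")"
            ;;
        "227 "*)       # passive mode: client will connect to the host:port in the reply
            set -- $(decode_hostport "$(printf '%s\n' "$line" | sed 's/.*(\([0-9,]*\)).*/\1/')")
            echo "passive $1 $2 $(match "$1" "$server")"
            ;;
        "229 "*)       # extended passive: only a port; host is the control-channel peer
            echo "passive $server $(printf '%s\n' "$line" | sed 's/.*(|||\([0-9]*\)|).*/\1/') ok"
            ;;
        *)
            echo none
            ;;
    esac
}

# Constructed control-channel lines as the firewall would see them between a
# client at 203.0.113.5 and an FTP server published on 198.51.100.7:
for l in 'PORT 203,0,113,5,195,149' \
         '227 Entering Passive Mode (192,168,2,2,195,149)' \
         '229 Entering Extended Passive Mode (|||50069|)'; do
    printf '%-50s -> %s\n' "$l" "$(ftp_data_endpoint 203.0.113.5 198.51.100.7 "$l")"
done
```

The "mismatch" result on the 227 reply is the case that matters behind NAT: a server at 192.168.2.2 advertises its private address and a random high port, so a static forward of 21 and 20 covers neither, and unless the NAT helper rewrites the reply the client tries to open its data connection to an address it cannot reach.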

    #47602

    nfoata
    Member

    First, thanks for answering.

    In the firewall, I can only access the following chains:
    – FORWARD
    – INPUT
    – OUTPUT

    I think that to redirect a port I have to access the PREROUTING chain?

    I tried to put rules on the FORWARD chain such as:
    * Destination IP: IP of the FTP server (192.168.2.2)
    * INPUT: ETH01
    * OUTPUT: ETH02
    * Protocol matching: TCP (source port 21, destination port 21)

    I did the same with port 20.

    But it didn’t work (with these rules). I can’t connect from outside.

    #47603

    nfoata
    Member

    The situation has evolved.
    I only added information in the PREROUTING chain.

    With the iptables command line, I did:

    iptables -t nat -A PREROUTING -p udp -i ETH01 --destination-port 21 -j DNAT --to-destination=192.168.2.2
    iptables -t nat -A PREROUTING -p tcp -i ETH01 --destination-port 21 -j DNAT --to-destination=192.168.2.2
    iptables -t nat -A PREROUTING -p udp -i ETH01 --destination-port 20 -j DNAT --to-destination=192.168.2.2
    iptables -t nat -A PREROUTING -p tcp -i ETH01 --destination-port 20 -j DNAT --to-destination=192.168.2.2

    Now, when I try from outside, I can connect, and right after I get the following message.

    e.g.:
    > ftp
    Connected to
    Connection closed by the remote host

    #47604

    bbozo
    Member

    In the Router section you have VIRTUAL SERVERS.

    Input Interface: ppp0
    IP address: ANY (or, if you wish, the specific public IP to answer FTP requests on)
    Protocol: TCP
    Local port (source): 21
    Remote IP: 192…….. (your internal FTP server IP)
    Remote port (destination port on which you want your server to answer, 21 for FTP)

    This worked for me.
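
For readers who want the iptables equivalent of that Virtual Server entry, here is an added example script (not ZeroShell's code and not the poster's). It assumes ppp0 is the PPPoE uplink and 192.168.2.2 the DMZ FTP server, as in this thread, and adds the two things a plain port forward leaves out: the FORWARD rule for the redirected packet and the FTP connection-tracking helper for the data channel.

```shell
#!/bin/sh
# Added example: iptables equivalent of a ZeroShell "Virtual Server" entry for
# FTP, plus the FORWARD and connection-tracking pieces the DNAT alone lacks.
# Assumed names (taken from the thread, not verified on a live box):
# WAN_IF=ppp0, FTP_SERVER=192.168.2.2.
# Usage:  ./ftp-vserver.sh preview   (print the rules)
#         ./ftp-vserver.sh apply     (run them, as root)
WAN_IF="${WAN_IF:-ppp0}"
FTP_SERVER="${FTP_SERVER:-192.168.2.2}"
FTP_PORT="${FTP_PORT:-21}"

# Print the command when DRY_RUN=1, otherwise execute it.
run() {
    if [ "${DRY_RUN:-0}" = 1 ]; then echo "$*"; else "$@"; fi
}

ftp_vserver_rules() {
    # Helper modules: nf_conntrack_ftp follows PORT/PASV on the control channel,
    # nf_nat_ftp rewrites the private address the server puts in its 227 reply.
    run modprobe nf_conntrack_ftp
    run modprobe nf_nat_ftp

    # Assign the helper explicitly (raw table, before NAT); newer kernels do not
    # attach helpers to a connection automatically by port number.
    run iptables -t raw -A PREROUTING -i "$WAN_IF" -p tcp --dport "$FTP_PORT" \
        -j CT --helper ftp

    # The Virtual Server entry itself: DNAT port 21 on the uplink to the DMZ host.
    run iptables -t nat -A PREROUTING -i "$WAN_IF" -p tcp --dport "$FTP_PORT" \
        -j DNAT --to-destination "$FTP_SERVER:$FTP_PORT"

    # After DNAT the packet still has to pass FORWARD: only the control port,
    # only new connections, only to that one host.
    run iptables -A FORWARD -i "$WAN_IF" -p tcp -d "$FTP_SERVER" --dport "$FTP_PORT" \
        -m conntrack --ctstate NEW -j ACCEPT

    # Data connections (active or passive) are RELATED to the tracked control
    # connection; this one rule admits them in both directions without opening
    # port 20 or a passive port range statically.
    run iptables -A FORWARD -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
}

case "${1:-}" in
    preview) DRY_RUN=1; ftp_vserver_rules ;;
    apply)   ftp_vserver_rules ;;
esac
```

Two caveats worth knowing before relying on this: the helper only works because it can read the control channel in clear, so with FTP over TLS it cannot track the data channel and you are back to a static passive port range; and the RELATED/ESTABLISHED rule is what actually carries the transfer, so if the GUI's FORWARD policy drops such traffic the login will succeed and every listing or download will hang.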

    #47605

    nfoata
    Member

    Thanks a lot bbozo 😀.

    You are right; from the interface, it works directly.
    I didn’t know where to find PREROUTING in ZeroShell.

    Now my FTP server is available from the outside.

    Solution given just before (summary):
    On the left, section ‘Network’, menu ‘Router’.
    At the top, select the tab named ‘Virtual Server’
    and enter the redirection.
