FTP server configuration in a DMZ

[nfoata]

Hi everyone,

I am just discovering ZeroShell and I am trying to use it for a network.

For now, I succeed to configure hosts behind Zeroshell and they can access to Internet with the IP address of the router.

My network configuration looks like :

Internet

eth1 Zeroshell eth0

Local network  ----

eth2

|                     192.168.1.0/24

|

'

DMZ ( With  FTP server  192.168.2.2)

192.168.2.0/24

ZeroShell network configuration :

eth0 192.168.1.254

eth1

eth2 192.168.2.254

pppo (inet addr:XXX.XXX.XXX.189 P-t-P:XXX.XXX.XXX.1 (PPPoE: ETH01)



Router  - NAT

,

,

,

| Available Interfaces     |  NAT Enabled Interfaces     |

|

|

|

| eth0                     |  pppo                       |

| eth1                     |                             |

| eth2                     |                             |

'

'

'

My FTP server works well when I try to call it from localhost or from Zeroshell server,
but not from Internet because I didn’t success to build the good rules in Zeroshell.

I think I have just to forward port 21 and 20 to the FTP server 192.168.2.2.

[ppalias]

That’s right, you have to allow ports 20 and 21 (usually only 21 is ok), but this is only for the control messages. If your transfer is not starting you should check the states of the firewall to allow all the traffic related to the ftp.

[nfoata]

First, thanks to answer.

In the firewall, I only can access to the following chains :
– FORWARD
– INPUT
– OUTPUT

I think, to redirect port, I have to access to the PRE_ROUTING chain ?

I try to put rules on the FORWARD chain such as :
* Destination IP : IP of the FTP server (192.68.2.2)
* INPUT : ETH01
* OUTPUT : ETH02
* PROTOCOLE matching : TCP (source port 21 , destination port 21)

I did the same with 20 port.

But, it didn’t work (with this rules). I can’t connect from outside.

[nfoata]

The situation has involved.
I only added information in the PREROUTING chain.

With the command line iptables , I did :

iptables -t nat -A PREROUTING -p udp -i ETH01 --destination-port 21 -j DNAT --to-destination=192.168.2.2

iptables -t nat -A PREROUTING -p tcp -i ETH01 --destination-port 21 -j DNAT --to-destination=192.168.2.2

iptables -t nat -A PREROUTING -p udp -i ETH01 --destination-port 20 -j DNAT --to-destination=192.168.2.2

iptables -t nat -A PREROUTING -p tcp -i ETH01 --destination-port 20 -j DNAT --to-destination=192.168.2.2

Now, when I try from outside, I can connect and just after I have the following message.

e.g :
> ftp
Connected to
Connection closed by the remote host

[bbozo]

In a Router Section you have VIRTUAL SERVERS.

Input Interface ppp0
IP address ANY (or if you wish specific public ip to answer to ftp request)
Protocol TCP
Local Port(source) for 21
Remote IP 192……..(your internal ftp server ip)
remote port(destination port on which you want your server to answer 21 for ftp)

this wokred for me

[nfoata]

Thanks a lot bbozo 😀 .

You are right from the Interface, it directly goes well.
I didn’t know where to find the PREROUTING in Zeroshell.

Now, my FTP server is available from the outside.

Solution gave just before (abstract) :
On the left, section ‘Network‘, menu ‘Router‘
At the top, select the tabbed panel named ‘Virtual Server’
and enter the redirection.

[Author]

Posts