
List:       ipfilter
Subject:    Re: Running an FTP server with Policy NAT
From:       Peter Jeremy <peter.jeremy () alcatel ! com ! au>
Date:       2004-09-15 1:39:02
Message-ID: 20040915013902.GX89861 () gsmx07 ! alcatel ! com ! au

On 2004-Sep-08 13:03:35 +0200, Guido van Rooij <guido@gvr.org> wrote:
>On Wed, Sep 01, 2004 at 03:28:30PM +1000, Peter Jeremy wrote:
>> Taking the following diagram:
>> HostC is the FTP server and has a physical address of 192.168.164.14.
>> HostA (and anything else in 10.10.10.0/24) connects to the FTP server
>> using the "special" address 172.16.91.195.
>> HostB (and anything else not in 10.10.10.0/24) connects to the FTP server
>> using the "default" address 172.16.91.14.
>> 
>> +-------+                    +-------+
>> |       |10.10.10.18         |       |
>> | HostA |--------------------|       |
>> |       |       172.16.91.195|       |                    +-------+
>> +-------+                    |       |                    |       |
>>                              |  NAT  |--------------------| HostC |
>> +-------+                    |       |      192.168.164.14|       |
>> |       |172.16.9.12         |       |                    +-------+
>> | HostB |--------------------|       |
>> |       |        172.16.91.14|       |
>> +-------+                    +-------+
>>                     ce91000 ---^
>> 
>> My best guess of the relevant ipnat rules is:
>> 
>> map ce91000 192.168.164.14/32 -> 172.16.91.14/32 proxy port ftp ftp/tcp
>> rdr ce91000 from 10.10.10.0/24 to 172.16.91.195/32 port = 22 -> 192.168.164.14 port 22 tcp
>> rdr ce91000 from 10.10.10.0/24 to 172.16.91.195/32 port = 21 -> 192.168.164.14 port 21 tcp
>> bimap ce91000 192.168.164.14/32 -> 172.16.91.14/32
>
>I don't understand your map and rdr rules.

HostC is the "inside" of my firewall.  Its physical address is
192.168.164.14.  The "external" interface of the firewall is ce91000
and is in 172.16.91.0/24.  For hosts outside the firewall (e.g. HostA
and HostB), HostC is accessed using either 172.16.91.195 (from
addresses in 10.10.10.0/24) or 172.16.91.14 (from addresses not in
10.10.10.0/24).

HostA (and anything else in 10.10.10.0/24) needs to be able to
connect to the FTP server in HostC (as well as a few 

Guido's suggested rules don't work because they have the outside and
inside reversed.

I've done some more experimenting and come up with the following
rules.  There doesn't seem to be any way to proxy incoming FTP with
policy NAT so I've used a 'map' rule to handle the data connection.
There's no need to support passive mode FTP from HostA so this works.

# Incoming FTP from 10.10.10.0/24
rdr ce91000 from 10.10.10.0/24 to 172.16.91.195/32 port = 21 -> 192.168.164.14 port 21
map ce91000 from 192.168.164.14/32 to 10.10.10.0/24 -> 172.16.91.195/32
# Other port redirections from 10.10.10.0/24
rdr ce91000 from 10.10.10.0/24 to 172.16.91.195/32 port = 22 -> 192.168.164.14 port 22
rdr ce91000 from 10.10.10.0/24 to 172.16.91.195/32 port = 11023 -> 192.168.164.14 port 11023
# NAT for other hosts
map ce91000 192.168.164.14/32 -> 172.16.91.14/32 proxy port ftp ftp/tcp
bimap ce91000 192.168.164.14/32 -> 172.16.91.14/32

Note that whilst you can write
  rdr ce91000 172.16.91.195/32 port 21 -> 192.168.164.14 port 21
you can't write
  rdr ce91000 from 10.10.10.0/24 to 172.16.91.195/32 port 21 -> 192.168.164.14 port 21
ipnat tries to parse 'port 21 ->' as a port range and fails because
'>' isn't a port number.  I believe this is a bug in the ipnat parser
in 3.4.33.

-- 
Peter Jeremy
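The policy-NAT behaviour worked out in this message, as an added example that is not code from the thread or from IPFilter: a small Python simulator that parses the rdr, map and bimap lines quoted above and reports which rule a packet hits and how it is rewritten. It assumes first-match semantics within each rule type, models bimap as a plain one-to-one address swap, and recognises but does not model the FTP proxy keyword; the sample packets use the HostA, HostB and HostC addresses from the diagram, and the port-40000 data-connection packets are constructed for illustration.

```python
"""Toy simulator for the subset of ipnat rdr/map/bimap syntax used in the message."""
import ipaddress
from dataclasses import dataclass
from typing import List, Optional, Tuple

ANY = ipaddress.ip_network("0.0.0.0/0")


@dataclass
class Rule:
    kind: str                          # "rdr", "map" or "bimap"
    iface: str                         # interface name, e.g. ce91000
    src: ipaddress.IPv4Network         # packet source must fall inside this
    dst: ipaddress.IPv4Network         # packet destination must fall inside this
    dport: Optional[int]               # rdr only: destination port to match (None = any)
    new_addr: ipaddress.IPv4Address    # address written into the packet
    new_port: Optional[int]            # rdr only: rewritten destination port


def parse_rule(line: str) -> Rule:
    """Parse one rule in either the 'from X to Y' or the bare-address form.
    Accepts both 'port = N' and 'port N' on the match side (assumption: this toy
    parser is more lenient than ipnat 3.4.33).  'proxy port ftp ftp/tcp' is
    tolerated on the right-hand side but not modelled."""
    tok = line.split()
    kind, iface = tok[0], tok[1]
    arrow = tok.index("->")
    lhs, rhs = tok[2:arrow], tok[arrow + 1:]
    src, dst = ANY, ANY
    if lhs and lhs[0] == "from":
        src = ipaddress.ip_network(lhs[1])
        dst = ipaddress.ip_network(lhs[3])
        lhs = lhs[4:]
    else:
        # bare form: rdr matches on the destination, map/bimap on the source
        if kind == "rdr":
            dst = ipaddress.ip_network(lhs[0])
        else:
            src = ipaddress.ip_network(lhs[0])
        lhs = lhs[1:]
    dport = None
    if lhs and lhs[0] == "port":
        dport = int(lhs[2] if lhs[1] == "=" else lhs[1])
    new_addr = ipaddress.ip_network(rhs[0]).network_address
    new_port = None
    if "port" in rhs:
        p = rhs[rhs.index("port") + 1]
        if p.isdigit():              # "port ftp" belongs to the proxy clause, skip it
            new_port = int(p)
    return Rule(kind, iface, src, dst, dport, new_addr, new_port)


Packet = Tuple[str, str, int]   # (source address, destination address, destination port)


def translate(rules: List[Rule], pkt: Packet, direction: str) -> Tuple[Packet, Optional[str]]:
    """Apply the first matching rule.  direction is "in" for a packet arriving on the
    outside interface (rdr and the inbound half of bimap apply) and "out" for one
    leaving through it (map and the outbound half of bimap apply).  Returns the
    possibly rewritten packet and the kind of rule that fired, or None if nothing matched."""
    src, dst, port = ipaddress.ip_address(pkt[0]), ipaddress.ip_address(pkt[1]), pkt[2]
    for r in rules:
        if direction == "in" and r.kind == "rdr":
            if src in r.src and dst in r.dst and (r.dport is None or r.dport == port):
                return (str(src), str(r.new_addr), port if r.new_port is None else r.new_port), "rdr"
        elif direction == "in" and r.kind == "bimap":
            if dst == r.new_addr:    # public address back to the inside address
                return (str(src), str(r.src.network_address), port), "bimap"
        elif direction == "out" and r.kind in ("map", "bimap"):
            if src in r.src and dst in r.dst:
                return (str(r.new_addr), str(dst), port), r.kind
    return pkt, None


# Rule lines taken from the message above (comment lines are skipped).
RULES = [parse_rule(l) for l in """
# Incoming FTP from 10.10.10.0/24
rdr ce91000 from 10.10.10.0/24 to 172.16.91.195/32 port = 21 -> 192.168.164.14 port 21
map ce91000 from 192.168.164.14/32 to 10.10.10.0/24 -> 172.16.91.195/32
rdr ce91000 from 10.10.10.0/24 to 172.16.91.195/32 port = 11023 -> 192.168.164.14 port 11023
# NAT for other hosts
map ce91000 192.168.164.14/32 -> 172.16.91.14/32 proxy port ftp ftp/tcp
bimap ce91000 192.168.164.14/32 -> 172.16.91.14/32
""".strip().splitlines() if not l.startswith("#")]


def scenarios() -> dict:
    """Work through the cases the message describes; addresses come from the diagram,
    the port-40000 data packets are constructed."""
    return {
        "HostA -> special addr, ftp": translate(RULES, ("10.10.10.18", "172.16.91.195", 21), "in"),
        "HostB -> default addr, ftp": translate(RULES, ("172.16.9.12", "172.16.91.14", 21), "in"),
        "HostB -> special addr, ftp": translate(RULES, ("172.16.9.12", "172.16.91.195", 21), "in"),
        "HostC -> HostA data": translate(RULES, ("192.168.164.14", "10.10.10.18", 40000), "out"),
        "HostC -> HostB data": translate(RULES, ("192.168.164.14", "172.16.9.12", 40000), "out"),
    }


if __name__ == "__main__":
    for name, (pkt, kind) in scenarios().items():
        print(f"{name:28s} -> {pkt}  via {kind}")
```

Running it shows the point of the policy rules: HostA reaching 172.16.91.195:21 is redirected to 192.168.164.14, HostB reaching 172.16.91.14 goes through the bimap, HostB trying the "special" address matches nothing, and HostC's outbound data connections get 172.16.91.195 as their source only when the destination is in 10.10.10.0/24. Because the toy parser accepts both `port = 21` and `port 21`, it does not reproduce the ipnat 3.4.33 parsing failure described in the message.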