[Firewall] allowing tftp through

Arno van Amersfoort arnova at rocky.eld.leidenuniv.nl
Mon Jul 14 08:57:51 MDT 2008


Iptables indeed doesn't support virtual interfaces. This also means that 
any rules set up for, i.e., eth0 also apply to eth0:0, eth0:1, etc. When 
using firewall 1.9 you can use the IP of a virtual interface to do 
virtual interface matching...

I hope this info helps enough to fix your problem.

a.

PS. Sorry for the somewhat slow reaction; we had some problems with the 
mailing list not sending out email for a while....

Jeff Welling wrote:
> Matthew Nelson wrote:
>> Thanks for the Reply Jeff.
>>
>> I failed to mention it earlier, but I am running version v1.8.8h.
>>
>>> -----Original Message-----
>>> From: firewall-bounces at lists.btito.net [mailto:firewall-bounces at lists.btito.net] On Behalf Of Jeff Welling
>>> Sent: Friday, June 13, 2008 9:38 PM
>>> To: Arno's IPTABLES firewall script
>>> Subject: Re: [Firewall] allowing tftp through
>>>
>>> Matthew Nelson wrote:
>>>> i have a linux 2.6 box with three nics.
>>>>
>>>> eth0 - internet ip1
>>>> eth0:0 - internet ip2
>>>> eth0:1 - internet ip3
>>>> eth0:2 - internet ip4
>>>> eth0:3 - internet ip5
>>>>
>>>> eth1 - lan, 192.168.1.0/24
>>>>
>>>> eth2 - dmz, 172.18.10.0/24
>>>>
>>>> in the dmz, i have an asterisk box with a tftp server on it,
>>>> 172.18.10.10
>>>>
>>>> in custom-rules, i have the following:
>>>> iptables -A PREROUTING -t nat -p tcp -d <ip of eth0:0> --dport 0:65535 -j DNAT --to 172.18.10.10
>>>> iptables -A PREROUTING -t nat -p udp -d <ip of eth0:0> --dport 0:65535 -j DNAT --to 172.18.10.10
>>>>
>>> First off, have you tried using the configuration options in
>>> firewall.conf before using custom rules?  It seems to me like there
>>> should be built-in options for what you're trying to do there.
>>>
>>> NAT_TCP_FORWARD for the tcp and NAT_UDP_FORWARD for starters...
>>> although
>>> if you glance at the advanced settings in the config there is
>>> specifically an Internet->DMZ section, which may be more appropriate.
>>>
>>> There is also a DMZ->LAN section.
>>>
>>> Be careful about filling the variables in those 'EXPERT' sections
>>> though; IIRC the default is to accept, and by specifying otherwise,
>>> you're dropping anything that you do not explicitly allow.
>> In my first attempt, I tried the NAT_TCP_FORWARD line.
>> I think the problem is that I have virtual interfaces assigned, and
>> iptables doesn't seem to support virtual interfaces.  For example, I
>> can't seem to specify eth0:0 as an external interface.  All I have
>> assigned is eth0.
>>   
> Some quick googling shows that you could very well be correct about 
> iptables not supporting virtual interfaces.
>> I had tried this statement: 
>> NAT_TCP_FORWARD="xxx.xxx.xxx.xxx:81>172.18.10.10:80 and it did not work.
>> I would rather use the NAT_TCP_FORWARD line instead of custom-rules, to
>> be honest.
>>   
> fair enough.
>> I looked at all of the DMZ options, but it does look like
>> NAT_TCP_FORWARD is used for both the lan and dmz.  I think it would work
>> fine if I had one inet ip and forwarded specific ports on that ip to the
>> dmz, however, I'm attempting to forward specific ports to a specific dmz
>> host, only if they come in on a specific inet ip.  This is why I used
>> the custom-rules with the destination ip in the command.
>>
>> In the documentation in firewall.conf, it does seem to indicate that
>> this can be done, if I am understanding it correctly:
>> "Advanced (forward port 20 & 21 to 192.168.0.10 and
>> forward from 1.2.3.4 port 81 to 192.168.0.11 port 80:
>> NAT_xxx_FORWARD="20,21>192.168.0.10 1.2.3.4:81>192.168.0.11:80""
>>
>> Does that mean that 1.2.3.4 is the destination ip and it is going to
>> forward port 81 to an internal host on port 80?
>>   
> That is how I understand the syntax for that, yes.
>> If this is the case, what would be the syntax for forwarding ports
>> 80-100 on a specific destination ip to an internal host?  Something
>> like: 
>> NAT_xxx_FORWARD="1.2.3.4:80:100>192.168.0.11"
>>   
>> ?
>>   
> It seems to me like "1.2.3.4:80:100>192.168.0.11" would be invalid 
> syntax.  Looking at NAT_XXX_FORWARD again it seems like the only way to 
> specify more than one port is "1.2.3.4:80,81,82>X" which would get dirty 
> if you're trying to do all from 80-100.
>>   
>>>> obviously the 0:65535 are there currently only for testing.
>>>>
>>> I think you could simply leave the destination port out if this is the
>>> case.  It serves no purpose if you're telling it to accept every port,
>>> since if you did not specify it, it would do that anyway.
>>>> i can do things like ssh, or access port 80 fine.
>>>>
>>> for clarity, where are you able to successfully ssh and http to from?
>> I was able to successfully ssh and http from both the lan and from an
>> inet host.
>>   
> Thought from left field, but could it be that perhaps your packets are 
> arriving at the DMZ host but when the DMZ responds, its packets are 
> unable to get back to their destination?  You could check with tcpdump.
>>>> now, in the lan, i have an ip phone, 192.168.1.10 that uses tftp to get
>>>> configuration files from the box in the dmz.
>>>>
>>>> on the phone, i have set the tftp ip to the ip of eth0:0.
>>>>
>>>> it's unable to connect via tftp, and in fact, i've tried a tftp software
>>>> on my pc in the lan, and it is also unable to connect.
>>>>
>>>> i have run:
>>>> modprobe ip_conntrack_tftp
>>>> modprobe ip_nat_tftp
>>>>
>>>> on both the firewall running arno's and the asterisk box to see if that
>>>> would allow tftp through, but it's exhibiting the same behavior.
>>>>
>>>> if i run an nmap on the firewall to the dmz host, this is what i get:
>>>> root at foo:/etc/arno-iptables-firewall# nmap 172.18.10.10 -P0
>>>>
>>>> Starting Nmap 4.20 ( http://insecure.org ) at 2008-06-13 19:45 EDT
>>>> Interesting ports on 172.18.10.10:
>>>> Not shown: 1689 closed ports
>>>> PORT     STATE SERVICE
>>>> 21/tcp   open  ftp
>>>> 22/tcp   open  ssh
>>>> 80/tcp   open  http
>>>> 111/tcp  open  rpcbind
>>>> 443/tcp  open  https
>>>> 604/tcp  open  unknown
>>>> 3306/tcp open  mysql
>>>> 4559/tcp open  hylafax
>>>> MAC Address: xxxxx
>>>>
>>>> running nmap on the ip of eth0:0 gives this:
>>>> root at foo:/etc/arno-iptables-firewall# nmap <ip of eth0:0> -P0
>>>>
>>>> Starting Nmap 4.20 ( http://insecure.org ) at 2008-06-13 19:54 EDT
>>>> Nmap finished: 1 IP address (0 hosts up) scanned in 0.335 seconds
>>>>
>>> I can only speculate, so get that grain of salt out; it might have
>>> something to do with your using a custom rule, instead of using the
>>> NAT_X_FORWARD.  IIRC the NAT_X_FORWARD options add 2 rules, one in the
>>> nat table and one in the FORWARD chain.  Maybe Arno can clarify?
>>>
>>> A tool that might help you with understanding iptables packet traversal,
>>> if you insist on the custom rules route, is a simple diagram.
>>> Personally, I use this one
>>> http://iptables-tutorial.frozentux.net/images/tables_traverse.jpg
>>>
>>>
>>> Hope that helps, cheers.
>>> Jeff.
>>>     
>> Thanks :)
>> Matt
>>
>>
>> _______________________________________________
>> Firewall mailing list
>> Firewall at lists.btito.net
>> http://lists.btito.net/mailman/listinfo/firewall_lists.btito.net
>> Arno's (Linux IPTABLES Firewall) Homepage:
>> http://rocky.eld.leidenuniv.nl
>>
> 

-- 
Arno van Amersfoort
E-mail    : arnova at rocky.eld.leidenuniv.nl
Donations are welcome through Paypal!
---------------------------------------------------------------------------
Arno's (Linux IPTABLES Firewall) Homepage:
http://rocky.eld.leidenuniv.nl
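Arno's point that iptables only knows eth0, so an alias like eth0:0 has to be matched by its address with -d, and the NAT_xxx_FORWARD syntax Matt quotes from firewall.conf, worked through as an added example. This is not code from Arno's firewall script: it is a POSIX sh helper that expands that config syntax into the explicit nat/PREROUTING DNAT plus filter/FORWARD ACCEPT rule pairs it implies (the two rules Jeff recalls the option adding), prints them instead of applying them, and adds the TFTP conntrack helper modules the thread mentions. The interface names eth0 and eth2, the documentation address 203.0.113.2 standing in for the IP of eth0:0, and the hyphenated port range form (80-100, which goes beyond the comma-list syntax discussed in the thread) are assumptions of this example.

```shell
#!/bin/sh
# Added example, not code from Arno's firewall script: expand a NAT_xxx_FORWARD
# style string (syntax as quoted from firewall.conf in the thread) into explicit
# iptables rules. iptables cannot match an alias such as eth0:0 by name, so each
# entry that carries an external IP is matched by address with -d on the
# physical interface. Interface names below are assumed, not the script's own.

EXT_IF=${EXT_IF:-eth0}   # physical Internet interface; eth0:0, eth0:1 share it
DMZ_IF=${DMZ_IF:-eth2}   # DMZ interface

# port_match PORTSPEC -> the --dport argument for iptables.
# "81" stays "81"; "80-100" (an extension beyond the thread's comma-list
# syntax) becomes the iptables range form "80:100".
port_match() {
  case $1 in
    *-*) echo "${1%%-*}:${1#*-}" ;;
    *)   echo "$1" ;;
  esac
}

# nat_forward_rules PROTO "SPEC ..." -> prints one iptables command per line.
# Each SPEC is [EXT_IP:]PORTS>INT_IP[:INT_PORT]; PORTS is comma separated.
# Two rules per port: DNAT in nat/PREROUTING, then ACCEPT in filter/FORWARD,
# because a DNAT rule on its own does not let the packet through FORWARD.
nat_forward_rules() {
  proto=$1
  spec=$2
  for entry in $spec; do
    lhs=${entry%%>*}
    rhs=${entry#*>}
    case $lhs in
      *:*) ext_ip=${lhs%%:*}; ports=${lhs#*:} ;;
      *)   ext_ip=""; ports=$lhs ;;
    esac
    case $rhs in
      *:*) int_ip=${rhs%%:*}; int_port=${rhs#*:} ;;
      *)   int_ip=$rhs; int_port="" ;;
    esac
    dmatch=""
    if [ -n "$ext_ip" ]; then dmatch=" -d $ext_ip"; fi
    target=$int_ip
    if [ -n "$int_port" ]; then target="$int_ip:$int_port"; fi
    old_ifs=$IFS
    IFS=,
    for port in $ports; do
      IFS=$old_ifs
      dport=$(port_match "$port")
      echo "iptables -t nat -A PREROUTING -i $EXT_IF -p $proto$dmatch --dport $dport -j DNAT --to-destination $target"
      echo "iptables -A FORWARD -i $EXT_IF -o $DMZ_IF -p $proto -d $int_ip --dport ${int_port:-$dport} -m state --state NEW -j ACCEPT"
    done
    IFS=$old_ifs
  done
}

# tftp_forward_rules EXT_IP DMZ_HOST -> rules for TFTP (69/udp) to a DMZ host.
# A TFTP server answers from a fresh source port, so the firewall needs the
# tftp conntrack/NAT helpers (ip_conntrack_tftp / ip_nat_tftp on the 2.6
# kernels of the thread, nf_* names on later kernels) and a RELATED,ESTABLISHED
# accept in FORWARD; otherwise the first reply looks like an unrelated new flow.
tftp_forward_rules() {
  t_ext=$1
  t_host=$2
  echo "modprobe nf_conntrack_tftp"
  echo "modprobe nf_nat_tftp"
  echo "iptables -A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT"
  nat_forward_rules udp "$t_ext:69>$t_host"
}

# Demo using the firewall.conf example from the thread and a constructed
# placeholder (203.0.113.2) for the address of eth0:0.
if [ "${1:-}" = "--demo" ]; then
  nat_forward_rules tcp "20,21>192.168.0.10 1.2.3.4:81>192.168.0.11:80"
  tftp_forward_rules 203.0.113.2 172.18.10.10
fi
```

`sh nat_forward.sh --demo` prints the rules for review; only pipe them into sh once they read the way you expect. Two points the printed rules make visible: matching `-i eth0` limits the DNAT to traffic arriving from the Internet side, so a LAN client such as the phone at 192.168.1.10 sending to the alias address would not hit these rules and is better pointed at the DMZ host's own address; and `iptables -t nat -L PREROUTING -n -v` together with `iptables -L FORWARD -n -v` show per-rule packet counters, which tells you whether the DNAT matched at all before reaching for tcpdump as Jeff suggests.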


