# Port forwarding

## imrambi

I'm trying to forward ftp over from my router to an internal box thats using vsftpd. My script has opened the port, but yet I get connection refused when I try to connect via ftp. It almost seems that I'm missing something, because I did have the last three lines uncommented, but somehow now when they are, all my ports are blocked. Whats wrong?

Here is my script.

```
#!/bin/bash

#External interface

EXTIF='eth1'

INTIF1='eth0'

#Loop device/localhost

LPDIF=lo

LPDIP=127.0.0.1

LPDMASK=255.0.0.0

LPDNET="$LPDIP/$LPDMSK"

#Text tools variables

IPT='/sbin/iptables'

IFC='/sbin/ifconfig'

G='/bin/grep'

SED='/bin/sed'

# Deny than accept: this keeps holes from opening up

# while we close ports and such

#$IPT        -P INPUT       DROP

#$IPT        -P OUTPUT      DROP

#$IPT        -P FORWARD     DROP

# Flush all existing chains and erase personal chains

CHAINS=`cat /proc/net/ip_tables_names 2>/dev/null`

for i in $CHAINS;

do

    $IPT -t $i -F

done

for i in $CHAINS;

do

    $IPT -t $i -X

done

$IPT -A INPUT   -i $INTIF1 -p tcp                      --dport 22 \

 --syn -m state --state NEW -j ACCEPT

#`:x

#echo 1 > /proc/sys/net/ipv4/tcp_syncookies

echo 1 > /proc/sys/net/ipv4/icmp_echo_ignore_broadcasts

# Source Address Verification

for f in /proc/sys/net/ipv4/conf/*/rp_filter; do

    echo 1 > $f

done

# Disable IP source routing and ICMP redirects

for f in /proc/sys/net/ipv4/conf/*/accept_source_route; do

    echo 0 > $f

done

for f in /proc/sys/net/ipv4/conf/*/accept_redirects; do

    echo 0 > $f

done

echo 1 > /proc/sys/net/ipv4/ip_forward

# Opening up ftp connection tracking

MODULES="ip_nat_ftp ip_conntrack_ftp"

for i in $MODULES;

do

echo "Inserting module $i"

    modprobe $i

done

# Flush all existing chains and erase personal chains

CHAINS=`cat /proc/net/ip_tables_names 2>/dev/null`

for i in $CHAINS

do

    $IPT -t $i -F

done

for i in $CHAINS

do

    $IPT -t $i -X

done

#Setting up external interface enviroment variables

EXTIP="`$IFC $EXTIF|$G Bcast:|$SED 's/.*addr:\([^ ]*\) .*/\1/'`"

EXTBC="`$IFC $EXTIF|$G Bcast:|$SED 's/.*Bcast:\([^ ]*\) .*/\1/'`"

EXTMSK="`$IFC $EXTIF|$G Mask:|$SED 's/.*Mask:\([^ ]*\)/\1/'`"

EXTNET="$EXTIP/$EXTMSK"

echo "EXTIP=$EXTIP EXTBC=$EXTBC EXTMSK=$EXTMSK EXTNET=$EXTNET"

#Setting up enviroment variables for internal interface

INTIP1="`$IFC $INTIF1|$G addr:|$SED 's/.*addr:\([^ ]*\) .*/\1/'`"

INTBC1="`$IFC $INTIF1|$G Bcast:|$SED 's/.*Bcast:\([^ ]*\) .*/\1/'`"

INTMSK1="`$IFC $INTIF1|$G Mask:|$SED 's/.*Mask:\([^ ]*\)/\1/'`"

INTNET1="$INTIP1/$INTMSK1"

echo "INTIP1=$INTIP1 INTBC1=$INTBC1 INTMSK1=$INTMSK1 INTNET1=$INTNET1"

#Allowing ftp to be forwarded to a certain box

$IPT -A FORWARD -p tcp -d $EXTIP --dport 21 -j ACCEPT

$IPT -A FORWARD -p tcp -d $EXTIP --dport 21 -j ACCEPT

$IPT -A FORWARD -p tcp -d $EXTIP --dport 20 -j ACCEPT

$IPT -A FORWARD -p tcp -d $EXTIP --dport 20 -j ACCEPT

$IPT -A FORWARD -p udp -d 192.168.1.251 --dport 21 -j ACCEPT

$IPT -A FORWARD -p udp -d 192.168.1.251 --dport 21 -j ACCEPT

$IPT -A FORWARD -p udp -d 192.168.1.251 --dport 20 -j ACCEPT

$IPT -A FORWARD -p udp -d 192.168.1.251 --dport 20 -j ACCEPT

$IPT -t nat -A PREROUTING -i $EXTIF -p tcp --dport 21 -j DNAT --to-destination 192.168.1.251:21

$IPT -t nat -A PREROUTING -i $EXTIF -p tcp --dport 21 -j DNAT --to-destination 192.168.1.251:21

$IPT -t nat -A PREROUTING -i $EXTIF -p udp --dport 20 -j DNAT --to-destination 192.168.1.251:20

$IPT -t nat -A PREROUTING -i $EXTIF -p udp --dport 20 -j DNAT --to-destination 192.168.1.251:20

$IPT -t nat -A PREROUTING                       -j ACCEPT

#$IPT -t nat -A POSTROUTING -o $EXTIF -s $INTNET -j SNAT --to $EXTIP

# Comment out next line (that has "MASQUERADE") to not NAT internal network

$IPT -t nat -A POSTROUTING -o $EXTIF -s $INTNET1 -j MASQUERADE

$IPT -t nat -A POSTROUTING                      -j ACCEPT

$IPT -t nat -A OUTPUT                           -j ACCEPT

$IPT -A INPUT   -p tcp --dport auth --syn -m state --state NEW -j ACCEPT

$IPT -A INPUT   -m state --state ESTABLISHED,RELATED -j ACCEPT

$IPT -A OUTPUT  -m state --state ESTABLISHED,RELATED -j ACCEPT

$IPT -A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT

# Do not complain if chain already exists (so restart is clean)

$IPT -N DROPl   2> /dev/null

$IPT -A DROPl   -j LOG --log-prefix 'DROPl:'

$IPT -A DROPl   -j DROP

$IPT -N REJECTl 2> /dev/null

$IPT -A REJECTl -j LOG --log-prefix 'REJECTl:'

$IPT -A REJECTl -j REJECT

$IPT -A INPUT   -i $LPDIF -s   $LPDIP  -j ACCEPT

$IPT -A INPUT   -i $LPDIF -s   $EXTIP  -j ACCEPT

$IPT -A INPUT   -i $LPDIF -s   $INTIP1  -j ACCEPT

# Blocking Broadcasts

$IPT -A INPUT   -i $EXTIF -d   $EXTBC  -j DROPl

$IPT -A INPUT   -i $INTIF1 -d   $INTBC1  -j DROPl

$IPT -A OUTPUT  -o $EXTIF -d   $EXTBC  -j DROPl

$IPT -A OUTPUT  -o $INTIF1 -d   $INTBC1  -j DROPl

$IPT -A FORWARD -o $EXTIF -d   $EXTBC  -j DROPl

$IPT -A FORWARD -o $INTIF1 -d   $INTBC1  -j DROPl

# Block WAN access to internal network

# This also stops nefarious crackers from using our network as a

# launching point to attack other people

# iptables translation:

# "if input going into  our external interface does not originate from our isp assigned

# ip address, drop it like a hot potato

$IPT -A INPUT   -i $EXTIF -d ! $EXTIP  -j DROPl

# Now we will block internal addresses originating from anything buy our

# two predefined interfaces.....just remember that if you jack your

# your laptop or another pc into one of these NIC's directly, you'll need

# to ensure that they either have the same ip or that you add a line explicitly

# that IP as well

# Interface one/internal net one

$IPT -A INPUT   -i $INTIF1 -s ! $INTNET1 -j DROPl

$IPT -A OUTPUT  -o $INTIF1 -d ! $INTNET1 -j DROPl

$IPT -A FORWARD -i $INTIF1 -s ! $INTNET1 -j DROPl

$IPT -A FORWARD -o $INTIF1 -d ! $INTNET1 -j DROPl

# An additional Egress check

$IPT -A OUTPUT  -o $EXTIF -s ! $EXTNET -j DROPl

# Block outbound ICMP (except for PING)

$IPT -A OUTPUT  -o $EXTIF -p icmp \

   --icmp-type ! 8 -j DROPl

$IPT -A FORWARD -o $EXTIF -p icmp \

   --icmp-type ! 8 -j DROPl

# COMmon ports:

# 0 is tcpmux; SGI had vulnerability, 1 is common attack

# 13 is daytime

# 98 is Linuxconf

# 111 is sunrpc (portmap)

# 137:139, 445 is Microsoft

# SNMP: 161,2

# Squid flotilla: 3128, 8000, 8008, 8080

# 1214 is Morpheus or KaZaA

# 2049 is NFS

# 3049 is very virulent Linux Trojan, mistakable for NFS

# Common attacks: 1999, 4329, 6346

# Common Trojans 12345 65535

COMBLOCK="0:1 13 98 111 137:139 161:162 445 1214 1999 2049 3049 432"

# TCP ports:

# 98 is Linuxconf

# 512-5!5 is rexec, rlogin, rsh, printer(lpd)

#   [very serious vulnerabilities; attacks continue daily]

# 1080 is Socks proxy server

# 6000 is X (NOTE X over SSH is secure and runs on TCP 22)

# Block 6112 (Sun's/HP's CDE)

TCPBLOCK="$COMBLOCK 98 512:515 1080 6000:6009 6112"

# UDP ports:

# 161:162 is SNMP

# 520=RIP, 9000 is Sangoma

# 517:518 are talk and ntalk (more annoying than anything)

UDPBLOCK="$COMBLOCK 161:162 520 123 517:518 1427 9000 9 6346 3128 8000 8008 8080 12345 65535"

echo -n "FW: Blocking attacks to TCP port"

for i in $TCPBLOCK;

do

echo -n "$i "

  $IPT -A INPUT   -p tcp --dport $i  -j DROPl

  $IPT -A OUTPUT  -p tcp --dport $i  -j DROPl

  $IPT -A FORWARD -p tcp --dport $i  -j DROPl

done

echo ""

echo -n "FW: Blocking attacks to UDP port "

for i in $UDPBLOCK;

do

  echo -n "$i "

      $IPT -A INPUT   -p udp --dport $i  -j DROPl

      $IPT -A OUTPUT  -p udp --dport $i  -j DROPl

      $IPT -A FORWARD -p udp --dport $i  -j DROPl

done

echo ""

IRC='ircd'

MSN=1863

ICQ=5190

NFS='sunrpc'

DHCP='67 68'

JDIRECT='9100'

SMB='138 139'

# We have to sync!!

PORTAGE='rsync'

OpenPGP_HTTP_Keyserver=11371

# All services ports are read from /etc/services

TCPSERV="domain ssh http https ftp ftp-data mail pop3 pop3s imap3 imaps imap2 time $PORTAGE \

$IRC $MSN $ICQ $OpenPGP_HTTP_Keyserver $DHCPi $JDIRECT $SMB"

UDPSERV="domain time $JDIRECT"

echo -n "FW: Allowing inside systems to use service:"

for i in $TCPSERV;

do

    echo -n "$i "

      $IPT -A OUTPUT  -o $EXTIF -p tcp -s $EXTIP  \

        --dport $i --syn -m state --state NEW -j ACCEPT

      $IPT -A FORWARD -i $INTIF1 -p tcp -s $INTNET1 \

        --dport $i --syn -m state --state NEW -j ACCEPT

done

echo ""

echo -n "FW: Allowing inside systems to use service:"

for i in $UDPSERV;

do

    echo -n "$i "

       $IPT -A OUTPUT  -o $EXTIF -p udp -s $EXTIP  \

                --dport $i -m state --state NEW -j ACCEPT

        $IPT -A FORWARD -i $INTIF1 -p udp -s $INTNET1 \

                --dport $i -m state --state NEW -j ACCEPT

done

echo ""

# Allow to ping out

$IPT -A OUTPUT  -o $EXTIF -p icmp -s $EXTIP  \

   --icmp-type 8 -m state --state NEW -j ACCEPT

$IPT -A FORWARD -i $INTIF1 -p icmp -s $INTNET1 \

   --icmp-type 8 -m state --state NEW -j ACCEPT

# Allow firewall to ping internal systems

$IPT -A OUTPUT  -o $INTIF1 -p icmp -s $INTNET1 \

    --icmp-type 8 -m state --state NEW -j ACCEPT

# Log & block whatever is left

#$IPT -A INPUT             -j DROPl

#$IPT -A OUTPUT            -j REJECTl

#$IPT -A FORWARD           -j DROPl

```

----------

## hds

well, i dont know but this looks a little too complicated to me. why dont you use rinetd to have portforwarding? i dont use it for FTP but donkey, http, etc.. works well using rinetd.

----------

## rum

"rinetd does not redirect FTP, because FTP requires more than one socket."

LVS might be helpful in this situation.

----------

