Server :: ProFTP Masquerading Setup Uses IPChains Convert To IPTables
Jan 25, 2011
How to NAT: I wanted to be able to resolve something like
ftp.myfirstdomain.com to 192.168.0.2
and then ftp.mysecond.com to 192.168.0.3.
Just as a random example; I know these cannot be done using name-based virtual hosts like in Apache. But I got this working internally using my LAN connection and the 2 IP addresses above, with BIND DNS pointing the names to those 2 IP addresses respectively. This worked, yet when I tried connecting from my workplace to transfer some files, it kept going to the default user's home directory. I just want to get this project finished: 2 domains and one public-facing IP address.
I am fairly new to Ubuntu/Linux and I have somehow managed to get a server up and running. For the past few months I have been trying to get masquerading working.
I have 2 network cards: eth0 = internal LAN, IP address 192.168.0.254; eth1 = router/external, IP address 10.0.0.1.
I want all my internal LAN traffic to go through my Linux box and only have ports 80 and 3128 go through Squid. So for all POP3/SMTP traffic I want the Linux machine to act like a router, and for ports 80 and 3128 I want it to go through Squid.
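The iptables equivalent of the old ipchains masquerading setup, as an added example that is not part of the post: the LAN is masqueraded behind the upstream interface, LAN web traffic is intercepted into Squid, and everything else (POP3, SMTP) is plainly routed. The interface names, the 192.168.0.0/24 network and Squid listening on port 3128 on the gateway itself are assumptions taken from the description; the script only prints the rules so they can be reviewed before being piped into a root shell.

```shell
#!/bin/sh
# Added example (not from the post): iptables version of an ipchains
# masquerading gateway that also intercepts HTTP into Squid.
# Assumed layout: eth0 = LAN 192.168.0.0/24 (gateway 192.168.0.254),
# eth1 = upstream, Squid running on this gateway on port 3128.
LAN_IF=eth0
WAN_IF=eth1
LAN_NET=192.168.0.0/24
SQUID_PORT=3128

# Emit the rule set as text. Review it, then apply as root with:
#   sh gateway.sh | sh
nat_rules() {
    cat <<EOF
sysctl -w net.ipv4.ip_forward=1
iptables -t nat -F
iptables -F FORWARD
# Everything from the LAN leaves with the gateway's address (ipchains -j MASQ).
iptables -t nat -A POSTROUTING -s $LAN_NET -o $WAN_IF -j MASQUERADE
# Intercept LAN web traffic into Squid; POP3/SMTP and the rest are just routed.
iptables -t nat -A PREROUTING -i $LAN_IF -s $LAN_NET -p tcp --dport 80 -j REDIRECT --to-ports $SQUID_PORT
# Let the LAN talk to Squid directly, and keep Squid closed on the upstream side
# so the box is not an open proxy.
iptables -A INPUT -i $LAN_IF -s $LAN_NET -p tcp --dport $SQUID_PORT -j ACCEPT
iptables -A INPUT -i $WAN_IF -p tcp --dport $SQUID_PORT -j DROP
# Forward LAN-originated traffic out, and only replies back in.
iptables -A FORWARD -i $LAN_IF -o $WAN_IF -s $LAN_NET -j ACCEPT
iptables -A FORWARD -i $WAN_IF -o $LAN_IF -m state --state ESTABLISHED,RELATED -j ACCEPT
iptables -A FORWARD -j DROP
EOF
}

nat_rules
```

The REDIRECT only works if Squid is told to expect intercepted requests on that port (the `transparent` option on Squid 2.x, `intercept` on 3.1 and later); without it the redirected requests fail while normal proxy use on 3128 keeps working. Check the forwarding sysctl and the nat table with `iptables -t nat -nvL` before blaming Squid.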
I have tried to set this up, but failed. What kind of FTP would you guys recommend? I have been having slight problems over recent days with unknowns logging onto my anonymous FTP server (dealt with, mind).
I am thinking about a proper login even for the anonymous account; fairly easy to set up.
I set up ProFTPD and Apache on Debian Linux. I can go to [URL] and see the "It works" page, but I do not know where to begin with ProFTPD. How do I check to see if the FTP works?
I am having difficulties setting up symmetric NAT through iptables.
First things first: "A symmetric NAT is one where all requests from the same internal IP address and port, to a specific destination IP address and port, are mapped to the same external IP address and port. If the same host sends a packet with the same source address and port, but to a different destination, a different mapping is used. Furthermore, only the external host that receives a packet can send a UDP packet back to the internal host."
Need: I am working on a SIP application, and SIP apps face a problem with NATed networks. STUN is a solution to such a problem and my SIP application has embedded STUN client functionality.
Scenario and technical details:
Code:
    192.168.0.200
+-----------------+
| ClientA - My IP |
+-----------------+
         |
         | GW:
   eth0  |  eth1 (example public IP address)
   192.168.0.1  |  123.123.123.123
+-------------|-------------+
|           NAT1            |
+-------------|-------------+
              |
              | stun.1und1.de
+---------------------------+
|        STUN Server        |
+---------------------------+
I am using WinSTUN, which requires a STUN server address (such as the one I specified above) to return my type of NAT. What I need to achieve is symmetric NAT through iptables on the GW server, only for my IP address (192.168.0.200); I don't want it to affect the whole network. I am running CentOS release 5.4 (Final) and iptables v1.4.10.
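How the per-host mapping in the post can be set up, as an added example that is not part of the post. By default netfilter keeps the internal source port when it can, so the same internal port maps to the same public port no matter which destination is contacted, and a STUN test reports a cone-type NAT. The `--random` option on SNAT/MASQUERADE makes netfilter choose a fresh source port for every new connection-tracking entry; because an entry is keyed on the full source/destination tuple, each destination then gets its own public port and only that destination's replies are matched back, which is the symmetric behaviour. The interface name and the use of the post's example public address are assumptions; the script only prints the rules.

```shell
#!/bin/sh
# Added example (not from the post): symmetric NAT for one LAN host while the
# rest of the LAN keeps the ordinary masquerade.
# Assumptions: eth1 is the public side with 123.123.123.123 (the post's
# example address), 192.168.0.200 is the SIP/STUN test host.
WAN_IF=eth1
PUBLIC_IP=123.123.123.123
SIP_HOST=192.168.0.200
LAN_NET=192.168.0.0/24

# Emit the rules; apply as root with:  sh symnat.sh | sh
symmetric_nat_rules() {
    cat <<EOF
# Order matters: the first matching POSTROUTING rule decides the mapping, so
# the per-host rule is inserted at position 1, ahead of the general one.
# --random picks a new public port per conntrack entry (per destination)
# instead of preserving the internal port, which is what makes the
# mapping symmetric as seen by the STUN server.
iptables -t nat -I POSTROUTING 1 -s $SIP_HOST -o $WAN_IF -j SNAT --to-source $PUBLIC_IP --random
iptables -t nat -A POSTROUTING -s $LAN_NET -o $WAN_IF -j MASQUERADE
EOF
}

symmetric_nat_rules
```

`--random` on NAT targets needs kernel support (it arrived in the 2.6.21 series; a stock CentOS 5 kernel is a 2.6.18 base with backports, so try the rule and check `dmesg`/the iptables error rather than assuming). Verify the result the way the post does: run WinSTUN from 192.168.0.200 and again from another LAN host, which should still report the old NAT type.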
I have been trying to enable masquerading in sendmail. I've started from scratch. Here's what I did: 1. My mail server name is "ids.com" and the local hostname is "server". 2. When I send mail from my user to another user, the mail goes out as user@server. All this allows me to send mail from all of my computers. Now, to get masquerading:
3. I have MASQUERADE_AS(`ids.com'), MASQUERADE_DOMAIN(`ids.com') and FEATURE(`masquerade_entire_domain'). I also added "ids.com" to /etc/mail/local-host-names to be able to receive mail addressed to that domain. This masquerades mail originating on the server, but the mail from the other computers still has a "From:" line of the form user@hostname.
I have set up an OpenVPN server on a VM (Ubuntu 10.10) running in VirtualBox, bridged to the host. Everything is working fine except that I can't seem to be able to assign an internal IP (of the VPN server) to connecting clients. Let me explain: all my clients are connecting and accessing the internet without any issue. Where I have an issue is that all my clients come out the other end on the internet with my server's IP address, which kind of defeats the purpose. Is there a way (keeping in mind that I am running the server in a VM) to have all my clients access the internet with an IP provided by the VPN server?
I have a CentOS 5.5 server; the server name is CentOS1. It has a forum and a help desk. The help desk software sends an acknowledgement to the user and emails to all the people on the support desk. Users can reply to emails only by accessing the help desk, NOT by mail. Thus the server is configured to only SEND mail and not to receive any mail at all.
The mail server is Sendmail. The hosts file reads:
Code:
# Do not remove the following line, or various programs that require network functionality will fail.
127.0.0.1   CentOS1.tech.xxxxx.com CentOS1 localhost.localdomain localhost
::1         localhost6.localdomain6 localhost6
There is NO MX record because this server receives NO mail; it's send-only. Unfortunately, the mail it sends has a From header of @CentOS1.tech.xxxxx.com. I want it to send from @xxxxx.com. I've read all the howtos on masquerading and I've tried many, many things, but with the same results. It will NOT change the From. I had it working perfectly a long time ago with a SuSE server, but I can't for the life of me remember what I did. I know I also battled a bit.
The last few lines of sendmail.mc read:
Code:
LOCAL_DOMAIN('localhost.localdomain')dnl
dnl #
dnl # The following example makes mail from this host and any additional
dnl # specified domains appear to be sent from mydomain.com
dnl #
dnl MASQUERADE_AS('xxxxx.com')dnl
dnl FEATURE(masquerade_envelope)dnl
dnl FEATURE(masquerade_entire_domain)dnl
dnl MASQUERADE_DOMAIN(localhost)dnl
dnl MASQUERADE_DOMAIN(localhost.localdomain)dnl
dnl MASQUERADE_DOMAIN(CentOS1.tech.xxxxx.com)dnl
dnl MASQUERADE_DOMAIN(CentOS1)dnl
dnl MASQUERADE_DOMAIN(tech.xxxxx.com)dnl
MAILER(smtp)dnl
MAILER(procmail)dnl
dnl MAILER(cyrusv2)dnl
I've tried each one of the MASQUERADE_DOMAIN lines in turn; none of them work, and yes, I have remade it.
I have a problem getting masquerading to work; no luck so far. I created a cron job that does a backup and notifies me by email. I receive the email with From "root@domain.mydomain.com"; I want to change this to root@mydomain.com. I tried the masquerade and it does not work.
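A sendmail.mc masquerading block with the directives actually active, added here as an example for the three masquerading posts above (the relayed user@hostname case, the send-only help desk and the root@host cron mail); it is not any poster's configuration. The domain and host names are placeholders. Two things in sendmail.mc bite most often: a line that begins with `dnl` is an m4 comment and does nothing, however correct the directive after it, and macro arguments are quoted with an opening backquote and a closing apostrophe.

```m4
dnl Added example (not from the posts): masquerading section of
dnl /etc/mail/sendmail.mc. example.com and the host names are placeholders.
dnl
dnl Anything from "dnl" to the end of the line is discarded by m4, so
dnl "dnl MASQUERADE_AS(...)" is a comment, not a setting. Quote arguments
dnl `like this' (backquote open, apostrophe close), not 'like this'.
MASQUERADE_AS(`example.com')dnl
dnl Rewrite the envelope sender (MAIL FROM) as well as the From: header;
dnl without this only the header changes and bounces still show the host.
FEATURE(masquerade_envelope)dnl
dnl Rewrite recipient headers (To:, Cc:) for mail relayed through here too.
FEATURE(allmasquerade)dnl
dnl Match every host under the listed domains, not just the exact names.
FEATURE(masquerade_entire_domain)dnl
MASQUERADE_DOMAIN(`example.com')dnl
MASQUERADE_DOMAIN(`localhost')dnl
MASQUERADE_DOMAIN(`localhost.localdomain')dnl
dnl Mail relayed from other machines is matched on whatever host part they
dnl put in the address, so a bare host name such as "server" needs its own
dnl entry; masquerade_entire_domain does not cover names with no domain.
MASQUERADE_DOMAIN(`server')dnl
dnl root is exempt from masquerading wherever EXPOSED_USER(`root') is active
dnl (Red Hat's stock sendmail.mc ships it enabled). Comment it out, as below,
dnl if cron mail from root should be rewritten as well.
dnl EXPOSED_USER(`root')dnl
```

Rebuild and reload after editing (`make -C /etc/mail && service sendmail restart` on Red Hat derived systems), then check the rewrite without sending anything: `sendmail -bt`, then `/tryflags HS` followed by `/try esmtp user@server` prints the address as the SMTP mailer would emit it in the header-sender role.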
I am running CentOS release 5.5 (Final) with ProFTPD installed.
I am able to connect to the FTP server locally, but when I try it from Dreamweaver CS5 it can't connect to the server. I ran a port scan and 21 seems to be open:
Code:
PORT   STATE SERVICE
21/tcp open  ftp
22/tcp open  ssh
53/tcp open  domain
I'm running a ProFTPD 1.3.3 server on CentOS 5.5. What has come to mind in terms of security is to have the server disable/deactivate an account that enters the wrong password, let's say, three times. Using MaxLoginAttempts only limits the possible retries on an open connection.
I have a router running openSUSE 11.3. I have 3 interfaces: eth0 192.168.0.0/24 - local network; eth1 - the Internet; eth2 - Citynet.
I have configured routing and it works. I can browse the Internet from the local net. However, I want to connect to my workstation (192.168.0.3) from the Citynet interface. I've made a masquerading rule in YaST and it works just fine, like a proxy does (on the 192.168.0.2 local server). Now I need to run a VPN server in my local net to connect from the Citynet interface, and I have problems with it. I've configured pptpd on the router and it works for the local network, and I have a VPN server under Windows on 192.168.0.2.
So my questions are: 1. What do I need to do in YaST to allow VPN (PPTP) from eth2 to 192.168.0.2? 2. What do I need to do in YaST to allow VPN on the router? Somehow I succeeded in making the redirection to 192.168.0.2 and it worked, but I've tried to change it to the router and can't get it to work again.
In all these cases the client gets the following message:
Code:
pptp[109]: LCP: timeout sending Config-Requests
pptp[109]: Connection terminated.
pptp[109]: Modem hangu
I am literally quite stuck with ProFTPD, the version being ProFTPD 1.3.3e. I have the following config:
[Code]...
I mean, would I need to logically separate out a series of passive ports and then open them using my router's NAT, so each passive port range goes to its own virtual host as such? Just a bit confused about what the next steps would entail. I mean, I don't have any firewall on my Linux box; I don't see the point since I use pfSense and an IPS/IDS, and it's never been hacked since!
So I didn't notice when I set up my CentOS 5.5 server that I left / as RAID 0 on md1. All the rest are RAID 1. Is there a way I can modify the array to RAID 1 without risk of data loss? I'm glad I caught this before I set up any other services. I've only set up smb so far...
Code:
[root@ftpserver ~]# df -h
Filesystem  Size  Used Avail Use% Mounted on
/dev/md1     16G  3.0G   13G  20% /
I have been using ProFTPD for about 8 months. After getting the configuration right, it worked perfectly. It is only used intermittently, so I don't know for sure when the problems started, but I suspect they were triggered by a recent OS upgrade to Ubuntu 10.04 (64-bit). I have ProFTPD set up so that TLS is required on both the data and control channels. The problem is that, after a successful login, the server seems to be terminating the session because the client (FileZilla) is attempting to renegotiate something (probably the TLS). The client settings didn't change, nor did the server settings.
I have tried switching off the TLSRequired flag, and am then able to establish a non-secure FTP session which works (but that does not meet my requirements). I wondered whether the OS upgrade had somehow invalidated my TLS certificates, but the symptoms don't seem consistent with that cause. The TLS part of my proftpd.conf file is:
I have a real system user, say 'test', created in a number of system groups, up to 3 additional groups (including ftp, of course). It's set to the usual standard directory /home/test. But what if I wanted to use /home/test as their home directory but have them log in to what would be, unknown to them, ProFTPD and land in, say, [URL] or something random like that? How is this done? I've just been through things like this:
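A proftpd.conf that addresses the recurring ProFTPD questions above (a client that can reach port 21 but gets nowhere, passive ports behind a NAT router, locking out a client after a few wrong passwords, and putting a user somewhere other than the root of /home/test), added here as an example; it is not any poster's file. The public address 203.0.113.10, the 50000-50100 range, the group name and the paths are placeholders.

```apacheconf
# Added example (not from the posts): proftpd.conf for a server behind a NAT
# router, with a fixed passive range, per-user jail and IP-level lockout.
ServerName      "FTP behind NAT"
Port            21
DefaultServer   on

# NAT: the router forwards 21 and 50000-50100 to this host. A fixed range is
# what makes the forward possible; the server must also advertise the router's
# public address in its PASV reply, otherwise Internet clients get the private
# 192.168.x.x address, hang after login or fall back to the default directory
# while LAN clients keep working. One range serves every virtual host.
MasqueradeAddress   203.0.113.10
PassivePorts        50000 50100

# Jail users: after login the user sees "/" whatever the real path is.
# The first matching DefaultRoot wins, so the group-specific one comes first.
# Members of "ftpusers" are dropped into a subdirectory of their home ...
DefaultRoot     ~/ftp ftpusers
# ... and everybody else into their home directory itself.
DefaultRoot     ~

# Limit guesses per connection ...
MaxLoginAttempts    3
# ... and ban the client address across connections with mod_ban. The module
# must be compiled in or loaded (LoadModule mod_ban.c) and needs mod_ctrls;
# ftpdctl then lists and lifts bans. Banning the address rather than locking
# the account avoids letting an attacker lock real users out on purpose.
<IfModule mod_ctrls.c>
    ControlsEngine  on
    ControlsSocket  /var/run/proftpd/proftpd.sock
</IfModule>
<IfModule mod_ban.c>
    BanEngine       on
    BanLog          /var/log/proftpd/ban.log
    BanTable        /var/data/proftpd/ban.tab
    # Two MaxLoginAttempts events from one address within 10 minutes ban it
    # for one hour.
    BanOnEvent      MaxLoginAttempts 2/00:10:00 01:00:00
    BanControlsACLs all allow user root
</IfModule>
```

After a change, `proftpd -t` checks the syntax before a restart. Test passive mode from outside the LAN (a host on the LAN does not go through the router's port forward and proves nothing), and test the ban by deliberately failing logins from a throwaway address and watching the ban log.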
I have set up proftpd via GAdmin; all is well and it is activated. This is where I'm being stupid: what settings do I use in my FTP program (FileZilla)?
Host: I've put my IP address (77.xx.xxx.xx), username and password.
However, I have a number of computers on my network; obviously, when I try to FTP into my server, how does it know which one to connect to? Or is this not required? I need to get this working within the next few hours, or I'll be in do-dos.
FTP server OS: Ubuntu x64 9.10. Client OS: Ubuntu x64 9.10. I have an FTP server on my home network. FTP server: vsftpd with TLS. My FTP server is running with iptables configured using Firestarter. The Firestarter inbound traffic policy "allow service/port" contains the FTP service with the appropriate port range; the vsftpd.conf port range is identical, as is the port range on my router.
My client system, only after a reboot or power-on, absolutely will not connect to the FTP server unless the firewall is disabled and then re-enabled by way of Firestarter. Only then will my client successfully connect, and it continues to connect until my client reboots or powers on, at which point I need to disable/re-enable iptables through Firestarter.
Others can connect to my FTP server, but they use a mixture of Mac and Windows with default firewall settings. Has anyone experienced this with Firestarter and Ubuntu 9.10? I never had this problem using Ubuntu 9.04.
I need to access a Linux box via SSH and Samba that is hidden/connected behind another one on its own local network.
Setup:
Code:
   A           switch        B                 C
|----|         |---|       |----|           |----|
|eth0|<------->|   |<----->|eth0|           |    |
|----|         |---|       |eth1|<--------->|eth1|
                           |----|           |----|
E.g., I need to SSH/Samba from A to C. How does one go about this? I was thinking that it cannot be done via IP alone? Or can it? Could B say "hi on eth0, if you're looking for 192.168.0.2, it's here on eth1"? Is this NAT? This is a large private network, so what if another PC has that IP?! More likely it would be PAT?
A would say "hi 192.168.109.15:1234"; B would say "hi on eth0, traffic for port 1234 goes on here, eth1".
How could that be done? And would the SSH/Samba daemons see the correct packet header info and work?
IP info:
Code:
A - eth0 - 192.168.109.2
B - eth0 - 192.168.109.15
  - eth1 - 192.168.0.1
C - eth1 - 192.168.0.2
A, B & C are RHEL (Red Hat).
But Windows computers can be connected to the switch. I configured the 192.168.0.* IPs; they are changeable. So I have read that this should be done via iptables? But what is the correct command line to do this? And where does one put the permanent iptables config?
I'm working for a very poorly configured WISP currently using Traffic Inspector on Windows (url).
Currently each client is manually given an IP address. I'd like to eventually change that, but for now I just want to migrate the server to Linux.
I intend to use iptables to forward only those whose MAC and IP match against my list:
Code:
# Davit
$IPTABLES -A INPUT -i $INTIF -m mac --mac-source 00:00:00:00:56:83 -s 192.168.0.4 -j ACCEPT
I intend to mark the packets by IP address to limit them to their plan (there are two plans, 256kbps and 128kbps):
Code:
# Mark packets to route
code....
exit 0
Does this make any sense? My major problem is that I don't know how to keep track of how much each client has downloaded. Any advice on how to do that?
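One way to do the admission, the plan marking and the per-client byte counting with nothing but iptables, added here as an example that is not part of the post. Two points the posted fragment does not show: client traffic crosses the box, so the MAC+IP match belongs in FORWARD (INPUT only sees packets addressed to the gateway itself), and the byte counters that iptables keeps on every rule are the accounting, provided each client has its own rules and only admitted traffic reaches them. The interface name, the second client and the mark values are placeholders; the script prints the rules rather than applying them.

```shell
#!/bin/sh
# Added example (not from the post): per-client admission (MAC and IP must
# both match), plan marking for tc, and byte accounting via rule counters.
# eth1 (the client-facing interface), the second client and the mark values
# are placeholders.
INTIF=eth1

# Flush and start from "forward nothing"; apply as root with:  sh wisp.sh | sh
base_rules() {
    cat <<EOF
iptables -P FORWARD DROP
iptables -F
iptables -X
iptables -t mangle -F FORWARD
EOF
}

# client_rules <name> <mac> <ip> <plan-mark>
# One chain per client; the two FORWARD rules that jump into it carry the
# upload and download byte counters for that client.
client_rules() {
    name=$1; mac=$2; ip=$3; mark=$4
    cat <<EOF
iptables -N cl_$name
iptables -A cl_$name -j ACCEPT
# Upload: admitted only when MAC and IP both match. The counter on this
# rule is the client's bytes sent.
iptables -A FORWARD -i $INTIF -m mac --mac-source $mac -s $ip -j cl_$name
# Download: only replies to connections the client opened. This rule's
# counter is the client's bytes received.
iptables -A FORWARD -o $INTIF -d $ip -m state --state ESTABLISHED,RELATED -j cl_$name
# Plan: mark both directions for the tc class (1 = 256kbps, 2 = 128kbps).
iptables -t mangle -A FORWARD -s $ip -j MARK --set-mark $mark
iptables -t mangle -A FORWARD -d $ip -j MARK --set-mark $mark
EOF
}

base_rules
client_rules davit 00:00:00:00:56:83 192.168.0.4 1
client_rules anna  00:11:22:33:44:55 192.168.0.5 2
```

Read the totals with `iptables -nvxL FORWARD` (the pkts/bytes columns on the two jump rules per client, exact with `-x`); `iptables -nvxL FORWARD -Z` prints them and resets them in one step, which is what a cron job feeding a usage database wants. Counters do not survive a flush or a reboot, so record them before reloading the rules. Treat the MAC match as a guard against address mistakes, not as authentication: `-m mac` only sees the source MAC on the directly attached segment, and a MAC is trivially copied by anyone who can see it.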
Recently I have been working on iptables and trying to understand how to use it. Here's a little script I have written to set up a basic firewall for myself:
Code:
#!/bin/bash
if [ `id -u` -ne 0 ]; then
    echo "You need root privilege"
    exit 1
fi

PROG=/sbin/iptables
# Flush the filter table before rebuilding it.
$PROG -F

# Each of these opens a port for INCOMING connections to a service running
# on this host; they are not involved in browsing, which is outgoing.
function sethttp {
    echo "Opening http port..."
    $PROG -A INPUT -p tcp --dport 80 -j ACCEPT
}

function sethttps {
    echo "Opening https port..."
    $PROG -A INPUT -p tcp --dport 443 -j ACCEPT
}

function settorrent {
    echo "Opening torrent port..."
    $PROG -A INPUT -p tcp --dport 52413 -j ACCEPT
}

while getopts "hst" option; do
    case "$option" in
        h) sethttp;;
        s) sethttps;;
        t) settorrent;;
        *) echo "DOH!"
    esac
done

# Accept replies to connections this host opened itself; web pages come back
# in through this rule, so browsing works without -h and breaks without it.
$PROG -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
$PROG -A OUTPUT -m state --state NEW,ESTABLISHED,RELATED -j ACCEPT
$PROG -A INPUT -i lo -j ACCEPT
$PROG -A OUTPUT -o lo -j ACCEPT
# Everything else inbound is dropped; this host does not route for others.
$PROG -A INPUT -j DROP
$PROG -A FORWARD -j REJECT
echo "Done setting up the firewall! Enjoy :)"
exit 0
OK, this can take 3 arguments that open ports 80, 443 and 52413. And at the end, some default rules are applied. But here's the thing I don't understand: if I don't give the argument for port 80, I can still view web pages... and also, when I remove the line:
Code: $PROG -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
whether I tell it to open port 80 or not, I can't view any web pages.
We have a new business DSL line with 16 public addresses. What we want is to set up a DMZ to run some services and internet for the LAN. Here's a schematic of what we want:
Code:
Backup Internet      Main Internet
  connection          connection
      |                   |
      |                   |
  SDSL Modem          BDSL Modem
I'm new to Linux, but enjoy using it very much, especially without a GUI; the console is fun! I need to set up port forwarding. We have 3 servers: 1x running Ubuntu Server 8.04 (used as a transparent proxy), 1x Windows Server 2003, 1x Windows XP.
The Linux box has the following IPs: eth0 (internal) 192.168.1.5, eth1 (external) 192.168.0.7.
Windows server 2003: 192.168.1.6
Windows XP: 192.168.1.9
Router: 192.168.0.1
The router automatically forwards specific ports to 192.168.0.7 (Linux eth0). From there I want to forward port 8585 to 192.168.1.6 and 3000 to 192.168.1.9. Is there a way that I can do this using iptables?
The commands that I think I'm going to use look like this:
Code:
iptables -A FORWARD -s 192.168.0.0/24 -p tcp --dport 8585 -d 192.168.1.6 -j ACCEPT
iptables -A FORWARD -s 192.168.0.0/24 -p tcp --dport 3000 -d 192.168.1.9 -j ACCEPT
Would this be a correct way of doing it? My biggest problem is that I can't test it without going live, and if I go live and something doesn't work, the entire building will be left without internet and people will hate me. Also, the proxy captures all data on port 80 and forwards it to 3128 so that the proxy can monitor the usage; a few systems run fine with it, others however can ping websites, and Internet Explorer says "website found, waiting for reply" but the web pages cannot be displayed.
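Port forwarding to an inside host, as an added example that is not part of the post; it covers the 8585/3000 case here and, through the same helper, the SSH/Samba A-to-B-to-C question and the PPTP redirection asked about earlier on the page. Two corrections to the approach in the post: a FORWARD rule alone never changes a packet's destination, so a DNAT rule in the nat table is required, and matching `-s 192.168.0.0/24` will not see connections that arrive from the Internet through the router, whose source address is the remote client's. The interface names are assumptions; the script prints the rules so they can be reviewed before the building goes dark.

```shell
#!/bin/sh
# Added example (not from the posts): DNAT port forwards on a box with an
# external and an internal interface. Interface names are placeholders;
# the targets come from the posts on this page.
EXT_IF=eth1
INT_IF=eth0

# forward_port <proto> <public-port> <target-ip> [<target-port>]
# The nat rule rewrites the destination on arrival; the filter rule is still
# needed because FORWARD sees the packet after DNAT, already addressed to
# the private host.
forward_port() {
    proto=$1; dport=$2; target=$3; tport=${4:-$2}
    cat <<EOF
iptables -t nat -A PREROUTING -i $EXT_IF -p $proto --dport $dport -j DNAT --to-destination $target:$tport
iptables -A FORWARD -i $EXT_IF -o $INT_IF -p $proto -d $target --dport $tport -m state --state NEW,ESTABLISHED,RELATED -j ACCEPT
EOF
}

# PPTP is the TCP 1723 control connection plus GRE (IP protocol 47), which
# has no ports and so needs its own pair of rules.
forward_pptp() {
    target=$1
    forward_port tcp 1723 "$target"
    cat <<EOF
iptables -t nat -A PREROUTING -i $EXT_IF -p gre -j DNAT --to-destination $target
iptables -A FORWARD -i $EXT_IF -o $INT_IF -p gre -d $target -j ACCEPT
EOF
}

base_rules() {
    cat <<EOF
sysctl -w net.ipv4.ip_forward=1
iptables -A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT
EOF
}

base_rules
forward_port tcp 8585 192.168.1.6
forward_port tcp 3000 192.168.1.9
```

For the A/B/C layout, run the same helper on B with eth0 as the external side, e.g. `forward_port tcp 1234 192.168.0.2 22` so that A's `ssh -p 1234 192.168.109.15` lands on C, plus `forward_port tcp 445 192.168.0.2` for Samba; for the pptpd case, `forward_pptp 192.168.0.2` and load the PPTP conntrack/NAT helpers (nf_conntrack_pptp and nf_nat_pptp; ip_conntrack_pptp/ip_nat_pptp on older kernels). The daemons on the target see the real client address in the packet, since DNAT only rewrites the destination. Table names are lowercase: `-t nat` works, `-t NAT` fails with "Table does not exist" even when iptable_nat loads fine. To make the rules permanent, use `service iptables save` on RHEL/CentOS (writes /etc/sysconfig/iptables); on Ubuntu, `iptables-save > /etc/iptables.rules` and restore it from /etc/rc.local or an if-pre-up.d script.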
Code: Can't initialize iptables table 'NAT': Table does not exist (do you need to insmod?)
Looking at lsmod, it doesn't look like I have anything NAT-related loaded (I just have iptable_filter, ip_tables and x_tables). Doing a locate nat, I find a module that looks like it should work. I'm running 10.04.1 LTS; the kernel is 2.6.32-25-generic #45-Ubuntu SMP and it is pretty much stock; I haven't done anything fancy... this module looks promising:
Code: /lib/modules/2.6.32-25-generic/kernel/net/ipv4/netfilter/iptable_nat.ko but loading it and I get: