Lonnie,
  I don't expose FTP; I merely used it as an example.  But I have two
situations that I have to deal with...

1) I have a Panasonic webcam on my LAN.  For remote access this registers
with a Panasonic service, username.viewnetcam.com, effectively a DynDNS
solution exclusively for Panasonic webcams.  I have set up my camera with a
non-standard port and I forward that port from Astlinux to the internal IP
of the camera.  To make sure that my browser bookmark works everywhere I
have to set up a DNS host on Astlinux to make sure that when I am at home it
goes to the internal webcam IP, not my public IP.

2) Because of recent brute force attempts on my gateway I have closed
80/443 external ports and forwarded a random other port to the internal IP
port 443.  This means that when I am outside and need to remotely administer
Astlinux I must use that random port number, but when inside I don't.  So I
cannot have a single bookmark.  I think that the iptables firewall has the
ability to remap port X to 443 on any interface, but I don't see a way to
do that through the GUI.  Not even sure if it could be done with the custom
rules .conf file.  (iptables REDIRECT... I found this example:

  iptables -t nat -A PREROUTING -i eth1 -p TCP --dport 2202 -j REDIRECT --to-port 22

)  But the web interface doesn't have a way to redirect from port X to Y on
the same interface.

And yes, I have dynamic DNS, though the IP address does not change that
much... once every few months if that.  I had noticed that the plugin
required the IP.  Does iptables require the IP?  No way for it to work at
an interface level, irrespective of IP?  If not, then I suppose a script
could be created to update the tables if a change to the external IP was
noticed, but that is probably more work than it is worth.

David
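As an added example (not David's rules, not AstLinux's, and not what the transparent-dnat plugin does), the POSIX shell script below builds the NAT loopback for the camera and the same-interface port remap for the admin port with plain iptables. It uses the standard netfilter "addrtype" match ("-m addrtype --dst-type LOCAL"), which matches any address assigned to the box, so the external IPv4 address never appears in a rule and nothing has to be rebuilt when a dynamic address changes. The interface names, LAN prefix, camera address and all port numbers are assumptions for illustration; whether the AstLinux GUI or custom rules file exposes this match is not stated in the thread.

```shell
#!/bin/sh
# Added example, not AstLinux's rules or the transparent-dnat plugin:
# NAT loopback ("hairpin NAT") for a LAN-hosted service plus a same-interface
# port remap, written so that the external IPv4 address never appears in a
# rule.  Interface names, addresses and ports are assumptions for illustration.
EXTIF=${EXTIF:-eth0}                       # assumed public interface
INTIF=${INTIF:-eth1}                       # assumed LAN interface
LAN=${LAN:-192.168.1.0/24}                 # assumed LAN prefix
CAM_IP=${CAM_IP:-192.168.1.20}             # assumed camera address
CAM_PORT=${CAM_PORT:-80}                   # assumed port the camera listens on
CAM_EXT_PORT=${CAM_EXT_PORT:-18080}        # assumed non-standard public port
ADMIN_EXT_PORT=${ADMIN_EXT_PORT:-44322}    # assumed obfuscated admin port
ADMIN_PORT=443                             # the router's own HTTPS listener

# Print the commands by default; run as root with IPT=iptables to apply them.
IPT=${IPT:-echo iptables}

hairpin_rules() {
    # A LAN client resolving the public name gets the public address, so the
    # packet arrives on INTIF addressed to a LOCAL address of this box.
    # '-m addrtype --dst-type LOCAL' matches every address assigned to the
    # box, so nothing has to be rebuilt when the dynamic address changes.
    $IPT -t nat -A PREROUTING -i "$INTIF" -s "$LAN" -p tcp --dport "$CAM_EXT_PORT" \
        -m addrtype --dst-type LOCAL -j DNAT --to-destination "$CAM_IP:$CAM_PORT"
    # The flow now enters and leaves on INTIF; allow it through FORWARD
    # (the usual ESTABLISHED,RELATED rule handles the camera's replies).
    $IPT -A FORWARD -i "$INTIF" -o "$INTIF" -s "$LAN" -d "$CAM_IP" \
        -p tcp --dport "$CAM_PORT" -j ACCEPT
    # Without this the camera would answer the client directly from its own
    # address; the client expects the reply from the public address and drops
    # it.  MASQUERADE substitutes INTIF's address so the reply comes back
    # through the router and is un-NATed there.
    $IPT -t nat -A POSTROUTING -o "$INTIF" -s "$LAN" -d "$CAM_IP" \
        -p tcp --dport "$CAM_PORT" -j MASQUERADE
}

admin_redirect_rules() {
    # One bookmark, https://host:ADMIN_EXT_PORT/, from either side: REDIRECT
    # rewrites the destination to the primary address of the incoming
    # interface, so neither rule needs the external address either.
    for ifc in "$EXTIF" "$INTIF"; do
        $IPT -t nat -A PREROUTING -i "$ifc" -p tcp --dport "$ADMIN_EXT_PORT" \
            -j REDIRECT --to-ports "$ADMIN_PORT"
    done
}

hairpin_rules
admin_redirect_rules
```

By default the script only prints the commands; run it as root with IPT=iptables to apply them. The MASQUERADE rule is the part that makes hairpin NAT work at all: without it the camera replies straight to the LAN client, the client was expecting the reply from the public address, and the connection never completes. Split-horizon DNS as David does it avoids that extra hop through the router, but the DNAT rule here keys on the destination port, which is what the one-name-per-host DNS approach cannot do.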


On Sun, Oct 7, 2012 at 1:53 PM, Lonnie Abelbeck
<[email protected]> wrote:

> Hi David,
>
> Yes, the transparent-dnat plugin appears to do that, but the general
> requirement with these 'NAT loopback' techniques is a static external IPv4
> address to build the iptables rules around, otherwise for dynamic external
> IPs the firewall rules would have to be rebuilt whenever the external IPv4
> address changed.  So for AstLinux, the transparent-dnat plugin will not
> work if you have a dynamic IP address, i.e. DNAT_MY_EXTERNAL_IP is not
> applicable.
>
> Still, I like your split-horizon DNS approach the best (as you stated);
> usually port selection is not an issue since the local ports are standard
> and any port obfuscation is done via NAT at the edge.  Plus remote VPN
> access will use the local DNS (when set up properly) and point you directly
> to the local server.
>
> I assume you have a good reason for exposing FTP to the public, but I would
> rather see you using sftp (better) or FTP in a VPN (best) for remote access.
>
> Lonnie
>
>
> On Oct 7, 2012, at 10:32 AM, David Kerr wrote:
>
> > Lonnie,
> >   Thanks for the documentation.  Of course this prompted me to look at
> stuff I have never looked at before and of course generates questions.
> >
> > Take transparent-dnat.  Does this solve the situation where I have an
> internal client that attempts to access a service (say FTP) which is in
> fact located inside my LAN or on my AstLinux box?
> >
> > For example, if I am *outside* my LAN and request a service at
> "ftp.mydomain.org:21" then the external DNS servers resolve the name to
> the IP address of my Astlinux eth0/EXTIF.  And the client *outside* my LAN
> directs the traffic to "myIP:21".  Now let's say port 21 is forwarded by
> Astlinux to an internal LAN IP 192.168.1.10 (that may be a different port
> number).
> > Now if I am *inside* my LAN and have done nothing, then the DNS name
> resolution still resolves to eth0/EXTIF. But because the traffic is coming
> from inside to eth1/INTIF it is not caught by the firewall and forwarded to
> the internal host. Instead it tries to connect to the Astlinux box (which
> may, or may not, accept traffic on port 21).
> >
> > The way I have resolved this is by setting up a static hostname in
> Astlinux DNS so that internal clients get the IP address of the internal
> server when they use the name, so ftp.mydomain.org will resolve to
> 192.168.1.10, which is the same host that any external traffic arriving on
> eth0 port 21 would get forwarded to.  However, this is not port-specific, so
> if I had multiple services handled by different hosts there is no way to
> handle that.
> >
> > Does this plugin help, or is there another plugin that would?  Ideally
> what I want is a way to tell the firewall that any traffic originating from
> an internal IP that is destined for the external IP of my Astlinux box be
> handled by the firewall just as if it had arrived on the EXTIF and be
> forwarded (or blocked, or whatever).
> >
> > Thanks,
> > David
> >
> >
> >
> > On Sat, Oct 6, 2012 at 7:45 PM, Lonnie Abelbeck
> <[email protected]> wrote:
> > Hi,
> >
> > Due to recent questions about firewall plugins, we decided to add a
> "Firewall Plugins" section in the documentation WiKi...
> >
> > WiKi: Tips and Tricks -> Networking -> Firewall Plugins
> >
> > http://doc.astlinux.org/userdoc:tt_firewall_plugins
> >
> > I predict even long time users might find a new tidbit here, so please
> take a look and report any changes or clarifications that might be useful
> to others.
> >
> > Lonnie
> >
> >
> >
>
>
>
>
------------------------------------------------------------------------------
Don't let slow site performance ruin your business. Deploy New Relic APM
Deploy New Relic app performance management and know exactly
what is happening inside your Ruby, Python, PHP, Java, and .NET app
Try New Relic at no cost today and get our sweet Data Nerd shirt too!
http://p.sf.net/sfu/newrelic-dev2dev
_______________________________________________
Astlinux-users mailing list
[email protected]
https://lists.sourceforge.net/lists/listinfo/astlinux-users

Donations to support AstLinux are graciously accepted via PayPal to 
[email protected].
