Mailinglist Archive: proxy-suite (29 mails)

Re: [proxy-suite] ipchains filter rules for ftp-proxy
  • From: Alois Treindl <alois@xxxxxxxx>
  • Date: Thu, 21 Jun 2001 07:28:17 +0000 (UTC)
  • Message-id: <Pine.HPX.4.21.0106210910120.8559-100000@xxxxxxxxxxxxx>
On Thu, 21 Jun 2001, Marius Tomaschewski wrote:

> Hi!
>
> On Wed, Jun 20, 2001 at 03:32:20PM +0200, Alois Treindl wrote:
> > I intend to run ftp-proxy on the 'director' of an LVS cluster.
> > The ftp server will run on one of the real servers in the cluster.
> >
> > I use ipchains for firewalling the director against the Internet.
> > Only a very limited set of rules is currently active, to
> > allow ssh access to the 'director' and for the load balanced
> > http services, plus DNS and NTP lookups and such stuff.
> >
> > Question:
> > Does someone have a ruleset for ipchains for the additional
> > rules required for the ftp proxy service.
> >
> > a) allowing public access to the ftp-proxy service from outside
>
> You do not need any redirection rules nor transparent proxying
> if you have only one ftp-server - simply set DestinationAddress
> to the IP of the ftp-server and say to the internet, the proxy
> machine is your ftp-server.

Sorry, I seem to be too inexperienced with Linux and NAT/proxy setup to
understand what you are saying.

What does it mean "Say to the Internet the proxy is my ftp server"?
I do say that ftp.astro.com is $VIP (see below),
but I need the corresponding filtering and forwarding rules
inside the proxy server.

Would it be possible to express that in explicit statements
like 'put this .... in configuration file "filename"' and
'put this rule .... in your ipchains ruleset'?

This is my setup:

           |
           | eth1: real address $DEP, virtual address eth1:0 $VIP
           | DEP=195.49.62.58 VIP=195.49.62.59
+---------------------+
| LVS-NAT director    | running kernel 2.2.19
| ipchains firewall   |
| ftp-proxy           |
+---------------------+
           | eth0: 10.1.1.254 hostname="w0"
           |
           |
        switch--------------- other real http servers w2, w3, w4, ...
           |
           | eth0: 10.1.1.1 hostname="w1"
+---------------------+
| http server         | running kernel 2.4.5
| ftp server          |
+---------------------+

Clients on the internet should connect via
ftp (active and passive must be possible) to virtual address $VIP
and get connected via the proxy to the internal server.
ipchains must be configured to allow the passage and forwarding
of the packets related to the ftp connections.
By default, everything is forbidden.

I need
- the relevant entries in ftp-proxy.conf
- ipchains rules


|| Alois Treindl, Astrodienst AG, mailto:alois@xxxxxxxxx
|| Zollikon/Zurich, Switzerland
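The ipchains additions the message asks for, written for the director drawn above, as an added example (not a reply from the list): a POSIX shell script that prints the rules for review rather than applying them. It assumes DestinationAddress in ftp-proxy.conf is set to 10.1.1.1 as the reply suggests, that the existing default-deny policy stays in place, and that the proxy's passive data port range (40000-40100) and active-mode source port (20) are the values given here; the real ftp-proxy.conf must match them.

```shell
#!/bin/sh
# Prints (does not apply) the ipchains rules needed on the LVS-NAT director
# for ftp-proxy: clients reach $VIP:21, the proxy connects to the internal
# ftp server. Added example, not from the thread. Assumed values (not in
# the thread): passive data ports 40000-40100, active data from port 20.
VIP=${VIP:-195.49.62.59}              # eth1:0, address clients connect to
DEP=${DEP:-195.49.62.58}              # eth1, may be the proxy's source address
DIR_INT=${DIR_INT:-10.1.1.254}        # eth0 of the director (w0)
FTP_SRV=${FTP_SRV:-10.1.1.1}          # internal ftp server (w1)
PASV_RANGE=${PASV_RANGE:-40000:40100} # assumed PassiveMin/MaxDataPort range
ACTIVE_PORT=${ACTIVE_PORT:-20}        # assumed active-mode source port

# Existing ssh/http/DNS/NTP rules are kept; only the ftp additions are shown.
# Review the output, then pipe it into `sh` to load the rules.
gen_ftp_proxy_rules() {
    # The proxy is a user-space process on the director, so ftp packets are
    # terminated locally and never pass the forward chain: input/output only.
    # Internet -> proxy: control connection and passive data connections.
    echo "ipchains -A input -i eth1 -p tcp -s 0/0 -d $VIP 21 -j ACCEPT"
    echo "ipchains -A input -i eth1 -p tcp -s 0/0 -d $VIP $PASV_RANGE -j ACCEPT"
    for src in "$VIP" "$DEP"; do
        # proxy -> client: active-mode data connections opened by the proxy
        echo "ipchains -A output -i eth1 -p tcp -s $src $ACTIVE_PORT -d 0/0 -j ACCEPT"
        # packets of already established connections (SYN not set), both ways
        echo "ipchains -A output -i eth1 -p tcp ! -y -s $src -d 0/0 -j ACCEPT"
        echo "ipchains -A input -i eth1 -p tcp ! -y -s 0/0 -d $src -j ACCEPT"
    done
    # proxy -> internal server: control and passive data, and the replies
    echo "ipchains -A output -i eth0 -p tcp -s $DIR_INT -d $FTP_SRV -j ACCEPT"
    echo "ipchains -A input -i eth0 -p tcp ! -y -s $FTP_SRV -d $DIR_INT -j ACCEPT"
    # internal server -> proxy: active-mode data connection from port 20
    echo "ipchains -A input -i eth0 -p tcp -s $FTP_SRV 20 -d $DIR_INT -j ACCEPT"
}

gen_ftp_proxy_rules
```

Only new connections that the director itself accepts or opens are permitted; everything else still hits the existing default deny, so a mismatch between the assumed port ranges and ftp-proxy.conf shows up as refused data connections rather than as an open director.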

