Linux – iptables to allow FTP only over VPN

Tags: firewall, iptables, linux

I have defined this iptables chain:

iptables -N VPNonly  # create a new chain "VPNonly"
iptables -A VPNonly -i lo -j ACCEPT  # allow localhost
iptables -A VPNonly --src xxx.xxx.xxx.xxx -j ACCEPT  # allow Server IP
iptables -A VPNonly --src 192.168.223.0/24 -j ACCEPT # allow VPN
iptables -A VPNonly --src 10.8.0.0/24 -j ACCEPT      # allow VPN
iptables -A VPNonly --src 10.8.1.0/24 -j ACCEPT      # allow VPN
iptables -A VPNonly -j DROP  # drop everyone else
iptables -I INPUT -m tcp -p tcp --dport 21 -j VPNonly  # use chain VPNonly on port 21

I connect via OpenVPN; the server's point-to-point address is 192.168.223.1 and I get a corresponding IP, let's say 192.168.223.6.

I also have a rule to allow access to the web through the VPN by NAT, like this:

iptables -t nat -A POSTROUTING -s 192.168.223.0/24 -o venet0 -j MASQUERADE

Now FTP access to the server works just fine while connected to the VPN if I connect via 192.168.223.1, but it does not work via the server IP or domain name.

If I temporarily remove the limit on port 21 by:

iptables -D INPUT -m tcp -p tcp --dport 21 -j VPNonly

all IPs and the domain name work for FTP while connected by VPN.

Question: How do I have to modify my iptables chain to also allow connections through the VPN (probably using NAT) in which I have the FTP client connect to the server IP / domain name and not to the server's IP on the VPN?

Note: To the outside world my IP is the server's IP xxx.xxx.xxx.xxx, which is then translated via NAT. I would have expected the server to know it is talking to itself and for the traffic to go through the loopback interface 127.0.0.1 / localhost, but I'm not sure, as my chain of rules still locks me out.

Note 2: Connecting to the server via SSH and using FTP on the shell allows connecting to the server's IP xxx.xxx.xxx.xxx / domain name / 127.0.0.1 / localhost. Only when I'm connected through the VPN and my IP appears to be the server's due to the NAT rule do my iptables rules keep me from connecting to port 21.
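To see exactly what the chain above decides for a given packet, here is an added model of it (example code, not part of the original question): it applies the same first-match rules to constructed sample packets. The public address 203.0.113.10 is a placeholder for xxx.xxx.xxx.xxx, 198.51.100.7 is an assumed client address outside the VPN, and tun0/venet0 are assumed interface names.

```python
import ipaddress
from typing import NamedTuple, Optional

SERVER_PUBLIC_IP = "203.0.113.10"  # placeholder for the real xxx.xxx.xxx.xxx


class Packet(NamedTuple):
    in_iface: str  # interface the packet arrived on (-i)
    src: str       # source address as seen by INPUT (--src)
    dport: int     # TCP destination port (--dport)


# The VPNonly chain, in the order the rules were appended:
# (input interface or None, source network or None, verdict)
VPNONLY_CHAIN = [
    ("lo", None, "ACCEPT"),                     # allow localhost
    (None, SERVER_PUBLIC_IP + "/32", "ACCEPT"),  # allow server IP
    (None, "192.168.223.0/24", "ACCEPT"),        # allow VPN
    (None, "10.8.0.0/24", "ACCEPT"),             # allow VPN
    (None, "10.8.1.0/24", "ACCEPT"),             # allow VPN
    (None, None, "DROP"),                        # drop everyone else
]


def vpnonly_verdict(pkt: Packet) -> str:
    """First matching rule wins, as in iptables; the last rule catches the rest."""
    src = ipaddress.ip_address(pkt.src)
    for iface, net, verdict in VPNONLY_CHAIN:
        if iface is not None and pkt.in_iface != iface:
            continue
        if net is not None and src not in ipaddress.ip_network(net):
            continue
        return verdict
    return "RETURN"  # unreachable while the chain ends in an unconditional DROP


def input_verdict(pkt: Packet) -> str:
    """INPUT hands only TCP/21 to VPNonly; other ports fall through (policy assumed ACCEPT)."""
    return vpnonly_verdict(pkt) if pkt.dport == 21 else "ACCEPT"


# Constructed scenarios. Note that a packet addressed to the host itself is
# delivered via INPUT and never traverses POSTROUTING, so the MASQUERADE rule
# cannot rewrite its source: inside the tunnel the chain still sees 192.168.223.6.
SCENARIOS = {
    "control via tunnel to 192.168.223.1": Packet("tun0", "192.168.223.6", 21),
    "control to public IP, still inside tunnel": Packet("tun0", "192.168.223.6", 21),
    "control to public IP, routed outside tunnel": Packet("venet0", "198.51.100.7", 21),
    "passive data port from outside": Packet("venet0", "198.51.100.7", 50000),
}

if __name__ == "__main__":
    for name, pkt in SCENARIOS.items():
        print(f"{name:45s} -> {input_verdict(pkt)}")
```

The last scenario is the check to keep in mind: because INPUT only jumps to VPNonly for port 21, the "FTP only over VPN" restriction covers the control connection alone, and passive-mode data connections to high ports are not subject to it unless they are hooked as well (for example through the FTP conntrack helper and a RELATED/ESTABLISHED rule).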

Best Answer

  1. All FTP servers have two modes: passive mode and active mode.

  2. When you are in active mode, it means that all connections initiated by your client will receive back a high port range [1024-65535] for the data stream from your server.

  3. When you are in passive mode, you must allow the client to answer which port it will be able to connect to [21] and the data stream, because the client will determine the port range [xxxx-yyyyyy]. So, with this in mind, when you define the port 21 limit, all high ports stop working for the data stream chosen by your client outside your VPN; otherwise you allow port 21 and any range so that other clients from your LAN work well.

  4. You must define in your chain the port range for the data stream, even after fixing the initial connection to port 21.

  5. FTP uses a pair of connections to work: connection and data stream. You must define the connection and the stream for the right network interface created dynamically by your VPN server.

    1. The ip route command will determine the route for each interface and IP address range (public or private), for example: ip route add 192.168.99.0/24 dev ppp0

    2. sysctl -w net.ipv4.ip_forward=1 will allow you to route and send data through those interfaces.

    3. Assuming your VPN server is a Linux-based service, check the proxyarp option.