Need help with nat-start script.


SLT

Since I enabled the FTP server on my NAS I've been getting several log alerts in my mail about failed login attempts.

This is part of the log that is sent to my email from my NAS
2016-12-26 19:26:20 alert

Failed pure-ftpd login attempt (incorrect password or inexistent username).

The details contain different IP-addresses from around the world. These seem to be unauthorized login attempts to the FTP server so I set out to limit the source IPs that are allowed to connect. Since my only reason for running the FTP server is to allow my brother to access our media library, I want only his IP address to be granted access. I found this wiki article and tried the first example, changing --dport to 21, the source and destination IPs to match my setup. I read in another wiki entry that all scripts should start with
"#!/bin/sh" so I tried with and without this command, even though the example doesn't have that command. I changed the permissions for "nat-start" to be executable. I also removed the previous port forwarding rule allowing access to the NAS since it says in the wiki that it should be removed. However, I've left port forwarding enabled with just an empty list but I've also tried disabling it.

This is what nat-start contains at the moment (only difference is source and destination IP):
Code:
#!/bin/sh

iptables -t nat -I VSERVER 3 -p tcp -m tcp -s 111.111.111.111 --dport 21 -j DNAT --to 222.222.222.222

I've tried all of the above but still can't connect to the NAS FTP unless a port forwarding rule is created in the web GUI.

Did I miss a step?
 
What happens if you type that iptables command into the command line? Does it give you an error?

If so, change the "VSERVER 3" part to just "VSERVER"
 
Code:
Chain VSERVER (1 references)
pkts bytes target prot opt in out source destination
0 0 DNAT tcp -- * * 0.0.0.0/0 0.0.0.0/0 tcp dpt:20 to:192.168.1.46:21
0 0 DNAT udp -- * * 0.0.0.0/0 0.0.0.0/0 udp dpt:20 to:192.168.1.46:21
0 0 DNAT tcp -- * * 0.0.0.0/0 0.0.0.0/0 tcp dpt:21 to:192.168.1.46:21
0 0 DNAT tcp -- * * 0.0.0.0/0 0.0.0.0/0 tcp dpt:2021 to:192.168.1.1:21
0 0 DNAT udp -- * * 0.0.0.0/0 0.0.0.0/0 udp dpt:21 to:192.168.1.46:21
525 27849 VUPNP all -- * * 0.0.0.0/0 0.0.0.0/0
 
Those rules indicate that you are still using the built-in port forwarding rules, but you have changed TCP to BOTH (FTP only uses TCP).

Remove the rules and turn off port forwarding. Disable (i.e. rename) any nat-start scripts that you have and reboot the router.

Issue the iptables command again to confirm that you no longer have any existing rules.

Try issuing the following 2 commands:
Code:
iptables -t nat -I VSERVER -p tcp -m tcp -s 111.111.111.111 --dport 20 -j DNAT --to-destination 192.168.1.46:21
iptables -t nat -I VSERVER -p tcp -m tcp -s 111.111.111.111 --dport 21 -j DNAT --to-destination 192.168.1.46:21
 
Those rules indicate....

Thanks for taking your time to try to help but I still can't get it to work. The iptables command shows that there are no active rules but the forwarding commands don't seem to work. They do appear in the list of active rules once they've been activated but I still can't connect to the FTP server.
 
Presumably you have changed the "111.111.111.111" to the external IP address you are testing from, as well as 192.168.1.46 being your internal FTP server?

How are you testing the connection?

Beyond that I can't offer any more suggestions as I don't have a way of testing things here. (FTP is always tricky because it uses separate ports for control and data, relies on NAT "helpers" and can run in active and passive modes :()

Hopefully other people who already have this working will be able to help you.
 
Hi, I have question regarding this nat-start script too.
Per wiki page iptables tips
First, make sure you do NOT forward that port on the Virtual server page. Then, use a rule like this inside the nat-start script
So I only need to make sure there is no conflict between the ports that are created through the WebGUI and the command line script, then it should be working fine, right? No need to disable port forwarding totally on the WebGUI, only using the nat-start script for everything?

I modified nat-start,
Code:
#!/bin/sh
logger "firewall" "Applying nat-start rules"
iptables -t nat -I VSERVER 3 -p tcp -m tcp -s outbound1.letsencrypt.org --dport 80 -j DNAT --to 192.168.1.2
iptables -t nat -I VSERVER 3 -p tcp -m tcp -s outbound2.letsencrypt.org --dport 80 -j DNAT --to 192.168.1.2

After reboot, I do not see the port forwarding in the WebGUI, and the command line iptables -L seems not to have the related lines. And it is not easy for me to validate this rule as the source restriction.
Do I need to change VSERVER 3 to VSERVER? How can I verify the script is in effect? I am new to this system, any guide or commands will be helpful.

Thanks a lot.
 
After reboot, I do not see the port forwarding in the WebGUI, and the command line iptables -L seems not to have the related lines.

Issue the following command to see if your VSERVER rules are added:
Code:
iptables -vL VSERVER --line -t nat
or to see the actual resolved IP address and port
Code:
iptables -nvL VSERVER --line -t nat

The GUI sets this NVRAM variable for any 'basic' VSERVER rules that it creates - but it is limited to the type of rules it can create...hence the reason you are creating the 'advanced' rules manually because there is no place to input the 'src' address via the GUI.
Code:
nvram get vts_rulelist
 
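A way to check that listing without eyeballing it, as an added example that is not part of this thread: run this Python script (on a workstation, say) against the pasted output of `iptables -nvL VSERVER --line -t nat`. It parses the DNAT rules and reports any forward for the FTP port that still accepts 0.0.0.0/0 or uses UDP, and whether the single source-restricted TCP rule is actually present. The sample listing is constructed from the addresses used in the thread (111.111.111.111 and 192.168.1.46), not captured from a real router.

```python
import re
from collections import namedtuple

# Constructed sample of `iptables -nvL VSERVER --line -t nat` output; not captured from a real router.
SAMPLE = """\
Chain VSERVER (1 references)
num   pkts bytes target prot opt in  out source          destination
1        0     0 DNAT   tcp  --  *   *   111.111.111.111 0.0.0.0/0   tcp dpt:21 to:192.168.1.46:21
2        0     0 DNAT   udp  --  *   *   0.0.0.0/0       0.0.0.0/0   udp dpt:21 to:192.168.1.46:21
3        0     0 DNAT   tcp  --  *   *   0.0.0.0/0       0.0.0.0/0   tcp dpt:2021 to:192.168.1.1:21
4      525 27849 VUPNP  all  --  *   *   0.0.0.0/0       0.0.0.0/0
"""

PROTO_NAMES = {"6": "tcp", "17": "udp"}  # newer iptables may print protocol numbers with -n
DnatRule = namedtuple("DnatRule", "num proto source dport to")

def parse_vserver(listing):
    """Extract DNAT rules from a numbered VSERVER listing; other targets (e.g. VUPNP) are skipped."""
    rules = []
    for line in listing.splitlines():
        cols = line.split()
        # With --line the columns are: num pkts bytes target prot opt in out source destination [extras]
        if len(cols) < 10 or not cols[0].isdigit() or cols[3] != "DNAT":
            continue
        m = re.search(r"dpt:(\d+)\s+to:(\S+)", line)
        if not m:
            continue
        proto = PROTO_NAMES.get(cols[4], cols[4])
        rules.append(DnatRule(int(cols[0]), proto, cols[8], int(m.group(1)), m.group(2)))
    return rules

def audit_ftp_forward(listing, allowed_src, server, port=21):
    """List problems with the forward for `port`; empty means only allowed_src reaches server:port over TCP."""
    rules = parse_vserver(listing)
    findings = []
    for r in rules:
        if r.dport != port:
            continue
        if r.source == "0.0.0.0/0":
            findings.append(f"rule {r.num}: {r.proto} dpt:{port} accepts any source")
        if r.proto == "udp":
            findings.append(f"rule {r.num}: udp forward is unnecessary for FTP")
    if not any(r.proto == "tcp" and r.dport == port and r.source == allowed_src
               and r.to == f"{server}:{port}" for r in rules):
        findings.append(f"no tcp dpt:{port} DNAT from {allowed_src} to {server}:{port}")
    return findings
```

On the sample above the audit flags rule 2 twice (any-source and UDP) and is otherwise satisfied; an empty list is what you want to see after the nat-start script has run.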
