
IPtables and AFP

Anders_W
Posts: 34
Joined: 13 Sep 2011, 09:22

IPtables and AFP

Post by Anders_W »

Happy New Year, everybody!

Thank You all for Your help with earlier questions.

Before asking a new question, let me describe the home network as it is taking form:
  • An ADSL gateway is connected to the B3
  • Client computers at home are being connected to the LAN-side of the B3, wired or wireless
  • One computer is a Ubuntu box with a RAID cabinet, functioning as a file server
  • All other computers relevant to this post are Macs running Mac OS X
  • The file server is configured to allow FTPS (port 22) and AFP (port 548)
What I want to do is to allow client computers to access the file server using the same address, no matter if they are on the home network or accessing over the internet. The Macs are the most important, but if both AFP and FTPS can be routed, that is a plus.

This is apparently possible by using rules for IPtables, but I have never used that program.

Is anyone familiar enough with IPtables to design such rules?

When it comes to FTPS, I suspect that it might need to use another port, so that 22 is still available for connecting to the B3 itself. If anyone knows how to tell the vsftpd (Very Safe FTP Daemon in Debian) to use another port than 22, please let me know.

Thank You in advance.
Gordon
Posts: 1469
Joined: 10 Aug 2011, 03:18

Re: IPtables and AFP

Post by Gordon »

Since you won't be able to route to your LAN from the internet, the common address will have to be your public IP or DNS name. When using the latter you can handle the LAN traffic by faking the DNS entry, but that can be very tricky if you also want to be able to access other servers in the same internet domain. The smart way is to do this with iptables.

When connected to the LAN this will require a routeback rule:

iptables -t nat -A PREROUTING -d <your_fixed_IP>/32 -i br0 -m tcp -p tcp --dport 22 -j DNAT --to-destination <ubuntu_server_IP>

When on the internet essentially the same rule applies, but in this case you must also allow forwarding:

iptables -t nat -A PREROUTING -d <your_fixed_IP>/32 -i eth0 -m tcp -p tcp --dport 22 -j DNAT --to-destination <ubuntu_server_IP>

iptables -A FORWARD -d <ubuntu_server_IP>/32 -i eth0 -m tcp -p tcp --dport 22 -j ACCEPT

Anders_W
Posts: 34
Joined: 13 Sep 2011, 09:22

Re: IPtables and AFP

Post by Anders_W »

Thank You for the quick and useful answer!

When it comes to AFP (Apple Filing Protocol), can I use the same rules, substituting "22" for the AFP port number?
Gordon
Posts: 1469
Joined: 10 Aug 2011, 03:18

Re: IPtables and AFP

Post by Gordon »

Anders_W wrote: Thank You for the quick and useful answer!

When it comes to AFP (Apple Filing Protocol), can I use the same rules, substituting "22" for the AFP port number?

Yes: same method.

If you like you can also change the port number that should be used:
iptables -t nat -A PREROUTING -d <your_fixed_IP>/32 -i eth0 -m tcp -p tcp --dport 2222 -j DNAT --to-destination <ubuntu_server_IP>:22

iptables -A FORWARD -d <ubuntu_server_IP>/32 -i eth0 -m tcp -p tcp --dport 22 -j ACCEPT
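Added example, not from Gordon's or Anders_W's posts: a small script that generates the complete rule set described in this thread for both services (SSH/SFTP on a non-standard public port, AFP on 548), from the internet side (eth0) and from the LAN side (br0). The public address, server address and LAN range are assumed placeholders; DRY_RUN=1 prints the commands instead of running them so they can be reviewed first.

```shell
#!/bin/sh
# Added example (not from the thread). Publishes an internal server on the
# same public address from the LAN (br0) and the internet (eth0).
PUBLIC_IP="${PUBLIC_IP:-203.0.113.10}"   # assumed fixed public address
SERVER_IP="${SERVER_IP:-192.168.1.20}"   # assumed Ubuntu file server
LAN_NET="${LAN_NET:-192.168.1.0/24}"     # assumed LAN range behind br0
DRY_RUN="${DRY_RUN:-1}"                  # 1 = print only, 0 = apply

# run_or_print: print the iptables command, or execute it when DRY_RUN=0.
run_or_print() {
    if [ "$DRY_RUN" = "1" ]; then
        echo "iptables $*"
    else
        iptables "$@"
    fi
}

# publish_port EXT_PORT INT_PORT: map EXT_PORT on the public address to
# INT_PORT on the server and allow only that forwarded traffic.
publish_port() {
    ext="$1"; int="$2"
    # Internet side: DNAT, then allow the forwarded connection (and nothing
    # else) towards the server on the internal port.
    run_or_print -t nat -A PREROUTING -i eth0 -d "$PUBLIC_IP"/32 -p tcp --dport "$ext" \
        -j DNAT --to-destination "$SERVER_IP:$int"
    run_or_print -A FORWARD -i eth0 -d "$SERVER_IP"/32 -p tcp --dport "$int" -j ACCEPT
    # LAN side (routeback / hairpin NAT). The DNAT alone is not enough: the
    # server would answer the LAN client directly from its own address, the
    # client would see a reply from an unexpected source and drop it.
    # Masquerading the LAN source forces the reply back through the B3.
    run_or_print -t nat -A PREROUTING -i br0 -d "$PUBLIC_IP"/32 -p tcp --dport "$ext" \
        -j DNAT --to-destination "$SERVER_IP:$int"
    run_or_print -t nat -A POSTROUTING -s "$LAN_NET" -d "$SERVER_IP"/32 -p tcp --dport "$int" \
        -j MASQUERADE
}

# publish_all: SSH/SFTP on public port 2222 (22 stays free for the B3
# itself, as Gordon suggested) and AFP on 548.
publish_all() {
    publish_port 2222 22
    publish_port 548 548
}

publish_all
```

Run with DRY_RUN=1 first and compare the printed rules against the existing chains (iptables -t nat -L -n and iptables -L FORWARD -n) before applying them, since the B3 already carries its own NAT and forwarding rules.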
Anders_W
Posts: 34
Joined: 13 Sep 2011, 09:22

Re: IPtables and AFP

Post by Anders_W »

Oh, goodie!

I have been going through what little documentation there is for vsftpd, and there was nothing about changing ports, but this would circumvent that very nicely.

Thank You very much!