
I have a VMware host-side interface: 10.10.10.1, a Linux VM in VMware (Guest): 10.10.10.128, a honeypot on the Guest: 10.10.10.15, and my Windows machine (Host): 192.168.1.11. I can send FTP requests directly from my Host to the honeypot and the connection is established. Now I want to send FTP requests to the Guest and have these forwarded to my honeypot. I put these rules in iptables on the Guest:

iptables -t nat -A PREROUTING -p tcp --dport 21 -j DNAT --to-destination 10.10.10.15:21
iptables -t nat -A POSTROUTING -p tcp -s 10.10.10.15 --sport 21 -j SNAT --to-source 10.10.10.128
iptables -t nat -A POSTROUTING -o eth0 -j MASQUERADE

But I cannot get the desired result. What can I do?

Note: When the honeypot is running, I can ping it from the Host, but I cannot ping it from the Guest and the result is:

Destination Host Unreachable

Where is my mistake?

ThisIsMe
  • What exactly is the result at the moment? Wrong site, no connection? Have you enabled IP forwarding? `echo 1 > /proc/sys/net/ipv4/ip_forward`. – Thomas Dec 25 '16 at 18:12
  • Yes, I enabled IP forwarding. The result is FTP Connection Refused. I also opened the FTP port of the Guest. But when I try to nmap the Guest, the result is that all ports are closed! @Thomas – ThisIsMe Dec 25 '16 at 18:28
  • Hm, just tested in a VM environment and the iptables rules did work for me. I tested with a port 80 redirection. Is the `eth0` interface the correct one? Nowadays you also might have e.g. `ens0` or similar. You also could try `iptables -t nat -A POSTROUTING -j MASQUERADE` instead. – Thomas Dec 25 '16 at 18:55
  • Yes, the interface is eth0. – ThisIsMe Dec 25 '16 at 19:03
  • Could you explain what you did that works for you? What is the result of 'nmap YOUR_GUEST_IP'? – ThisIsMe Dec 25 '16 at 19:09
  • `nmap` shows me that the port 80 is opened. – Thomas Dec 25 '16 at 19:15
  • Let us [continue this discussion in chat](http://chat.stackexchange.com/rooms/50691/discussion-between-thisisme-and-thomas). – ThisIsMe Dec 25 '16 at 19:18
  • You have to find out what's going on with the traffic. So, for example, run `tcpdump -i eth0 port 21`. – gxx Dec 26 '16 at 17:30
  • I tried it, but it couldn't help me. I also updated my post; please see it again. Thanks @gf_ – ThisIsMe Dec 28 '16 at 14:00


If you want to forward FTP requests, you can't just forward port 21. FTP uses 2 or more connections:

  • 1 connection to send commands, on port 21
  • 1 or more connections on a variable port number determined by the FTP server to transfer the data

So, if you want to forward FTP connections, you need to look in your server configuration to check the port range that the FTP server will use to accept client connections (assuming your client connects to the FTP server in "passive mode").
So you need to forward port 21 + all the ports defined in the "passive port" range.

But this is not enough, because it's the FTP server that instructs the FTP client on which IP to contact to open the data transmission connection, and usually this is the server IP.
The FTP server has no knowledge of the server you are using to forward the connection.

So you should also tell your FTP server that its "public IP" is not the IP of the FTP server, but the IP of the server that will accept (and forward) the FTP connection from the client.

Max
  • When I open the FTP port in the Guest, I can connect to it via the Host. But when I run the honeypot and set the iptables rules, I cannot connect. Can you answer my Note question? I think just this can solve my problem. – ThisIsMe Dec 28 '16 at 17:21
  • @ThisIsMe sorry, I'm not an expert on Linux or iptables; to me it just looked like the main issue was about how FTP works. If the FTP client uses passive mode, you can't have a working FTP server by just forwarding a single TCP port. – Max Dec 28 '16 at 20:21
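The answer's point (control port plus the whole passive range, replies routed back through the forwarding Guest, and FORWARD-chain permission) put together as an added example; this is not code from the question or the answer. It reuses the question's addresses and interface and assumes a hypothetical passive range of 50000:50100 configured on the FTP server; the function only prints the rules, so they can be reviewed before being run as root.

```shell
#!/bin/sh
# Added example: emit the iptables rules needed to forward FTP to a backend.
# Assumptions (hypothetical, not from the page): the FTP server is configured
# with passive ports 50000:50100 and advertises $front as its passive address.
# Nothing here touches the kernel; pipe the output to "sh" as root once reviewed.

ftp_forward_rules() {
    front="$1"           # IP the client connects to (the forwarding Guest)
    back="$2"            # IP of the real FTP server / honeypot
    prange="$3"          # passive port range from the FTP server config, e.g. 50000:50100
    iface="${4:-eth0}"   # interface the client traffic arrives on

    cat <<EOF
sysctl -w net.ipv4.ip_forward=1
# control channel
iptables -t nat -A PREROUTING -i $iface -p tcp --dport 21 -j DNAT --to-destination $back:21
# passive data channels: the server hands the client a port from this range,
# so every port in it must be forwarded too (port is kept, only the IP changes)
iptables -t nat -A PREROUTING -i $iface -p tcp --dport $prange -j DNAT --to-destination $back
# replies must come back through $front, otherwise the client sees them arriving
# from $back and drops them; note this hides the client's real address from $back
iptables -t nat -A POSTROUTING -d $back -p tcp -m multiport --dports 21,$prange -j SNAT --to-source $front
# a DROP policy on FORWARD silently discards DNATed packets, so allow the flows
iptables -A FORWARD -d $back -p tcp -m multiport --dports 21,$prange -m conntrack --ctstate NEW,ESTABLISHED,RELATED -j ACCEPT
iptables -A FORWARD -s $back -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
EOF
}

# Sample invocation with the question's addresses and the assumed passive range.
ftp_forward_rules 10.10.10.128 10.10.10.15 50000:50100 eth0
```

Check with `tcpdump -i eth0 port 21` on the Guest, as suggested in the comments, that the DNATed packets actually leave towards the backend and that replies return with the Guest's address as source.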