On Fri, Dec 05, 2008 at 10:35:47AM -0700, Robert L. Harris wrote:
> Help... I have the following in my firewall startup script:
>
> /sbin/modprobe nf_conntrack_ftp
> $IPTABLES -A INPUT -p tcp --dport 21 -m state --state NEW,ESTABLISHED -j ACCEPT
> $IPTABLES -A PREROUTING -t nat -p tcp -i $IFACE --dport 21 -j DNAT --to 10.1.1.32:21
> $IPTABLES -A OUTPUT -p tcp --dport 21 -m state --state NEW,ESTABLISHED -j ACCEPT
> # Active
> $IPTABLES -A INPUT -p tcp --sport 20 -m state --state ESTABLISHED,RELATED -j ACCEPT
> $IPTABLES -A PREROUTING -t nat -p tcp -i $IFACE --sport 20 -j DNAT --to 10.1.1.32:20
> $IPTABLES -A OUTPUT -p tcp --dport 20 -m state --state ESTABLISHED -j ACCEPT
> # Passive
> $IPTABLES -A INPUT -p tcp --sport 1024: --dport 1024: -m state --state ESTABLISHED -j ACCEPT
> $IPTABLES -A PREROUTING -t nat -p tcp -i $IFACE --dport 1024: -j DNAT --to 10.1.1.32
> $IPTABLES -A OUTPUT -p tcp --sport 1024: --dport 1024: -m state --state ESTABLISHED,RELATED -j ACCEPT
Can I suggest something like this:

# one catch-all for all related and established connections
# as defined by connection tracking
iptables -I INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
iptables -A INPUT -p tcp --dport 21 -m state --state NEW -j ACCEPT
iptables -A FORWARD -p tcp --dport 21 -m state --state NEW -j ACCEPT
iptables -t nat -A PREROUTING -p tcp --dport 21 -j DNAT --to 10.1.1.32:21

I am not sure if you need the other ports for active, as the conntrack module should handle that for you (works on outgoing, not 100% sure on incoming). You need the forward statement (you could add a -d 10.1.1.32), because the DNAT makes it a routed packet.

You can test this with:

tcpdump -pni <interface> port 21 or host <host ip>

alex

> I am trying to forward public internet ftp traffic to a machine behind
> my firewall. Anyone have this working? Mine is failing and I have no
> real debug info to explain why....
>
> Robert
>
> --
> Robert L. Harris | GPG Key ID: E344DA3B

--
Darth Vader sleeps with a Teddywookie.
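A fuller version of alex's suggestion, added here as an example (it is not code from either poster). It assumes eth0 as the public interface, that the firewall already masquerades outbound traffic from 10.1.1.32, and a kernel of 4.7 or later, where helper auto-assignment is off by default, so the FTP helper is attached explicitly in the raw table; nf_nat_ftp is loaded so the private address in PORT/PASV payloads is rewritten. DRY_RUN=1 (the default) prints the rules instead of applying them.

```shell
#!/bin/sh
# Added example: DNAT public FTP to an internal server using the
# conntrack helpers. Assumed values: IFACE, FTP_SERVER, DRY_RUN.
IFACE="${IFACE:-eth0}"                 # assumed public-facing interface
FTP_SERVER="${FTP_SERVER:-10.1.1.32}"  # internal FTP server from the thread
DRY_RUN="${DRY_RUN:-1}"                # 1 = print rules, 0 = apply them

# Print or run one iptables command depending on DRY_RUN.
ipt() {
    if [ "$DRY_RUN" = 1 ]; then
        echo "iptables $*"
    else
        iptables "$@"
    fi
}

# Emit the rule set. Data connections (active and passive) are never
# listed explicitly: nf_conntrack_ftp marks them RELATED and nf_nat_ftp
# rewrites the PORT/PASV payload so the private address never leaks.
ftp_dnat_rules() {
    # Kernels >= 4.7 do not attach helpers automatically; assign it here,
    # before conntrack sees the packet (raw table runs first).
    ipt -t raw -A PREROUTING -p tcp -i "$IFACE" --dport 21 -j CT --helper ftp
    # Control connection: DNAT, then allow the forwarded NEW packet.
    ipt -t nat -A PREROUTING -p tcp -i "$IFACE" --dport 21 -j DNAT --to-destination "$FTP_SERVER:21"
    ipt -A FORWARD -p tcp -d "$FTP_SERVER" --dport 21 -m conntrack --ctstate NEW -j ACCEPT
    # Replies plus everything the helper classified as RELATED (data channels).
    # The DNAT'd traffic is forwarded, so FORWARD needs this, not only INPUT.
    ipt -A FORWARD -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
    ipt -A INPUT -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
}

# Number of rules the set contains, for checking the generated output.
rule_count() { DRY_RUN=1 ftp_dnat_rules | wc -l | tr -d ' '; }

# Both modules are needed: tracking alone does not rewrite the payload.
[ "$DRY_RUN" = 1 ] || { modprobe nf_conntrack_ftp; modprobe nf_nat_ftp; }
ftp_dnat_rules
```

Run with DRY_RUN=0 as root to apply; watch the data channels with the tcpdump line above plus `conntrack -E` to confirm they show up as RELATED.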