Wow, how complicated. Seems like you could just set your INPUT and FORWARD default policies to ACCEPT. I mean you ACCEPT everything NEW, RELATED, ESTABLISHED both in INPUT, and in FORWARD.
The only thing you are doing is protecting yourself from scans with invalid TCP/IP flag combinations.

I have never seen .XXX.XXX notation? Have you tried 219.105.0.0/16 instead?

And I have another question, is eth0 your internet facing interface? And is eth1 your internal interface?

You don't need the PASS table or the PASS jump since you are allowing all forwards anyway. So what we are left with is:

##############################
iptables -F
iptables -F -t nat

iptables -t nat -A PREROUTING -i eth0 -d 219.105.0.0/16 -p tcp --dport 10023 -j DNAT --to-destination 192.168.0.128:23

# I am not including the FTP stuff because it won't work the
# way you want.

iptables -t nat -A POSTROUTING -s 192.168.0.0/24 -o eth0 -j MASQUERADE

iptables -P INPUT ACCEPT
iptables -P FORWARD ACCEPT
iptables -P OUTPUT ACCEPT
################################

The FTP thing won't work the way you are describing it. FTP requires 2 tcp connections, and I don't know how that is going to work on non-standard ports with NAT like this....

Anyway, if I were you I wouldn't allow telnet or ftp through from the internet. Install SSHD on your box and allow that instead. (set it up on a non-standard port).

You might already know this, and are just showing an example.... But this firewall/router config is really bad security-wise. If you didn't already know that you should either do a lot of reading or contact your local LUG group and ask someone to help you set up an Internet Firewall/Gateway.

On Mon, 2002-12-09 at 20:15, Rai Ou wrote:
> My gateway(firewall) is Redhat Linux 7.1 and I can only get 1 dynamic ip
> from my provider.
> So I create the IP-MASQUERADE using iptables for my home-lan.
>
> My target is "creating a FTP server at one of my home-lan machine(Redhat
> 7.2)". but now
> I found it can be run as a FTP client but can't be run as a FTP server for
> the Data Connection Error.
>
> I know the FTP protocol need 2 connections (Control connection & Data
> connection) so I loaded this
> modules at my firewall linux box:
> ----------------------------------------------------------
> ip_nat_irc             4320   0 (unused)
> ip_nat_ftp             3760   0 (unused)
> ip_conntrack_irc       3040   0 (unused)
> ip_conntrack_ftp       2480   0 (unused)
> ipt_MASQUERADE         1712   1 (autoclean)
> ipt_state              1200   3 (autoclean)
> iptable_nat           16160   2 (autoclean) [ip_nat_irc ip_nat_ftp ipt_MASQUERADE]
> ip_conntrack          15824   4 (autoclean) [ip_nat_irc ip_nat_ftp ip_conntrack_irc ip_conntrack_ftp ipt_MASQUERADE ipt_state iptable_nat]
> iptable_filter         2304   0 (autoclean) (unused)
> ip_tables             11072   6 [ipt_MASQUERADE ipt_state iptable_nat iptable_filter]
> ---------------------------------------------------------
>
> and let me attach my firewall setting here:
> #-------------------------------
> # default INPUT/FORWARD policy
> #-------------------------------
> iptables -P INPUT DROP
> iptables -P FORWARD DROP
> #---------------------
> # clear the chains
> #---------------------
> iptables -F
> iptables -F -t nat
> iptables -X
> iptables -X -t nat
> #---------------------
> # make rule & chains
> #---------------------
> # Define the default INPUT/FORWARD rule.
> iptables -N default
> iptables -A default -m state --state ESTABLISHED,RELATED -j ACCEPT
> iptables -A default -m state --state NEW -i eth0 -j ACCEPT
> iptables -A default -m state --state NEW -i ! eth0 -j ACCEPT
> iptables -A default -j DROP
> # Use the default rule to the INPUT/FORWARD chains.
> iptables -A INPUT -j default
> iptables -A FORWARD -j default
>
> # Define the pass chain and insert it to the FORWARD.
> # - telnet -
> iptables -t nat -A PREROUTING -i eth0 -d 219.105.XXX.XXX -p tcp --dport 10023 -j DNAT --to 192.168.0.128:23
> # - ftp -
> iptables -t nat -A PREROUTING -i eth0 -d 219.105.XXX.XXX -p tcp --dport 10021 -j DNAT --to 192.168.0.128:21
> iptables -N pass
> iptables -A pass -d 192.168.0.128 -p tcp --dport 23 -j ACCEPT
> iptables -A pass -d 192.168.0.128 -p tcp --dport 21 -j ACCEPT
> iptables -I FORWARD 1 -j pass
>
> # Using the ipMASQUERADE at the POSTROUTING chain.
> iptables -t nat -A POSTROUTING -o eth0 -j MASQUERADE
>
>
> Now I want to know the reason of why I can't make the FTP data connection to
> the home-lan FTP Server. or...... maybe it is the Impossible mission ???
>
> Rai

--
redhat-list mailing list
unsubscribe mailto:[EMAIL PROTECTED]?subject=unsubscribe
https://listman.redhat.com/mailman/listinfo/redhat-list
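The reply's two security points are that the original ruleset accepts every NEW connection arriving on eth0 (so the default DROP policy does nothing), and that telnet and FTP should not be exposed at all; SSH on a non-standard port is the suggested replacement. The script below is an added example written for this thread, not code posted by either participant. It keeps the default-deny policies, lets only the LAN open outbound connections, and forwards a single external port to sshd on the LAN host, with the FORWARD accept that a DNAT rule needs under a DROP policy. It assumes eth0 is the internet-facing interface and eth1 the internal one (the reply's question), uses the 192.168.0.0/24 network and the 192.168.0.128 host from the thread, and picks 10022 as an assumed external port. It emits the rules instead of applying them so the result can be reviewed (or checked by `check_rules`) before it is piped to `sh` as root.

```shell
#!/bin/sh
# Added example (not from the thread): a default-deny iptables gateway that
# forwards one service (SSH, as the reply recommends instead of telnet/ftp)
# to a LAN host. Interface names, the external port and the --apply flag are
# assumptions; the addresses come from the thread.
WAN_IF=eth0            # assumed internet-facing interface
LAN_IF=eth1            # assumed internal interface
LAN_NET=192.168.0.0/24 # home LAN from the thread
SSH_HOST=192.168.0.128 # LAN host from the thread, now running sshd
EXT_PORT=10022         # assumed non-standard external port
INT_PORT=22            # sshd listening port on the LAN host

# Emit the rules to stdout rather than applying them, so the ruleset can be
# reviewed and tested without touching a live firewall.
gen_rules() {
cat <<EOF
echo 1 > /proc/sys/net/ipv4/ip_forward
iptables -F
iptables -F -t nat
iptables -X
iptables -X -t nat
# Default-deny on INPUT and FORWARD; traffic from the gateway itself is allowed out.
iptables -P INPUT DROP
iptables -P FORWARD DROP
iptables -P OUTPUT ACCEPT
# Loopback, plus return traffic for connections the gateway or the LAN opened.
iptables -A INPUT -i lo -j ACCEPT
iptables -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
iptables -A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT
# Only the LAN may open new connections through the gateway (no "NEW -i eth0" accept).
iptables -A FORWARD -i $LAN_IF -o $WAN_IF -s $LAN_NET -m state --state NEW -j ACCEPT
# Port-forward: DNAT in PREROUTING plus an explicit FORWARD accept, because a
# DROP policy discards the rewritten packet unless a rule admits it.
iptables -t nat -A PREROUTING -i $WAN_IF -p tcp --dport $EXT_PORT -j DNAT --to-destination $SSH_HOST:$INT_PORT
iptables -A FORWARD -i $WAN_IF -o $LAN_IF -d $SSH_HOST -p tcp --dport $INT_PORT -m state --state NEW -j ACCEPT
# Masquerade only LAN sources leaving through the WAN interface.
iptables -t nat -A POSTROUTING -s $LAN_NET -o $WAN_IF -j MASQUERADE
EOF
}

# Pre-apply review of the generated ruleset. Returns 0 when the FORWARD policy
# is DROP, the DNAT target has a matching FORWARD accept, and no rule admits
# NEW connections from the WAN interface unconditionally.
check_rules() {
    rules=$(gen_rules)
    echo "$rules" | grep -q -- "-P FORWARD DROP" || return 1
    echo "$rules" | grep -q -- "-j DNAT --to-destination $SSH_HOST:$INT_PORT" || return 1
    echo "$rules" | grep -q -- "-A FORWARD .* -d $SSH_HOST -p tcp --dport $INT_PORT .* -j ACCEPT" || return 1
    echo "$rules" | grep -E -q -- "--state NEW -i $WAN_IF -j ACCEPT|-i $WAN_IF -m state --state NEW -j ACCEPT" && return 1
    return 0
}

case "${1:-}" in
    --apply) gen_rules | sh ;;   # run as root to load the rules
    *)       gen_rules ;;        # default: print the rules for review
esac
```

Running the script with no arguments prints the rules; `sh gateway.sh --apply` as root loads them. The `check_rules` function is the kind of check worth keeping in a firewall script: it catches the two mistakes the reply called out (a DNAT with no FORWARD accept under a DROP policy, and an unconditional accept of NEW connections from the WAN side) before the rules go live.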