Ben, thanks very much for the comments.

> I have never seen .XXX.XXX notation? Have you tried 219.105.0.0/16
> instead? And I have another question, is eth0 your internet facing
> interface? And is eth1 your internal interface?

I am sorry, the XXX.XXX was used to hide my IP address. And, as you say, eth0 is the internet interface and eth1 is the home-LAN interface.

> The FTP thing won't work the way you are describing it. FTP
> requires 2 tcp connections, and I don't know how that is going to work on
> non-standard ports with NAT like this....

Yes it is. In fact, my target is simple, it is: create an FTP server behind the iptables firewall. Because I can only get 1 IP (it is for the firewall), I have to change the FTP packets from the firewall to the FTP server. I changed my rules and let it work at the standard FTP port; it is running well now. The reason for the non-standard-port error may be in the ip_nat_ftp or the ip_conntrack_ftp module. I am asking this at the Iptables/Netfilter mailing list now.

> You might already know this, and are just showing an example....
> But this firewall/router config is really bad security-wise.
> If you didn't already know that you should either do a lot of reading
> or contact your local LUG group and ask someone to help you set up
> an Internet Firewall/Gateway.

Thanks for your suggestion.

Rai.

> -----Original Message-----
> From: Ben Russo [mailto:[EMAIL PROTECTED]]
> Sent: Tuesday, December 10, 2002 11:29 PM
> To: [EMAIL PROTECTED]
> Subject: Re: FTP trouble at the iptables firewall of the Redhat Linux.
>
>
> Wow, how complicated.
>
> Seems like you could just set your INPUT and FORWARD default policies
> to ACCEPT. I mean you ACCEPT everything NEW, RELATED, ESTABLISHED
> both in INPUT, and in FORWARD.
>
> The only thing you are doing is protecting yourself from scans with
> invalid TCP/IP flag combinations.
>
> I have never seen .XXX.XXX notation? Have you tried 219.105.0.0/16
> instead?
> And I have another question, is eth0 your internet facing
> interface? And is eth1 your internal interface?
>
> You don't need the PASS table or the PASS jump since you are allowing
> all forwards anyway.
>
> So what we are left with is:
> ##############################
> iptables -F
> iptables -F -t nat
>
> iptables -t nat -A PREROUTING -i eth0 -d 219.105.0.0/16 -p tcp --dport 10023 -j DNAT --to-destination 192.168.0.128:23
>
> # I am not including the FTP stuff because it won't work the
> # way you want.
>
> iptables -t nat -A POSTROUTING -s 192.168.0.0/24 -o eth0 -j MASQUERADE
>
> iptables -P INPUT ACCEPT
> iptables -P FORWARD ACCEPT
> iptables -P OUTPUT ACCEPT
> ################################
>
> The FTP thing won't work the way you are describing it. FTP
> requires 2 tcp connections, and I don't know how that is going to work on
> non-standard ports with NAT like this....
>
> Anyway, if I were you I wouldn't allow telnet or ftp through from the
> internet. Install SSHD on your box and allow that instead. (set it up
> on a non-standard port).
>
> You might already know this, and are just showing an example....
> But this firewall/router config is really bad security-wise.
> If you didn't already know that you should either do a lot of reading
> or contact your local LUG group and ask someone to help you set up
> an Internet Firewall/Gateway.
>
>

--
redhat-list mailing list
unsubscribe mailto:[EMAIL PROTECTED]?subject=unsubscribe
https://listman.redhat.com/mailman/listinfo/redhat-list
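The thread turns on two points: an FTP server behind a single-IP NAT gateway needs the conntrack FTP helper so the second (data) connection is tracked as RELATED, and a ruleset with ACCEPT default policies is not a firewall. The script below is an added example written for this page, not code from either poster; it builds a stateful ruleset with default-DROP INPUT/FORWARD policies that still publishes the internal FTP server on the standard port. It assumes a current kernel, where the modules the thread calls ip_conntrack_ftp/ip_nat_ftp are named nf_conntrack_ftp/nf_nat_ftp and where helpers must be assigned explicitly with `-j CT --helper ftp` in the raw table, plus the interface names and addresses from the thread (eth0 outside, eth1 inside, FTP server 192.168.0.128, LAN 192.168.0.0/24); all of these are adjustable via environment variables.

```shell
#!/bin/sh
# Added example, not from the mailing-list thread.
# Stateful iptables ruleset for an FTP server behind a single-IP NAT gateway.
# Assumptions (adjust via environment): eth0 = Internet side, eth1 = LAN side,
# LAN 192.168.0.0/24, internal FTP server 192.168.0.128 (values from the thread).
WAN_IF=${WAN_IF:-eth0}
LAN_IF=${LAN_IF:-eth1}
LAN_NET=${LAN_NET:-192.168.0.0/24}
FTP_SRV=${FTP_SRV:-192.168.0.128}

# build_rules prints one command per line. Default policies are DROP for
# INPUT and FORWARD; only ESTABLISHED/RELATED traffic, LAN-originated traffic,
# SSH to the gateway and new FTP control connections to the server are allowed.
# The FTP data connection (active or passive) is accepted as RELATED because
# the conntrack helper has parsed the PORT/PASV exchange on the control channel,
# and nf_nat_ftp rewrites the internal address in the PASV reply.
build_rules() {
    cat <<EOF
sysctl -w net.ipv4.ip_forward=1
modprobe nf_conntrack_ftp
modprobe nf_nat_ftp
iptables -F
iptables -F -t nat
iptables -F -t raw
iptables -P INPUT DROP
iptables -P FORWARD DROP
iptables -P OUTPUT ACCEPT
iptables -A INPUT -i lo -j ACCEPT
iptables -A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
iptables -A INPUT -m conntrack --ctstate INVALID -j DROP
iptables -A INPUT -i $LAN_IF -s $LAN_NET -j ACCEPT
iptables -A INPUT -i $WAN_IF -p tcp --dport 22 -m conntrack --ctstate NEW -j ACCEPT
iptables -A FORWARD -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
iptables -A FORWARD -m conntrack --ctstate INVALID -j DROP
iptables -A FORWARD -i $LAN_IF -o $WAN_IF -s $LAN_NET -j ACCEPT
iptables -A FORWARD -i $WAN_IF -o $LAN_IF -d $FTP_SRV -p tcp --dport 21 -m conntrack --ctstate NEW -j ACCEPT
iptables -t raw -A PREROUTING -i $WAN_IF -p tcp --dport 21 -j CT --helper ftp
iptables -t nat -A PREROUTING -i $WAN_IF -p tcp --dport 21 -j DNAT --to-destination $FTP_SRV:21
iptables -t nat -A POSTROUTING -s $LAN_NET -o $WAN_IF -j MASQUERADE
EOF
}

# apply_rules executes the generated commands (needs root on the gateway).
apply_rules() {
    build_rules | while IFS= read -r cmd; do
        $cmd || { echo "failed: $cmd" >&2; return 1; }
    done
}

# Dry run by default so the ruleset can be reviewed; APPLY=1 installs it.
if [ "${APPLY:-0}" = "1" ]; then
    apply_rules
else
    build_rules
fi
```

Run it once without arguments to review the generated ruleset, then `APPLY=1 sh firewall.sh` on the gateway. Note that no explicit rule for the passive data ports is needed: the helper registers an expectation for the data connection, so it matches the ESTABLISHED,RELATED rule and is DNATed to the server automatically. If the helper is not loaded or not assigned (the raw-table CT rule), passive transfers hang at the data connection, which is the symptom the original poster described.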