
Re: Re[1] Ftp, Iptables and masquerade



Hi,

I would not know if it is the same. I insmodded the whole bunch of
netfilter modules, then I ran the following to enable masquerading (from
the iptables howto):
    # Load the NAT module (this pulls in all the others).
    modprobe iptable_nat

    # In the NAT table (-t nat), Append a rule (-A) after routing
    # (POSTROUTING) for all packets going out ppp0 (-o ppp0) which says to
    # MASQUERADE the connection (-j MASQUERADE).
    iptables -t nat -A POSTROUTING -o ppp0 -j MASQUERADE

    # Turn on IP forwarding
    echo 1 > /proc/sys/net/ipv4/ip_forward

worked fine for me. It seems that you need at least the modules:
ip_tables
ip_conntrack
ip_conntrack_ftp
iptable_nat
ip_nat_ftp

I would not know what could be wrong if this bare bones configuration does
not work, but then, I am no expert. Does the other IP traffic like http or
telnet work?

Greetz,
Sebastiaan




On Fri, 13 Jul 2001, fr ml wrote:

> True, I have module ftp conntrack & ftp nat module available
> with auto-load, and my problem is only with active ftp.
> Martin's answer was about a similar question I think
> 
> But, what I saw, is that the module ftp_conntrack is up
> when I use the state option, but not the nat ftp module !
> I've launched it manually with insmod, the result is the same !
> 
> So one, is there any special option to activate the nat_ftp
> module ? On ipchains, the module was ip_ftp_masq, is the
> module ip_nat_ftp on iptables doing the same thing ?
> i.e. masquerade active ftp session for outgoing tcp packet
> on port 21 (the reply Ip @ is in the tcp data and not in the
> tcp header)
> 
> > From: Sebastiaan <S.Breedveld@ITS.TUDelft.NL>
> > Date: 13/07/2001 10:19:28
> >
> > On Fri, 13 Jul 2001, fr ml wrote:
> >
> > >
> > > Hello,
> > >
> > > I've tried to masquerade my private Lan from the outside,
> > > but I've got problems for ftp (port 21).
> > >
> > > At first, I've tried such a rule (where eth0 is private and
> > > eth1 public):
> > > iptables -t nat -A POSTROUTING -o eth1 -s private_lan
> > > -d 0.0.0.0/0 -p tcp -m state
> > > --state NEW,ESTABLISHED,RELATED -j MASQUERADE
> > >
> > >
> > > with no success, the packets sent are quite masqueraded, but
> > > the replies are still using the original non-masqueraded ip
> > > address.
> > >
> > Hello,
> >
> > why do you not use the ftp modules ip_conntrack_ftp.o and ip_nat_ftp.o?
> > They come with the netfilter options in the kernel. Works fine.
> >
> > Greetz,
> > Sebastiaan
> >
> >
> >
> >
> >
> >
> 
> 
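Added example (not part of the original messages, and not netfilter's own tooling): a shell check for the five modules listed in the reply above, run against a /proc/modules-style listing, plus a check of the ip_forward flag. The function names and the sample listing are constructed for illustration; the sample reproduces the situation described in the quoted message, where the conntrack FTP helper is loaded but the NAT FTP helper is not.

```shell
#!/bin/sh
# Modules named in the message as the minimum for FTP through MASQUERADE.
REQUIRED_MODULES="ip_tables ip_conntrack ip_conntrack_ftp iptable_nat ip_nat_ftp"

# missing_modules [FILE]
# Prints the required modules that are absent from FILE, which must be in
# /proc/modules format (module name in the first column). Defaults to
# /proc/modules. Prints an empty line when nothing is missing.
missing_modules() {
    listing=${1:-/proc/modules}
    missing=""
    for mod in $REQUIRED_MODULES; do
        # Exact match on field 1, so ip_conntrack_ftp does not satisfy
        # the check for ip_conntrack.
        if ! awk -v m="$mod" '$1 == m { found = 1 } END { exit !found }' "$listing"; then
            missing="$missing $mod"
        fi
    done
    echo $missing
}

# forwarding_enabled [FILE]
# Succeeds when FILE (default: the ip_forward sysctl) contains 1.
forwarding_enabled() {
    [ "$(cat "${1:-/proc/sys/net/ipv4/ip_forward}" 2>/dev/null)" = "1" ]
}

# write_sample_listing FILE
# Writes a constructed listing (sizes and use counts are made up) in which
# ip_conntrack_ftp is loaded and ip_nat_ftp is not.
write_sample_listing() {
    cat > "$1" <<'EOF'
ip_conntrack_ftp 3440 0 (unused)
iptable_nat 16160 0 (autoclean) (unused)
ip_conntrack 15824 2 (autoclean) [ip_conntrack_ftp iptable_nat]
ip_tables 10784 3 [iptable_nat]
EOF
}

# Demonstration on the constructed listing.
sample=$(mktemp)
write_sample_listing "$sample"
echo "missing from sample listing: $(missing_modules "$sample")"
rm -f "$sample"
```

Helpers compiled into the kernel rather than built as modules do not appear in /proc/modules, so a reported gap should be checked against the kernel configuration. On current kernels the FTP helpers are named nf_conntrack_ftp and nf_nat_ftp, so REQUIRED_MODULES needs adjusting there.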


