iptables, gateway and hylafax
Hello,
We have got a problem to setting iptables on a gateway.
Topology :
Network with an hylafax server
A gateway on debian with 2 network cards, one on network (tr0) and the other
(eth0) on the next computer
A computer (on $ OS who want to fax)
We put ip_conn_track, and ip_conn_track_ftp on the kernel of the gateway
We can make a telnet fax_server 4559, login as user and ... nothing else
the iptables' rules :
/sbin/modprobe ip_conntrack_ftp ports=21,4558,4557,4559
/sbin/modprobe ip_nat_ftp ports=21,4558,4557,4559
iptables -A INPUT -p tcp -i eth0 --dport 4557:4559 -j ACCEPT
iptables -A INPUT -p tcp -i tr0 --dport 4557:4559 -j ACCEPT
iptables -A INPUT -p tcp --sport 4557:4559 -m state --state NEW,ESTABLISHED
-j ACCEPT
iptables -A INPUT -p tcp --sport 1024: --dport 1024: -m state --state
ESTABLISHED -j ACCEPT
iptables -A OUTPUT -p tcp --sport 4557:4559 -m state --state NEW,ESTABLISHED
-j ACCEPT
iptables -A OUTPUT -p tcp --sport 1024: --dport 1024: -m state --state
ESTABLISHED,RELATED -j ACCEPT
iptables -A FORWARD -p tcp --sport 4557:4559 -s Faxaddr -j ACCEPT
iptables -A FORWARD -p tcp --sport 4557:4559 -s Clientaddr -j ACCEPT
iptables -A FORWARD --source Clientaddr -m multiport --protocol tcp
--dport 4557,4558,4559 -j ACCEPT
iptables -A FORWARD --source Gatewayaddr -m multiport --protocol tcp
--dport 4557,4558,4559 -j ACCEPT
iptables -A FORWARD --source Serveraddr -m multiport --protocol tcp
--dport 4557,4558,4559 -j ACCEPT
iptables -A FORWARD -m multiport --protocol tcp --dport 4557,4558,4559 -j
ACCEPT
iptables -A FORWARD -m multiport -m state --state RELATED,ESTABLISHED -j
ACCEPT
iptables -A INPUT -p tcp --sport 4557:4559 -j ACCEPT
iptables -A INPUT -p tcp --dport 4557:4559 -j ACCEPT
iptables -A INPUT -m multiport --protocol tcp --sport 4557,4558,4559 -j ACCEPT
iptables -A OUTPUT -p tcp -o eth0 --sport 4557:4559 -j ACCEPT
iptables -A OUTPUT -p tcp -o tr0 --sport 4557:4559 -j ACCEPT
iptables -t nat -A PREROUTING -p tcp --dport 4557:4559 -j DNAT
--to-destination Serveraddr
iptables -t nat -A PREROUTING -p tcp --sport 4557:4559 -j DNAT
--to-destination Clientaddr
If you have advice ...
David Dumortier
dudumortier@wanadoo.fr
Reply to: