
iptables, gateway and hylafax



Hello,

We have a problem setting up iptables on a gateway.
Topology:

A network with a HylaFAX server
A gateway on Debian with 2 network cards, one on the network (tr0) and the other
(eth0) on the next computer
A computer (on $ OS) that wants to fax

We put ip_conntrack and ip_conntrack_ftp in the kernel of the gateway.
We can do a telnet fax_server 4559, log in as user and ... nothing else.

The iptables rules (wrapped lines joined back into single commands; the
rule that had "-m multiport" without any port option is invalid and has been
dropped from that line):

/sbin/modprobe ip_conntrack_ftp ports=21,4558,4557,4559
/sbin/modprobe ip_nat_ftp ports=21,4558,4557,4559

iptables -A INPUT -p tcp -i eth0 --dport 4557:4559 -j ACCEPT
iptables -A INPUT -p tcp -i tr0 --dport 4557:4559 -j ACCEPT

iptables -A INPUT -p tcp --sport 4557:4559 -m state --state NEW,ESTABLISHED -j ACCEPT
iptables -A INPUT -p tcp --sport 1024: --dport 1024: -m state --state ESTABLISHED -j ACCEPT
iptables -A OUTPUT -p tcp --sport 4557:4559 -m state --state NEW,ESTABLISHED -j ACCEPT
iptables -A OUTPUT -p tcp --sport 1024: --dport 1024: -m state --state ESTABLISHED,RELATED -j ACCEPT

iptables -A FORWARD -p tcp --sport 4557:4559 -s Faxaddr -j ACCEPT
iptables -A FORWARD -p tcp --sport 4557:4559 -s Clientaddr -j ACCEPT

iptables -A FORWARD --source Clientaddr -m multiport --protocol tcp --dport 4557,4558,4559 -j ACCEPT
iptables -A FORWARD --source Gatewayaddr -m multiport --protocol tcp --dport 4557,4558,4559 -j ACCEPT
iptables -A FORWARD --source Serveraddr -m multiport --protocol tcp --dport 4557,4558,4559 -j ACCEPT

iptables -A FORWARD -m multiport --protocol tcp --dport 4557,4558,4559 -j ACCEPT
iptables -A FORWARD -m state --state RELATED,ESTABLISHED -j ACCEPT

iptables -A INPUT -p tcp --sport 4557:4559 -j ACCEPT
iptables -A INPUT -p tcp --dport 4557:4559 -j ACCEPT
iptables -A INPUT -m multiport --protocol tcp --sport 4557,4558,4559 -j ACCEPT

iptables -A OUTPUT -p tcp -o eth0 --sport 4557:4559 -j ACCEPT
iptables -A OUTPUT -p tcp -o tr0 --sport 4557:4559 -j ACCEPT

iptables -t nat -A PREROUTING -p tcp --dport 4557:4559 -j DNAT --to-destination Serveraddr
iptables -t nat -A PREROUTING -p tcp --sport 4557:4559 -j DNAT --to-destination Clientaddr

If you have advice ...

David Dumortier
dudumortier@wanadoo.fr
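Editor's added example (not part of the original post, and not a HylaFAX or netfilter project script). The posted ruleset contains several ACCEPT rules keyed only on a source port of 4557-4559; since any peer chooses its own source port, such rules let arbitrary connections through. The script below prints a compact stateful alternative for the same topology (placeholder names Clientaddr, Serveraddr, eth0, tr0 as in the post; the gateway address and the DNAT are assumed, since the post does not say whether the client addresses the gateway or the server) and includes a small lint that flags source-port-only ACCEPT rules in any ruleset fed to it, tried here on a few lines constructed in the shape of the posted ones.

```shell
#!/bin/sh
# Stateful ruleset for passing HylaFAX client traffic (TCP 4557-4559) through
# a Linux NAT gateway. Names are placeholders taken from the post; GATEWAY and
# the DNAT rule are assumptions. Rules are printed, not applied, so they can be
# reviewed without root; run "rules | sh" as root to apply them.
CLIENT="${CLIENT:-Clientaddr}"
SERVER="${SERVER:-Serveraddr}"
GATEWAY="${GATEWAY:-Gatewayaddr}"   # assumed: the gateway's eth0 address
INSIDE_IF="${INSIDE_IF:-eth0}"      # client side
OUTSIDE_IF="${OUTSIDE_IF:-tr0}"     # fax-server side
FAXPORTS="4557:4559"

rules() {
    cat <<EOF
modprobe ip_conntrack_ftp ports=21,4557,4558,4559
modprobe ip_nat_ftp ports=21,4557,4558,4559
iptables -P FORWARD DROP
iptables -A FORWARD -m state --state INVALID -j DROP
iptables -A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT
iptables -A FORWARD -i $INSIDE_IF -o $OUTSIDE_IF -p tcp -s $CLIENT -d $SERVER --dport $FAXPORTS -m state --state NEW -j ACCEPT
iptables -t nat -A PREROUTING -i $INSIDE_IF -p tcp -s $CLIENT -d $GATEWAY --dport $FAXPORTS -j DNAT --to-destination $SERVER
EOF
}

# Lint: count ACCEPT rules read from stdin that match on --sport but carry no
# connection-state match. A peer controls its own source port, so these rules
# are bypassable and should be replaced by state-based ones.
sport_only_accepts() {
    grep -- '-j ACCEPT' | grep -- '--sport' | grep -v -- '--state' | grep -c . || true
}

# Constructed sample in the shape of the posted rules: three source-port-only
# ACCEPTs plus one stateful rule that must not be flagged.
posted_sample() {
    cat <<'EOF'
iptables -A FORWARD -p tcp --sport 4557:4559 -s Faxaddr -j ACCEPT
iptables -A INPUT -p tcp --sport 4557:4559 -j ACCEPT
iptables -A OUTPUT -p tcp -o eth0 --sport 4557:4559 -j ACCEPT
iptables -A INPUT -p tcp --sport 4557:4559 -m state --state NEW,ESTABLISHED -j ACCEPT
EOF
}

# When run directly: show the stateful ruleset and the lint result for both.
if [ "${0##*/}" = "fax-gateway.sh" ]; then
    rules
    echo "source-port-only ACCEPTs in stateful ruleset: $(rules | sport_only_accepts)"
    echo "source-port-only ACCEPTs in posted sample:    $(posted_sample | sport_only_accepts)"
fi
```

The helper modules are loaded for the hfaxd ports so that the passive data connection hfaxd opens for the client is tracked as RELATED; the FORWARD chain then only needs one NEW rule in the client-to-server direction, and everything else is admitted by connection state rather than by port number.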


