
Re: iptables, gateway and hylafax

Jeez everything is set to accept!

Replying to the message sent by David Dumortier on Mon, 26 May 2003 14:30:13 +0200, received at 17:08:23 on 26/05/2003. David Dumortier wrote:
>We have got a problem setting iptables on a gateway.
>Topology:
>- Network with a hylafax server
>- A gateway on debian with 2 network cards, one on network (tr0) and
>  the other (eth0) on the next computer
>- A computer (on $ OS who wants to fax)
>We put ip_conn_track, and ip_conn_track_ftp on the kernel of the
>gateway.
>We can make a telnet fax_server 4559, log in as user and ...
>nothing else
>The iptables rules:
>/sbin/modprobe ip_conntrack_ftp ports=21,4558,4557,4559
>/sbin/modprobe ip_nat_ftp ports=21,4558,4557,4559
>iptables -A INPUT -p tcp -i eth0 --dport 4557:4559 -j ACCEPT
>iptables -A INPUT -p tcp -i tr0 --dport 4557:4559 -j ACCEPT
>iptables -A INPUT -p tcp --sport 4557:4559 -m state --state NEW,ESTABLISHED -j ACCEPT
>iptables -A INPUT -p tcp --sport 1024: --dport 1024: -m state --state ESTABLISHED -j ACCEPT
>iptables -A OUTPUT -p tcp --sport 4557:4559 -m state --state NEW,ESTABLISHED -j ACCEPT
>iptables -A OUTPUT -p tcp --sport 1024: --dport 1024: -m
>iptables -A FORWARD -p tcp --sport 4557:4559 -s Faxaddr -j ACCEPT
>iptables -A FORWARD -p tcp --sport 4557:4559 -s Clientaddr -j ACCEPT
>iptables -A FORWARD --source Clientaddr -m multiport --protocol tcp --dport 4557,4558,4559 -j ACCEPT
>iptables -A FORWARD --source Gatewayaddr -m multiport --protocol tcp --dport 4557,4558,4559 -j ACCEPT
>iptables -A FORWARD --source Serveraddr -m multiport --protocol tcp --dport 4557,4558,4559 -j ACCEPT
>iptables -A FORWARD -m multiport --protocol tcp --dport 4557,4558,4559 -j ACCEPT
>iptables -A FORWARD -m multiport -m state
>iptables -A INPUT -p tcp --sport 4557:4559 -j ACCEPT
>iptables -A INPUT -p tcp --dport 4557:4559 -j ACCEPT
>iptables -A INPUT -m multiport --protocol tcp --sport 4557,4558,4559 -j ACCEPT
>iptables -A OUTPUT -p tcp -o eth0 --sport 4557:4559 -j ACCEPT
>iptables -A OUTPUT -p tcp -o tr0 --sport 4557:4559 -j ACCEPT
>iptables -t nat -A PREROUTING -p tcp --dport 4557:4559 -j DNAT --to-destination Serveraddr
>iptables -t nat -A PREROUTING -p tcp --sport 4557:4559 -j DNAT --to-destination Clientaddr
>If you have advice ...
>David Dumortier dudumortier@wanadoo.fr
