
Re: Iptables and FTP problem



Hello,

Mahdi Rahimi wrote:

My NAT(PREROUTING) and Filter table default Policy is DROP.

Bad idea. The nat table is not intended for filtering. Just leave the nat table chains default policies to ACCEPT, and do the filtering in the filter table chains.

Hello, I have a problem with our clients' outside FTP access via Debian.
My LAN users can't start data transfers to outside FTP servers, but they
can establish a connection to port 21 on the outside FTP server.

I want my LAN users to use FTP clients in ACTIVE mode.
My rules:

***nat
-A PREROUTING -i $LAN -s 192.168.1.0/26 -p tcp -m multiport --dport 21 -j ACCEPT

As I said above, the nat table is not intended for filtering, and it is a bad idea to filter in the nat table.

-A POSTROUTING -s 192.168.1.0/26  -d 0/0 -o eth1 -j MASQUERADE

***filter
-A FORWARD -i $LAN -o $EXT -s 192.168.1.0/26 -p tcp --dport 21 -m state --state NEW,ESTABLISHED,RELATED -j ACCEPT
-A FORWARD -i $EXT -o $LAN -p tcp --sport 21 -m state --state ESTABLISHED,RELATED -j ACCEPT

*************
modprobe ip_conntrack_ftp, ip_conntrack, ip_nat_ftp

In order for active FTP transfers to work, you need to:
- accept the control connection (port 21) NEW and ESTABLISHED packets from inside to outside; OK, done in the first rule in FORWARD;
- accept the control connection ESTABLISHED packets from outside to inside; OK, done in the second FORWARD rule;
- accept the data connection RELATED and ESTABLISHED packets from outside to inside; KO, not done in either rule;
- accept the data connection (port != 21) ESTABLISHED packets from inside to outside; KO, not done in either rule.

The rule
-A FORWARD -i $EXT -o $LAN -m state --state ESTABLISHED,RELATED \
  -p tcp -j ACCEPT

alone won't solve the problem because it accepts only data connection packets from outside to inside; packets from inside to outside are still dropped. So you also need something like

-A FORWARD -o $EXT -i $LAN -m state --state ESTABLISHED \
  -p tcp -j ACCEPT
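The four-point checklist above can be turned into a small audit script. The following is an added example, not code posted by either participant in this thread: it runs the questioner's two FORWARD rules and then the same rules plus the two rules from the reply through the checklist, reporting OK/KO for each requirement. The interface names eth0 (LAN) and eth1 (EXT) are assumptions, since the question only shows them as $LAN and $EXT; the sample rule text is constructed from the rules quoted above.

```shell
#!/bin/sh
# Added example for this thread; it is not code posted by either participant.
# Audits a set of FORWARD rules against the four conditions the reply lists for
# active-mode FTP and shows the corrected set. The interface names eth0 (LAN)
# and eth1 (EXT) are assumptions; the question only shows them as $LAN and $EXT.
LAN="${LAN:-eth0}"
EXT="${EXT:-eth1}"
LANNET="${LANNET:-192.168.1.0/26}"

# Constructed sample: the questioner's two FORWARD rules, interfaces filled in.
ORIGINAL_RULES="-A FORWARD -i $LAN -o $EXT -s $LANNET -p tcp --dport 21 -m state --state NEW,ESTABLISHED,RELATED -j ACCEPT
-A FORWARD -i $EXT -o $LAN -p tcp --sport 21 -m state --state ESTABLISHED,RELATED -j ACCEPT"

# The two rules the reply adds: data connection packets in both directions.
DATA_RULES="-A FORWARD -i $EXT -o $LAN -m state --state ESTABLISHED,RELATED -p tcp -j ACCEPT
-A FORWARD -o $EXT -i $LAN -m state --state ESTABLISHED -p tcp -j ACCEPT"

CORRECTED_RULES="$ORIGINAL_RULES
$DATA_RULES"

# has_rule RULES IN OUT STATE PORT
# Succeeds if one ACCEPT rule in RULES forwards IN->OUT, lists STATE in its
# --state match, and is compatible with PORT: either the rule carries that
# exact match (e.g. "--dport 21") or it has no port match at all. PORT "any"
# means the rule must not be pinned to port 21, because the data connection
# uses port 20 or an ephemeral port, never 21.
has_rule() {
    r_rules="$1"; r_in="$2"; r_out="$3"; r_state="$4"; r_port="$5"
    while IFS= read -r rule; do
        case "$rule" in *"-i $r_in "*) ;; *) continue ;; esac
        case "$rule" in *"-o $r_out "*) ;; *) continue ;; esac
        case "$rule" in *"--state "*"$r_state"*) ;; *) continue ;; esac
        case "$rule" in *"-j ACCEPT"*) ;; *) continue ;; esac
        if [ "$r_port" = any ]; then
            case "$rule" in *"port 21"*) continue ;; esac
        else
            case "$rule" in *"$r_port"*) ;; *"port "*) continue ;; esac
        fi
        return 0
    done <<EOF
$r_rules
EOF
    return 1
}

# check_active_ftp RULES
# Prints OK/KO for each of the four requirements from the reply and returns
# the number of requirements that no rule satisfies.
check_active_ftp() {
    rules="$1"; missing=0
    for spec in \
        "control in->out:$LAN:$EXT:NEW,ESTABLISHED:--dport 21" \
        "control out->in:$EXT:$LAN:ESTABLISHED:--sport 21" \
        "data out->in:$EXT:$LAN:RELATED,ESTABLISHED:any" \
        "data in->out:$LAN:$EXT:ESTABLISHED:any"
    do
        label=${spec%%:*}; rest=${spec#*:}
        iface_in=${rest%%:*}; rest=${rest#*:}
        iface_out=${rest%%:*}; rest=${rest#*:}
        states=${rest%%:*}; port=${rest#*:}
        ok=1
        for st in $(printf '%s' "$states" | tr ',' ' '); do
            has_rule "$rules" "$iface_in" "$iface_out" "$st" "$port" || ok=0
        done
        if [ "$ok" = 1 ]; then
            echo "OK  $label ($states)"
        else
            echo "KO  $label ($states)"; missing=$((missing + 1))
        fi
    done
    return $missing
}

echo "== questioner's rules =="
check_active_ftp "$ORIGINAL_RULES" || echo "-> $? requirement(s) missing"
echo "== with the reply's two rules added =="
check_active_ftp "$CORRECTED_RULES" && echo "-> all four requirements met"
# The FTP conntrack helper must also be loaded (ip_conntrack_ftp on the
# kernels of the question's era, nf_conntrack_ftp on current ones) so that
# the data connection is classified RELATED at all.
```

The checker only inspects the FORWARD rules as text, so it is a review aid rather than a substitute for testing a transfer; on current kernels note that the helper is no longer attached automatically, so loading the module alone is not enough and the FTP control connection has to be assigned the helper explicitly.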


