
Re: iptables, ftp and dnat?



On Fri, Dec 05, 2008 at 10:35:47AM -0700, Robert L. Harris wrote:
> 
> 
> Help...   I have the following in my firewall startup script:
> 
>   /sbin/modprobe nf_conntrack_ftp
>   $IPTABLES -A INPUT -p tcp --dport 21 -m state --state NEW,ESTABLISHED -j ACCEPT
>   $IPTABLES -A PREROUTING -t nat -p tcp -i $IFACE --dport 21 -j DNAT --to 10.1.1.32:21
>   $IPTABLES -A OUTPUT -p tcp --dport 21 -m state --state NEW,ESTABLISHED -j ACCEPT
>   # Active
>   $IPTABLES -A INPUT -p tcp --sport 20 -m state --state ESTABLISHED,RELATED -j ACCEPT
>   $IPTABLES -A PREROUTING -t nat -p tcp -i $IFACE --sport 20 -j DNAT --to 10.1.1.32:20
>   $IPTABLES -A OUTPUT -p tcp --dport 20 -m state --state ESTABLISHED -j ACCEPT
>   # Passive
>   $IPTABLES -A INPUT -p tcp --sport 1024: --dport 1024: -m state --state ESTABLISHED -j ACCEPT
>   $IPTABLES -A PREROUTING -t nat -p tcp -i $IFACE --dport 1024: -j DNAT --to 10.1.1.32
>   $IPTABLES -A OUTPUT -p tcp --sport 1024: --dport 1024: -m state --state ESTABLISHED,RELATED -j ACCEPT

Can I suggest something like this:


# one catch-all for all RELATED and ESTABLISHED connections
# as defined by connection tracking (the FORWARD copy is what lets
# the helper-created data connections reach the DNATed server)
iptables -I INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
iptables -I FORWARD -m state --state RELATED,ESTABLISHED -j ACCEPT

iptables -A INPUT -p tcp --dport 21 -m state --state NEW -j ACCEPT
iptables -A FORWARD -p tcp --dport 21 -m state --state NEW -j ACCEPT

iptables -t nat -A PREROUTING -p tcp --dport 21 -j DNAT --to 10.1.1.32:21

I am not sure if you need the other ports for active mode, as the conntrack
module should handle that for you (works on outgoing; not 100% sure on
incoming).

You need the FORWARD statement (you could add a -d 10.1.1.32), because the
DNAT makes it a routed packet.

You can test this with tcpdump -pni <interface> port 21 or host <host
ip>.

alex

> 
> I am trying to forward public internet ftp traffic to a machine behind
> my firewall.   Anyone have
> this working?  Mine is failing and I have no real debug info to
> explain why....
> 
> Robert
> 
> --
> 
> :wq!
> ====================================================================
> Robert L. Harris                     | GPG Key ID: E344DA3B
>                                          @ x-hkp://pgp.mit.edu
> DISCLAIMER:
>       These are MY OPINIONS             With Dreams To Be A King,
>        ALONE.  I speak for              First One Should Be A Man
>        no-one else.                       - Manowar
> 
> 
> 
> 
> 

-- 
Darth Vader sleeps with a Teddywookie.

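As an added example that is not part of the thread (neither Robert's script nor alex's reply), here is a complete ruleset built along the lines alex suggests: let the conntrack FTP helper classify the data connections as RELATED instead of opening port ranges by hand, and forward only new control connections to the server. It assumes eth0 as the public interface, eth1 as the internal one, 10.1.1.32 as the FTP server, and an iptables with the xt_CT target (kernel 2.6.34 or later); all of those are assumptions, not values from the thread.

```shell
#!/bin/sh
# Added example, not code from the thread: a complete ruleset for forwarding
# public FTP to an internal server, built along the lines alex suggests.
# Assumed values (change to fit): public interface eth0, internal interface
# eth1, FTP server 10.1.1.32, iptables with the xt_CT target (kernel >= 2.6.34).
IPT=${IPT:-/sbin/iptables}
WAN=${WAN:-eth0}
LAN=${LAN:-eth1}
FTP_SERVER=${FTP_SERVER:-10.1.1.32}

# Emit the ruleset as shell commands, one rule per line, so it can be reviewed
# (default) or piped to sh (apply).
gen_rules() {
    cat <<EOF
$IPT -t raw -F
$IPT -t nat -F
$IPT -F
$IPT -P INPUT DROP
$IPT -P FORWARD DROP
$IPT -P OUTPUT ACCEPT
$IPT -A INPUT -i lo -j ACCEPT
# Bind the FTP helper to the control port only. nf_conntrack_ftp reads PORT and
# PASV and registers the data connection as an expectation, so it shows up as
# RELATED; nf_nat_ftp rewrites the addresses inside those commands so the
# server's private address never reaches the client. Kernels since 4.7 do not
# attach helpers automatically, hence the explicit CT rule.
$IPT -t raw -A PREROUTING -i $WAN -p tcp --dport 21 -j CT --helper ftp
# One catch-all per chain covers the control connection and the helper-created
# data connections in both active and passive mode.
$IPT -A INPUT -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
$IPT -A FORWARD -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
# Only new control connections are forwarded; no 1024: range is opened.
$IPT -A FORWARD -i $WAN -o $LAN -d $FTP_SERVER -p tcp --dport 21 -m conntrack --ctstate NEW -j ACCEPT
$IPT -t nat -A PREROUTING -i $WAN -p tcp --dport 21 -j DNAT --to-destination $FTP_SERVER:21
EOF
}

apply() {
    # The CT target refuses a helper whose module is not loaded.
    modprobe nf_conntrack_ftp
    modprobe nf_nat_ftp
    gen_rules | sh -e
}

check() {
    # Control connections should carry helper=ftp; after a PORT/PASV exchange
    # the pending data connection is listed in the expectation table.
    conntrack -L -p tcp --dport 21
    conntrack -L expect
    # On the public side tcpdump shows pre-DNAT addresses, so filter on the
    # port; on the internal side filter on the server address.
    timeout 20 tcpdump -pni "$WAN" -c 20 port 21
    timeout 20 tcpdump -pni "$LAN" -c 20 host "$FTP_SERVER"
}

case "${1:-print}" in
    apply) apply ;;
    check) check ;;
    *) gen_rules ;;
esac
```

Run it without arguments to review the generated rules, `apply` as root to load them, and `check` during a test login to confirm that the control entry carries helper=ftp and that a data-connection expectation appears. On a kernel without xt_CT (anything before 2.6.34, so the 2008-era kernel in this thread) drop the raw CT rule; helpers were attached automatically by port there. Binding the helper to `-i $WAN --dport 21` keeps it from being applied to unrelated traffic, and the FORWARD RELATED,ESTABLISHED rule is the piece Robert's script lacks: the 1024: ranges it opens toward the server are both unnecessary and wider than the helper-driven expectations.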

