
Re: iptables, ftp and dnat?



Hi

You should try to keep this on the list.


Alex


On Fri, Dec 05, 2008 at 02:17:42PM -0700, Robert L. Harris wrote:

[snip]

> 
> I've updated my rules to this:
> #  # allow ftpd
>   HARVARD="10.1.1.32"
>   /sbin/modprobe nf_conntrack_ftp
>   # General
>   iptables -I INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
>   iptables -A INPUT -p tcp --dport 21 -m state --state NEW -j ACCEPT
>   iptables -A FORWARD -p tcp --dport 21 -m state --state NEW -j ACCEPT
>   iptables -t nat -A PREROUTING -p tcp --dport 21 -j DNAT --to 10.1.1.32:21
> 
> I think I confused myself though; do I need the other rules I had for
> port 20, or will the first INPUT rule above cover that?

Have a look here: http://slacksite.com/other/ftp.html (a quick Google on
ftp & ports).

It shows you how the ports are used for ftp.

The ftp conntrack module that you were loading previously should handle
the "related" ports and allow them through; what I am not sure about is
whether it will handle the DNAT'ing of those ports.  But then again, you
could specify passive ftp only.

Here is another link:
http://www.cyberciti.biz/faq/iptables-open-ftp-port-21/ (again Google).


My strength is in iptables, not ftp (which is the reason for googling :) ).

Also, for anything to do with iptables and firewalls you should probably
read a tutorial on iptables.


> 
> Thank you for your help,  I've not done anything this complex with
> iptables before.
> 
> Robert
> 
> 
> :wq!
> ====================================================================
> Robert L. Harris                     | GPG Key ID: E344DA3B
>                                          @ x-hkp://pgp.mit.edu
> DISCLAIMER:
>       These are MY OPINIONS             With Dreams To Be A King,
>        ALONE.  I speak for              First One Should Be A Man
>        no-one else.                       - Manowar
> 

-- 
"Obviously, I pray every day there's less casualty."

	- George W. Bush
04/11/2004
Fort Hood, TX
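
Added example (editor's note; this is not code from Alex's or Robert's
messages). The point Alex is unsure about is handled by a second module:
nf_conntrack_ftp only watches the control channel and flags the data
connections as RELATED, while rewriting the addresses carried inside the
PORT/PASV exchange when the control connection is DNAT'd is the job of
nf_nat_ftp. Two other things the quoted rules miss: the DNAT'd control
connection and its data connections traverse FORWARD, not INPUT, so FORWARD
needs the RELATED,ESTABLISHED rule as well; and on kernels from 4.7 onward the
helper is no longer attached automatically, so it has to be bound with the CT
target in the raw table. The script below is a dry-runnable version of those
rules. The internal host 10.1.1.32 is the one from the thread; the IPT and
MODPROBE variables, the function name and the port argument are my own
assumptions.

```shell
#!/bin/sh
# Added example, not from the thread: publish an internal FTP server via
# DNAT with the conntrack and NAT helpers in place. IPT and MODPROBE default
# to the real tools; set IPT=echo MODPROBE=echo to print the rules instead.
IPT="${IPT:-iptables}"
MODPROBE="${MODPROBE:-modprobe}"

# ftp_dnat_rules <internal_host> [port]   (hypothetical helper name)
ftp_dnat_rules() {
    host="$1"
    port="${2:-21}"

    # Control-channel tracker (marks the data connections RELATED) and the
    # NAT helper that rewrites the addresses inside PORT/PASV after DNAT.
    $MODPROBE nf_conntrack_ftp
    $MODPROBE nf_nat_ftp

    # Kernels from 4.7 on do not auto-assign helpers (assumption: no
    # net.netfilter.nf_conntrack_helper=1 override), so bind it explicitly.
    # The raw table runs before conntrack, which is where this must happen.
    $IPT -t raw -A PREROUTING -p tcp --dport "$port" -j CT --helper ftp

    # Both chains need RELATED,ESTABLISHED: the DNAT'd control connection and
    # its data connections (active from $host:20, or passive to $host) are
    # forwarded to the inside host, so they never hit INPUT.
    $IPT -A INPUT   -m state --state RELATED,ESTABLISHED -j ACCEPT
    $IPT -A FORWARD -m state --state RELATED,ESTABLISHED -j ACCEPT

    # New control connections: filter FORWARD sees the post-DNAT destination.
    $IPT -A FORWARD -p tcp -d "$host" --dport "$port" -m state --state NEW -j ACCEPT
    $IPT -t nat -A PREROUTING -p tcp --dport "$port" -j DNAT --to-destination "$host:$port"
}

# Usage: sh ftp-dnat.sh 10.1.1.32   (or source the file and call the function)
if [ -n "${1:-}" ]; then
    ftp_dnat_rules "$1"
fi
```

Run it with IPT=echo MODPROBE=echo first to see exactly which rules would be
loaded, then as root without those variables. Restricting the server to
passive mode does not remove the need for nf_nat_ftp: the PASV reply still
carries the server's own 10.1.1.32 address, and it is the NAT helper that
rewrites that to the firewall's public address and registers the expected
data connection.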
