
Re: iptables, ftp and dnat?







Alex Samad wrote:
> Hi
>
> You should try and keep this on list

Sorry, hit reply instead of reply all.

>
>
> Alex
>
>
> On Fri, Dec 05, 2008 at 02:17:42PM -0700, Robert L. Harris wrote:
>
>
>
>> [snip]
>
> I've updated my rules to this:
>
> #
> # allow ftpd
> HARVARD="10.1.1.32"
> /sbin/modprobe nf_conntrack_ftp
> # General
> iptables -I INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
> iptables -A INPUT -p tcp --dport 21 -m state --state NEW -j ACCEPT
> iptables -A FORWARD -p tcp --dport 21 -m state --state NEW -j ACCEPT
> iptables -t nat -A PREROUTING -p tcp --dport 21 -j DNAT --to 10.1.1.32:21
>
> I think I confused myself though; do I need the other rules I had
> for port 20, or will the first INPUT rule above cover that?
>
>> have a look here http://slacksite.com/other/ftp.html (quick
>> google on ftp & ports).
>>
>> It shows you how the ports are used for ftp.
>>
>> The ftp conntrack module that you were loading previously should
>> handle the "related" ports and allow them through; what I am not
>> sure about is whether it will handle the DNAT'ing of those ports.
>> But then again you could specify passive ftp only.
>>
>> here is another link
>> http://www.cyberciti.biz/faq/iptables-open-ftp-port-21/ (again
>> google).
>>
>> My strength is in iptables, not ftp (which is the reason for
>> googling :) )
>>
>> Also, anything to do with iptables and firewalls, you should
>> probably read a tutorial on iptables.
>

  I've read both of those and understand how ftp works.  I've spent
the last 2 days googling.  Unfortunately it's all working now except
how to get the iptables data connection in passive mode working.  I can
log in, etc. just fine, but when I do an "ls" after issuing the
"passive" command, it times out.

  The second example looks good but doesn't handle the DNAT (the ftp
server is running on another machine behind my firewall).

Robert



-- 

:wq!
====================================================================
Robert L. Harris                     | GPG Key ID: E344DA3B
                                         @ x-hkp://pgp.mit.edu
DISCLAIMER:
      These are MY OPINIONS             With Dreams To Be A King,
       ALONE.  I speak for              First One Should Be A Man
       no-one else.                       - Manowar

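Added example, not part of this thread: a small Python model of why a passive-mode "ls" hangs behind a plain port-21 DNAT and what the FTP NAT helper changes. In passive mode the server announces its own address in the 227 reply, so the client is told to open the data connection to 10.1.1.32, which is not reachable from outside; the nf_nat_ftp helper (loaded alongside nf_conntrack_ftp) rewrites that address to the firewall's and registers the data connection as RELATED, which the FORWARD chain then has to accept. The public address 203.0.113.5 and the sample 227 reply are constructed for the example.

```python
import re

# Constructed sample: the 227 reply the FTP server at 10.1.1.32 sends when
# the client enters passive mode. Host and port travel as six decimal bytes.
SAMPLE_PASV_REPLY = "227 Entering Passive Mode (10,1,1,32,195,80)\r\n"

# Constructed: the firewall's outside address (documentation range, not real).
FIREWALL_PUBLIC_IP = "203.0.113.5"

PASV_RE = re.compile(r"\((\d+),(\d+),(\d+),(\d+),(\d+),(\d+)\)")


def parse_pasv(reply):
    """Return (host, port) announced in a 227 reply, or None if it is not one."""
    if not reply.startswith("227"):
        return None
    m = PASV_RE.search(reply)
    if m is None:
        return None
    h1, h2, h3, h4, p1, p2 = (int(x) for x in m.groups())
    return f"{h1}.{h2}.{h3}.{h4}", p1 * 256 + p2


def rewrite_pasv(reply, public_ip):
    """Model of what nf_nat_ftp does on a DNAT'd control connection: replace
    the server's private address in the 227 reply with the firewall's address,
    keeping the port. Without this rewrite the client dials 10.1.1.32 directly
    and the data connection never arrives, so the listing times out."""
    parsed = parse_pasv(reply)
    if parsed is None:
        return reply
    _, port = parsed
    octets = public_ip.split(".")
    new_tuple = f"({','.join(octets)},{port // 256},{port % 256})"
    return PASV_RE.sub(new_tuple, reply)


def data_connection_expectation(reply, public_ip):
    """The conntrack expectation the helper registers alongside the rewrite:
    a NEW client connection to public_ip:port is classed RELATED and DNAT'd
    to the server's real address. It is only forwarded if FORWARD accepts
    RELATED,ESTABLISHED (the quoted rules accept that state on INPUT only)."""
    server_host, port = parse_pasv(reply)
    return {
        "client_dials": (public_ip, port),
        "dnat_to": (server_host, port),
        "ctstate": "RELATED",
    }
```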

