
Re: iptables, ftp and dnat?



Robert L. Harris on 05/12/08 20:35, wrote:
Can I suggest something like this:

# one catch-all for all RELATED and ESTABLISHED connections,
# as defined by connection tracking
iptables -I INPUT RELATED,ESTABLISHED -j ACCEPT

iptables -A INPUT -p tcp --dport 21 -m state --state NEW -j ACCEPT
iptables -A FORWARD -p tcp --dport 21 -m state --state NEW -j ACCEPT
iptables -t nat -A PREROUTING -p tcp --dport 21 -j DNAT --to 10.1.1.32:21

I am not sure if you need the other ports for active, as the conntrack
module should handle that for you (works on outgoing; not 100% sure on
incoming). You need the FORWARD statement (you could add a -d 10.1.1.32),
because the DNAT makes it a routed packet. You can test this with
tcpdump -pni <interface> port 21 or host <host ip>

alex



Using your rule I get this:

iptables v1.4.1.1: Invalid rule number `RELATED,ESTABLISHED'
Try `iptables -h' or 'iptables --help' for more information.

Commenting it out, everything looks good until after I log in and try to do
an "ls", when it returns:

ftp> ls
227 Entering Passive Mode (10,1,1,32,205,208).

Then nothing.

I think Alex just forgot the '--state'. Try this:

# Allow all ESTABLISHED and RELATED
# (the ftp conntrack helper marks the passive data connection RELATED)
iptables -A INPUT   -m state --state ESTABLISHED,RELATED -j ACCEPT
iptables -A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT

# use this for some logging of what you drop:
# append these after every ACCEPT rule, so only packets that are about
# to hit the DROP policy get logged
iptables -A INPUT   -j LOG --log-prefix "dropped from INPUT "
iptables -A FORWARD -j LOG --log-prefix "dropped from FORWARD "

# change policies of INPUT and FORWARD to DROP
iptables -P INPUT   DROP
iptables -P FORWARD DROP


Plus, I agree with Anoop about ICMP: you don't want to drop that stuff; it will cause chaos. It took me ages to figure out. I use this:

# Workaround for sites that block ICMP (just for normal surfing): clamp the
# MSS on SYNs so path-MTU discovery is not needed
iptables -t mangle -A FORWARD -p tcp --tcp-flags SYN,RST SYN -j TCPMSS --clamp-mss-to-pmtu

# Allow ICMP to the firewall itself ($ip_eth2), e.g. fragmentation-needed
# (type 3, code 4) and ping (type 8). Note this rule accepts every ICMP type;
# add "--icmp-type <n>" to restrict it.
iptables -t filter -A INPUT -p icmp -s 0/0 -d $ip_eth2 -m state --state NEW -j ACCEPT
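The symptom Robert reports (the 227 reply carries 10,1,1,32, the server's private address, and then nothing) is what you see when the connection tracker knows about the control connection but the FTP NAT helper is not rewriting the passive reply, so the client tries to open its data connection to an address it cannot reach. The script below is an added example, not code from the thread or from any of its posters: it loads the helpers, binds the helper to port 21 explicitly, DNATs the control connection, orders the ESTABLISHED,RELATED rule ahead of the LOG rules, and decodes a 227 reply so you can check what address the client is actually being told to use. It assumes (my assumptions, not from the thread) that eth0 is the Internet-facing interface, that the internal server is 10.1.1.32 as in the thread, and it prints the rules instead of loading them unless APPLY=1 is set, so it can be reviewed on any machine.

```shell
#!/bin/sh
# Added example, not the thread's own configuration: DNAT FTP to an internal
# server so that passive mode works, plus a decoder for the 227 reply.
# Assumptions: WAN interface eth0; rules are printed (dry run) unless APPLY=1.

FTP_SERVER=10.1.1.32   # internal FTP server, taken from the thread
WAN_IF=eth0            # assumed Internet-facing interface

# Dry-run wrapper: echo the command unless APPLY=1.
ipt() {
    if [ "${APPLY:-0}" = 1 ]; then
        iptables "$@"
    else
        printf 'iptables %s\n' "$*"
    fi
}

run() {
    if [ "${APPLY:-0}" = 1 ]; then
        "$@"
    else
        printf '%s\n' "$*"
    fi
}

# nf_conntrack_ftp parses PORT/227 on the control connection and creates a
# RELATED expectation for the data connection; nf_nat_ftp additionally
# rewrites the private address inside the 227 reply to the firewall's address.
load_helpers() {
    run modprobe nf_conntrack_ftp
    run modprobe nf_nat_ftp
}

gen_rules() {
    # Kernels since 4.7 no longer attach helpers automatically by default
    # (net.netfilter.nf_conntrack_helper=0); bind the helper explicitly in
    # the raw table, which runs before conntrack and before nat PREROUTING.
    # (The CT target needs kernel 2.6.34 or later.)
    ipt -t raw -A PREROUTING -i "$WAN_IF" -p tcp --dport 21 -j CT --helper ftp

    # DNAT the control connection to the internal server.
    ipt -t nat -A PREROUTING -i "$WAN_IF" -p tcp --dport 21 \
        -j DNAT --to-destination "$FTP_SERVER:21"

    # Replies and helper-expected data connections; must precede the LOG rules.
    ipt -A INPUT   -m state --state ESTABLISHED,RELATED -j ACCEPT
    ipt -A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT

    # New control connections, matched on the post-DNAT destination only.
    ipt -A FORWARD -i "$WAN_IF" -d "$FTP_SERVER" -p tcp --dport 21 \
        -m state --state NEW -j ACCEPT

    # Log what is left, then drop it by policy.
    ipt -A INPUT   -j LOG --log-prefix "dropped from INPUT "
    ipt -A FORWARD -j LOG --log-prefix "dropped from FORWARD "
    ipt -P INPUT   DROP
    ipt -P FORWARD DROP
}

# Decode "227 Entering Passive Mode (h1,h2,h3,h4,p1,p2)" into host:port,
# where port = p1*256 + p2. If the host printed is the server's private
# address, the NAT helper did not rewrite the reply and the data connection
# from an outside client will hang exactly as described in the thread.
pasv_decode() {
    fields=$(printf '%s\n' "$1" | sed -n 's/.*(\([0-9,]*\)).*/\1/p')
    set -- $(printf '%s\n' "$fields" | tr ',' ' ')
    [ $# -eq 6 ] || return 1
    printf '%s.%s.%s.%s:%d\n' "$1" "$2" "$3" "$4" $(( $5 * 256 + $6 ))
}

# Constructed sample input: the reply quoted in the thread.
pasv_decode "227 Entering Passive Mode (10,1,1,32,205,208)."
load_helpers
gen_rules
```

Run it once without APPLY to read the rule list, then with APPLY=1 as root to load it. The decoder shows that Robert's client was told to connect to 10.1.1.32:52688 (205*256+208); a working setup shows the firewall's public address there instead. If the firewall's kernel predates the CT target, drop the raw-table line and rely on automatic helper assignment, which those kernels still do.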

