Re: iptables, ftp and dnat?

To: debian-user@lists.debian.org
Subject: Re: iptables, ftp and dnat?
From: "Robert L. Harris" <robert.l.harris@gmail.com>
Date: Fri, 05 Dec 2008 13:35:25 -0700
Message-id: <[🔎] 4939908D.1010705@gmail.com>
In-reply-to: <[🔎] 20081205185326.GE18045@samad.com.au>
References: <[🔎] 49396673.9070908@gmail.com> <[🔎] 20081205185326.GE18045@samad.com.au>

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1



Alex Samad wrote:
> On Fri, Dec 05, 2008 at 10:35:47AM -0700, Robert L. Harris wrote:
>
> Help...   I have the following in my firewall startup script:
>
> /sbin/modprobe nf_conntrack_ftp $IPTABLES -A INPUT -p tcp --dport
> 21 -m state --state NEW,ESTABLISHED -j ACCEPT $IPTABLES -A
> PREROUTING -t nat -p tcp -i $IFACE --dport 21 -j DNAT --to
> 10.1.1.32:21 $IPTABLES -A OUTPUT -p tcp --dport 21 -m state --state
>  NEW,ESTABLISHED -j ACCEPT # Active $IPTABLES -A INPUT -p tcp
> --sport 20 -m state --state ESTABLISHED,RELATED -j ACCEPT $IPTABLES
> -A PREROUTING -t nat -p tcp -i $IFACE --sport 20 -j DNAT --to
> 10.1.1.32:20 $IPTABLES -A OUTPUT -p tcp --dport 20 -m state --state
> ESTABLISHED -j ACCEPT # Passive $IPTABLES -A INPUT -p tcp --sport
> 1024: --dport 1024: -m state --state ESTABLISHED -j ACCEPT
> $IPTABLES -A PREROUTING -t nat -p tcp -i $IFACE --dport 1024: -j
> DNAT --to 10.1.1.32 $IPTABLES -A OUTPUT -p tcp --sport 1024:
> --dport 1024: -m state --state ESTABLISHED,RELATED -j ACCEPT
>
>> Can I suggest something like this
>
>
>> # one catch all for all related and established connection # as
>> defined by connection tracking iptables -I INPUT
>> RELATED,ESTABLISHED -j ACCEPT
>
>
>> iptables -A INPUT -p tcp --dport 21 -m state --state NEW -j
>> ACCEPT iptables -A FORWARD -p tcp --dport 21 -m state --state NEW
>> -j ACCEPT
>
>> iptables -t nat -A PREROUTING -p tcp --dport 21 -j DNAT --to
>> 10.1.1.32:21
>
>> I am not sure if you need the other ports for active as the conn
>> track module should handle that for you (works on out going not
>> 100% sure on incoming).
>
>> You need the forward statement you could add a -d 10.1.1.32,
> because the
>> DNAT makes it a routed packet.
>
>> you can test this with tcpdump -pni <interface> -port 21 or host
>> <host ip>
>
>> alex
>



Using your rule I get this:

iptables v1.4.1.1: Invalid rule number `RELATED,ESTABLISHED'
Try `iptables -h' or 'iptables --help' for more information.

Commenting it out, everything looks good until after I log in and try
to do an "ls" when it returns:
ftp> ls
227 Entering Passive Mode (10,1,1,32,205,208).

Then nothing.


>>
- --
To UNSUBSCRIBE, email to debian-user-REQUEST@lists.debian.org
with a subject of "unsubscribe". Trouble? Contact
listmaster@lists.debian.org
>>
>>

- --

:wq!
====================================================================
Robert L. Harris                     | GPG Key ID: E344DA3B
                                         @ x-hkp://pgp.mit.edu
DISCLAIMER:
      These are MY OPINIONS             With Dreams To Be A King,
       ALONE.  I speak for              First One Should Be A Man
       no-one else.                       - Manowar

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.8 (Darwin)

iD8DBQFJOZCN8+1vMONE2jsRAmN5AJ9deOibPWbPGOxXRQp9SjAZ1hJocACgzxng
zJ1PCcrv5s6xd2nn+OIizG8=
=LYdZ
-----END PGP SIGNATURE-----

Reply to:

Follow-Ups:
- Re: iptables, ftp and dnat?
  - From: Alex Samad <alex@samad.com.au>
- Re: iptables, ftp and dnat?
  - From: Adam Hardy <adam.ant@cyberspaceroad.com>

References:
- iptables, ftp and dnat?
  - From: "Robert L. Harris" <robert.l.harris@gmail.com>
- Re: iptables, ftp and dnat?
  - From: Alex Samad <alex@samad.com.au>

Prev by Date: Re: Record or Download RTMPT Stream
Next by Date: Re: software raid 1: how to remove a UUID from a device?
Previous by thread: Re: iptables, ftp and dnat?
Next by thread: Re: iptables, ftp and dnat?
Index(es):
- Date
- Thread