
Re: iptables, ftp and dnat?



On Fri, Dec 05, 2008 at 01:35:25PM -0700, Robert L. Harris wrote:
> 
> 
> 
> Alex Samad wrote:
> > On Fri, Dec 05, 2008 at 10:35:47AM -0700, Robert L. Harris wrote:
> >
> > Help...   I have the following in my firewall startup script:
> >
> > /sbin/modprobe nf_conntrack_ftp
> > $IPTABLES -A INPUT -p tcp --dport 21 -m state --state NEW,ESTABLISHED -j ACCEPT
> > $IPTABLES -A PREROUTING -t nat -p tcp -i $IFACE --dport 21 -j DNAT --to 10.1.1.32:21
> > $IPTABLES -A OUTPUT -p tcp --dport 21 -m state --state NEW,ESTABLISHED -j ACCEPT
> > # Active
> > $IPTABLES -A INPUT -p tcp --sport 20 -m state --state ESTABLISHED,RELATED -j ACCEPT
> > $IPTABLES -A PREROUTING -t nat -p tcp -i $IFACE --sport 20 -j DNAT --to 10.1.1.32:20
> > $IPTABLES -A OUTPUT -p tcp --dport 20 -m state --state ESTABLISHED -j ACCEPT
> > # Passive
> > $IPTABLES -A INPUT -p tcp --sport 1024: --dport 1024: -m state --state ESTABLISHED -j ACCEPT
> > $IPTABLES -A PREROUTING -t nat -p tcp -i $IFACE --dport 1024: -j DNAT --to 10.1.1.32
> > $IPTABLES -A OUTPUT -p tcp --sport 1024: --dport 1024: -m state --state ESTABLISHED,RELATED -j ACCEPT
> >
> >> Can I suggest something like this
> >
> >
> >> # one catch all for all related and established connections
> >> # as defined by connection tracking
> >> iptables -I INPUT RELATED,ESTABLISHED -j ACCEPT
> >
> >
> >> iptables -A INPUT -p tcp --dport 21 -m state --state NEW -j ACCEPT
> >> iptables -A FORWARD -p tcp --dport 21 -m state --state NEW -j ACCEPT
> >
> >> iptables -t nat -A PREROUTING -p tcp --dport 21 -j DNAT --to 10.1.1.32:21
> >
> >> I am not sure if you need the other ports for active, as the conntrack
> >> module should handle that for you (works on outgoing; not 100% sure
> >> on incoming).
> >
> >> You need the forward statement (you could add a -d 10.1.1.32), because
> >> the DNAT makes it a routed packet.
> >
> >> You can test this with: tcpdump -pni <interface> port 21 or host <host ip>
> >
> >> alex
> >
> 
> 
> 
> Using your rule I get this:
> 
> iptables v1.4.1.1: Invalid rule number `RELATED,ESTABLISHED'
> Try `iptables -h' or 'iptables --help' for more information.

Oops, early-morning emailing; I forgot the

-m state --state

iptables -I INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT

> 
> Commenting it out, everything looks good until after I log in and try
> to do an "ls" when it returns:
> ftp> ls
> 227 Entering Passive Mode (10,1,1,32,205,208).
> 
> Then nothing.

You can use two methods to track it down: tcpdump on the outside and the
inside interface, or -j LOG statements to see what is getting
dropped/rejected (maybe first try again with the related/established line
working).

> 
> 
> 
> --
> 
> :wq!
> ====================================================================
> Robert L. Harris                     | GPG Key ID: E344DA3B
>                                          @ x-hkp://pgp.mit.edu
> DISCLAIMER:
>       These are MY OPINIONS             With Dreams To Be A King,
>        ALONE.  I speak for              First One Should Be A Man
>        no-one else.                       - Manowar
> 
> 
> 
> -- 
> To UNSUBSCRIBE, email to debian-user-REQUEST@lists.debian.org 
> with a subject of "unsubscribe". Trouble? Contact listmaster@lists.debian.org
> 
> 

-- 
"After all, a week ago, there were -- Yasser Arafat was boarded up in his building in Ramallah, a building full of, evidently, German peace protestors and all kinds of people. They're now out. He's now free to show leadership, to lead the world."

	- George W. Bush
05/02/2002
Washington, DC
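An added example, not code from Alex or Robert: the ruleset Alex sketches above, written out as a POSIX sh script with the -m state --state that the first version lacked, plus two additions of my own that the thread does not reach. First, the RELATED,ESTABLISHED catch-all goes in FORWARD as well as INPUT, because after the DNAT the data connection is forwarded to the inside host, not delivered locally. Second, nf_nat_ftp is loaded next to nf_conntrack_ftp: the 227 reply Robert pastes advertises 10.1.1.32, the server's inside address, which an outside client cannot reach, and nf_nat_ftp is the module that rewrites that address in the PASV reply (nf_conntrack_ftp alone only tracks it). The last function decodes a 227 line into the host and port the client will actually try, which is what to hand tcpdump when tracking it down. IFACE, FTP_SERVER and IPTABLES are assumed names; the script prints each command instead of running it unless DRY_RUN=0.

```sh
#!/bin/sh
# Added example, not code from the thread. Assumed names: IFACE (outside
# interface), FTP_SERVER (inside FTP host), IPTABLES (binary path).
# DRY_RUN=1 (the default) prints each command instead of running it.
IFACE="${IFACE:-eth0}"
FTP_SERVER="${FTP_SERVER:-10.1.1.32}"
IPTABLES="${IPTABLES:-/sbin/iptables}"
DRY_RUN="${DRY_RUN:-1}"

run() {
    if [ "$DRY_RUN" = 1 ]; then
        printf '%s\n' "$*"
    else
        "$@"
    fi
}

# nf_conntrack_ftp reads PORT/PASV on the control channel and marks the
# data connection RELATED; nf_nat_ftp rewrites the address in the PASV
# reply so the outside client is not handed the 10.1.1.32 inside address.
load_helpers() {
    run modprobe nf_conntrack_ftp
    run modprobe nf_nat_ftp
}

ftp_dnat_rules() {
    # catch-alls first; the DNAT'd data connection is FORWARDed, not INPUT
    run "$IPTABLES" -I INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
    run "$IPTABLES" -I FORWARD -m state --state RELATED,ESTABLISHED -j ACCEPT
    # rewrite new control connections to the inside server, then allow the
    # (now routed) packet through FORWARD; -d narrows it to that host
    run "$IPTABLES" -t nat -A PREROUTING -i "$IFACE" -p tcp --dport 21 \
        -j DNAT --to-destination "$FTP_SERVER:21"
    run "$IPTABLES" -A FORWARD -i "$IFACE" -d "$FTP_SERVER" -p tcp --dport 21 \
        -m state --state NEW -j ACCEPT
}

# Diagnostic: log whatever reaches the end of FORWARD without matching an
# ACCEPT above, rate limited so a scan cannot fill the log.
log_forward_drops() {
    run "$IPTABLES" -A FORWARD -m limit --limit 5/min -j LOG --log-prefix "fwd-drop: "
}

# Decode "227 Entering Passive Mode (h1,h2,h3,h4,p1,p2)" into "host port";
# returns 1 if the line carries no six-number tuple.
pasv_to_hostport() {
    tuple=$(printf '%s\n' "$1" | sed -n 's/.*(\([0-9,]*\)).*/\1/p')
    [ -n "$tuple" ] || return 1
    set -- $(printf '%s\n' "$tuple" | tr ',' ' ')
    [ $# -eq 6 ] || return 1
    printf '%s.%s.%s.%s %d\n' "$1" "$2" "$3" "$4" $(( $5 * 256 + $6 ))
}

load_helpers
ftp_dnat_rules
log_forward_drops
# The reply quoted in the thread: the client is told to go to 10.1.1.32:52688
pasv_to_hostport "227 Entering Passive Mode (10,1,1,32,205,208)."
```

Run it once as is to read the commands, then as root with DRY_RUN=0 to apply them. The two catch-alls use -I so they sit at the top of their chains ahead of anything appended later; the LOG rule is appended last, so with a DROP policy on FORWARD its "fwd-drop:" lines in the kernel log are the ones to read when the ls hangs. If the decoded PASV host is still the inside address after nf_nat_ftp is loaded, the helper is not seeing the control channel, which is the next thing to check with tcpdump on both interfaces.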
