On Fri, Dec 05, 2008 at 03:30:19PM -0700, Robert L. Harris wrote:
[snip]
> >> here is another link
> >> http://www.cyberciti.biz/faq/iptables-open-ftp-port-21/ (again google).
> >>
> >> My strength is in iptables not ftp (which is the reason for googling :) )
> >>
> >> Also anything to do with iptables and firewalls you should probably read
> >> a tutorial on iptables
>
> I've read both of those and understand how the ftp works.  I've
> spent the last 2 days googling.
> Unfortunately it's all working now except how to get the iptables data
> connection in passive mode working.  I can log in, etc just fine but
> when I do a "ls" after issuing the "passive" command it times out.
>
> The second example looks good but doesn't handle the DNAT (the ftp
> server is running on another machine behind my firewall).

What I do to track down iptables problems is (if you have access to all 3
machines, client, server and firewall):

Dump on all 3 machines, something like

    tcpdump -pni <eth?> -s 1500 -w /tmp/trace.dmp host <client ip> and host <server ip>

client and server ip will vary depending on which machine you are on
(natting).

Also just before the drop statement in your iptables chain, put a line which
logs the packets.

This way you can see what is going on and create some rules to fix it.

But maybe another solution is to use a ftp proxy (ftp-proxy) - never used
it - to get around the active passive port problem

> Robert
>
> :wq!
> ====================================================================
> Robert L. Harris                  | GPG Key ID: E344DA3B
>                                       @ x-hkp://pgp.mit.edu
> DISCLAIMER:
>       These are MY OPINIONS          With Dreams To Be A King,
>        ALONE.  I speak for           First One Should Be A Man
>        no-one else.                    - Manowar

--
Tsort's Constant:
        1.67563, or precisely 1,237.98712567 times the difference between
        the distance to the sun and the weight of a small orange.
                -- Terry Pratchett, "The Light Fantastic" (slightly modified)
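Added example, not part of the original message: once the logging line suggested above is in place on the firewall, a short script can pull the dropped passive-mode data connections out of the kernel log. The INPUT chain, the log prefix "FTP-DROP: ", the addresses and the sample log lines are assumptions constructed for illustration.

```python
import re
from collections import Counter

# Assumed rule on the firewall, just before the DROP (the prefix is our choice):
#   iptables -A INPUT -j LOG --log-prefix "FTP-DROP: "
PREFIX = "FTP-DROP: "
FIELD = re.compile(r"\b([A-Z]+)=(\S*)")

# Constructed kernel log lines (documentation addresses), not from the thread.
SAMPLE_LOG = """\
Dec  5 15:41:02 fw kernel: FTP-DROP: IN=eth0 OUT= MAC=00:16:3e:00:00:01:00:16:3e:00:00:02:08:00 SRC=203.0.113.7 DST=198.51.100.1 LEN=60 TOS=0x00 PREC=0x00 TTL=57 ID=4211 DF PROTO=TCP SPT=40112 DPT=50321 WINDOW=5840 RES=0x00 SYN URGP=0
Dec  5 15:41:05 fw kernel: FTP-DROP: IN=eth0 OUT= MAC=00:16:3e:00:00:01:00:16:3e:00:00:02:08:00 SRC=203.0.113.7 DST=198.51.100.1 LEN=60 TOS=0x00 PREC=0x00 TTL=57 ID=4212 DF PROTO=TCP SPT=40112 DPT=50321 WINDOW=5840 RES=0x00 SYN URGP=0
Dec  5 15:41:07 fw kernel: FTP-DROP: IN=eth0 OUT= MAC=00:16:3e:00:00:01:00:16:3e:00:00:03:08:00 SRC=192.0.2.99 DST=198.51.100.1 LEN=78 TOS=0x00 PREC=0x00 TTL=50 ID=977 PROTO=UDP SPT=137 DPT=137 LEN=58
Dec  5 15:41:09 fw kernel: eth0: link up
Dec  5 15:41:30 fw kernel: FTP-DROP: IN=eth0 OUT= MAC=00:16:3e:00:00:01:00:16:3e:00:00:02:08:00 SRC=203.0.113.7 DST=198.51.100.1 LEN=60 TOS=0x00 PREC=0x00 TTL=57 ID=4290 DF PROTO=TCP SPT=40115 DPT=50344 WINDOW=5840 RES=0x00 SYN URGP=0
"""


def parse(line):
    """Return (fields, flags) for one of our LOG lines, or None for other lines."""
    _, sep, body = line.partition(PREFIX)
    if not sep:
        return None
    fields = dict(FIELD.findall(body))           # KEY=value pairs (OUT= may be empty)
    flags = {tok for tok in body.split() if "=" not in tok}  # bare tokens: DF, SYN, ACK...
    return fields, flags


def passive_candidates(log_text, client_ip):
    """Count dropped new TCP connections from the client to unprivileged ports."""
    hits = Counter()
    for line in log_text.splitlines():
        parsed = parse(line)
        if parsed is None:
            continue
        f, flags = parsed
        if (f.get("SRC") == client_ip and f.get("PROTO") == "TCP"
                and "SYN" in flags and "ACK" not in flags
                and int(f.get("DPT", 0)) >= 1024):
            hits[(f["DST"], int(f["DPT"]))] += 1
    return hits


if __name__ == "__main__":
    for (dst, port), n in passive_candidates(SAMPLE_LOG, "203.0.113.7").items():
        print(f"{n} dropped SYN(s) to {dst}:{port} - candidate passive data channel")
```

Repeated SYNs to the same high port are the client retrying the data connection; the ports listed are the ones the firewall is not forwarding to the FTP server.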