Alex Samad wrote:
> On Fri, Dec 05, 2008 at 10:35:47AM -0700, Robert L. Harris wrote:
> > Help... I have the following in my firewall startup script:
> >
> > /sbin/modprobe nf_conntrack_ftp
> > $IPTABLES -A INPUT -p tcp --dport 21 -m state --state NEW,ESTABLISHED -j ACCEPT
> > $IPTABLES -A PREROUTING -t nat -p tcp -i $IFACE --dport 21 -j DNAT --to 10.1.1.32:21
> > $IPTABLES -A OUTPUT -p tcp --dport 21 -m state --state NEW,ESTABLISHED -j ACCEPT
> >
> > # Active
> > $IPTABLES -A INPUT -p tcp --sport 20 -m state --state ESTABLISHED,RELATED -j ACCEPT
> > $IPTABLES -A PREROUTING -t nat -p tcp -i $IFACE --sport 20 -j DNAT --to 10.1.1.32:20
> > $IPTABLES -A OUTPUT -p tcp --dport 20 -m state --state ESTABLISHED -j ACCEPT
> >
> > # Passive
> > $IPTABLES -A INPUT -p tcp --sport 1024: --dport 1024: -m state --state ESTABLISHED -j ACCEPT
> > $IPTABLES -A PREROUTING -t nat -p tcp -i $IFACE --dport 1024: -j DNAT --to 10.1.1.32
> > $IPTABLES -A OUTPUT -p tcp --sport 1024: --dport 1024: -m state --state ESTABLISHED,RELATED -j ACCEPT
>
> Can I suggest something like this:
>
> # one catch-all for all related and established connections
> # as defined by connection tracking
> iptables -I INPUT RELATED,ESTABLISHED -j ACCEPT
>
> iptables -A INPUT -p tcp --dport 21 -m state --state NEW -j ACCEPT
> iptables -A FORWARD -p tcp --dport 21 -m state --state NEW -j ACCEPT
>
> iptables -t nat -A PREROUTING -p tcp --dport 21 -j DNAT --to 10.1.1.32:21
>
> I am not sure if you need the other ports for active, as the conntrack
> module should handle that for you (works on outgoing; not 100% sure on
> incoming).
>
> You need the forward statement (you could add a -d 10.1.1.32), because
> the DNAT makes it a routed packet.
>
> You can test this with: tcpdump -pni <interface> port 21 or host <host ip>
>
> alex

Using your rule I get this:

iptables v1.4.1.1: Invalid rule number `RELATED,ESTABLISHED'
Try `iptables -h' or 'iptables --help' for more information.

Commenting it out, everything looks good until after I log in and try to do an "ls", when it returns:

ftp> ls
227 Entering Passive Mode (10,1,1,32,205,208).

Then nothing.

> --
> To UNSUBSCRIBE, email to [EMAIL PROTECTED] with a subject of "unsubscribe".
> Trouble? Contact [EMAIL PROTECTED]

--
:wq!
====================================================================
Robert L. Harris                   | GPG Key ID: E344DA3B
                                   @ x-hkp://pgp.mit.edu
DISCLAIMER: These are MY OPINIONS  With Dreams To Be A King,
ALONE. I speak for no-one else.    First One Should Be A Man
                                   - Manowar
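Added example, not from the thread: a small Python diagnostic that parses the 227 reply quoted above and flags the symptom behind the hang, namely a server behind DNAT advertising its private 10.1.1.32 address, which the FTP NAT helper (nf_nat_ftp, loaded alongside nf_conntrack_ftp) is meant to rewrite. The firewall's public address is not given in the thread, so 203.0.113.10 is a documentation-range placeholder for it.

```python
import re
import ipaddress

# Constructed sample input: the 227 reply quoted in the thread, as an external
# client would see it.  The firewall's public address is not on the page;
# 203.0.113.10 is a documentation-range placeholder standing in for it.
PASV_REPLY = "227 Entering Passive Mode (10,1,1,32,205,208)."
CONTROL_PEER = "203.0.113.10"

PASV_RE = re.compile(r"227[^(]*\((\d+),(\d+),(\d+),(\d+),(\d+),(\d+)\)")
RFC1918 = [ipaddress.ip_network(n) for n in
           ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]


def parse_pasv(reply):
    """Return (host, port) from a 227 reply, or None if it is malformed."""
    m = PASV_RE.search(reply)
    if not m:
        return None
    fields = [int(x) for x in m.groups()]
    if any(f > 255 for f in fields):
        return None
    h1, h2, h3, h4, p1, p2 = fields
    return f"{h1}.{h2}.{h3}.{h4}", p1 * 256 + p2


def diagnose_pasv(reply, control_peer):
    """Classify a 227 reply relative to the address the client connected to.

    A server behind DNAT answers with its own interface address.  Unless the
    FTP NAT helper rewrites the reply (and registers the data port as a
    RELATED expectation), the external client tries to reach 10.1.1.32
    directly and the "ls" hangs exactly as described in the thread.
    """
    parsed = parse_pasv(reply)
    if parsed is None:
        return "malformed 227 reply"
    host, port = parsed
    adv = ipaddress.ip_address(host)
    if adv == ipaddress.ip_address(control_peer):
        return f"ok: data connection to {host}:{port}"
    if any(adv in net for net in RFC1918):
        return (f"private address leaked: server advertised {host}:{port} "
                f"but the client reached it via {control_peer}; "
                "load nf_nat_ftp next to nf_conntrack_ftp so the reply is "
                "rewritten and the data connection becomes RELATED")
    return f"address mismatch: advertised {host}:{port}, control peer {control_peer}"


if __name__ == "__main__":
    print(parse_pasv(PASV_REPLY))
    print(diagnose_pasv(PASV_REPLY, CONTROL_PEER))
```

The same helper reads a PORT command the other way round for active mode, where the client's address is the one that must match; the thread only shows the passive case, so only that is covered here.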