On 11-Jul-2001 Orlando Reis wrote:
> Hi, I was wondering if someone can give me some help
> with a problem I'm having with iptables. I want to allow
> people to connect to an internal ftp server.
> But somehow it doesn't work.
> These are the rules I'm using for doing the job:
> 
> $IPTABLES -A tcp_allowed -p TCP -i $EXTERNAL_ETH0 --dport 21 -j ACCEPT
> $IPTABLES -A tcp_allowed -p TCP -i $EXTERNAL_ETH0 --dport 20 -j ACCEPT
> 
> $IPTABLES -t nat -A PREROUTING -p tcp -d $EXTERNAL_IP --dport 21 -j DNAT
> --to $INTERNAL_FTP:21
> $IPTABLES -t nat -A POSTROUTING -o $EXTERNAL_ETH0 -s $INTERNAL_FTP -j SNAT
> --to $EXTERNAL_IP

You must also allow packets with source port 20 and 21 (ftp-data and ftp), since
every packet the server sends has the source port ftp. Same for ftp-data
(but this time it's the client's side).
In your configuration the client can send packets to the server but the
firewall blocks all responses from that server.


$IPTABLES -A tcp_allowed_in -p TCP -i $EXTERNAL_ETH0 --dport 21 -j ACCEPT
$IPTABLES -A tcp_allowed_in -p TCP -i $EXTERNAL_ETH0 --sport 20 -j ACCEPT

$IPTABLES -A tcp_allowed_out -p TCP -o $EXTERNAL_ETH0 --sport 21 -j ACCEPT
$IPTABLES -A tcp_allowed_out -p TCP -o $EXTERNAL_ETH0 --dport 20 -j ACCEPT

Apply tcp_allowed_in to the INPUT chain and tcp_allowed_out to the OUTPUT chain.

> The clients can't even connect.
> 
> I do an ftp from an external machine with no NAT (i.e., a public IP),
> and nothing happens.
> 
> Orlando
> ---

----------------------------------
E-Mail: Gregor Maier <[EMAIL PROTECTED]>
Date: 12-Jul-2001
Time: 09:30:49
----------------------------------
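As an added example (not code from either poster), here is a stateful rule set for the DNAT'd FTP server discussed in the thread, together with a small check for ACCEPT rules that match on source port alone. Interface names, addresses and the INTERNAL_ETH1 variable are assumed placeholders; it also assumes the FORWARD chain's policy is DROP and that the ftp conntrack/NAT helper modules are loaded.

```shell
#!/bin/sh
# Added example, not from the thread. EXTERNAL_ETH0, INTERNAL_ETH1, EXTERNAL_IP and
# INTERNAL_FTP are placeholder values for a firewall in front of an internal FTP server.
# Dry run by default (rules are printed). Run as root with IPTABLES=iptables to apply.
IPTABLES=${IPTABLES:-"echo iptables"}
EXTERNAL_ETH0=${EXTERNAL_ETH0:-eth0}
INTERNAL_ETH1=${INTERNAL_ETH1:-eth1}
EXTERNAL_IP=${EXTERNAL_IP:-203.0.113.10}     # placeholder (TEST-NET-3)
INTERNAL_FTP=${INTERNAL_FTP:-192.168.1.20}   # placeholder

ftp_forward_rules() {
    # The ftp helper lets conntrack mark data connections (PORT/PASV) as RELATED.
    # 2.4 kernels: ip_conntrack_ftp + ip_nat_ftp; later kernels: nf_conntrack_ftp + nf_nat_ftp
    # (kernels >= 4.7 no longer assign helpers automatically; see nf_conntrack_helper / -j CT --helper).
    # Control channel: rewrite the destination to the internal server.
    $IPTABLES -t nat -A PREROUTING -i "$EXTERNAL_ETH0" -p tcp -d "$EXTERNAL_IP" --dport 21 \
        -j DNAT --to-destination "$INTERNAL_FTP:21"
    # Hide the internal address on anything the server sends out (replies and active-mode data).
    $IPTABLES -t nat -A POSTROUTING -o "$EXTERNAL_ETH0" -s "$INTERNAL_FTP" -j SNAT --to-source "$EXTERNAL_IP"
    # DNAT'd packets traverse FORWARD, not INPUT/OUTPUT. Accept only a new control connection to port 21 ...
    $IPTABLES -A FORWARD -i "$EXTERNAL_ETH0" -o "$INTERNAL_ETH1" -p tcp -d "$INTERNAL_FTP" --dport 21 \
        -m state --state NEW -j ACCEPT
    # ... and packets belonging to connections conntrack already tracks, in both directions.
    $IPTABLES -A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT
}

# Check: print ACCEPT rules (read from stdin) that trust the source port alone. A rule such as
# "--sport 20 -j ACCEPT" with no connection-state match admits any remote host that happens to
# use source port 20, to every local port, so it should be replaced by the stateful form above.
audit_sport_only_accepts() {
    grep -e '--sport' | grep -e '-j ACCEPT' | grep -v -e '--state' -e '--ctstate' || true
}

ftp_forward_rules
```

Pipe an existing rule script through audit_sport_only_accepts to list the rules worth revisiting.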
