Thanks, it worked.
Orlando
On Thu, 12 Jul 2001, Gregor Maier wrote:
>
> On 11-Jul-2001 Orlando Reis wrote:
> > Hi, I was wondering if someone can give me some help
> > with a problem I'm having with iptables. I want to allow
> > people to connect to an internal ftp server.
> > But somehow it doesn't work.
> > These are the rules I'm using for doing the job:
> >
> > $IPTABLES -A tcp_allowed -p TCP -i $EXTERNAL_ETH0 --dport 21 -j ACCEPT
> > $IPTABLES -A tcp_allowed -p TCP -i $EXTERNAL_ETH0 --dport 20 -j ACCEPT
> >
> > $IPTABLES -t nat -A PREROUTING -p tcp -d $EXTERNAL_IP --dport 21 -j DNAT
> > --to $INTERNAL_FTP:21
> > $IPTABLES -t nat -A POSTROUTING -o $EXTERNAL_ETH0 -s $INTERNAL_FTP -j SNAT
> > --to $EXTERNAL_IP
>
> You must also allow packets with source port 20, 21 (ftp-data and ftp), since
> every packet the server sends has source port ftp. Same for ftp-data
> (but this time it's the client's side).
> In your configuration the client can send packets to the server, but the
> firewall blocks all responses from that server.
>
>
> $IPTABLES -A tcp_allowed_in -p TCP -i $EXTERNAL_ETH0 --dport 21 -j ACCEPT
> $IPTABLES -A tcp_allowed_in -p TCP -i $EXTERNAL_ETH0 --sport 20 -j ACCEPT
>
> $IPTABLES -A tcp_allowed_out -p TCP -o $EXTERNAL_ETH0 --sport 21 -j ACCEPT
> $IPTABLES -A tcp_allowed_out -p TCP -o $EXTERNAL_ETH0 --dport 20 -j ACCEPT
>
> Apply tcp_allowed_in to the INPUT chain and tcp_allowed_out to the OUTPUT chain.
>
> > The clients can't even connect.
> >
> > I do an ftp from an external machine with no NAT (i.e. a public IP),
> > and nothing happens.
> >
> > Orlando
> > ---
> >
> >
>
> ----------------------------------
> E-Mail: Gregor Maier
> Date: 12-Jul-2001
> Time: 09:30:49
> ----------------------------------
>
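The rule set discussed in this thread, written out as an added example (not Orlando's or Gregor's script). The interface, addresses and the `IPTABLES`/`MODPROBE` variables are assumptions: they default to placeholders and to `echo`, so the script prints the rules instead of applying them; set `IPTABLES=iptables MODPROBE=modprobe` and run as root to apply. Two points a practitioner would want alongside the thread's advice: because the FTP server is DNATed to a host behind the gateway, the accept rules belong in FORWARD (not INPUT/OUTPUT), and in active mode it is the server that opens the data connection from port 20, so the outbound rule matches `--sport 20` and the inbound one `--dport 20`. The second function shows the stateful alternative: accepting only packets that connection tracking recognises (with the FTP helper following PORT/PASV and `nf_nat_ftp` rewriting the addresses in the control channel), which avoids the plain port-based rules' weakness that any packet carrying source port 20 or 21 is accepted regardless of which connection it belongs to, and which makes passive mode work without opening a fixed high-port range.

```shell
#!/bin/sh
# Added example, not from the original thread.  Assumptions: the values
# below are placeholders; IPTABLES and MODPROBE default to "echo ..." so the
# rules are printed (dry run) rather than installed.
EXTERNAL_ETH0="${EXTERNAL_ETH0:-eth0}"
EXTERNAL_IP="${EXTERNAL_IP:-203.0.113.10}"      # placeholder public address
INTERNAL_FTP="${INTERNAL_FTP:-192.168.1.20}"    # placeholder internal server
IPTABLES="${IPTABLES:-echo iptables}"
MODPROBE="${MODPROBE:-echo modprobe}"

# NAT part, shared by both variants: publish the internal server on the
# external address and hide the server's own address on the way out.
ftp_nat_rules() {
    $IPTABLES -t nat -A PREROUTING -i "$EXTERNAL_ETH0" -p tcp -d "$EXTERNAL_IP" \
        --dport 21 -j DNAT --to-destination "$INTERNAL_FTP:21"
    $IPTABLES -t nat -A POSTROUTING -o "$EXTERNAL_ETH0" -s "$INTERNAL_FTP" \
        -j SNAT --to-source "$EXTERNAL_IP"
}

# Port-based variant, as in the thread: control channel to/from port 21 and
# active-mode data channel that the server opens from port 20.  The traffic is
# routed through the gateway, so the rules go into FORWARD.
ftp_portbased_rules() {
    ftp_nat_rules
    # client -> server control connection, and the server's replies
    $IPTABLES -A FORWARD -i "$EXTERNAL_ETH0" -p tcp -d "$INTERNAL_FTP" --dport 21 -j ACCEPT
    $IPTABLES -A FORWARD -o "$EXTERNAL_ETH0" -p tcp -s "$INTERNAL_FTP" --sport 21 -j ACCEPT
    # active mode: server -> client data connection from port 20, and the
    # client's replies back to port 20
    $IPTABLES -A FORWARD -o "$EXTERNAL_ETH0" -p tcp -s "$INTERNAL_FTP" --sport 20 -j ACCEPT
    $IPTABLES -A FORWARD -i "$EXTERNAL_ETH0" -p tcp -d "$INTERNAL_FTP" --dport 20 -j ACCEPT
}

# Stateful variant: only the control connection is opened explicitly; data
# connections (active or passive) are accepted as RELATED because the FTP
# conntrack helper parses PORT/PASV, and nf_nat_ftp rewrites the addresses
# they carry.  Newer kernels no longer attach helpers automatically, so the
# CT target in the raw table binds the "ftp" helper to the control port.
ftp_stateful_rules() {
    $MODPROBE -a nf_conntrack_ftp nf_nat_ftp
    $IPTABLES -t raw -A PREROUTING -i "$EXTERNAL_ETH0" -p tcp -d "$EXTERNAL_IP" \
        --dport 21 -j CT --helper ftp
    ftp_nat_rules
    $IPTABLES -A FORWARD -i "$EXTERNAL_ETH0" -p tcp -d "$INTERNAL_FTP" --dport 21 \
        -m conntrack --ctstate NEW -j ACCEPT
    $IPTABLES -A FORWARD -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
}

# Usage: print the stateful rule set (dry run unless IPTABLES is overridden).
ftp_stateful_rules
```

Both functions assume the FORWARD chain's policy is DROP (or ends in a DROP rule); the port-based variant also needs the chain to stay ordered so that the four ACCEPT rules precede it.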