Thanks, it worked.

Orlando

On Thu, 12 Jul 2001, Gregor Maier wrote:

> 
> On 11-Jul-2001 Orlando Reis wrote:
> > Hi, I was wondering if someone can give me some help
> > with a problem I'm having with iptables. I want to allow
> > people to connect to an internal ftp server.
> > But somehow it doesn't work.
> > These are the rules I'm using for doing the job:
> > 
> > $IPTABLES -A tcp_allowed -p TCP -i $EXTERNAL_ETH0 --dport 21 -j ACCEPT
> > $IPTABLES -A tcp_allowed -p TCP -i $EXTERNAL_ETH0 --dport 20 -j ACCEPT
> > 
> > $IPTABLES -t nat -A PREROUTING -p tcp -d $EXTERNAL_IP --dport 21 -j DNAT --to $INTERNAL_FTP:21
> > $IPTABLES -t nat -A POSTROUTING -o $EXTERNAL_ETH0 -s $INTERNAL_FTP -j SNAT --to $EXTERNAL_IP
> 
> You must also allow packets with source port 20, 21 (ftp-data and ftp), since
> every packet the server sends has the source port ftp. Same for ftp-data
> (but this time it's the client's side).
> In your configuration the client can send packets to the server but the
> firewall blocks all responses from that server.
> 
> 
> $IPTABLES -A tcp_allowed_in -p TCP -i $EXTERNAL_ETH0 --dport 21 -j ACCEPT
> $IPTABLES -A tcp_allowed_in -p TCP -i $EXTERNAL_ETH0 --sport 20 -j ACCEPT
> 
> $IPTABLES -A tcp_allowed_out -p TCP -o $EXTERNAL_ETH0 --sport 21 -j ACCEPT
> $IPTABLES -A tcp_allowed_out -p TCP -o $EXTERNAL_ETH0 --dport 20 -j ACCEPT
> 
> Apply tcp_allowed_in to the INPUT chain and tcp_allowed_out to the OUTPUT chain.
> 
> > The clients can't even connect.
> > 
> > I do an ftp from an external machine with no NAT (i.e. a public IP),
> > and nothing happens.
> > 
> > Orlando
> > ---
> > 
> > 
> 
> ----------------------------------
> E-Mail: Gregor Maier <[EMAIL PROTECTED]>
> Date: 12-Jul-2001
> Time: 09:30:49
> ----------------------------------
> 

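To make the point in Gregor's reply concrete, here is an added illustration (not code from the thread or the list): a toy stateless packet filter in Python that applies the two quoted rule sets to both halves of the FTP control connection. The interface name, the client port and the DROP default policy are assumptions of this example.

```python
# Added illustration for the thread above, not code from the list: a toy
# stateless packet filter applying the quoted rule sets to the FTP control
# connection. Interface name, client port and default policy are assumed.
from dataclasses import dataclass

EXT = "eth0"  # stands in for $EXTERNAL_ETH0


@dataclass(frozen=True)
class Packet:
    """One TCP segment as the firewall sees it: interface, direction, ports."""
    iface: str
    direction: str  # "in" = arrives on iface (-i), "out" = leaves via iface (-o)
    sport: int
    dport: int


def verdict(chain, pkt, policy="DROP"):
    """First matching rule wins; a rule is a dict of fields that must all match."""
    for rule in chain:
        if all(getattr(pkt, field) == value for field, value in rule.items()):
            return "ACCEPT"
    return policy  # assumed default policy of the chain


def control_connection(chain_in, chain_out, client_port=40001):
    """Verdicts for both halves of the FTP control connection (client -> port 21)."""
    client_to_server = Packet(EXT, "in", client_port, 21)
    server_to_client = Packet(EXT, "out", 21, client_port)
    return (verdict(chain_in, client_to_server), verdict(chain_out, server_to_client))


# Orlando's tcp_allowed chain: only inbound packets to dport 21 and 20.
ORIG_IN = [{"iface": EXT, "direction": "in", "dport": 21},
           {"iface": EXT, "direction": "in", "dport": 20}]
ORIG_OUT = []  # no rule lets the server's replies back out

# Gregor's tcp_allowed_in / tcp_allowed_out chains.
FIXED_IN = [{"iface": EXT, "direction": "in", "dport": 21},
            {"iface": EXT, "direction": "in", "sport": 20}]
FIXED_OUT = [{"iface": EXT, "direction": "out", "sport": 21},
             {"iface": EXT, "direction": "out", "dport": 20}]

if __name__ == "__main__":
    print("original:", control_connection(ORIG_IN, ORIG_OUT))   # ('ACCEPT', 'DROP')
    print("fixed:   ", control_connection(FIXED_IN, FIXED_OUT))  # ('ACCEPT', 'ACCEPT')
```

With the original chain the client's SYN is accepted but the server's reply is dropped, which is exactly the "can't even connect" symptom; with both chains in place each direction of the control connection passes.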