Chasper:

        If you want outside machines to be able to establish ftp connections,
you will have to add "NEW" to your forward rule as well. Something like:

$IPTABLES -t nat -A PREROUTING -i $EXTIF -p tcp -d $EXTIP --dport 21 -j DNAT --to $FTPSERVER

$IPTABLES -A FORWARD -p tcp -i $EXTIF -o $INTIF -m state --state NEW,ESTABLISHED,RELATED \
    -d $FTPSERVER --dport 21 -j ACCEPT

        I don't usually run an internal FTP Server, but I copied the rule from
ports I do forward and changed the dport to 21. It seemed to work fine for me
coming in from another machine on the Internet. Try it out. Hope that helps.

Stu.........



-----Original Message-----
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED]]On Behalf Of Chasper L�pfe (OLMi)
Sent: April 28, 2002 10:43 AM
To: [EMAIL PROTECTED]
Subject: DNAT and Forwarding FTP to internal Server

Hello

I've got a little problem with DNAT. I use MASQUERADING with SNAT for my
internal network and it's working. I also want to forward ftp requests
from the outside to an internal server. But that's not working. No ftp
traffic is forwarded to the internal network.

I know there is a problem with the forwarding chain, but I can't get it
to work...what rule(s) do I need to add?

Here is my script:

#!/bin/sh

LAN_INT="eth1"
LAN_EXT="eth0"

route add default gw 195.x.x.1

# flush filter and nat tables
iptables -F
iptables -F -t nat

# default to DROP everywhere
iptables --policy INPUT DROP
iptables --policy OUTPUT DROP
iptables --policy FORWARD DROP
iptables -t nat --policy PREROUTING DROP
iptables -t nat --policy POSTROUTING DROP

# rate-limited icmp in, unrestricted icmp out
iptables -A INPUT -p icmp -m limit --limit 3/s -j ACCEPT
iptables -A OUTPUT -p icmp -j ACCEPT

echo "1" > /proc/sys/net/ipv4/ip_forward

#MASQ
iptables -t nat -A POSTROUTING -o $LAN_EXT -s 192.168.1.0/24 -j SNAT --to 195.x.x.2
iptables -A FORWARD -i $LAN_EXT -m state --state ESTABLISHED,RELATED -j ACCEPT
iptables -A FORWARD -i $LAN_INT -s 192.168.1.0/24 -j ACCEPT

#FTP
iptables -A PREROUTING -t nat -p tcp -i $LAN_EXT --dport 21 -j DNAT --to-destination 192.168.1.19:21


Thanks for your help

Chasper
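A small audit script, added here and not part of either message, that reads an iptables-save style dump and flags exactly the gap Stu points out: a DNAT rule in nat/PREROUTING with no FORWARD rule that ACCEPTs state NEW for the forwarded host and port. The rule dump is constructed from Chasper's script (the SNAT address is a placeholder), and the fix line mirrors Stu's suggested FORWARD rule.

```python
import shlex
# Constructed iptables-save dump mirroring Chasper's script; SNAT address is a placeholder.
BROKEN = """\
*nat
-A PREROUTING -i eth0 -p tcp --dport 21 -j DNAT --to-destination 192.168.1.19:21
-A POSTROUTING -o eth0 -s 192.168.1.0/24 -j SNAT --to-source 198.51.100.2
COMMIT
*filter
-A FORWARD -i eth0 -m state --state RELATED,ESTABLISHED -j ACCEPT
-A FORWARD -i eth1 -s 192.168.1.0/24 -j ACCEPT
COMMIT
"""
# Stu's rule: NEW must be admitted, scoped to the forwarded host and port.
FIX = "-A FORWARD -i eth0 -o eth1 -p tcp -m state --state NEW,RELATED,ESTABLISHED -d 192.168.1.19 --dport 21 -j ACCEPT\n"

def parse_rules(text):
    """Yield (table, chain, argv) for each -A line of an iptables-save dump."""
    table = "filter"
    for line in text.splitlines():
        if line.startswith("*"):
            table = line[1:].strip()
        elif line.startswith("-A"):
            argv = shlex.split(line)
            yield table, argv[1], argv

def opt(argv, *names):
    """Value of the first option present among names, else None."""
    return next((argv[argv.index(n) + 1] for n in names if n in argv), None)

def covers(fwd, iface, host, port):
    """True if this FORWARD rule ACCEPTs *new* connections to the DNAT target."""
    state = opt(fwd, "--state", "--ctstate")
    return (opt(fwd, "-j") == "ACCEPT"
            and (state is None or "NEW" in state.split(","))
            and opt(fwd, "-i") in (None, iface)  # a rule bound to another -i never matches
            and opt(fwd, "-d") in (None, host, host + "/32")
            and opt(fwd, "--dport") in (None, port))

def find_unforwarded_dnat(text):
    """Return (host, port) DNAT targets that no FORWARD rule admits for NEW."""
    rules = list(parse_rules(text))
    forwards = [a for t, c, a in rules if t == "filter" and c == "FORWARD"]
    missing = []
    for table, chain, argv in rules:
        if table == "nat" and chain == "PREROUTING" and opt(argv, "-j") == "DNAT":
            host, _, port = opt(argv, "--to-destination", "--to").partition(":")
            port = port or opt(argv, "--dport")  # DNAT without :port keeps dport
            if not any(covers(f, opt(argv, "-i"), host, port) for f in forwards):
                missing.append((host, port))
    return missing
```

Run against `BROKEN` it reports `192.168.1.19:21` as forwarded by NAT but never accepted in FORWARD; with `FIX` inserted into the filter table the list is empty.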


