I have been googling all day trying to sort this out. I have an
iptables gateway. I can connect to outside FTP servers from the gateway
using either active or passive by using the ESTABLISHED,RELATED
matching rule. I can also use active from any of the masqueraded boxes
to walk around the dir tree, but cannot download anything. I cannot use
passive to even get a file listing.
I use a very tight set of egress rules because some boxes on the
network will be Windows boxes, so only certain ports are allowed out.
However, the ip_nat_ftp module (which is loaded) is supposed to allow
for connection tracking over NAT, but I cannot seem to sort out the
correct command to allow it. All examples I have found via google, and
the BLFS book itself, seem to assume no egress filtering or assume
opening up a limited set of arbitrary high ports and setting the ftp
client to use those ports (which essentially makes those ports wide
open to anything wanting to get out of the firewall). Neither of those
two methods is acceptable.
Here are the relevant rules (IPT=/sbin/iptables):
# replies and helper-expected (RELATED) connections, in all three chains
$IPT -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
$IPT -A OUTPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
$IPT -A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT
# FTP control channel: from the gateway itself, and forwarded from the LAN
$IPT -A OUTPUT -o eth0 -p tcp --dport 21 -j ACCEPT
$IPT -A FORWARD -i eth1 -p tcp --dport 21 -j ACCEPT
# masquerade everything leaving on the outside interface
$IPT -t nat -A POSTROUTING -o eth0 -j MASQUERADE
Can someone suggest what sort of rule construct I need or where to look
for this specific scenario?
Thanks!
--
http://linuxfromscratch.org/mailman/listinfo/blfs-support
FAQ: http://www.linuxfromscratch.org/blfs/faq.html
Unsubscribe: See the above information page
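The rule construct the post asks about, as an added example that is not part of the original message, the BLFS book or any reply on the list: a stateful FTP egress policy for a masquerading gateway that opens only the control port and admits every data channel, active or passive, solely through the RELATED state produced by the FTP connection-tracking helper, plus a check that the helper is actually loaded (ip_nat_ftp alone only rewrites the control channel; it is ip_conntrack_ftp that parses PORT/PASV and creates the RELATED expectations). Interface names eth0 (outside) and eth1 (LAN) are taken from the post; the IPT and MODPROBE variables, the function names and the sample module listing used in the check are this example's own.

```shell
#!/bin/sh
# Added example (not from the post or the BLFS book): stateful FTP egress for a
# masquerading gateway, with a check that the FTP conntrack helper is loaded.
# Interface names follow the post: eth0 outside, eth1 LAN.  IPT and MODPROBE
# default to "echo ..." so the script can be dry-run as an ordinary user; set
# IPT=/sbin/iptables MODPROBE=/sbin/modprobe to apply the rules for real.
IPT=${IPT:-"echo /sbin/iptables"}
MODPROBE=${MODPROBE:-"echo /sbin/modprobe"}
WAN=${WAN:-eth0}
LAN=${LAN:-eth1}

# ip_nat_ftp only rewrites addresses inside the control channel.  It is
# ip_conntrack_ftp that parses PORT/PASV and marks the resulting data
# connections RELATED, so both must be present.  Kernels newer than the
# post's era name them nf_conntrack_ftp / nf_nat_ftp.
load_ftp_helpers() {
    for m in ip_conntrack_ftp ip_nat_ftp; do
        $MODPROBE "$m"
    done
}

# Return 0 if an FTP conntrack helper appears in a /proc/modules-style
# listing.  A listing file can be passed explicitly for an offline check.
ftp_helper_loaded() {
    modlist=${1:-/proc/modules}
    [ -r "$modlist" ] && grep -Eq '^(ip|nf)_conntrack_ftp ' "$modlist"
}

# Egress policy: only the control channel (port 21) is opened explicitly.
# Data channels, active or passive, are admitted solely through the RELATED
# state the helper produces, so no range of high ports is ever left open.
ftp_egress_rules() {
    # Replies and helper-expected data connections, in every direction.
    $IPT -A INPUT   -m state --state ESTABLISHED,RELATED -j ACCEPT
    $IPT -A OUTPUT  -m state --state ESTABLISHED,RELATED -j ACCEPT
    $IPT -A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT
    # New FTP control connections: from the gateway itself and from the LAN.
    $IPT -A OUTPUT  -o "$WAN" -p tcp --dport 21 -m state --state NEW -j ACCEPT
    $IPT -A FORWARD -i "$LAN" -o "$WAN" -p tcp --dport 21 -m state --state NEW -j ACCEPT
    # Masquerade everything leaving on the outside interface.
    $IPT -t nat -A POSTROUTING -o "$WAN" -j MASQUERADE
}

# On kernels where automatic helper assignment is disabled (the default on
# recent kernels), the control channel must be handed to the ftp helper
# explicitly in the raw table, or no data connection is ever marked RELATED.
assign_ftp_helper() {
    $IPT -t raw -A PREROUTING -i "$LAN" -p tcp --dport 21 -j CT --helper ftp
    $IPT -t raw -A OUTPUT     -o "$WAN" -p tcp --dport 21 -j CT --helper ftp
}

load_ftp_helpers
ftp_egress_rules
assign_ftp_helper
```

Run it once without variables to see the generated commands, then `ftp_helper_loaded || echo "FTP helper not loaded"` on the gateway; if the helper is missing, the RELATED rules match nothing for FTP data and only the directory listing (which travels over the control channel in active mode) appears to work. On the kernels of the post's era `load_ftp_helpers` is all that is needed; `assign_ftp_helper` is for newer kernels where automatic helper assignment is off.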