On Tue, Nov 10, 2009 at 1:13 PM, narendran krishnan
<[email protected]> wrote:
> hi,
> We are trying to make a NAT box ready. The setup will be something like
> this: a gateway kind of computer (NAT box) is connected to the
> internet and 4-5 other computers are connected to this NAT box
> through a switch.

Your goal is a bit unclear. All ISP modems/routers do NAT anyway. What are you
trying to do?

> We intend to access the internet from the computers connected to the NAT
> box and do some basic stuff like browsing, FTP download, VoIP (SIP,
> H.323), peer-to-peer file sharing, etc.

What makes you think that all this is basic stuff?

Of course not.

VoIP is hard. FTP is very hard. Only browsing is basic.

> Searching the net, we managed to add the following masquerading rule
> after enabling IP forwarding:
> /sbin/iptables -A POSTROUTING -t nat -o eth1 -s 192.168.100.0/24 -d
> 0/0  -m state --state NEW,ESTABLISHED,RELATED -j MASQUERADE

What does this line do?

> After adding this rule we were able to do basic HTTP browsing.

As I said only this is basic.

> The NAT box is connected to the internet through a switch which also has
> another test server where the FTP server is running. When we try doing
> FTP from the internal computers to the FTP test server we face
> problems. When we use commands like "ls", "mget", etc., we were getting a
> "port illegal" error. Internet searches pointed to active and passive

Passive FTP is easier to get working but you will hit the same problem
with FTP and all VoIP applications.

It uses multiple ports and ports are decided dynamically. Getting
these working with NAT is a lot of work.

All commercial NAT boxes do the necessary jugglery.

But I am wondering what your end goal is.

The issue with FTP and SIP is that there is a separate TCP connection
necessary for operation after establishing the first connection, which is
rather trivial.

In the case of FTP, you first establish a control connection on port
21 and then you have a data connection which starts up a new TCP
connection. This is the problem.

This will not work across NAT (without reading the FTP payload).

Same issue with Windows PPTP.

Ditto with SIP.

SIP can also work with UDP, so you can get by with a technique called UDP
holepunching.

http://linuxjournal.com/9004

Anyway H.323 also needs special configuration.

Only web browsing is easy and basic.

> Though I understand this active and passive stuff,
> we are unable to determine the exact iptables rules to be added in the
> NAT box. Internet searches also mention this ALG ip_conntrack_ftp
> which needs to be loaded. What we need is clarity about the rules to
> be added and the modules to be loaded in the NAT box so that FTP (both
> active and passive mode) starts working. We also understand the
> potential security issues and would like to address those too.

What potential security issues?

Of giving applications access behind a NAT box? Nothing to worry about.

First try to get them working with the appropriate configurations.

One rule is not quite enough. You need multiple iptables rules.

OpenBSD pf is much simpler but you will have a learning curve.

-Girish


-- 
Gayatri Hitech
web: http://gayatri-hitech.com

SpamCheetah Spam filter:
http://spam-cheetah.com
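A rule set that puts the reply's advice (load the FTP conntrack helper, allow RELATED data connections, masquerade on the outside interface) into practice, added here as an example and not from either poster. It assumes eth1 is the internet-facing interface and eth0 the LAN side with 192.168.100.0/24, and only prints the commands unless APPLY=1 is set.

```shell
#!/bin/sh
# NAT box rules for active and passive FTP through iptables (added example).
# Assumed interfaces/network: WAN=eth1, LAN=eth0, LAN_NET=192.168.100.0/24.
WAN=eth1
LAN=eth0
LAN_NET=192.168.100.0/24

# Print each command unless APPLY=1, so the script can be reviewed first.
run() {
    if [ "${APPLY:-0}" = "1" ]; then "$@"; else echo "$*"; fi
}

load_ftp_helper() {
    # nf_conntrack_ftp parses PORT/PASV/227 replies on the control channel and
    # registers the expected data connection as RELATED; nf_nat_ftp rewrites
    # the private address in a PORT command to the NAT box's public address.
    # (ip_conntrack_ftp is the old 2.4/2.6 name of the same helper.)
    run modprobe nf_conntrack_ftp
    run modprobe nf_nat_ftp
    # Since kernel 4.7 helpers are not auto-attached to port 21; bind the
    # helper explicitly to control connections leaving the LAN.
    run iptables -t raw -A PREROUTING -i "$LAN" -p tcp --dport 21 -j CT --helper ftp
}

nat_rules() {
    run sysctl -w net.ipv4.ip_forward=1
    # Masquerade everything from the LAN that leaves on the WAN interface.
    run iptables -t nat -A POSTROUTING -o "$WAN" -s "$LAN_NET" -j MASQUERADE
    # LAN may open new connections outward.
    run iptables -A FORWARD -i "$LAN" -o "$WAN" -s "$LAN_NET" -j ACCEPT
    # Inbound only for established flows and helper-expected (RELATED) flows,
    # which is what lets the active-mode data connection from the server in.
    run iptables -A FORWARD -i "$WAN" -o "$LAN" -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
    # Everything else forwarded is dropped.
    run iptables -A FORWARD -j DROP
}

load_ftp_helper
nat_rules
```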