Hi Narendran,
On 11/10/2009 01:13 PM, narendran krishnan wrote:
> hi,
> We are trying to make a NAT box ready. The setup will be something like
> this - a gateway kind of computer (NAT box) is connected to the
> internet and 4-5 other computers are connected to this NAT box
> through a switch.
> We intend to access the internet from the computers connected to the NAT
> box and do some basic stuff like browsing, ftp download, voip (sip,
> h323), peer-to-peer file sharing etc..
Ignore Girish, he is just trying to scare you into thinking doing what you need
is some sort of complicated dark magic which is better done using OpenBSD.
It is not all that complicated, if you understand what you are doing.
> Searching the net, we managed to add the following masquerading rule
> after enabling ip forwarding:
> /sbin/iptables -A POSTROUTING -t nat -o eth1 -s 192.168.100.0/24 -d 0/0 -m state --state NEW,ESTABLISHED,RELATED -j MASQUERADE
> After adding this rule we are able to do basic HTTP browsing.
By this I assume that you have at least a basic understanding of how iptables
and NAT work.
> The NAT box is connected to the internet through a switch which also has
> another test server where the ftp server is running. When we try doing
> ftp from the internal computers to the ftp test server we face
> problems. When we use commands like "ls", "mget", etc.. we get a
> "port illegal" error. Internet searches pointed to active and passive
> mode issues in ftp. Though I understand this active and passive stuff,
> we are unable to determine the exact iptables rules to be added in the
> NAT box. Internet search also talks about this ALG ip_conntrack_ftp
> which needs to be loaded. What we need is clarity about the rules to
> be added and the modules to be loaded in the NAT box so that ftp (both
> active and passive mode) starts working.
You need to load the 'ip_conntrack_ftp' and 'ip_nat_ftp' modules and ...
iptables -A INPUT -p TCP -i eth1 --dport 21 -m state --state NEW -j ACCEPT
iptables -A INPUT -p ALL -i eth1 -m state --state ESTABLISHED,RELATED -j ACCEPT
iptables -A OUTPUT -p ALL -o eth1 -m state --state ESTABLISHED,RELATED -j ACCEPT
should do it (I think... this is untested, I just made that up with a quick look
at the docs).
However, the point is the ip_conntrack_ftp and ip_nat_ftp modules do all the
required heavy lifting for ftp that Girish alluded to in his mail.
For VoIP and P2P... although it can be done, NAT is not the most efficient thing
to do for these protocols. It would be better if you used port forwarding rather
than NAT. Look it up on Google and you should find the reasons and the solutions.
> We also understand the potential security issues and would like to address that too.
All of this and more is very well documented, please take some time off to read
the docs and come back with some more /specific/ questions:
http://www.netfilter.org/documentation/index.html
http://www.frozentux.net/iptables-tutorial/iptables-tutorial.html
cheers,
- steve
--
random non tech spiel: http://lonetwin.blogspot.com/
tech randomness: http://lonehacks.blogspot.com/
what i'm stumbling into: http://lonetwin.stumbleupon.com/
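Added example (not from the thread, and not Steve's or Narendran's rules): a minimal forwarding ruleset for the NAT box that makes active and passive FTP work for the internal hosts while relying on the ip_conntrack_ftp / ip_nat_ftp helpers for the data connection. It assumes eth0 faces the 192.168.100.0/24 LAN and eth1 (as in the thread) faces the internet; the commands are printed for review and only executed when APPLY=1.

```shell
#!/bin/sh
# Added example, not from the thread. Assumed layout: LAN_IF faces the
# 192.168.100.0/24 LAN, WAN_IF faces the internet. Module names are the
# 2.6-era ones from the thread; on current kernels they are
# nf_conntrack_ftp and nf_nat_ftp.
LAN_IF=${LAN_IF:-eth0}
WAN_IF=${WAN_IF:-eth1}
LAN_NET=${LAN_NET:-192.168.100.0/24}

# Print the commands rather than run them, so they can be reviewed first.
# Why this is enough for both FTP modes: ip_conntrack_ftp watches the
# port-21 control connection and registers an "expectation" for the data
# connection announced by PORT (active) or PASV (passive); ip_nat_ftp
# rewrites the private address inside PORT so the server connects back to
# the NAT box. Either data connection then matches --state RELATED, so
# no port 20/21 or port range is ever opened inbound to the LAN.
nat_box_rules() {
    cat <<EOF
sysctl -w net.ipv4.ip_forward=1
modprobe ip_conntrack_ftp
modprobe ip_nat_ftp
iptables -t nat -A POSTROUTING -o $WAN_IF -s $LAN_NET -j MASQUERADE
iptables -P FORWARD DROP
iptables -A FORWARD -i $LAN_IF -o $WAN_IF -s $LAN_NET -m state --state NEW,ESTABLISHED,RELATED -j ACCEPT
iptables -A FORWARD -i $WAN_IF -o $LAN_IF -d $LAN_NET -m state --state ESTABLISHED,RELATED -j ACCEPT
EOF
}

# Sanity check run before applying: no FORWARD rule may accept NEW
# connections arriving on the WAN side. Returns 0 when the set is clean.
check_no_inbound_new() {
    ! nat_box_rules | grep -- "-i $WAN_IF" | grep -q 'NEW'
}

# Apply with:  APPLY=1 sh nat-ftp.sh   (needs root).
if [ "${APPLY:-0}" = 1 ]; then
    check_no_inbound_new || { echo "refusing: inbound NEW rule present" >&2; exit 1; }
    nat_box_rules | sh -e
fi
```

Without APPLY=1 the script only prints the ruleset, which is the version to paste into your own startup script once you have checked the interface names.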