On Mon, Mar 7, 2011 at 7:36 PM, William L. Thomson Jr.
<[email protected]> wrote:
> On Mon, 2011-03-07 at 19:12 -0500, robert mckennon wrote:
>>
>> The ssh stuff is working, I can only ssh to the box from the private network,
>
> Ok
>
>> but if I try and ftp to the external adx (173.165.202.120) it times
>> out. (give it a try)
>
> Well all your iptables rules are to a different address, bit confused
> there. I assume you have something mapping the above address to the
> other specified in the iptables rules. Maybe you have the wrong
> destination address in the rules? You wanted 173.165.202.12 instead of
> 10.11.248.119.
>
> Also you might want PAT vs NAT
>
> iptables -t nat -A PREROUTING -i eth1 -d 173.165.202.120 -p TCP --dport 20:21
> -j DNAT --to 10.11.248.119
> iptables -t nat -A POSTROUTING -o eth1 -s 10.11.248.119 -j SNAT --to
> 173.165.202.120
>
> FYI your nat rule is using the wrong interface, it's using eth0, which is
> lan. You want to NAT lan to wan, so that would be eth1. NAT anything
> coming from lan/eth0, to wan/eth1 address.
>
> But that nat rule will let any machine masquerade, not just the FTP
> server. Also doesn't handle inbound translations, just outbound. You
> need the first rule above for inbound PAT/NAT. The outbound can be done
> either way. I just like to specify what LAN IP maps to what public/WAN
> IP. If you're dealing with an IP block will probably want that. Or to
> prevent machines you don't want from being able to reach the outside
> world.
>
> --
My WAN connection is Eth1 (173.165.202.120)
My LAN connection is Eth0 (10.11.248.75)
the ftp server's adx is 10.11.248.119
                    ____________
Internet---------->| Eth1  Eth0 |-------> FTP-server
                   |____________|
Darnit... forgot I switched eth0 and 1.... I'll change the script....
good catch...
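An added example, not code from either poster: a small POSIX sh script that emits the inbound PAT and outbound SNAT rules with the WAN/LAN roles passed explicitly, adds the FORWARD and FTP conntrack-helper pieces the thread leaves out, and checks that the interface named as WAN really carries the public address (the eth0/eth1 swap above). The function names and the sample `ip -4 -o addr` listing are constructed for this example.

```shell
#!/bin/sh
# Added example (not from the thread): print the NAT and filter rules for
# publishing one LAN FTP server on the WAN address, with interface roles
# passed explicitly. Topology from the thread: WAN eth1 173.165.202.120,
# LAN eth0, FTP server 10.11.248.119. Function names are this example's own.

# gen_ftp_nat_rules WAN_IF WAN_IP LAN_IF SERVER_IP : prints rules, applies nothing
gen_ftp_nat_rules() {
    wan_if=$1; wan_ip=$2; lan_if=$3; srv_ip=$4
    cat <<EOF
# Inbound PAT: only FTP ports, only on the WAN interface, only for the public address
iptables -t nat -A PREROUTING -i $wan_if -d $wan_ip -p tcp --dport 20:21 -j DNAT --to-destination $srv_ip
# Outbound: translate the FTP server alone, not every LAN host (no blanket MASQUERADE)
iptables -t nat -A POSTROUTING -o $wan_if -s $srv_ip -j SNAT --to-source $wan_ip
# DNAT'd packets still traverse FORWARD; with a DROP policy they need explicit accepts
iptables -A FORWARD -i $wan_if -o $lan_if -d $srv_ip -p tcp --dport 20:21 -m conntrack --ctstate NEW,ESTABLISHED -j ACCEPT
iptables -A FORWARD -i $wan_if -o $lan_if -d $srv_ip -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
iptables -A FORWARD -i $lan_if -o $wan_if -s $srv_ip -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
# Passive FTP negotiates a high data port that 20:21 never covers: the FTP conntrack
# helper must be loaded and, on kernels with automatic helper assignment off, bound to port 21
modprobe -a nf_conntrack_ftp nf_nat_ftp
iptables -t raw -A PREROUTING -i $wan_if -d $wan_ip -p tcp --dport 21 -j CT --helper ftp
EOF
}

# check_wan_iface WAN_IF WAN_IP  (reads "ip -4 -o addr" output on stdin)
# Guards against the eth0/eth1 swap from the thread: the interface named as WAN must
# actually carry the public address. The trailing "/" keeps .12 from matching .120.
check_wan_iface() {
    wan_if=$1; wan_ip=$2
    if grep -q "^[0-9]*: $wan_if  *inet $wan_ip/"; then
        echo ok
    else
        echo "MISMATCH: $wan_ip is not configured on $wan_if"
    fi
}

# Constructed sample of "ip -4 -o addr" output using the thread's addresses
SAMPLE_ADDRS='2: eth0    inet 10.11.248.75/24 brd 10.11.248.255 scope global eth0
3: eth1    inet 173.165.202.120/29 brd 173.165.202.127 scope global eth1'

demo() {
    printf '%s\n' "$SAMPLE_ADDRS" | check_wan_iface eth1 173.165.202.120   # ok
    printf '%s\n' "$SAMPLE_ADDRS" | check_wan_iface eth0 173.165.202.120   # MISMATCH (the swap)
    gen_ftp_nat_rules eth1 173.165.202.120 eth0 10.11.248.119
}
demo
```

Run it against the real `ip -4 -o addr` output first; only when the check prints ok do the printed rules belong on the router.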
---------------------------------------------------------------------
Archive http://marc.info/?l=jaxlug-list&r=1&w=2
RSS Feed http://www.mail-archive.com/[email protected]/maillist.xml
Unsubscribe [email protected]