
On Mon, 9 Dec 2002 10:02:33 +0900, Rai Ou wrote:

> My gateway (firewall) is Redhat Linux 7.1 and I can only get 1 dynamic
> IP from my provider.
> So I created the IP-MASQUERADE using iptables for my home-lan.
> 
> My target is "creating an FTP server at one of my home-lan
> machines (Redhat 7.2)". But now
> I found it can be run as an FTP client but can't be run as an FTP server
> because of the Data Connection Error.
> 
> I know the FTP protocol needs 2 connections (Control connection & Data
> connection)

Well, if you know that, here's food for thought without analyzing
your set of rules in depth:

  $ getent services ftp-data ftp 
  ftp-data              20/tcp
  ftp                   21/tcp

> so I loaded these
> modules at my firewall linux box:
> ---------------------------------------------------------------------------------------
> ip_nat_irc              4320   0  (unused)
> ip_nat_ftp              3760   0  (unused)
> ip_conntrack_irc        3040   0  (unused)
> ip_conntrack_ftp        2480   0  (unused)
> ipt_MASQUERADE          1712   1  (autoclean)
> ipt_state               1200   3  (autoclean)
> iptable_nat            16160   2  (autoclean) [ip_nat_irc ip_nat_ftp ipt_MASQUERADE]
> ip_conntrack           15824   4  (autoclean) [ip_nat_irc ip_nat_ftp ip_conntrack_irc ip_conntrack_ftp ipt_MASQUERADE ipt_state iptable_nat]
> iptable_filter          2304   0  (autoclean) (unused)
> ip_tables              11072   6  [ipt_MASQUERADE ipt_state iptable_nat iptable_filter]
> ---------------------------------------------------------------------------------------
> 
> and let me attach my firewall setting here:
> #-------------------------------
> # default INPUT/FORWARD policy
> #-------------------------------
> iptables -P INPUT DROP
> iptables -P FORWARD DROP
> #---------------------
> # clear the chains
> #---------------------
> iptables -F
> iptables -F -t nat
> iptables -X
> iptables -X -t nat
> #---------------------
> # make rule & chains
> #---------------------
> # Define the default INPUT/FORWARD rule.
> iptables -N default
> iptables -A default -m state --state ESTABLISHED,RELATED -j ACCEPT
> iptables -A default -m state --state NEW -i eth0 -j ACCEPT
> iptables -A default -m state --state NEW -i ! eth0 -j ACCEPT
> iptables -A default -j DROP
> # Use the default rule for the INPUT/FORWARD chains.
> iptables -A INPUT -j default
> iptables -A FORWARD -j default
> 
> # Define the pass chain and insert it into the FORWARD chain.
> # - telnet -
> iptables -t nat -A PREROUTING -i eth0 -d 219.105.XXX.XXX -p tcp --dport 10023 -j DNAT --to 192.168.0.128:23
> # - ftp -
> iptables -t nat -A PREROUTING -i eth0 -d 219.105.XXX.XXX -p tcp --dport 10021 -j DNAT --to 192.168.0.128:21
> iptables -N pass
> iptables -A pass -d 192.168.0.128 -p tcp --dport 23 -j ACCEPT
> iptables -A pass -d 192.168.0.128 -p tcp --dport 21 -j ACCEPT
> iptables -I FORWARD 1 -j pass
> 
> # Using the ipMASQUERADE at the POSTROUTING chain.
> iptables -t nat -A POSTROUTING -o eth0 -j MASQUERADE
> 
> 
> 
> Now I want to know the reason why I can't make the FTP data
> connection from
> the home-lan. Or... maybe it is an impossible mission???

See above.

Btw, re-posting a message to a mailing-list after 24 hours is a bad
habit. If you haven't got an answer after a week, consider making
your message more clear.

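The point the `getent` output hints at, worked through as an added example (this is not code from the thread): the FTP conntrack helper attaches to connections whose original destination port is 21, so a control connection that arrives on public port 10021 and is only afterwards DNAT'd to 192.168.0.128:21 never gets the helper, and the PASV/PORT data connection is never classified RELATED. The script assumes a 2.4-era kernel whose `ip_conntrack_ftp` and `ip_nat_ftp` modules accept a `ports=` parameter (as the poster's lsmod output suggests), `eth0` as the external interface, and the addresses from the thread; the `run` wrapper prints the commands instead of executing them when `DRY_RUN=1`.

```shell
#!/bin/sh
# Added example: publish an internal FTP server on a non-standard public
# port without losing connection tracking for the data channel.
# Assumptions: 2.4-era ip_conntrack_ftp/ip_nat_ftp with a ports= parameter,
# external interface eth0. Set DRY_RUN=1 to print commands instead of running.

run() {
    if [ "${DRY_RUN:-0}" = "1" ]; then
        printf '%s\n' "$*"
    else
        "$@"
    fi
}

# ftp_dnat_rules PUBLIC_IP SERVER_IP PUBLIC_PORT
ftp_dnat_rules() {
    pub_ip=$1; srv_ip=$2; pub_port=$3

    # The helper is chosen from the ORIGINAL destination port (before DNAT),
    # so it must know the public port in addition to the standard 21.
    run modprobe ip_conntrack_ftp ports=21,"$pub_port"
    run modprobe ip_nat_ftp ports=21,"$pub_port"

    # Control channel: public port -> internal server port 21.
    run iptables -t nat -A PREROUTING -i eth0 -d "$pub_ip" -p tcp \
        --dport "$pub_port" -j DNAT --to-destination "$srv_ip":21
    run iptables -A FORWARD -i eth0 -d "$srv_ip" -p tcp --dport 21 \
        -m state --state NEW -j ACCEPT

    # LAN hosts may still open new connections towards the Internet.
    run iptables -A FORWARD -o eth0 -m state --state NEW -j ACCEPT
    run iptables -t nat -A POSTROUTING -o eth0 -j MASQUERADE

    # Data channel (inbound PASV, outbound PORT) is RELATED to the tracked
    # control connection once the helper is attached; port 20 is not opened.
    run iptables -A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT

    # Anything else crossing the gateway is dropped.
    run iptables -A FORWARD -j DROP
}

if [ $# -eq 3 ]; then
    ftp_dnat_rules "$@"
fi
```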



-- 
redhat-list mailing list
unsubscribe mailto:[EMAIL PROTECTED]?subject=unsubscribe
https://listman.redhat.com/mailman/listinfo/redhat-list