Re: iptables, ftp and dnat?
Robert L. Harris on 05/12/08 20:35, wrote:
>> Can I suggest something like this
>>
>> # one catch all for all related and established connection
>> # as defined by connection tracking
>> iptables -I INPUT RELATED,ESTABLISHED -j ACCEPT
>> iptables -A INPUT -p tcp --dport 21 -m state --state NEW -j ACCEPT
>> iptables -A FORWARD -p tcp --dport 21 -m state --state NEW -j ACCEPT
>> iptables -t nat -A PREROUTING -p tcp --dport 21 -j DNAT --to 10.1.1.32:21
>>
>> I am not sure if you need the other ports for active as the conn track
>> module should handle that for you (works on outgoing, not 100% sure on
>> incoming).
>>
>> You need the forward statement; you could add a -d 10.1.1.32, because the
>> DNAT makes it a routed packet.
>>
>> you can test this with
>>
>> tcpdump -pni <interface> port 21 or host <host ip>
>>
>> alex
>
> Using your rule I get this:
>
> iptables v1.4.1.1: Invalid rule number `RELATED,ESTABLISHED'
> Try `iptables -h' or 'iptables --help' for more information.
>
> Commenting it out, everything looks good until after I log in and try to
> do an ls when it returns:
>
> ftp> ls
> 227 Entering Passive Mode (10,1,1,32,205,208).
>
> Then nothing.

I think Alex just forgot the '--state'. Try this:

# Allow all ESTABLISHED and RELATED
iptables -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
iptables -A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT

# use this for some logging of what you drop:
iptables -A INPUT -j LOG --log-prefix "dropped from INPUT"
iptables -A FORWARD -j LOG --log-prefix "dropped from FORWARD"

# change policies of INPUT and FORWARD to DROP
iptables -P INPUT DROP
iptables -P FORWARD DROP

Plus I agree with Anoop about the ICMP - you don't want to drop that stuff, it will cause chaos. Took me ages to figure it out.

I use this:

# Work around for stupid websites blocking ICMP (just for normal surfing)
iptables -t mangle -A FORWARD -p tcp --tcp-flags SYN,RST SYN -j TCPMSS --clamp-mss-to-pmtu

# Allow ICMP for frag notification
# --icmp-type 8 = ping
iptables -t filter -A INPUT -p icmp -s 0/0 -d $ip_eth2 -m state --state NEW -j ACCEPT
Re: iptables, ftp and dnat?
Tommy Bongaerts wrote:
> On Fri, Dec 05, 2008 at 03:30:19PM -0700, Robert L. Harris wrote:
>> I've read both of those and understand how the ftp works. I've spent the
>> last 2 days googling. Unfortunately it's all working now except how to get
>> the iptables data connection in passive mode working. I can log in, etc
>> just fine but when I do a ls after issuing the passive command it times
>> out. The second example looks good but doesn't handle the DNAT (the ftp
>> server is running on another machine behind my firewall).
>
> It hangs after ls? Sounds like your data traffic gets jammed somehow.
> Some things to consider:
> - did you open up the data port (this is control port minus 1)?
> - did you open some ports for the passive connection?
> - did you tell this to your server?
> - does the NAT machine translate the ftp packets properly?
>
> If you're using proftpd you may try to set the following directives in the
> config:
>
> PassivePorts <range>
> MasqueradeAddress <wan IP NAT/firewall machine>
>
> I had the exact same problem, and this fixed it for me.

I'm not doing any outbound blocking and I'm trying to figure out the syntax for the data port now. What I have is a real mess and not working.

In Proftpd I have tried the PassivePorts but it seems to be ignored, but the Masq directive is being picked up. I have this in my config:

# These ports should be safe...
PassivePorts 6 65535

When I connect I'm getting this on the server side:

{0}:/home/robert> lsof -i -n | grep -i ftp
proftpd 568 nobody 0u IPv4 447049808 TCP *:ftp (LISTEN)
proftpd 578 robert 0u IPv4 447049865 TCP 10.1.1.32:ftp->98.244.36.35:41893 (ESTABLISHED)
proftpd 578 robert 1u IPv4 447049865 TCP 10.1.1.32:ftp->98.244.36.35:41893 (ESTABLISHED)

Can you paste me your data port lines? If I can get either dynamic ports working or limited ports, I'll work with it.

Robert

-- 
Robert L. Harris | GPG Key ID: E344DA3B @ x-hkp://pgp.mit.edu
Re: iptables, ftp and dnat?
> It hangs after ls? Sounds like your data traffic gets jammed somehow.

I know I'm jumping in halfway thru the conversation so this might have already been mentioned. But you may want to check if the firewall is blocking ICMP packets, preventing PMTU from being figured out correctly. The scenario you're describing sounds too much like the case of 'Fragmentation needed but DF flag is set'. Letting the right ICMP packets (4/3, I believe) thru in your firewall usually solves these problems.

anoop.
Re: iptables, ftp and dnat?
On Fri, Dec 05, 2008 at 03:30:19PM -0700, Robert L. Harris wrote:
[snip]
>> here is another link http://www.cyberciti.biz/faq/iptables-open-ftp-port-21/
>> (again google). My strength is in iptables not ftp (which is the reason for
>> googling :) )
>>
>> Also anything to do with iptables and firewalls you should probably read a
>> tutorial on iptables
>
> I've read both of those and understand how the ftp works. I've spent the
> last 2 days googling. Unfortunately it's all working now except how to get
> the iptables data connection in passive mode working. I can log in, etc
> just fine but when I do a ls after issuing the passive command it times
> out. The second example looks good but doesn't handle the DNAT (the ftp
> server is running on another machine behind my firewall).

What I do to track down iptables problems is (if you have access to all 3 machines: client, server and firewall) dump on all 3 machines, something like

tcpdump -pni eth? -s 1500 -w /tmp/trace.dmp host <client ip> and host <server ip>

client and server ip will vary depending on which machine you are on (natting).

Also just before the drop statement in your iptables chain, put a line which logs the packets. This way you can see what is going on and create some rules to fix it.

But maybe another solution is to use a ftp proxy? (ftp-proxy) - never used it - to get around the active/passive port problem.

> Robert
Re: iptables, ftp and dnat?
On Fri, Dec 05, 2008 at 03:30:19PM -0700, Robert L. Harris wrote:
> I've read both of those and understand how the ftp works. I've spent the
> last 2 days googling. Unfortunately it's all working now except how to get
> the iptables data connection in passive mode working. I can log in, etc
> just fine but when I do a ls after issuing the passive command it times
> out. The second example looks good but doesn't handle the DNAT (the ftp
> server is running on another machine behind my firewall).

It hangs after ls? Sounds like your data traffic gets jammed somehow.

Some things to consider:
- did you open up the data port (this is control port minus 1)?
- did you open some ports for the passive connection?
- did you tell this to your server?
- does the NAT machine translate the ftp packets properly?

If you're using proftpd you may try to set the following directives in the config:

PassivePorts <range>
MasqueradeAddress <wan IP NAT/firewall machine>

I had the exact same problem, and this fixed it for me.
Re: iptables, ftp and dnat?
On Fri, Dec 5, 2008 at 12:35 PM, Robert L. Harris [EMAIL PROTECTED] wrote:
> Help...
>
> I have the following in my firewall startup script:
>
> ...
>
> I am trying to forward public internet ftp traffic to a machine behind my
> firewall. Anyone have this working? Mine is failing and I have no real
> debug info to explain why
>
> Robert

Before accusing the firewall, is ip forwarding turned on in /etc/sysctl.con ?

Stuart
Re: iptables, ftp and dnat?
On Fri, Dec 5, 2008 at 12:52 PM, S Scharf [EMAIL PROTECTED] wrote:
> On Fri, Dec 5, 2008 at 12:35 PM, Robert L. Harris [EMAIL PROTECTED] wrote:
>> Help...
>>
>> I have the following in my firewall startup script:
>>
>> ...
>>
>> I am trying to forward public internet ftp traffic to a machine behind my
>> firewall. Anyone have this working? Mine is failing and I have no real
>> debug info to explain why
>>
>> Robert
>
> Before accusing the firewall, is ip forwarding turned on in /etc/sysctl.con ?
>
> Stuart

Oops, that should be /etc/sysctl.conf

Stuart
Re: iptables, ftp and dnat?
Yes it is, and I am successfully routing port 80/http to a different server behind the firewall just fine.

S Scharf wrote:
> On Fri, Dec 5, 2008 at 12:52 PM, S Scharf [EMAIL PROTECTED] wrote:
>> On Fri, Dec 5, 2008 at 12:35 PM, Robert L. Harris [EMAIL PROTECTED] wrote:
>>> Help...
>>>
>>> I have the following in my firewall startup script:
>>>
>>> ...
>>>
>>> I am trying to forward public internet ftp traffic to a machine behind my
>>> firewall. Anyone have this working? Mine is failing and I have no real
>>> debug info to explain why
>>>
>>> Robert
>>
>> Before accusing the firewall, is ip forwarding turned on in /etc/sysctl.con ?
>>
>> Stuart
>
> Oops, that should be /etc/sysctl.conf
>
> Stuart

Robert L. Harris
Re: iptables, ftp and dnat?
On Fri, Dec 05, 2008 at 10:35:47AM -0700, Robert L. Harris wrote:
> Help...
>
> I have the following in my firewall startup script:
>
> /sbin/modprobe nf_conntrack_ftp
> $IPTABLES -A INPUT -p tcp --dport 21 -m state --state NEW,ESTABLISHED -j ACCEPT
> $IPTABLES -A PREROUTING -t nat -p tcp -i $IFACE --dport 21 -j DNAT --to 10.1.1.32:21
> $IPTABLES -A OUTPUT -p tcp --dport 21 -m state --state NEW,ESTABLISHED -j ACCEPT
>
> # Active
> $IPTABLES -A INPUT -p tcp --sport 20 -m state --state ESTABLISHED,RELATED -j ACCEPT
> $IPTABLES -A PREROUTING -t nat -p tcp -i $IFACE --sport 20 -j DNAT --to 10.1.1.32:20
> $IPTABLES -A OUTPUT -p tcp --dport 20 -m state --state ESTABLISHED -j ACCEPT
>
> # Passive
> $IPTABLES -A INPUT -p tcp --sport 1024: --dport 1024: -m state --state ESTABLISHED -j ACCEPT
> $IPTABLES -A PREROUTING -t nat -p tcp -i $IFACE --dport 1024: -j DNAT --to 10.1.1.32
> $IPTABLES -A OUTPUT -p tcp --sport 1024: --dport 1024: -m state --state ESTABLISHED,RELATED -j ACCEPT

Can I suggest something like this

# one catch all for all related and established connection
# as defined by connection tracking
iptables -I INPUT RELATED,ESTABLISHED -j ACCEPT
iptables -A INPUT -p tcp --dport 21 -m state --state NEW -j ACCEPT
iptables -A FORWARD -p tcp --dport 21 -m state --state NEW -j ACCEPT
iptables -t nat -A PREROUTING -p tcp --dport 21 -j DNAT --to 10.1.1.32:21

I am not sure if you need the other ports for active as the conn track module should handle that for you (works on outgoing, not 100% sure on incoming).

You need the forward statement; you could add a -d 10.1.1.32, because the DNAT makes it a routed packet.

you can test this with

tcpdump -pni <interface> port 21 or host <host ip>

alex

> I am trying to forward public internet ftp traffic to a machine behind my
> firewall. Anyone have this working? Mine is failing and I have no real
> debug info to explain why
>
> Robert
Re: iptables, ftp and dnat?
On Fri, 2008-12-05 at 18:35 +0100, Robert L. Harris wrote:
> From: Robert L. Harris [EMAIL PROTECTED]
> To: debian-user@lists.debian.org
> Subject: iptables, ftp and dnat?
> Date: Fri, 5 Dec 2008 18:35:47 +0100 (19:35 EET)
>
> Help...
>
> I have the following in my firewall startup script:
>
> I am trying to forward public internet ftp traffic to a machine behind my
> firewall. Anyone have this working? Mine is failing and I have no real
> debug info to explain why
>
> Robert

Did you think about that FTP re-connects back? Hence, use passive FTP:

$ ftp -p some.domain

Best,
Rob
Re: iptables, ftp and dnat?
Alex Samad wrote:
> On Fri, Dec 05, 2008 at 10:35:47AM -0700, Robert L. Harris wrote:
>> Help...
>>
>> I have the following in my firewall startup script:
>>
>> /sbin/modprobe nf_conntrack_ftp
>> $IPTABLES -A INPUT -p tcp --dport 21 -m state --state NEW,ESTABLISHED -j ACCEPT
>> $IPTABLES -A PREROUTING -t nat -p tcp -i $IFACE --dport 21 -j DNAT --to 10.1.1.32:21
>> $IPTABLES -A OUTPUT -p tcp --dport 21 -m state --state NEW,ESTABLISHED -j ACCEPT
>>
>> # Active
>> $IPTABLES -A INPUT -p tcp --sport 20 -m state --state ESTABLISHED,RELATED -j ACCEPT
>> $IPTABLES -A PREROUTING -t nat -p tcp -i $IFACE --sport 20 -j DNAT --to 10.1.1.32:20
>> $IPTABLES -A OUTPUT -p tcp --dport 20 -m state --state ESTABLISHED -j ACCEPT
>>
>> # Passive
>> $IPTABLES -A INPUT -p tcp --sport 1024: --dport 1024: -m state --state ESTABLISHED -j ACCEPT
>> $IPTABLES -A PREROUTING -t nat -p tcp -i $IFACE --dport 1024: -j DNAT --to 10.1.1.32
>> $IPTABLES -A OUTPUT -p tcp --sport 1024: --dport 1024: -m state --state ESTABLISHED,RELATED -j ACCEPT
>
> Can I suggest something like this
>
> # one catch all for all related and established connection
> # as defined by connection tracking
> iptables -I INPUT RELATED,ESTABLISHED -j ACCEPT
> iptables -A INPUT -p tcp --dport 21 -m state --state NEW -j ACCEPT
> iptables -A FORWARD -p tcp --dport 21 -m state --state NEW -j ACCEPT
> iptables -t nat -A PREROUTING -p tcp --dport 21 -j DNAT --to 10.1.1.32:21
>
> I am not sure if you need the other ports for active as the conn track
> module should handle that for you (works on outgoing, not 100% sure on
> incoming).
>
> You need the forward statement; you could add a -d 10.1.1.32, because the
> DNAT makes it a routed packet.
>
> you can test this with
>
> tcpdump -pni <interface> port 21 or host <host ip>
>
> alex

Using your rule I get this:

iptables v1.4.1.1: Invalid rule number `RELATED,ESTABLISHED'
Try `iptables -h' or 'iptables --help' for more information.

Commenting it out, everything looks good until after I log in and try to do an ls when it returns:

ftp> ls
227 Entering Passive Mode (10,1,1,32,205,208).

Then nothing.

Robert L. Harris
Re: iptables, ftp and dnat?
On Fri, Dec 05, 2008 at 01:35:25PM -0700, Robert L. Harris wrote:
> Alex Samad wrote:
>> On Fri, Dec 05, 2008 at 10:35:47AM -0700, Robert L. Harris wrote:
>>> Help...
>>>
>>> I have the following in my firewall startup script:
>>>
>>> /sbin/modprobe nf_conntrack_ftp
>>> $IPTABLES -A INPUT -p tcp --dport 21 -m state --state NEW,ESTABLISHED -j ACCEPT
>>> $IPTABLES -A PREROUTING -t nat -p tcp -i $IFACE --dport 21 -j DNAT --to 10.1.1.32:21
>>> $IPTABLES -A OUTPUT -p tcp --dport 21 -m state --state NEW,ESTABLISHED -j ACCEPT
>>>
>>> # Active
>>> $IPTABLES -A INPUT -p tcp --sport 20 -m state --state ESTABLISHED,RELATED -j ACCEPT
>>> $IPTABLES -A PREROUTING -t nat -p tcp -i $IFACE --sport 20 -j DNAT --to 10.1.1.32:20
>>> $IPTABLES -A OUTPUT -p tcp --dport 20 -m state --state ESTABLISHED -j ACCEPT
>>>
>>> # Passive
>>> $IPTABLES -A INPUT -p tcp --sport 1024: --dport 1024: -m state --state ESTABLISHED -j ACCEPT
>>> $IPTABLES -A PREROUTING -t nat -p tcp -i $IFACE --dport 1024: -j DNAT --to 10.1.1.32
>>> $IPTABLES -A OUTPUT -p tcp --sport 1024: --dport 1024: -m state --state ESTABLISHED,RELATED -j ACCEPT
>>
>> Can I suggest something like this
>>
>> # one catch all for all related and established connection
>> # as defined by connection tracking
>> iptables -I INPUT RELATED,ESTABLISHED -j ACCEPT
>> iptables -A INPUT -p tcp --dport 21 -m state --state NEW -j ACCEPT
>> iptables -A FORWARD -p tcp --dport 21 -m state --state NEW -j ACCEPT
>> iptables -t nat -A PREROUTING -p tcp --dport 21 -j DNAT --to 10.1.1.32:21
>>
>> I am not sure if you need the other ports for active as the conn track
>> module should handle that for you (works on outgoing, not 100% sure on
>> incoming).
>>
>> You need the forward statement; you could add a -d 10.1.1.32, because the
>> DNAT makes it a routed packet.
>>
>> you can test this with
>>
>> tcpdump -pni <interface> port 21 or host <host ip>
>>
>> alex
>
> Using your rule I get this:
>
> iptables v1.4.1.1: Invalid rule number `RELATED,ESTABLISHED'
> Try `iptables -h' or 'iptables --help' for more information.

oops, early morning emailing, forgot the -m state --state:

iptables -I INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT

> Commenting it out, everything looks good until after I log in and try to
> do an ls when it returns:
>
> ftp> ls
> 227 Entering Passive Mode (10,1,1,32,205,208).
>
> Then nothing.

you can use 2 methods to track it down: tcpdump on the outside and the inside interface, or -j LOG statements to see what is getting dropped/rejected (maybe first try again with the related/established line working).
Re: iptables, ftp and dnat?
> iptables -I INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
>
>> Commenting it out, everything looks good until after I log in and try to
>> do an ls when it returns:
>>
>> ftp> ls
>> 227 Entering Passive Mode (10,1,1,32,205,208).
>>
>> Then nothing.

I've configured my ftp server to use a specific, small range of ports for passive mode data, then poked a hole in the iptables filter for them. What you're describing sounds like the reason I did that...

-- 
Glenn English
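A check for the 227 reply quoted above and for the restricted PassivePorts range Glenn describes, as an added example that is not code from the thread, from proftpd or from netfilter: it decodes the reply the way the client does and flags the two ways the data connection hangs behind DNAT, an RFC 1918 address leaking through unrewritten, or a data port outside the range the firewall has opened. The WAN address 203.0.113.10 and the range 60000-65535 are assumed values.

```python
"""Check a passive-mode FTP 227 reply the way an Internet client would see it
after DNAT. Added example for this thread, not code from the posters, proftpd
or netfilter; the WAN address and port range below are assumed values."""
import ipaddress
import re
from dataclasses import dataclass

# RFC 1918 space. A server behind NAT must not advertise one of these: only
# nf_nat_ftp (or proftpd's MasqueradeAddress) rewriting the 227 reply lets an
# outside client reach the data port. ipaddress.is_private is wider (it also
# covers documentation ranges), so the three NAT-relevant blocks are listed.
RFC1918 = [ipaddress.ip_network(n)
           for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

# "227 Entering Passive Mode (h1,h2,h3,h4,p1,p2)." as defined in RFC 959 4.1.2
PASV_RE = re.compile(
    r"^227\b.*?\((\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3})\)")


@dataclass
class PasvTarget:
    host: str
    port: int


def parse_pasv(reply):
    """Decode the six comma-separated fields into a host and a 16-bit port."""
    m = PASV_RE.match(reply.strip())
    if not m:
        raise ValueError("not a 227 reply: %r" % reply)
    fields = [int(x) for x in m.groups()]
    if any(f > 255 for f in fields):
        raise ValueError("field out of range in %r" % reply)
    host = ".".join(str(f) for f in fields[:4])
    port = fields[4] * 256 + fields[5]      # p1 is the high byte
    if port == 0:
        raise ValueError("data port 0 is not usable")
    return PasvTarget(host, port)


def diagnose(reply, wan_ip, passive_range):
    """Return the reasons the data connection would hang; empty list means OK.

    wan_ip is the firewall's public address that the client used for the
    control channel; passive_range is the (low, high) PassivePorts window the
    server is configured with and the firewall has opened.
    """
    target = parse_pasv(reply)
    addr = ipaddress.ip_address(target.host)
    problems = []
    if any(addr in net for net in RFC1918):
        problems.append("advertised address %s is RFC 1918: the PASV reply was "
                        "not rewritten by NAT" % target.host)
    elif target.host != wan_ip:
        problems.append("advertised address %s differs from control-channel "
                        "address %s" % (target.host, wan_ip))
    low, high = passive_range
    if not low <= target.port <= high:
        problems.append("data port %d is outside the opened range %d-%d"
                        % (target.port, low, high))
    return problems


# Constructed sample input: the reply quoted in the thread, and the same reply
# as it should look once rewritten to the (assumed) WAN address and range.
LEAKED_REPLY = "227 Entering Passive Mode (10,1,1,32,205,208)."
FIXED_REPLY = "227 Entering Passive Mode (203,0,113,10,234,96)."
WAN_IP = "203.0.113.10"
PASSIVE_RANGE = (60000, 65535)

if __name__ == "__main__":
    for reply in (LEAKED_REPLY, FIXED_REPLY):
        t = parse_pasv(reply)
        print("%s -> %s:%d %s" % (reply, t.host, t.port,
                                   diagnose(reply, WAN_IP, PASSIVE_RANGE) or "OK"))
```

The leaked reply decodes to 10.1.1.32:52688, which is exactly the address an outside client cannot reach; once the data port is rewritten into the opened range the check comes back clean.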
Re: iptables, ftp and dnat?
Hi

You should try and keep this on list

Alex

On Fri, Dec 05, 2008 at 02:17:42PM -0700, Robert L. Harris wrote:
[snip]
> I've updated my rules to this:
>
> #
> # allow ftpd
> HARVARD=10.1.1.32
> /sbin/modprobe nf_conntrack_ftp
>
> # General
> iptables -I INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
> iptables -A INPUT -p tcp --dport 21 -m state --state NEW -j ACCEPT
> iptables -A FORWARD -p tcp --dport 21 -m state --state NEW -j ACCEPT
> iptables -t nat -A PREROUTING -p tcp --dport 21 -j DNAT --to 10.1.1.32:21
>
> I think I confused myself though, do I need the other rules I had for
> port 20 or will the first INPUT rule above cover that?

have a look here http://slacksite.com/other/ftp.html (quick google on ftp ports). It shows you how the ports are used for ftp. The ftp conntrack module that you were loading previously should handle the related ports and allow them through; what I am not sure about is whether it will handle the dnat'ing of those ports. But then again you could specify passive ftp only.

here is another link http://www.cyberciti.biz/faq/iptables-open-ftp-port-21/ (again google). My strength is in iptables not ftp (which is the reason for googling :) )

Also anything to do with iptables and firewalls you should probably read a tutorial on iptables

> Thank you for your help, I've not done anything this complex with iptables
> before.
>
> Robert
Re: iptables, ftp and dnat?
Alex Samad wrote:
> Hi
>
> You should try and keep this on list

Sorry, hit reply instead of reply all.

> Alex
>
> On Fri, Dec 05, 2008 at 02:17:42PM -0700, Robert L. Harris wrote:
> [snip]
>> I've updated my rules to this:
>>
>> #
>> # allow ftpd
>> HARVARD=10.1.1.32
>> /sbin/modprobe nf_conntrack_ftp
>>
>> # General
>> iptables -I INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
>> iptables -A INPUT -p tcp --dport 21 -m state --state NEW -j ACCEPT
>> iptables -A FORWARD -p tcp --dport 21 -m state --state NEW -j ACCEPT
>> iptables -t nat -A PREROUTING -p tcp --dport 21 -j DNAT --to 10.1.1.32:21
>>
>> I think I confused myself though, do I need the other rules I had for
>> port 20 or will the first INPUT rule above cover that?
>
> have a look here http://slacksite.com/other/ftp.html (quick google on ftp
> ports). It shows you how the ports are used for ftp. The ftp conntrack
> module that you were loading previously should handle the related ports
> and allow them through; what I am not sure about is whether it will handle
> the dnat'ing of those ports. But then again you could specify passive ftp
> only.
>
> here is another link http://www.cyberciti.biz/faq/iptables-open-ftp-port-21/
> (again google). My strength is in iptables not ftp (which is the reason for
> googling :) )
>
> Also anything to do with iptables and firewalls you should probably read a
> tutorial on iptables

I've read both of those and understand how the ftp works. I've spent the last 2 days googling. Unfortunately it's all working now except how to get the iptables data connection in passive mode working. I can log in, etc just fine but when I do a ls after issuing the passive command it times out. The second example looks good but doesn't handle the DNAT (the ftp server is running on another machine behind my firewall).

Robert L. Harris