On Fri, Dec 05, 2008 at 01:35:25PM -0700, Robert L. Harris wrote:
> -----BEGIN PGP SIGNED MESSAGE-----
> Hash: SHA1
>
> Alex Samad wrote:
> > On Fri, Dec 05, 2008 at 10:35:47AM -0700, Robert L. Harris wrote:
> >
> > Help... I have the following in my firewall startup script:
> >
> > /sbin/modprobe nf_conntrack_ftp
> > $IPTABLES -A INPUT -p tcp --dport 21 -m state --state NEW,ESTABLISHED -j ACCEPT
> > $IPTABLES -A PREROUTING -t nat -p tcp -i $IFACE --dport 21 -j DNAT --to 10.1.1.32:21
> > $IPTABLES -A OUTPUT -p tcp --dport 21 -m state --state NEW,ESTABLISHED -j ACCEPT
> > # Active
> > $IPTABLES -A INPUT -p tcp --sport 20 -m state --state ESTABLISHED,RELATED -j ACCEPT
> > $IPTABLES -A PREROUTING -t nat -p tcp -i $IFACE --sport 20 -j DNAT --to 10.1.1.32:20
> > $IPTABLES -A OUTPUT -p tcp --dport 20 -m state --state ESTABLISHED -j ACCEPT
> > # Passive
> > $IPTABLES -A INPUT -p tcp --sport 1024: --dport 1024: -m state --state ESTABLISHED -j ACCEPT
> > $IPTABLES -A PREROUTING -t nat -p tcp -i $IFACE --dport 1024: -j DNAT --to 10.1.1.32
> > $IPTABLES -A OUTPUT -p tcp --sport 1024: --dport 1024: -m state --state ESTABLISHED,RELATED -j ACCEPT
> >
> >> Can I suggest something like this
> >
> >> # one catch all for all related and established connection
> >> # as defined by connection tracking
> >> iptables -I INPUT RELATED,ESTABLISHED -j ACCEPT
> >
> >> iptables -A INPUT -p tcp --dport 21 -m state --state NEW -j ACCEPT
> >> iptables -A FORWARD -p tcp --dport 21 -m state --state NEW -j ACCEPT
> >
> >> iptables -t nat -A PREROUTING -p tcp --dport 21 -j DNAT --to 10.1.1.32:21
> >
> >> I am not sure if you need the other ports for active as the conn
> >> track module should handle that for you (works on out going not
> >> 100% sure on incoming).
> >
> >> You need the forward statement you could add a -d 10.1.1.32, because the
> >> DNAT makes it a routed packet.
> >
> >> you can test this with tcpdump -pni <interface> -port 21 or host
> >> <host ip>
> >
> >> alex
>
> Using your rule I get this:
> iptables v1.4.1.1: Invalid rule number `RELATED,ESTABLISHED'
> Try `iptables -h' or 'iptables --help' for more information.
Oops, early morning emailing, forgot the
-m state --state
iptables -I INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
>
> Commenting it out, everything looks good until after I log in and try
> to do an "ls" when it returns:
> ftp> ls
> 227 Entering Passive Mode (10,1,1,32,205,208).
>
> Then nothing.
You can use two methods to track it down: tcpdump on the outside and the
inside interface, or -j LOG statements to see what is getting
dropped/rejected (maybe first try again with the related/established line
working).
> :wq!
> ====================================================================
> Robert L. Harris | GPG Key ID: E344DA3B @ x-hkp://pgp.mit.edu
> DISCLAIMER: These are MY OPINIONS ALONE. I speak for no-one else.
> With Dreams To Be A King, First One Should Be A Man - Manowar
--
"After all, a week ago, there were -- Yasser Arafat was boarded up in his
building in Ramallah, a building full of, evidently, German peace protestors
and all kinds of people. They're now out. He's now free to show leadership, to
lead the world."
- George W. Bush
05/02/2002
Washington, DC
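An added example, not code from the thread or from either poster: the rule set Alex suggests (one catch-all for RELATED,ESTABLISHED, NEW only on port 21, DNAT to the server, a FORWARD rule because the DNATed packet is routed) collected into one script, plus a decoder for the "227 Entering Passive Mode (10,1,1,32,205,208)" reply Robert quoted, and a rate-limited -j LOG rule at the end of FORWARD as the debugging aid mentioned above. Assumptions: the FTP server is 10.1.1.32 as in the thread; IFACE is the outside interface (eth0 if unset); IPTABLES and MODPROBE default to "echo ..." so running the script only prints the commands, and the chains' default policy is DROP. Set IPTABLES=/sbin/iptables MODPROBE=/sbin/modprobe as root to apply the rules. The decoder also flags a 227 reply that still carries the server's internal address: seen on the outside interface with tcpdump, that means the NAT helper (nf_nat_ftp, which rewrites the address inside the reply for DNATed control connections) is not doing its job, and an external client will try to reach an unreachable 10.x address, which matches the "ls, then nothing" symptom.

```shell
#!/bin/sh
# Added example (not the thread's own code). FTP behind a DNATing firewall:
# conntrack helper, catch-all RELATED,ESTABLISHED, NEW on port 21, DNAT, LOG.
# Assumptions: server 10.1.1.32 (from the thread), IFACE = outside interface,
# IPTABLES/MODPROBE default to echo so this is a dry run unless overridden.

IFACE="${IFACE:-eth0}"
FTP_SERVER="10.1.1.32"
IPTABLES="${IPTABLES:-echo iptables}"
MODPROBE="${MODPROBE:-echo modprobe}"

# Decode a PASV reply such as "227 Entering Passive Mode (10,1,1,32,205,208)."
# and print "host port": the six comma-separated numbers are the four address
# octets followed by the data port as high byte and low byte.
pasv_target() {
    fields=$(printf '%s\n' "$1" | sed -n 's/.*(\([0-9,]*\)).*/\1/p')
    [ -n "$fields" ] || return 1
    oldifs=$IFS; IFS=,; set -- $fields; IFS=$oldifs
    [ $# -eq 6 ] || return 1
    echo "$1.$2.$3.$4 $(($5 * 256 + $6))"
}

# Return 0 when a PASV reply still carries the server's internal address.
# Captured on the outside interface (tcpdump -pni "$IFACE" port 21) that means
# nf_nat_ftp did not rewrite it and an external client cannot reach the data
# port it was told to use.
pasv_leaks_internal() {
    target=$(pasv_target "$1") || return 1
    [ "${target%% *}" = "$FTP_SERVER" ]
}

ftp_rules() {
    # nf_conntrack_ftp parses the control channel and marks the data
    # connection RELATED; nf_nat_ftp additionally rewrites the address in
    # the 227 reply when the control connection is DNATed.
    $MODPROBE nf_conntrack_ftp
    $MODPROBE nf_nat_ftp

    # One catch-all for everything conntrack already knows about, on INPUT
    # (traffic to the firewall itself) and FORWARD (through it to the server).
    $IPTABLES -I INPUT   -m state --state RELATED,ESTABLISHED -j ACCEPT
    $IPTABLES -I FORWARD -m state --state RELATED,ESTABLISHED -j ACCEPT

    # New control connections: DNAT to the server, then allow them in FORWARD,
    # because after DNAT they are routed packets, not local ones.
    $IPTABLES -t nat -A PREROUTING -i "$IFACE" -p tcp --dport 21 \
        -j DNAT --to-destination "$FTP_SERVER:21"
    $IPTABLES -A FORWARD -i "$IFACE" -d "$FTP_SERVER" -p tcp --dport 21 \
        -m state --state NEW -j ACCEPT

    # Log (rate limited) whatever reaches the end of FORWARD, so a missing
    # rule shows up in syslog instead of silently hitting the DROP policy.
    $IPTABLES -A FORWARD -m limit --limit 5/minute \
        -j LOG --log-prefix "FWD-DROP: "
}

ftp_rules
# Constructed sample input: the reply Robert quoted decodes to 10.1.1.32 52688.
pasv_target "227 Entering Passive Mode (10,1,1,32,205,208)."
```

Run it as is to see the commands it would issue; the decoded port (205*256+208 = 52688) is the one the client tries to open, and whether the firewall lets that SYN through to 10.1.1.32 is exactly what the FORWARD RELATED,ESTABLISHED rule and the helper decide.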