Hi,

You should try and keep this on list.

Alex

On Fri, Dec 05, 2008 at 02:17:42PM -0700, Robert L. Harris wrote:
> -----BEGIN PGP SIGNED MESSAGE-----
> Hash: SHA1
>
>
> [snip]
>
> I've updated my rules to this:
> #
> # allow ftpd
> HARVARD="10.1.1.32"
> /sbin/modprobe nf_conntrack_ftp
> # General
> iptables -I INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
> iptables -A INPUT -p tcp --dport 21 -m state --state NEW -j ACCEPT
> iptables -A FORWARD -p tcp --dport 21 -m state --state NEW -j ACCEPT
> iptables -t nat -A PREROUTING -p tcp --dport 21 -j DNAT --to 10.1.1.32:21
>
> I think I confused myself though, do I need the other rules I had for
> port 20 or will the first INPUT rule
> above cover that?

Have a look here: http://slacksite.com/other/ftp.html (quick google on ftp & ports). It shows you how the ports are used for ftp.

The ftp conntrack module that you were loading previously should handle the "related" ports and allow them through; what I am not sure about is whether it will handle the dnat'ing of those ports. But then again you could specify passive ftp only.

Here is another link: http://www.cyberciti.biz/faq/iptables-open-ftp-port-21/ (again google).

My strength is in iptables not ftp (which is the reason for googling :) )

Also, for anything to do with iptables and firewalls you should probably read a tutorial on iptables.

>
> Thank you for your help, I've not done anything this complex with
> iptables before.
>
> Robert
>
>
> :wq!
> ====================================================================
> Robert L. Harris                     | GPG Key ID: E344DA3B
>                                      |   @ x-hkp://pgp.mit.edu
> DISCLAIMER:
>       These are MY OPINIONS             With Dreams To Be A King,
>        ALONE.  I speak for              First One Should Be A Man
>        no-one else.                       - Manowar
>
> -----BEGIN PGP SIGNATURE-----
> Version: GnuPG v1.4.8 (Darwin)
>
> iD8DBQFJOZp28+1vMONE2jsRAgqcAJoD1OSBDcvPq2K7GL6Ym4xHBDRaNQCgo8WJ
> ExmTlAt0/odRCTgtkimlF/E=
> =TiTI
> -----END PGP SIGNATURE-----
>
>

--
"Obviously, I pray every day there's less casualty."
	- George W. Bush
	04/11/2004 Fort Hood, TX
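An added example, not part of either message: a dry-run generator for the FTP-behind-DNAT rule set discussed in this thread, which prints the commands instead of running them. It assumes the gateway forwards to the internal server at 10.1.1.32 from the quoted rules and that the FORWARD chain is otherwise restrictive; the function names `valid_ipv4` and `ftp_dnat_rules` are made up for this example.

```shell
#!/bin/sh
# Added example: prints (does not run) the commands for forwarding FTP
# through a DNAT gateway. Review the output, then pipe it to "sh" as root.

# valid_ipv4 ADDR: succeed only for a dotted quad with octets 0-255.
valid_ipv4() {
    case "$1" in
        *[!0-9.]*|*..*|.*|*.|"") return 1 ;;
    esac
    old_ifs=$IFS; IFS=.
    set -- $1
    IFS=$old_ifs
    [ "$#" -eq 4 ] || return 1
    for octet in "$@"; do
        [ "${#octet}" -le 3 ] && [ "$octet" -le 255 ] || return 1
    done
}

# ftp_dnat_rules SERVER: emit the rule set for an internal FTP server.
ftp_dnat_rules() {
    server=$1
    valid_ipv4 "$server" || { echo "bad server address: $server" >&2; return 1; }
    cat <<EOF
# nf_conntrack_ftp parses PORT/PASV on the control channel and marks the
# data connection RELATED; nf_nat_ftp rewrites the addresses carried in
# those commands so they stay valid across the DNAT.
/sbin/modprobe nf_conntrack_ftp
/sbin/modprobe nf_nat_ftp
# Kernels 4.7 and later do not attach helpers automatically by default;
# there, bind the helper to the control port explicitly:
# iptables -t raw -A PREROUTING -p tcp --dport 21 -j CT --helper ftp
# DNAT'ed packets traverse FORWARD, not INPUT, so the stateful accept
# must exist there. It covers active (port 20) and passive data ports.
iptables -I FORWARD -m state --state RELATED,ESTABLISHED -j ACCEPT
iptables -A FORWARD -p tcp -d $server --dport 21 -m state --state NEW -j ACCEPT
iptables -t nat -A PREROUTING -p tcp --dport 21 -j DNAT --to-destination $server:21
EOF
}

# Stand-alone use: print the rules for the address given as \$1,
# defaulting to the server address quoted in the thread.
ftp_dnat_rules "${1:-10.1.1.32}"
```

With the helpers loaded, no separate rule for port 20 is needed, because the data connection matches the RELATED state.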