Re: iptables, ftp and dnat?



Hi

You should try and keep this on list


Alex


On Fri, Dec 05, 2008 at 02:17:42PM -0700, Robert L. Harris wrote:
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1




[snip]


I've updated my rules to this:
# allow ftpd
HARVARD="10.1.1.32"
/sbin/modprobe nf_conntrack_ftp
# General
iptables -I INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
iptables -A INPUT -p tcp --dport 21 -m state --state NEW -j ACCEPT
iptables -A FORWARD -p tcp --dport 21 -m state --state NEW -j ACCEPT
iptables -t nat -A PREROUTING -p tcp --dport 21 -j DNAT --to-destination "$HARVARD:21"

I think I confused myself, though: do I need the other rules I had for
port 20, or will the first INPUT rule above cover that?

Have a look here: http://slacksite.com/other/ftp.html (quick Google on
ftp & ports).

It shows you how the ports are used for ftp.

The ftp conntrack module that you were loading previously should handle
the "related" ports and allow them through; what I am not sure about is
whether it will handle the DNAT'ing of those ports. But then again you
could specify passive ftp only.

Here is another link:
http://www.cyberciti.biz/faq/iptables-open-ftp-port-21/ (again Google).


My strength is in iptables, not ftp (which is the reason for googling :) ).

Also, for anything to do with iptables and firewalls you should probably read
a tutorial on iptables.



Thank you for your help, I've not done anything this complex with
iptables before.

Robert


:wq!
====================================================================
Robert L. Harris | GPG Key ID: E344DA3B @ x-hkp://pgp.mit.edu
DISCLAIMER: These are MY OPINIONS ALONE. I speak for no-one else.
"With Dreams To Be A King, First One Should Be A Man" - Manowar

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.8 (Darwin)

iD8DBQFJOZp28+1vMONE2jsRAgqcAJoD1OSBDcvPq2K7GL6Ym4xHBDRaNQCgo8WJ
ExmTlAt0/odRCTgtkimlF/E=
=TiTI
-----END PGP SIGNATURE-----



--
"Obviously, I pray every day there's less casualty."

- George W. Bush
04/11/2004
Fort Hood, TX
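To make the "related ports" point concrete, here is an added example (not code from this thread or from the kernel) that does in Python what the FTP connection-tracking helper does in the kernel: it reads the FTP control channel, pulls the address/port out of each PASV reply and PORT command, and derives the data connection the firewall should treat as RELATED. It also shows the rewrite that the DNAT case needs, which the separate nf_nat_ftp NAT helper performs: an internal server advertises its private address in the 227 reply, and the firewall must substitute its own public address and expect the client's data connection there. The addresses (198.51.100.7 for the client, 203.0.113.10 for the firewall) and the transcript are constructed for the example; 10.1.1.32 is the server address from the thread.

```python
"""Derive FTP data-channel expectations from a control-channel transcript.

Mirrors (in user space, for illustration) what nf_conntrack_ftp does to mark
data connections RELATED, and what nf_nat_ftp does to rewrite the address
inside a 227 reply when the server is reached through DNAT."""
import re
from dataclasses import dataclass

# Both the 227 reply (server -> client, passive) and the PORT command
# (client -> server, active) carry "h1,h2,h3,h4,p1,p2"; port = p1*256 + p2.
PASV_RE = re.compile(r"^227 .*?\((\d+),(\d+),(\d+),(\d+),(\d+),(\d+)\)")
PORT_RE = re.compile(r"^PORT (\d+),(\d+),(\d+),(\d+),(\d+),(\d+)\s*$")


@dataclass(frozen=True)
class Expectation:
    """One data connection the firewall should accept as RELATED."""
    mode: str       # "passive" or "active"
    src_ip: str
    src_port: int   # 0 means any source port
    dst_ip: str     # destination as seen on the outside of the firewall
    dst_port: int
    dnat_to: str    # "ip:port" the firewall must DNAT to, "" if no DNAT applies


def decode_hostport(groups):
    """Turn the six decimal fields of PASV/PORT into (ip, port)."""
    h1, h2, h3, h4, p1, p2 = (int(g) for g in groups)
    return f"{h1}.{h2}.{h3}.{h4}", p1 * 256 + p2


def encode_hostport(ip, port):
    """Inverse of decode_hostport: (ip, port) -> 'h1,h2,h3,h4,p1,p2'."""
    return ",".join(ip.split(".") + [str(port // 256), str(port % 256)])


def track_ftp(lines, client_ip, server_ip, public_ip=None):
    """Walk control-channel lines; return (expectations, rewritten_lines).

    client_ip/server_ip are the real endpoints. public_ip is the firewall
    address the client actually connected to when the server is DNAT'd;
    leave it None for a server that is not behind NAT."""
    expectations, out = [], []
    for line in lines:
        m = PASV_RE.match(line)
        if m:
            ip, port = decode_hostport(m.groups())
            if public_ip and ip == server_ip:
                # NAT helper's job: the internal server advertised its private
                # address, so rewrite the reply to the firewall's public address
                # and expect the client's data connection to arrive there.
                line = line.replace(encode_hostport(ip, port),
                                    encode_hostport(public_ip, port), 1)
                expectations.append(Expectation("passive", client_ip, 0,
                                                public_ip, port, f"{ip}:{port}"))
            else:
                expectations.append(Expectation("passive", client_ip, 0, ip, port, ""))
        m = PORT_RE.match(line)
        if m:
            # Active mode: the server opens the data connection from port 20
            # back to the address the client named, so no port-20 INPUT rule is
            # needed once RELATED connections are accepted.
            ip, port = decode_hostport(m.groups())
            expectations.append(Expectation("active", server_ip, 20, ip, port, ""))
        out.append(line)
    return expectations, out


# Constructed transcript: client 198.51.100.7 -> firewall 203.0.113.10,
# DNAT'd to the internal server 10.1.1.32 (only "HARVARD" is from the thread).
SAMPLE_TRANSCRIPT = [
    "220 harvard FTP server ready",
    "USER anonymous",
    "230 Login successful.",
    "PASV",
    "227 Entering Passive Mode (10,1,1,32,195,80).",
    "PORT 198,51,100,7,200,10",
    "200 PORT command successful.",
]

if __name__ == "__main__":
    exps, rewritten = track_ftp(SAMPLE_TRANSCRIPT, "198.51.100.7", "10.1.1.32",
                                public_ip="203.0.113.10")
    for e in exps:
        print(e)
    print(rewritten[4])
```

Running it shows the passive data connection expected at 203.0.113.10:50000 with a DNAT to 10.1.1.32:50000, the rewritten 227 line the client must see, and the active-mode connection from 10.1.1.32:20 to the client. Without a NAT helper the client would receive the private 10.1.1.32 address and the passive transfer would fail, which is the part of the setup the thread was unsure about.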
