Hi all,
I want to run vsftp behind a firewall.(i.e DMZ zone) . It is runnig as passive ftp.
the theroy behind passive ftp is ,
- FTP server's port 21 from anywhere ( Client initiates connection)
- FTP server's port 21 to ports > 1024 (Server responds to client's control port)
- FTP server's ports > 1024 from anywhere (Client initiates data connection to random port specified by server)
- FTP server's ports > 1024 to remote ports > 1024 (Server sends ACKs (and data) to client's data port)
Then, How can I write DNAT rules.
pls assume 1.2.3.4 is the ip of the internert interface.
#DNAT from Internet to the box running VSFTP @ 192.168.100.3
iptables -t nat -A PREROUTING -p tcp -i eth0 -d 1.2.3.4 --dport 21 -j DNAT --to-destination 192.168.100.3:21
iptables -t nat -A PREROUTING -p tcp -i eth0 -d 1.2.3.4 --dport 1024: -j DNAT --to-destination 192.168.100.3
And also
#connect to below ip (actual destination ip) with below ports,due to DNATing
iptables -A FORWARD -p tcp -d 192.168.100.3 --dport 21 -m state --state NEW -j ACCEPT
iptables -A FORWARD -p tcp -d 192.168.100.3 --dport 1024: -m state --state NEW -j ACCEPT
R u okay with the above 4 rules ?
If WRONG, pls write down your rules. I am going to put this vsftp server in to PRODUCTION USE.
Pls also make sure , my firewall has below rules such as DROP, ESTABLISHED,RELATED.
iptables -P INPUT DROP
iptables -P FORWARD DROP
iptables -P OUTPUT DROP
iptables -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
iptables -A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT
iptables -A OUTPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
YOUR comments.
--
Thank you
Indunil Jayasooriya
_______________________________________________ CentOS mailing list CentOS@xxxxxxxxxx http://lists.centos.org/mailman/listinfo/centos
