On 10/5/07, Feizhou <feizhou@xxxxxxxxxxxx> wrote:
> Do you have ip_nat_ftp loaded too?
>
>
> YES, both ip_conntrack_ftp and ip_nat_ftp.
> pls see below
>
> #Enable tracking mechanism
> /sbin/modprobe -a ip_conntrack_ftp ip_nat_ftp
Hmm, I think the NEW for port 1024: is not necessary in FORWARD then.
The nat_ftp should handle it and thus make it ESTABLISHED,RELATED and
the ESTABLISHED,RELATED rule should therefore be sufficient.
That meas I do not nedd below rule i FORWARD chain.
iptables -A FORWARD -p tcp -d 192.168.100.3 --dport 1024: -m state --state NEW -j ACCEPT
So below 3 rules will be enough.
iptables -t nat -A PREROUTING -p tcp -i eth0 -d 1.2.3.4 --dport 21 -j DNAT --to-destination 192.168.100.3:21
iptables -t nat -A PREROUTING -p tcp -i eth0 -d 1.2.3.4 --dport 1024: -j DNAT --to-destination 192.168.100.3
iptables -A FORWARD -p tcp -d 192.168.100.3 --dport 21 -m state --state NEW -j ACCEPT
--
Thank you
Indunil Jayasooriya
_______________________________________________ CentOS mailing list CentOS@xxxxxxxxxx http://lists.centos.org/mailman/listinfo/centos
