Re: firewalling

On Tue 18/02/2003 at 10:45, Eric Constantineau wrote:
> I still have problems with FTP, it has to be set with "enable firewall
> access" to be able to run well (I run cuteftp), passive mode or not.  I
> want ftp to be transparent as if there were no firewall at all, so users
> are not annoyed by settings...

modprobe ip_conntrack_ftp
modprobe ip_nat_ftp

Then play with the state stuff (NEW, ESTABLISHED and RELATED). The FTP helper
will handle everything right once you authorize TCP port 21.

> Another thing is how could I set up a web server behind my firewall, I
> read a bit about DNAT and SNAT, but it still doesn't work from the internet.  It
> works inside, in the same LAN, but over the net, the server is
> unreachable...
> See the problem is, all my lan, including the firewall, has the same WAN
> IP Address, let's say 1.2.3.4...  So when I connect to 1.2.3.4 with
> destination port 80, with my DNAT settings :
> 
> iptables -t nat -A PREROUTING -d 1.2.3.4 -p tcp --dport 80 -j DNAT
> --to-destination 4.3.2.1
> it should redirect all packets to the web server lan ip(4.3.2.1)

Yes it should.
If it does not work, it may be a FORWARD filtering problem. Have you
authorized such traffic with FORWARD rules, e.g.:

	iptables -A FORWARD -m state --state ESTABLISHED -p tcp \
			-s 4.3.2.1 --sport 80 -j ACCEPT
	iptables -A FORWARD -m state --state NEW -p tcp -d 4.3.2.1 \
			--dport 80 -j ACCEPT

If not, it won't work.

> then for the connection within the LAN to this server I still have to add
> this line :
> iptables -t nat -A POSTROUTING -s 4.3.2.1 -p tcp --sport 80 -j SNAT
> --to-source 1.2.3.4

No, you don't.
Once a connection is established from outside to this server, it is
handled automagically by the Netfilter NAT stuff. This rule would be useful if
your 4.3.2.1 is to establish connections to the outside, which, judging by
your rule, does not seem to be the case.

Things you can do are :

	. look at counters to see which rules are matching packets :

		iptables -L -v
		iptables -t nat -L -v

	. add debugging stuff using LOG target to track your packets


You should also read Linux Mag' HS 12, there's an article on Netfilter's
internals that can help you understand how the NAT is going ;)))


-- 
Cédric Blancher  <blancher@cartel-securite.fr>
IT systems and networks security expert  - Cartel Sécurité
Phone : +33 (0)1 44 06 97 87 - Fax: +33 (0)1 44 06 97 99
PGP KeyID:157E98EE  FingerPrint:FA62226DA9E72FA8AECAA240008B480E157E98EE
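
The pieces the reply describes (FTP helper modules, state matching, DNAT for the web server plus the matching FORWARD rules, SNAT only for outbound LAN traffic, counters and a LOG rule for debugging) assembled into one script, as an added example that is not part of the mail. It assumes, which the thread does not state, that the WAN interface is eth0 holding 1.2.3.4, the LAN interface is eth1, and the web server 4.3.2.1 sits on the LAN 4.3.2.0/24 (the thread's example addresses are reused as-is). It uses the current module names nf_conntrack_ftp / nf_nat_ftp (ip_conntrack_ftp / ip_nat_ftp on the 2.4 kernels of the mail) and adds the raw-table CT rule that kernels since 4.7 need because helpers are no longer assigned automatically. DRY_RUN=1 prints the commands instead of loading them, so the ruleset can be reviewed on any box.

```shell
#!/bin/sh
# Added example, not from the original mail. Assumptions (not in the thread):
# WAN interface eth0 holding 1.2.3.4, LAN interface eth1, web server 4.3.2.1
# on the LAN 4.3.2.0/24. DRY_RUN=1 prints the commands instead of running them.
set -e

WAN_IF=${WAN_IF:-eth0}
LAN_IF=${LAN_IF:-eth1}
WAN_IP=${WAN_IP:-1.2.3.4}
WEB_IP=${WEB_IP:-4.3.2.1}
LAN_NET=${LAN_NET:-4.3.2.0/24}
DRY_RUN=${DRY_RUN:-0}

# Run a command, or print it when DRY_RUN=1 (review/test without iptables).
run() {
    if [ "$DRY_RUN" = 1 ]; then
        printf '%s\n' "$*"
    else
        "$@"
    fi
}

firewall_rules() {
    run sysctl -w net.ipv4.ip_forward=1

    # FTP helper: follows the control channel on tcp/21 and marks the data
    # connections (active or passive) as RELATED, so one rule covers both.
    # ip_conntrack_ftp / ip_nat_ftp on 2.4 kernels, as in the mail.
    run modprobe nf_conntrack_ftp
    run modprobe nf_nat_ftp

    run iptables -F
    run iptables -t nat -F
    run iptables -t raw -F
    run iptables -P INPUT DROP
    run iptables -P FORWARD DROP
    run iptables -P OUTPUT ACCEPT

    # Since kernel 4.7 helpers are not auto-assigned: bind it to port 21.
    run iptables -t raw -A PREROUTING -p tcp --dport 21 -j CT --helper ftp

    run iptables -A INPUT -i lo -j ACCEPT
    run iptables -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT

    # Replies and helper-opened FTP data channels, in both directions.
    run iptables -A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT
    # LAN clients may open anything outbound, including FTP control (tcp/21).
    run iptables -A FORWARD -i "$LAN_IF" -o "$WAN_IF" -m state --state NEW -j ACCEPT

    # Web server: DNAT in PREROUTING, then the NEW connection must also pass
    # FORWARD, now addressed to the LAN IP. The reverse translation of the
    # replies is automatic; no POSTROUTING rule for --sport 80 is needed.
    run iptables -t nat -A PREROUTING -i "$WAN_IF" -d "$WAN_IP" -p tcp --dport 80 \
        -j DNAT --to-destination "$WEB_IP"
    run iptables -A FORWARD -i "$WAN_IF" -o "$LAN_IF" -d "$WEB_IP" -p tcp --dport 80 \
        -m state --state NEW -j ACCEPT

    # The only SNAT needed: connections the LAN itself opens to the outside.
    run iptables -t nat -A POSTROUTING -o "$WAN_IF" -s "$LAN_NET" -j SNAT --to-source "$WAN_IP"

    # Debugging: log (rate-limited) whatever reaches the end of FORWARD,
    # i.e. what the DROP policy is about to eat.
    run iptables -A FORWARD -m limit --limit 5/min -j LOG --log-prefix "FORWARD drop: "
}

# Per-rule packet/byte counters show which rules actually match.
show_counters() {
    run iptables -L -v -n
    run iptables -t nat -L -v -n
}

case "${1:-}" in
    apply)    firewall_rules ;;
    dry-run)  DRY_RUN=1; firewall_rules ;;
    counters) show_counters ;;
esac
```

`./firewall.sh dry-run` prints the rules for review, `apply` loads them (as root), `counters` shows which rules are matching. `-m state` is the syntax of the mail; current iptables accepts it but `-m conntrack --ctstate` is the preferred spelling, with identical semantics here.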
