Re: iptables forwarding problems

On Friday 21 February 2003 01:46 pm, Matt Riggs wrote:
> I am confused. I am trying to port forward ftp from a specific host to
> a server on my private network.
>
> I was under the impression that specifying a rule such as $iptables -t
> nat -A PREROUTING -p tcp -s IP -d IP --dport 21 -j DNAT --to IP:21
> would allow this connection.
>
> The Catch ALL rule.
> $iptables -A INPUT -j DROP
> $iptables -A OUTPUT -j DROP
> $iptables -A FORWARD -j DROP
>
> I realize it says to DROP FORWARDs but I was under the assumption that
> since i declared a specific rule, it would DROP everything else( i.e.
> allow that one forward rule)
>
> Am I completely wrong...please explain....

Yes, actually.  PREROUTING is not FORWARD, they are separate chains of 
rules.  The rule you have will DNAT FTP control port (but not any data!) 
but you also need a rule in FORWARD to allow it.  You should usually 
also set the DROP as POLICY instead of a catch-all rule.  Try these:

insmod ip_conntrack_ftp
insmod ip_nat_ftp

$iptables -P INPUT DROP
$iptables -P FORWARD DROP
$iptables -P OUTPUT DROP

$iptables -A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT
$iptables -A FORWARD -d 3.4.5.6 -p tcp --dport 21 -j ACCEPT

$iptables -t nat -A PREROUTING -p tcp -s 1.2.3.4 -d 2.3.4.5 \
--dport 21 -j DNAT --to 3.4.5.6

The first two (if you're not doing this already) are needed so that 
connection tracking and NAT of FTP will work properly.  The next three 
set the DROP as a Policy, rather than as the last rule in the chain.  
(If you add rules after a blanket DROP rule they will never have a 
chance, but Policy is always last no matter what)  The two FORWARD rules 
allow FTP control port and all ESTABLISHED or RELATED connections to be 
forwarded, and finally the DNAT rule itself.

j

> Thanks in advance
>
> Matt
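
As an added example, not part of either message above: a POSIX shell script that audits an iptables-save dump for exactly the two problems the reply points out, a blanket DROP rule standing in for a policy (anything appended after it is dead) and a DNAT in nat/PREROUTING whose target is never ACCEPTed in filter/FORWARD. The two dumps are constructed; the addresses are the placeholders from the reply, and the `--to-destination` form is what iptables-save writes for `--to`.

```sh
#!/bin/sh
# Added example: audit an iptables-save dump for the pitfalls in the thread.
# Sample dumps are constructed; 1.2.3.4 / 2.3.4.5 / 3.4.5.6 are placeholders.

# Constructed: the questioner's layout, with the FORWARD ACCEPT appended
# after the catch-all DROP (so it can never match).
BROKEN='*nat
:PREROUTING ACCEPT [0:0]
-A PREROUTING -s 1.2.3.4/32 -d 2.3.4.5/32 -p tcp -m tcp --dport 21 -j DNAT --to-destination 3.4.5.6:21
COMMIT
*filter
:INPUT ACCEPT [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
-A INPUT -j DROP
-A OUTPUT -j DROP
-A FORWARD -j DROP
-A FORWARD -d 3.4.5.6/32 -p tcp -m tcp --dport 21 -j ACCEPT
COMMIT'

# Constructed: the ruleset the reply recommends, as iptables-save shows it.
FIXED='*nat
:PREROUTING ACCEPT [0:0]
-A PREROUTING -s 1.2.3.4/32 -d 2.3.4.5/32 -p tcp -m tcp --dport 21 -j DNAT --to-destination 3.4.5.6
COMMIT
*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT DROP [0:0]
-A FORWARD -m state --state RELATED,ESTABLISHED -j ACCEPT
-A FORWARD -d 3.4.5.6/32 -p tcp -m tcp --dport 21 -j ACCEPT
COMMIT'

# chain_policy DUMP TABLE CHAIN -> prints the chain's policy (ACCEPT/DROP)
chain_policy() {
    printf '%s\n' "$1" | awk -v tbl="*$2" -v ch=":$3" '
        $1 == tbl          { in_tbl = 1; next }
        /^\*/              { in_tbl = 0 }
        in_tbl && $1 == ch { print $2; exit }'
}

# shadowed_rules DUMP TABLE CHAIN -> number of rules appended after an
# unconditional "-A CHAIN -j DROP"; such rules are dead, a policy is not
shadowed_rules() {
    printf '%s\n' "$1" | awk -v tbl="*$2" -v ch="$3" '
        $1 == tbl { in_tbl = 1; next }
        /^\*/     { in_tbl = 0 }
        in_tbl && $1 == "-A" && $2 == ch {
            if (dead) n++
            if (NF == 4 && $3 == "-j" && $4 == "DROP") dead = 1
        }
        END { print n + 0 }'
}

# dnat_without_forward DUMP -> prints each DNAT destination address from
# nat/PREROUTING that no live ACCEPT rule in filter/FORWARD matches with
# -d <addr>; PREROUTING rewrites the packet, FORWARD must still pass it
dnat_without_forward() {
    printf '%s\n' "$1" | awk '
        /^\*/ { tbl = $1; dead = 0; next }
        tbl == "*nat" && $1 == "-A" && $2 == "PREROUTING" {
            for (i = 3; i < NF; i++)
                if ($i == "--to-destination" || $i == "--to") {
                    split($(i + 1), addr, ":")   # drop optional :port
                    targets[addr[1]] = 1
                }
        }
        tbl == "*filter" && $1 == "-A" && $2 == "FORWARD" {
            dst = ""; accept = 0
            for (i = 3; i < NF; i++) {
                if ($i == "-d") { dst = $(i + 1); sub(/\/32$/, "", dst) }
                if ($i == "-j" && $(i + 1) == "ACCEPT") accept = 1
            }
            if (accept && dst != "" && !dead) allowed[dst] = 1
            if (NF == 4 && $3 == "-j" && $4 == "DROP") dead = 1
        }
        END { for (t in targets) if (!(t in allowed)) print t }'
}

# audit DUMP -> prints findings; exit status is the number of findings
audit() {
    problems=0
    for chain in INPUT FORWARD OUTPUT; do
        if [ "$(chain_policy "$1" filter "$chain")" != DROP ]; then
            echo "policy of $chain is not DROP (a catch-all rule is not a policy)"
            problems=$((problems + 1))
        fi
        n=$(shadowed_rules "$1" filter "$chain")
        if [ "$n" -gt 0 ]; then
            echo "$n rule(s) in $chain come after a blanket DROP and never match"
            problems=$((problems + 1))
        fi
    done
    for addr in $(dnat_without_forward "$1"); do
        echo "DNAT to $addr has no live ACCEPT in FORWARD"
        problems=$((problems + 1))
    done
    return "$problems"
}

echo "== questioner's ruleset =="
audit "$BROKEN" || echo "-> $? problem(s)"
echo "== recommended ruleset =="
audit "$FIXED" && echo "-> no problems"
```

On a live box, feed `iptables-save` output to `audit` instead of the constructed dumps; the checks only read the dump, so they run without root or the iptables binary.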
