Firewall blocking FTP

Ok. I goofed somewhere. I set up a firewall to do port forwarding, IP
masquerading, and port blocking. All seems to work fine, EXCEPT that I
cannot connect to ftp servers using the pasv method. The port method seems
to be working ok, but some places don't support port anymore. They only
support pasv (or at least they default to pasv). So how can I modify the
rules shown below (from iptables-save) to make port AND pasv ftp work?

Thanks!

--- Dan

P.S. I'm not subscribed to the list, so please CC me on your replies.

# Generated by iptables-save v1.2.8 on Thu Sep 11 20:15:39 2003
*nat
:PREROUTING ACCEPT [1096:83209]
:POSTROUTING ACCEPT [1873:150574]
:OUTPUT ACCEPT [3386:269119]
-A PREROUTING -s ! 192.168.0.0/255.255.255.0 -p tcp -m multiport --dports 8021,8023,webcache,binkp,65535,3021 -j DNAT --to-destination 192.168.0.10 
-A PREROUTING -s ! 192.168.0.0/255.255.255.0 -p tcp -m tcp --dport 23 -j DNAT --to-destination 192.168.0.10:8023 
-A POSTROUTING -o eth1 -j MASQUERADE 
COMMIT
# Completed on Thu Sep 11 20:15:39 2003
# Generated by iptables-save v1.2.8 on Thu Sep 11 20:15:39 2003
*filter
:INPUT DROP [0:0]
:FORWARD ACCEPT [20509:13605663]
:OUTPUT ACCEPT [17786:3595002]
-A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT 
-A INPUT -p tcp -m tcp --dport 2064 -j ACCEPT 
-A INPUT -p tcp -m multiport --dports 8021,8023,webcache,binkp,65535 -j ACCEPT 
-A INPUT -p tcp -m tcp --dport 22 -j ACCEPT 
-A INPUT -i eth0 -p udp -m udp --sport 137 -j ACCEPT 
-A INPUT -i eth0 -p tcp -m tcp --dport 139 -j ACCEPT 
-A INPUT -p tcp -m multiport --dports smtp,ftp,telnet,ssh,sunrpc,8025,pgpkeyserver -j ACCEPT 
-A INPUT -p tcp -m multiport --dports telnet,ssh,domain,nntp,ntp,printer,pop3,imap,http,https,netbios-ns,netbios-dgm,netbios-ssn,sunrpc -j ACCEPT 
-A INPUT -p udp -m multiport --dports domain,ntp,router,netbios-ns,netbios-dgm,netbios-ssn -j ACCEPT 
-A INPUT -i lo -j ACCEPT 
-A INPUT -p udp -m multiport --dports daytime,time,utime,timed -j ACCEPT 
-A INPUT -p tcp -m tcp --dport 11370 -j ACCEPT 
-A INPUT -i eth1 -p icmp -m limit --limit 3/sec -m icmp --icmp-type 8 -j ACCEPT 
-A INPUT -j REJECT --reject-with icmp-host-unreachable 
COMMIT
# Completed on Thu Sep 11 20:15:39 2003
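An added example, not from the post or any reply on the list: a small parser for iptables-save output that reports the filter-side prerequisites for FTP data connections through such a box, namely that RELATED state is accepted before the chain's catch-all reject and whether NAT is in the path. The FTP connection-tracking and NAT helper modules (ip_conntrack_ftp and ip_nat_ftp on 2.4 kernels) are what mark the negotiated data connections RELATED, and loading them does not show up in iptables-save, so this check can only confirm the rules would admit what the helpers produce; the embedded dump is a trimmed copy of the one quoted above.

```python
import re

# Constructed sample: a trimmed copy of the iptables-save dump quoted in the post.
SAMPLE = """*nat
:POSTROUTING ACCEPT [1873:150574]
-A POSTROUTING -o eth1 -j MASQUERADE
COMMIT
*filter
:INPUT DROP [0:0]
:FORWARD ACCEPT [20509:13605663]
-A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
-A INPUT -p tcp -m multiport --dports smtp,ftp,telnet,ssh -j ACCEPT
-A INPUT -j REJECT --reject-with icmp-host-unreachable
COMMIT
"""

def parse_iptables_save(text):
    """Parse iptables-save text into {table: {"policy": {chain: policy}, "rules": {chain: [rule, ...]}}}."""
    tables, cur = {}, None
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#") or line == "COMMIT":
            continue  # comments, blank lines and COMMIT carry no rules
        if line.startswith("*"):
            cur = tables.setdefault(line[1:], {"policy": {}, "rules": {}})
        elif line.startswith(":"):
            chain, policy = line[1:].split()[:2]  # ":INPUT DROP [0:0]" -> INPUT, DROP
            cur["policy"][chain] = policy
            cur["rules"].setdefault(chain, [])
        elif line.startswith("-A "):
            cur["rules"].setdefault(line.split()[1], []).append(line)
    return tables

def accepts_related(rules):
    """True if an ACCEPT for RELATED state precedes any blanket DROP/REJECT in the chain."""
    for r in rules:
        if re.search(r"--state \S*RELATED", r) and r.endswith("-j ACCEPT"):
            return True
        if re.fullmatch(r"-A \S+ -j (DROP|REJECT)( .*)?", r):
            return False  # catch-all reached first: RELATED data connections die here
    return False

def ftp_readiness(text):
    """Summarise what the ruleset does with helper-tracked (RELATED) FTP data connections."""
    t = parse_iptables_save(text)
    flt = t.get("filter", {"policy": {}, "rules": {}})
    nat_rules = [r for rs in t.get("nat", {"rules": {}})["rules"].values() for r in rs]
    return {
        "input_related_ok": accepts_related(flt["rules"].get("INPUT", [])),
        "forward_related_ok": flt["policy"].get("FORWARD") == "ACCEPT"
            or accepts_related(flt["rules"].get("FORWARD", [])),
        # Any address rewriting means the NAT helper must also fix up PORT/PASV payloads.
        "nat_in_path": any(re.search(r"-j (MASQUERADE|SNAT|DNAT)", r) for r in nat_rules),
    }
```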