Re: Newbie question about nat

On Monday 03 May 2004 4:33 pm, Oriol Magrané wrote:

>     Thank you!
>     Now I'd like to set up an ftp server inside with private ip
> 192.168.1.111 and public ip a.b.c.k
>     So the nat rules will be:
>
>         iptables -t nat -A PREROUTING -d a.b.c.k -j DNAT --to 192.168.1.111
>         iptables -t nat -A POSTROUTING -s 192.168.1.111 -j SNAT --to a.b.c.k
>
>     However I don't know how to use the ip_conntrack_ftp and ip_nat_ftp
> modules when it comes to writing the accept/drop rules.
>     If the server was a web server, I would use these rules:
>
>         iptables -A FORWARD -d 192.168.1.111 -p tcp --destination-port 80 -m state --state NEW,ESTABLISHED -j ACCEPT
>         iptables -A FORWARD -s 192.168.1.111 -p tcp --source-port 80 -m state --state ESTABLISHED -j ACCEPT

I don't normally write an ESTABLISHED rule for each protocol (specifying the 
source port) - I would normally have just one rule on a firewall allowing 
reply packets for all protocols:

iptables -I FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT

You don't need to bother about securing the machines it's supposed to allow 
connections from (-s) or the protocols it's supposed to allow (-p tcp, 
--sport) because those have already been taken care of by the rule allowing 
the connection to get set up in the first place. Note the -I (insert) to 
make sure this rule appears at the top of the FORWARD chain for efficiency.

>     But how should they be to allow active ftp access to 192.168.1.111
> using the ip_conntrack_ftp and ip_nat_ftp modules?

iptables -A FORWARD -d 192.168.1.111 -p tcp --dport 21 -j ACCEPT

along with the single system-wide rule I gave above.

Regards,

Antony.

-- 
"There has always been an underlying argument that we should open up our 
source code more broadly. The fact is that we are learning from open source 
and we are opening our code more broadly through Shared Source.

Is there value to providing source code? The answer is unequivocally yes."

 - Jason Matusow, head of Microsoft's Shared Source Program, in response to 
recent leaks of Windows source code on the Internet.

                                                     Please reply to the list;
                                                           please don't CC me.
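The ruleset discussed in this thread as a dry-run shell script, added here as an example and not part of Antony's or Oriol's posts. The public address (a.b.c.k in the thread), the FORWARD DROP policy and the `run` wrapper are this example's own assumptions; with IPT_DRY_RUN=1 (the default) it prints the commands instead of executing them, so the rules can be reviewed without root.

```shell
#!/bin/sh
# Added example: NAT plus FTP-helper rules for an FTP server at 192.168.1.111.
set -eu

PUBLIC_IP="${PUBLIC_IP:-203.0.113.10}"   # placeholder for a.b.c.k (TEST-NET-3)
FTP_HOST="192.168.1.111"
IPT_DRY_RUN="${IPT_DRY_RUN:-1}"          # 1 = print commands, 0 = really apply

# run: execute the command, or print it verbatim in dry-run mode so the
# ruleset can be inspected (and tested) on a box without iptables or root.
run() {
  if [ "$IPT_DRY_RUN" = 1 ]; then
    printf '%s\n' "$*"
  else
    "$@"
  fi
}

load_helpers() {
  # Module names as used in the thread (2.4 / early 2.6 kernels);
  # later kernels call them nf_conntrack_ftp and nf_nat_ftp.
  run modprobe ip_conntrack_ftp
  run modprobe ip_nat_ftp
}

apply_rules() {
  # Assumption: nothing is forwarded unless a rule below allows it.
  run iptables -P FORWARD DROP
  # NAT rules exactly as posted: DNAT inbound to the FTP host, SNAT its replies.
  run iptables -t nat -A PREROUTING -d "$PUBLIC_IP" -j DNAT --to "$FTP_HOST"
  run iptables -t nat -A POSTROUTING -s "$FTP_HOST" -j SNAT --to "$PUBLIC_IP"
  # Control channel: only new connections to port 21 are accepted explicitly.
  run iptables -A FORWARD -d "$FTP_HOST" -p tcp --dport 21 -j ACCEPT
  # Single reply rule inserted at the top of the chain (-I): ESTABLISHED
  # covers replies, RELATED covers the data connections the FTP helper
  # associates with the port-21 control connection (active or passive).
  run iptables -I FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT
}

load_helpers
apply_rules
```

On kernels from 4.7 onward conntrack helpers are no longer assigned automatically, so the FTP helper must also be attached to the control connection explicitly, e.g. `iptables -t raw -A PREROUTING -p tcp --dport 21 -j CT --helper ftp`; without it the RELATED rule never matches the data connections.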