#modprobe ip_nat_ftp
#modprobe ip_conntrack_ftp
and now it works well,
but what are these modules, and what is connection tracking? Can you tell me about any useful link?
Regards Azeem
From: Antony Stone <Antony@xxxxxxxxxxxxxxxxxxxx>
Reply-To: netfilter@xxxxxxxxxxxxxxxxxxx
To: netfilter@xxxxxxxxxxxxxxxxxxx
Subject: Re: ftp again
Date: Sat, 22 May 2004 16:56:16 +0100
On Saturday 22 May 2004 4:29 pm, azeem ahmad wrote:
> Hi all,
> when I run this script on my box the NATting of FTP stops. Clients can
> browse neither in non-passive mode nor in passive mode.
> What is the problem?
Perhaps you do not have the nat_ftp and conntrack_ftp modules loaded or compiled into your kernel?
> iptables -F
> iptables -t nat -F
> iptables -P INPUT DROP
> iptables -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
> iptables -A INPUT -i eth0 -p tcp --dport 8080 -j ACCEPT
> iptables -A INPUT -i eth0 -p udp --dport 8080 -j ACCEPT
What are you using UDP port 8080 for?
> iptables -A INPUT -i eth0 -p tcp --dport 22 -j ACCEPT
> iptables -A INPUT -i eth0 -p tcp --dport 53 -j ACCEPT
> iptables -A INPUT -i eth0 -p udp --dport 53 -j ACCEPT
> iptables -A INPUT -i eth0 -p udp --dport 137 -j ACCEPT
> iptables -A INPUT -i eth0 -p udp --dport 138 -j ACCEPT
> iptables -A INPUT -i eth0 -p tcp --dport 139 -j ACCEPT
>
> iptables -t nat -A PREROUTING -p tcp --dport 80 -j REDIRECT --to-port 8080
> iptables -t nat -A PREROUTING -p udp --dport 80 -j REDIRECT --to-port 8080
Same question as above...
> iptables -P FORWARD DROP
> iptables -A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT
> iptables -A FORWARD -i eth0 -p tcp --dport 20 -j ACCEPT
> iptables -A FORWARD -i eth0 -p udp --dport 20 -j ACCEPT
> iptables -A FORWARD -i eth0 -p tcp --dport 21 -j ACCEPT
> iptables -A FORWARD -i eth0 -p udp --dport 21 -j ACCEPT
FTP does not use UDP, so two of the above four rules are irrelevant, and
stateful packet filtering (which you are clearly using from the first rule in
your FORWARD chain) means that you do not need a rule for the data connection
on TCP port 20 - therefore you only need one of the above four rules:
iptables -A FORWARD -i eth0 -p tcp --dport 21 -j ACCEPT
> iptables -A FORWARD -i eth0 -p tcp --dport 443 -j ACCEPT
> iptables -A FORWARD -i eth0 -p tcp --dport 5000 -j ACCEPT
> iptables -A FORWARD -i eth0 -p tcp --dport 5001 -j ACCEPT
> iptables -A FORWARD -i eth0 -p tcp --dport 5005 -j ACCEPT
> iptables -A FORWARD -i eth0 -p tcp --dport 5050 -j ACCEPT
> iptables -A FORWARD -i eth0 -p tcp --dport 6660:6670 -j ACCEPT
> iptables -A FORWARD -i eth0 -p tcp --dport 7000 -j ACCEPT
> #iptables -A FORWARD -i eth0 -p tcp --dport 28805 -j ACCEPT
> iptables -A FORWARD -i eth0 -p tcp --dport 51215 -j ACCEPT
>
> iptables -t nat -A POSTROUTING -o ppp0 -j MASQUERADE
Regards,
Antony.
--
It is also possible that putting the birds in a laboratory setting inadvertently renders them relatively incompetent.
- Daniel C. Dennett
Please reply to the list;
please don't CC me.