Jason, is this your network, or is it the company's? What I would suggest should be analyzed based on whose it is. If it's your network, or it's the firm's and you can convince them it would be worth the effort: put a bastion FTP server on the outside, lock it down, and NEVER let the Internet inside; otherwise why even have a firewall.... KISS principle. Any other ideas the list comes up with will no doubt be of technical assistance to you, but for a longer life do it this way. Control types of traffic outbound and NEVER let the outside use internal resources, ever.

~piranha

-----Original Message-----
From: netfilter-bounces@xxxxxxxxxxxxxxxxxxx [mailto:netfilter-bounces@xxxxxxxxxxxxxxxxxxx] On Behalf Of TestMail
Sent: Sunday, January 16, 2005 11:32 PM
To: Jason Opperisano
Cc: Netfilter Mailing List
Subject: Re: FTP Forwarding

----- Original Message -----
From: "Jason Opperisano" <opie@xxxxxxxxxxx>
To: <netfilter@xxxxxxxxxxxxxxxxxxx>
Sent: Friday, January 14, 2005 10:23 PM
Subject: Re: FTP Forwarding

> On Fri, 2005-01-14 at 03:57, Test Mail wrote:
> > Hi! Can I have a follow-up question regarding an FTP server inside the internal LAN
> > which can be seen in the Internet.....
> > Now what if the scenario is I want to restrict a specific public IP address
> > in using my FTP; what will be the rules that I should apply?
> >
> > I was thinking of setting up a rule that will filter incoming public IP
> > address requests for FTP before it forwards them into my internal FTP server.
> >
> > Below are the sample entries in my iptables:
> > iptables -t filter -A INPUT -p tcp -s $PublicIPAdd --dport 20:21 -j ACCEPT
> > <--- is this correct?
> > iptables -t filter -A INPUT -j DROP
> >
> > Below is the previous solution that you gave.
> >
> > modprobe ip_conntrack_ftp
> > modprobe ip_nat_ftp
> >
> > iptables -t nat -A PREROUTING -i $EXT_IF -p tcp -d 202.147.167.99 \
> > --dport 21 -j DNAT --to-destination 192.168.0.5
> >
> > iptables -A FORWARD -i $EXT_IF -o $INT_IF -p tcp --syn -d 192.168.0.5 \
> > --dport 21 -j ACCEPT
>
> change that rule to something like:
>
> iptables -A FORWARD -i $EXT_IF -o $INT_IF -p tcp --syn \
> -s $PublicIPAdd -d 192.168.0.5 --dport 21 -j ACCEPT
>
> repeat for multiple instances of $PublicIPAdd.
>
> -j
>
> --
> "It's not easy to juggle a pregnant wife and a troubled child, but
> somehow I managed to fit in eight hours of TV a day."
> --The Simpsons
>

I'm sorry, but I think this rule will not be the solution to my problem, because my FTP server is inside my internal network and automatically my gateway will "only" be the source for the -s $PublicIPAdd FORWARD rule parameter... I think???

Below is my schematic of how I want it to be:

1. Only the 202...1 IP address in my branch office should be allowed to use my FTP server in my head office, so incoming FTP requests should be filtered and only the 202....1 IP address that is coming from my branch office should be allowed.

  +-------------------------+
  | Branch                  | eth0 202. .1      < external
  +-------------------------+
              |
             WAN
              |
  +-------------------------+
  | gateway:firewall:FCore2 | eth0 192.168...   < internal  <<<<<<
  |                         | eth1 202........  < external
  +-------------------------+
              |
  +-------------------------+
  | Ftp Server:FCore2       | eth0 192.168.0.5  < Internal
  +-------------------------+

--------CUT ----------------------------------------------------------------

:::::2nd Question:::::

If I apply a policy:

iptables -P INPUT DROP
iptables -t filter -A INPUT -p tcp -s 192.168.0.1 -d 192.168.0.2 --dport 20:21 -j ACCEPT

does that mean only 192.168.0.1 will be allowed to use FTP and the rest will be dropped???? Am I correct??

--------CUT-----------------------------------------------------------------

Thanks in advance. Still learning iptables..

Milo
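As an added example (not code from the thread, from piranha, Jason or Milo, nor from the netfilter project), the script below puts Jason's suggestion into a rule set that can be printed and reviewed before it is applied, and shows why his FORWARD rule answers Milo's worry: DNAT in PREROUTING rewrites only the destination address, so when the packet reaches FORWARD its source is still the branch office's public address and `-s` matches that, not the gateway; and because the packet is forwarded to 192.168.0.5 rather than delivered to the gateway itself, it never traverses INPUT, so INPUT rules on the gateway cannot see it. The addresses 202.147.167.99 and 192.168.0.5 come from Jason's rules; 198.51.100.1 stands in for the branch office address that the thread elides; the interface names, the `APPLY` switch and the function names are this example's own. The second function covers Milo's second question on the FTP host itself.

```shell
#!/bin/sh
# Added example, not from the thread. Builds the gateway rule set Jason
# described (DNAT TCP/21 to the internal FTP server, then filter the
# forwarded SYN by source address) and the FTP host's own INPUT rules from
# Milo's second question. Every command goes through run(), which prints
# it unless APPLY=1 is set, so the rule set can be reviewed before it is
# installed as root. Interface names and 198.51.100.1 (the branch office)
# are assumptions; 202.147.167.99 and 192.168.0.5 are from the thread.

EXT_IF="${EXT_IF:-eth1}"                   # gateway, public side
INT_IF="${INT_IF:-eth0}"                   # gateway, LAN side
PUBLIC_IP="${PUBLIC_IP:-202.147.167.99}"   # gateway's public address
FTP_SERVER="${FTP_SERVER:-192.168.0.5}"    # internal FTP server

run() {
    if [ -n "$APPLY" ]; then "$@"; else printf '%s\n' "$*"; fi
}

# Gateway rules. Takes the list of public addresses allowed to reach the
# FTP server. DNAT changes only the destination, so in FORWARD the packet
# still carries the branch office's source address and -s matches it; a
# forwarded packet never enters INPUT, so filtering it there does nothing.
ftp_forward_rules() {
    # ftp helper: follows the PORT/PASV exchange so data connections are
    # RELATED (the thread's 2.6-era names were ip_conntrack_ftp/ip_nat_ftp)
    run modprobe nf_conntrack_ftp
    run modprobe nf_nat_ftp
    # since Linux 4.7 helpers are not attached automatically; assign it here
    run iptables -t raw -A PREROUTING -i "$EXT_IF" -p tcp --dport 21 \
        -j CT --helper ftp
    run iptables -t nat -A PREROUTING -i "$EXT_IF" -p tcp -d "$PUBLIC_IP" \
        --dport 21 -j DNAT --to-destination "$FTP_SERVER"
    run iptables -P FORWARD DROP
    # replies, plus the data connections the helper marked RELATED
    # (active: server port 20 -> client; passive: client -> server high port)
    run iptables -A FORWARD -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
    # one rule per allowed source; any other new connection hits the DROP policy
    for src in "$@"; do
        run iptables -A FORWARD -i "$EXT_IF" -o "$INT_IF" -p tcp --syn \
            -s "$src" -d "$FTP_SERVER" --dport 21 -j ACCEPT
    done
}

# FTP host's own INPUT chain (second question). With the policy at DROP,
# the single ACCEPT means only that client may open the control
# connection. Loopback, replies and the RELATED passive-mode data
# connections must be allowed too, or nothing else on the host will work.
ftp_host_input_rules() {
    run modprobe nf_conntrack_ftp
    run iptables -t raw -A PREROUTING -p tcp --dport 21 -j CT --helper ftp
    run iptables -P INPUT DROP
    run iptables -A INPUT -i lo -j ACCEPT
    run iptables -A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
    run iptables -A INPUT -p tcp --syn -s "$1" -d "$FTP_SERVER" --dport 21 -j ACCEPT
}

# Usage: sh ftp-rules.sh [gateway|ftp-host]; set APPLY=1 to install.
case "${1:-gateway}" in
    gateway)  ftp_forward_rules "${BRANCH_IP:-198.51.100.1}" ;;
    ftp-host) ftp_host_input_rules "${CLIENT_IP:-192.168.0.1}" ;;
    *)        echo "usage: $0 [gateway|ftp-host]" >&2; exit 2 ;;
esac
```

Neither function mentions port 20, which both of Milo's rules include as a destination port: the FTP control channel is TCP/21, the server's active-mode data connection originates from port 20 as a source port, and passive mode uses a high port chosen by the server. The ftp conntrack helper sees the PORT/PASV exchange on the control channel and marks whichever data connection follows as RELATED, so one ESTABLISHED,RELATED rule admits it without opening any fixed port. Run the script without APPLY=1 first and read the printed rules; with more than one branch office, pass each address as a further argument.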