On Mon, 2005-02-14 at 09:25 -0800, Hudson Delbert J Contr 61 CS/SCBN wrote: > travis, > > re-state your scenario. its incomplete. > > how do you know its running fine? Normal Web traffic, ftp users outside the firewall coming in, windows boxes behind the firewall, etc. are all running and accessing information as expected. > > what distro and version of linux are you running? Mandrake 8.1, kernel 2.4.8-26mdk > > what doesn the config for ftp look like? Rules for ftp: # Network information you will need to adjust INTERNALIF="eth1" INTERNALNET="192.168.2.0/24" INTERNALBCAST="192.168.2.255" EXTERNALIF="eth0" MYADDR="12.42.147.158" # Only needed for DNAT, leave out otherwise #Insert modules- should be done automatically if needed /sbin/modprobe ip_conntrack_ftp /sbin/modprobe ip_nat_ftp #Allow replies coming in $IPTABLES -A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT #Send ftp to an internal machine $IPTABLES -A PREROUTING -t nat -i $EXTERNALIF -p tcp -d $MYADDR --dport 20 -j DNAT --to 192.168.2.5:20 $IPTABLES -A FORWARD -i $EXTERNALIF -p tcp -d 192.168.2.5 --dport 20 -j ACCEPT $IPTABLES -t nat -A PREROUTING -i $EXTERNALIF -p tcp -d $MYADDR --dport 21 -j DNAT --to-destination 192.168.2.5 $IPTABLES -A FORWARD -i $EXTERNALIF -p tcp -d 192.168.2.5 --dport 21 -j ACCEPT $IPTABLES -A FORWARD -i $EXTERNALIF -o $INTERNALIF -p tcp --syn -d 192.168.2.5 --dport 21 -j ACCEPT #Masquerade internal connections going out. $IPTABLES -A POSTROUTING -t nat -o $EXTERNALIF -j MASQUERADE > > is the blocked by default. > > when you say my windows machines dont seem ot have this problem.. > where do these windoze boxen sit? All computers (linux and windows) are on an internal network connected via a switch to the firewall. > > anything anybody on this list offers up as a solution will not > be thought out well and will basically be a guess. > > i'm a visual person - draw me pix of your networks and > sanitize the ip with rfc1918 addresses and bitmasks as it Not quite sure I understand this... > makes no difference as its all cidr..... > Network picture Internet --> firewall --> internal network (linux and windows) firewall --> incoming ports: 80, 8080, 110, 25, 443, 143, 20, 21, all get routed to internal servers. The rest are dropped/denied. internal network: should be completely masqueraded by the firewall #Masquerade internal connections going out. $IPTABLES -A POSTROUTING -t nat -o $EXTERNALIF -j MASQUERADE > guessing is a bad idea.... > Agreed. > > need waaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaay more info. > Anything else? Will gladly provide it. Thanks! -- Travis Crook Visions Beyond www.VisionsBeyond.com (208) 478-7836 > ~piranha > > -----Original Message----- > From: netfilter-bounces@xxxxxxxxxxxxxxxxxxx > [mailto:netfilter-bounces@xxxxxxxxxxxxxxxxxxx]On Behalf Of Travis Crook > Sent: Monday, February 14, 2005 9:08 AM > To: netfilter@xxxxxxxxxxxxxxxxxxx > Subject: ftp behind the firewall > > > Hi all, > I would like to ask a question just for clarification. I have a > firewall up and running just fine. My problem is that I cannot ftp > through the firewall on a linux machine. My windows machines don't seem > to have this problem. Am I missing something? Or is it a local linux > computer configuration issue. I'll gladly provide any necessary > information. > > Thanks! > >
